Quick summary

When a company sells your personal data—either directly to third parties or by sharing it for cross-context behavioral advertising—you may have legal rights to stop the sale, get a copy of the data, and request deletion. These consumer protections are established mainly by state privacy laws (for example, California’s CCPA/CPRA) and enforced by state agencies and the Federal Trade Commission (FTC) under general consumer-protection authority (FTC: https://www.ftc.gov). Always check both the company’s privacy policy and your state’s rules.

How U.S. privacy law treats “sale” of data

  • State privacy laws (California, Virginia, Colorado, Connecticut, Utah, and others) create most of the clear consumer rights in the U.S. California’s laws—the California Consumer Privacy Act (CCPA) and its successor amendments under the California Privacy Rights Act (CPRA)—are the most developed and widely referenced. The CCPA/CPRA define “sale” broadly to include many forms of data transfers used for advertising (see California resources: https://www.oag.ca.gov/privacy/ccpa).
  • At the federal level there is no single, comprehensive privacy law for consumer data in 2025; instead, the FTC enforces deceptive and unfair practices and issues guidance about data-security and consumer privacy (FTC: https://www.ftc.gov/news-events/media-resources/protecting-your-privacy).

What rights you can typically exercise

Rights differ by law and company, but commonly include:

  • Right to opt out of sale/sharing: You can tell a company not to sell or share your personal data for targeted ads. Under California law, businesses must provide a clear “Do Not Sell or Share My Personal Information” link (CPRA/CCPA) and honor opt-outs.
  • Right to know/access: You can request a copy of the categories of personal information a company collected about you and the categories of third parties with whom it shared that information.
  • Right to deletion: You can ask the company to delete personal data it collected from you, subject to certain exceptions (for example, data needed to complete a transaction or comply with law).
  • Right to correction: Some laws allow you to request correction of inaccurate data.
  • Right to appeal or limit certain uses: CPRA introduces a right to limit the use of sensitive personal information.

Typical timelines and proof requirements

  • Many state laws require businesses to respond to consumer requests within 45 days of receipt; companies may be allowed one extension with notice (check the company’s privacy policy for specifics). Always expect to verify your identity—businesses can require reasonable methods to confirm you’re the data subject for privacy and security reasons.

Practical steps to stop a sale or sharing of your data

  1. Find the privacy policy and the opt-out link: Look for a “Do Not Sell or Share My Personal Information” or an opt-out preference page on the company’s website. If you’re in California, the company should provide a clear path to opt out per CCPA/CPRA.
  2. Use the company’s web form or email: Submit a request to opt out, access data, or delete. Keep copies/screenshots of the submission and any confirmation.
  3. Provide minimal verification: Only provide what the company’s form requests. Do not share more personal details than necessary when verifying your identity.
  4. Use browser and system privacy controls: Enable tracking protection in your browser, install ad-blockers, and consider Global Privacy Control (GPC) which signals opt-out preferences to participating sites.
  5. For advertising opt-outs, use industry tools: Industry opt-out pages and browser settings (or mobile ad settings) limit targeted advertising.

Sample request templates

  • Opt-out (short):
    To: privacy@[company].com
    Subject: Opt-out — Do Not Sell or Share My Personal Information

    Please treat this as a request to opt out of the sale or sharing of my personal information under applicable privacy law. My name is [Full Name]. My email is [email]. Please confirm in writing that you have completed this request and that you will not sell or share my personal information going forward.

  • Access/delete (short):
    To: privacy@[company].com
    Subject: Request for Access and Deletion of Personal Information

    Under applicable privacy laws, I request a copy of the personal information you have collected or sold about me and a deletion of my personal information, except for data you are required to retain by law. Please tell me within the timeline required by law how you will respond and any verification steps you need.

Always attach proof of identity only when requested; follow the company’s instructions to avoid disclosure of sensitive documents over insecure channels.

How to escalate if a company refuses or ignores your request

  • File a complaint with the FTC and your state attorney general or privacy agency. For California, you can contact the California Privacy Protection Agency or the Attorney General (https://oag.ca.gov/privacy).
  • Many state laws give regulators the power to investigate and fine noncompliant businesses. In limited cases (for example, certain data breaches under CCPA), consumers may have a private right of action—consult a lawyer to evaluate legal claims.

Real-world examples and common outcomes

  • Consumers who opt out of “sales” or “sharing” typically see fewer personalized marketing messages and fewer cross-site targeted ads within 45–90 days after a company processes the request.
  • Businesses that fail to provide an opt-out or ignore access/deletion requests risk enforcement actions and fines from state regulators.

Common mistakes to avoid

  • Sending too much personal information when making a request. Give only what’s required to identify you; don’t send Social Security numbers or copies of sensitive documents unless a company specifically requires a secure verification step.
  • Using unclear language: Use the terms “Do Not Sell or Share My Personal Information,” “opt-out,” or cite the specific law if you are in a covered state (e.g., CCPA/CPRA for California).
  • Forgetting to check account settings and third parties: Data brokers and advertising platforms may keep records even after a company stops selling data. Use broker opt-out tools and the FTC’s resources.

Tools, resources and further reading

Related FinHelp resources

Practical checklist to protect yourself now

  • Review the privacy settings on your major accounts and mobile devices.
  • Search for “Do Not Sell” links on websites you use and submit opt-outs.
  • Use browser privacy extensions and consider a dedicated privacy email address for marketing sign-ups.
  • Track requests and confirmations in a personal privacy log (date, company, request type, confirmation).

Frequently asked enforcement questions

  • Will opting out stop all tracking? No. Opting out under state law generally stops sales or sharing as defined by that law, but it may not stop all forms of tracking or processing (e.g., first-party analytics, necessary service communications).
  • Can I sue a company for selling my data? State laws vary. Some provide limited private rights (for particular data-breach harms); most enforcement actions are brought by regulators. Get legal advice for potential claims.

Final professional note

In my practice advising individuals and small businesses, the most effective approach combines legal rights (know and use your state-level opt-out and access rights) with practical controls (browser protections, ad settings, and opt-out industry tools). Keep records of every request: regulators and courts rely on documentation.

This entry is for educational purposes and does not constitute legal advice. If you need legally binding guidance about a particular situation, consult a qualified attorney or your state privacy regulator.

Sources: U.S. Federal Trade Commission (FTC) guidance; California Consumer Privacy Act / California Privacy Rights Act resources (California Attorney General & California Privacy Protection Agency).