9.3 The Right to Object & Opt Out

Not all data processing is based on your consent. Companies frequently process personal data under the legal basis of "legitimate interests" — a broad ground that allows processing without asking you first, provided their interests are not overridden by yours. The right to object is your mechanism to challenge this. Combined with the CCPA's opt-out rights, it gives you a powerful toolkit to push back against unwanted data use.

GDPR Art. 21: The right to object

Article 21 grants you the right to object, on grounds relating to your particular situation, to processing of your personal data that is based on legitimate interests (GDPR Art. 6(1)(f)) or processing in the public interest (Art. 6(1)(e)). The controller must stop processing unless they can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims.

For direct marketing, the right to object is absolute. You do not need to give any reason. If you object to processing for direct marketing — including profiling for that purpose — the controller must stop immediately and without exception (GDPR Art. 21(2)–(3)).

Withdrawing consent vs. objecting: a critical distinction

Withdrawing consent (under GDPR Art. 7(3)) and objecting under Art. 21 are different tools for different situations. Consent withdrawal applies where processing is based on your consent — once you withdraw, there is no longer a lawful basis and processing must stop. By contrast, the right to object applies to processing based on legitimate interests or public interest — the controller continues to have a potential legal basis, but you are asking them to weigh it against your interests. Understanding which situation you are in determines which mechanism to use.

CCPA: opt out of sale and sharing

The CCPA grants Californian consumers the right to opt out of the sale or sharing of their personal information. Businesses subject to the CCPA must include a clear "Do Not Sell or Share My Personal Information" link on their website. The California Privacy Rights Act (CPRA, 2023) strengthened this right by adding a separate right to opt out of cross-context behavioural advertising.

The Global Privacy Control (GPC)

The Global Privacy Control is a browser-level signal — a technical standard you can enable in privacy-focused browsers and extensions (such as Firefox with the uBlock Origin extension, or the Brave browser) — that automatically communicates your opt-out preference to every website you visit. Under California law, businesses must honour the GPC signal as a valid opt-out of sale and sharing. The GPC is one of the most practical tools available for scaling your privacy choices without manually opting out of every website.

How to opt out of data broker profiles

Data brokers are required under California and other state laws to provide opt-out mechanisms. Services like DeleteMe, Privacy Bee, and the free opt-out lists maintained by the Privacy Rights Clearinghouse can help you submit removal requests across dozens of brokers simultaneously.

Your takeaway

Object to direct marketing immediately and without hesitation — it is an absolute right. For other legitimate-interest processing, build your case around your particular situation. Enable the GPC signal in your browser today as a lightweight, high-impact privacy step.