Opt-Out (CCPA)
CCPA guest opt-out
Section titled “CCPA guest opt-out”The CCPA requires that users can opt out of data sale/sharing without creating an account or logging in. The opt-out system supports both authenticated users and anonymous visitors.
POST /privacy/opt-outis[AllowAnonymous]- If authenticated → opt-out recorded against
UserId - If anonymous →
AnonymousTrackIdgenerated, stored in_optout_idHTTP-Only cookie - Idempotent — repeated requests return existing opt-out status
Cookie _optout_id
Section titled “Cookie _optout_id”| Property | Value |
|---|---|
| Category | StrictlyNecessary (registered in ICookieRegistry) |
| HttpOnly | true |
| Secure | true |
| SameSite | Lax |
| Retention | 730 days (2 years) |
Cart merge (anonymous → authenticated)
Section titled “Cart merge (anonymous → authenticated)”When a visitor logs in after opting out anonymously, the application should merge the anonymous opt-out with their user profile:
// In your login handler (e.g., Wolverine handler on UserLoggedInEto)await optOutWriter.MergeAnonymousAsync(anonymousTrackId, userId);The framework provides the IOptOutRecordWriter.MergeAnonymousAsync() interface;
the merge call is application-level logic, not auto-triggered.
Endpoints
Section titled “Endpoints”| Method | Route | Operation | Auth |
|---|---|---|---|
| POST | /opt-out | RequestOptOut | Anonymous |
| GET | /opt-out/status | GetOptOutStatus | Anonymous |
context.Services.AddGranitPrivacy(privacy =>{ privacy.UseOptOutRecordStore<EfCoreOptOutRecordStore>();});