US CCPA Do not sell or share

The CCPA gives a consumer the right to direct a business to stop selling or sharing their personal information. "Sell" means disclosing a consumer's personal information to a third party for monetary or other valuable consideration. "Share" is narrower and specific to advertising: it means disclosing personal information to a third party for cross-context behavioral advertising, whether or not any money changes hands. A common example of sharing is letting an ad-tech vendor use a site visitor's identifiers to target ads across other sites and apps.

In practice, a business that sells or shares personal information must give consumers a clear way to opt out, most commonly a "Do Not Sell or Share My Personal Information" link, and must treat an opt-out preference signal such as Global Privacy Control as a valid opt-out request. Once a consumer opts out, the business must stop selling or sharing that person's personal information and must pass the opt-out on to third parties it had already sold or shared the information with. A consumer can also authorize someone else to opt out on their behalf.

Start by deciding whether the issue affects business-threshold status, notice at collection, privacy policy disclosures, consumer rights, do-not-sell/share controls, GPC, service-provider restrictions, or enforcement exposure. The useful answer should name the exact trigger, affected product or process, required action, owner, evidence, and escalation point.

Keep the California source, threshold calculation, notice text, consumer-right workflow, opt-out/GPC evidence, and service-provider contract record together so the CCPA decision can be reviewed later.

Ownership should sit with the team that can change notices, request intake, ad-tech settings, vendor contracts, data retention, or consumer-facing controls, with privacy/legal review for ambiguous cases.

Evidence should show threshold calculations, notice-at-collection placement, privacy-policy disclosures, rights request logs, opt-out/GPC handling, vendor restrictions, and enforcement-response readiness.

Most CCPA mistakes happen at the boundary between a business, service provider, contractor and third party, or between selling, sharing, financial incentives, minors, GPC, and data-broker obligations.

Apply this section before launching a collection point, ad-tech flow, rights workflow, vendor onboarding, financial incentive, minor-focused journey, or data-broker process.

Use a CCPA workflow that captures threshold status, data category, collection point, consumer right, opt-out or GPC trigger, vendor role, evidence, owner, and review date.

The output should be a threshold note, notice update, DSAR decision, opt-out/GPC record, vendor clause map, dark-pattern review, or enforcement evidence pack.