---
title: "US CCPA Privacy Law FAQ"
canonical_url: "https://www.sorena.io/artifacts/us/california-consumer-privacy-act/faq/items"
source_url: "https://www.sorena.io/artifacts/us/california-consumer-privacy-act/faq/items"
author: "Sorena AI"
description: "Practical guidance for the US CCPA FAQ, with practical decisions, evidence, edge cases, and external source citations."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "US CCPA"
  - "FAQ"
  - "US CCPA FAQ"
  - "compliance checklist"
  - "practical guidance"
  - "Compliance"
  - "Regulatory guidance"
---

# US CCPA Privacy Law FAQ

Practical guidance for the US CCPA FAQ, with practical decisions, evidence, edge cases, and external source citations.


## US CCPA FAQ

Use this FAQ to answer recurring US CCPA implementation questions with source-linked operational guidance, clear owners, and reusable evidence.

This guide converts official requirements into scope, evidence, ownership, and review decisions for practical implementation. It supports implementation planning and should be validated against jurisdiction-specific legal, contractual, and policy requirements before implementation.

This FAQ hub answers the most common US CCPA questions with plain, direct guidance on scope, consumer rights, business obligations, request handling, and enforcement basics.

## Browse sub-FAQ modules

### [CCPA Global Privacy Control (GPC): team obligations and technical implementation](/artifacts/us/california-consumer-privacy-act/faq/gpc.md)

US CCPA guidance for GPC, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [How should teams decide whether US CCPA applies?](/artifacts/us/california-consumer-privacy-act/faq/thresholds.md)

US CCPA guidance for Thresholds, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about consumer request verification under the CCPA?](/artifacts/us/california-consumer-privacy-act/faq/dsar-verification.md)

US CCPA guidance for consumer request verification, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Dark Patterns under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/dark-patterns.md)

US CCPA guidance for Dark Patterns, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Data Broker Crossover under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/data-broker-crossover.md)

US CCPA guidance for Data Broker Crossover, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Do not sell or share under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/do-not-sell-or-share.md)

US CCPA guidance for Do not sell or share, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Financial Incentives under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/financial-incentives.md)

US CCPA guidance for Financial Incentives, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Minors under the California CCPA?](/artifacts/us/california-consumer-privacy-act/faq/minors.md)

US CCPA guidance for Minors, with practical decisions, evidence, edge cases, and external source citations.

- 4 items

### [What should teams do about Notice at collection under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/notice-at-collection.md)

US CCPA guidance for Notice at collection, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Personal and Sensitive PI Categories under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/personal-and-sensitive-pi-categories.md)

US CCPA guidance for Personal and Sensitive PI Categories, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Privacy Policy under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/privacy-policy.md)

US CCPA guidance for Privacy Policy, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Risk And Cyber Audits under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/risk-and-cyber-audits.md)

US CCPA guidance for Risk And Cyber Audits, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

### [What should teams do about Service Provider And Contractor Contracts under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/service-provider-and-contractor-contracts.md)

US CCPA guidance for Service Provider And Contractor Contracts, with practical decisions, evidence, edge cases, and external source citations.

- 3 items

Browse all indexed questions: [/artifacts/us/california-consumer-privacy-act/faq/items](/artifacts/us/california-consumer-privacy-act/faq/items.md)

## All FAQ items

*Page 1 of 2. Showing 20 of 40 items.*

### [What is GPC and how should teams handle it under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/gpc.md#what-is-gpc-and-how-should-teams-handle-it-under-the-us-ccpa)

*Module: [CCPA Global Privacy Control (GPC): team obligations and technical implementation](/artifacts/us/california-consumer-privacy-act/faq/gpc.md)*

GPC, or Global Privacy Control, is a browser or device privacy signal that tells a business the consumer wants to opt out of sale or sharing of personal information. Under the CCPA, businesses that sell or share personal information must process a valid opt-out preference signal as an opt-out request for that browser or device, and for the consumer when the business knows who the consumer is.

- Write the GPC decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [California Civil Code Section 1798.135](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.135.&ref=sorena.io) - CCPA statutory source for opt-out preference signals and sale/share opt-out duties.
- [California Civil Code privacy provisions](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.135.&ref=sorena.io) - Confirms privacy-policy disclosure duties for opt-out preference signal handling.
- [CPPA Final CCPA Regulations Text](https://cppa.ca.gov/regulations/pdf/20230329_final_regs_text.pdf?ref=sorena.io) - CPPA regulation text defining opt-out preference signals and processing requirements.

### [What evidence should teams keep for GPC under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/gpc.md#what-evidence-should-teams-keep-for-gpc-under-the-us-ccpa)

*Module: [CCPA Global Privacy Control (GPC): team obligations and technical implementation](/artifacts/us/california-consumer-privacy-act/faq/gpc.md)*

Useful evidence is not just a privacy policy. Keep the source, threshold notes, notice screenshots, request logs, opt-out/GPC tests, vendor terms, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [California Civil Code privacy provisions](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.135.&ref=sorena.io) - Evidence source for recording how the business honors opt-out preference signals.
- [CPPA Final CCPA Regulations Text](https://cppa.ca.gov/regulations/pdf/20230329_final_regs_text.pdf?ref=sorena.io) - Evidence source for when opt-out preference signal processing can replace homepage links.

### [Which mistakes create risk when handling GPC under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/gpc.md#which-mistakes-create-risk-when-handling-gpc-under-the-us-ccpa)

*Module: [CCPA Global Privacy Control (GPC): team obligations and technical implementation](/artifacts/us/california-consumer-privacy-act/faq/gpc.md)*

The common failure pattern is treating CCPA as one static notice instead of checking each collection point, sale/share flow, consumer request, GPC signal, and vendor restriction against current source material.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [California Civil Code Section 1798.135](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.135.&ref=sorena.io) - Risk source for sale/share opt-out and sensitive-information limit signal handling.
- [California Civil Code privacy provisions](https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.135.&ref=sorena.io) - Boundary source for CCPA opt-out links, signal alternatives, and policy statements.
- [CPPA Final CCPA Regulations Text](https://cppa.ca.gov/regulations/pdf/20230329_final_regs_text.pdf?ref=sorena.io) - Boundary source for retention and use limits tied to opt-out preference signal processing.

### [How should teams decide whether US CCPA applies?](/artifacts/us/california-consumer-privacy-act/faq/thresholds.md#how-should-teams-decide-whether-us-ccpa-applies)

*Module: [How should teams decide whether US CCPA applies?](/artifacts/us/california-consumer-privacy-act/faq/thresholds.md)*

Teams should treat Thresholds under the US CCPA as a source-linked operating decision. First check whether the organization meets the definition of a business by doing business in California and satisfying at least one of these thresholds: annual gross revenues in excess of $25 million in the preceding calendar year; annually buying, selling, or sharing the personal information of 100,000 or more consumers or households; or deriving 50 percent or more of annual revenues from selling or sharing consumers' personal information. If a company does not meet one of those thresholds, it may still be covered if it controls or is controlled by a business, shares common branding with it, and shares consumers' personal information; if it is a joint venture or partnership in which each business has at least a 40 percent interest; or if it is a person that voluntarily certifies compliance to the California Privacy Protection Agency.

- Write the Thresholds decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [Updated Monetary Thresholds in CCPA](https://cppa.ca.gov/regulations/cpi_adjustment.html?ref=sorena.io) - Official CPPA page for the inflation-adjusted revenue threshold used in the CCPA business test.
- [California Consumer Privacy Act Regulations (March 2023)](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - Official CPPA regulations source used with the statute when operationalizing CCPA applicability and rights workflows.
- [CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology (ADMT), and Insurance Regulations](https://cppa.ca.gov/regulations/ccpa_updates.html?ref=sorena.io) - Official CPPA rulemaking page to check whether updates affect threshold-adjacent CCPA obligations.

### [What evidence should teams keep for Thresholds under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/thresholds.md#what-evidence-should-teams-keep-for-thresholds-under-the-us-ccpa)

*Module: [How should teams decide whether US CCPA applies?](/artifacts/us/california-consumer-privacy-act/faq/thresholds.md)*

Useful evidence is not just a privacy policy. Keep the source, threshold notes, notice screenshots, request logs, opt-out/GPC tests, vendor terms, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [California Consumer Privacy Act Regulations (March 2023)](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - Evidence source for documenting the CCPA threshold decision, effective date, and current CPPA materials used.
- [CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology (ADMT), and Insurance Regulations](https://cppa.ca.gov/regulations/ccpa_updates.html?ref=sorena.io) - Evidence source for documenting the CCPA threshold decision, effective date, and current CPPA materials used.
- [Updated Monetary Thresholds in CCPA](https://cppa.ca.gov/regulations/cpi_adjustment.html?ref=sorena.io) - Evidence source for documenting the CCPA threshold decision, effective date, and current CPPA materials used.

### [Which mistakes create risk when handling Thresholds under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/thresholds.md#which-mistakes-create-risk-when-handling-thresholds-under-the-us-ccpa)

*Module: [How should teams decide whether US CCPA applies?](/artifacts/us/california-consumer-privacy-act/faq/thresholds.md)*

The common failure pattern is treating CCPA as one static notice instead of checking each collection point, sale/share flow, consumer request, GPC signal, and vendor restriction against current source material.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [Updated Monetary Thresholds in CCPA](https://cppa.ca.gov/regulations/cpi_adjustment.html?ref=sorena.io) - Boundary source for checking that CCPA threshold assumptions and adjacent obligations use current CPPA source material.
- [California Consumer Privacy Act Regulations (March 2023)](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - Boundary source for checking that CCPA threshold assumptions and adjacent obligations use current CPPA source material.
- [CCPA Updates, Cybersecurity Audits, Risk Assessments, Automated Decisionmaking Technology (ADMT), and Insurance Regulations](https://cppa.ca.gov/regulations/ccpa_updates.html?ref=sorena.io) - Boundary source for checking that CCPA threshold assumptions and adjacent obligations use current CPPA source material.

### [What should teams do about DSAR Verification under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/dsar-verification.md#what-should-teams-do-about-dsar-verification-under-the-us-ccpa)

*Module: [What should teams do about consumer request verification under the CCPA?](/artifacts/us/california-consumer-privacy-act/faq/dsar-verification.md)*

Teams should treat DSAR Verification under the US CCPA as a source-linked operating decision: confirm which request is being handled, whether verification is required, what method the business must offer, and what evidence shows the process was documented and applied consistently.

- Write the DSAR Verification decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [California Consumer Privacy Act Regulations (March 2023)](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - Supports using current CPPA rulemaking materials when request-verification workflows are updated.
- [CPPA Final Regulations Text](https://cppa.ca.gov/regulations/20230329_final_regs_text.pdf?ref=sorena.io) - Supports the request-method rules for delete, correct, know, opt-out of sale/sharing, and limit requests.

### [What evidence should teams keep for DSAR Verification under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/dsar-verification.md#what-evidence-should-teams-keep-for-dsar-verification-under-the-us-ccpa)

*Module: [What should teams do about consumer request verification under the CCPA?](/artifacts/us/california-consumer-privacy-act/faq/dsar-verification.md)*

Useful evidence is not just a privacy policy. Keep the source, threshold notes, request-form screenshots, verification rules, request logs, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [California Consumer Privacy Act Regulations (March 2023)](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - Evidence source for keeping request-handling records.
- [CPPA Final Regulations Text](https://cppa.ca.gov/regulations/20230329_final_regs_text.pdf?ref=sorena.io) - Evidence source for the verification rules that apply to password-protected accounts and non-accountholders.

### [Which mistakes create risk when handling DSAR Verification under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/dsar-verification.md#which-mistakes-create-risk-when-handling-dsar-verification-under-the-us-ccpa)

*Module: [What should teams do about consumer request verification under the CCPA?](/artifacts/us/california-consumer-privacy-act/faq/dsar-verification.md)*

The common failure pattern is treating every request the same instead of checking whether the business must offer two designated submission methods, whether the request is verifiable, and whether the consumer is already using a password-protected account.

- Using one request form for every CCPA right without checking the different verification rules.
- Requiring identity verification for opt-out of sale/sharing or limit requests when the regulations do not allow it.
- Asking for more personal information than is reasonably needed to verify a delete, correct, or know request.

Sources for this answer:

- [California Consumer Privacy Act Regulations (March 2023)](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - Boundary source for the methods businesses must provide for delete, correct, and know requests.
- [CPPA Final Regulations Text](https://cppa.ca.gov/regulations/20230329_final_regs_text.pdf?ref=sorena.io) - Boundary source for minimizing verification data collection.

### [What should teams do about Dark Patterns under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/dark-patterns.md#what-should-teams-do-about-dark-patterns-under-the-us-ccpa)

*Module: [What should teams do about Dark Patterns under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/dark-patterns.md)*

Teams should treat Dark Patterns under the US CCPA as a source-linked operating decision: confirm whether the issue affects business-threshold status, notice at collection, privacy policy disclosures, consumer rights, do-not-sell/share controls, GPC, service-provider restrictions, or enforcement exposure, assign the team that can change the process, and keep evidence showing the action and review trigger.

- Write the Dark Patterns decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [Avoiding Dark Patterns: Clear and Understandable Language, Symmetry in Choice](https://cppa.ca.gov/pdf/enfadvisory202402.pdf?ref=sorena.io) - CPPA enforcement advisory source for CCPA dark-pattern expectations, including clear language and symmetrical privacy choices.
- [California Privacy Protection Agency FAQs](https://cppa.ca.gov/faq.html?ref=sorena.io) - Official CPPA FAQ source for treating opt-out preference signals, including Global Privacy Control, as CCPA opt-out requests.
- [California Consumer Privacy Act Regulations](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - CPPA regulations source for CCPA request and consent interface rules that prohibit dark-pattern effects.

### [What evidence should teams keep for Dark Patterns under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/dark-patterns.md#what-evidence-should-teams-keep-for-dark-patterns-under-the-us-ccpa)

*Module: [What should teams do about Dark Patterns under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/dark-patterns.md)*

Useful evidence is not just a privacy policy. Keep the source, threshold notes, notice screenshots, request logs, opt-out/GPC tests, vendor terms, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [California Privacy Protection Agency FAQs](https://cppa.ca.gov/faq.html?ref=sorena.io) - Official CPPA FAQ source for treating opt-out preference signals, including Global Privacy Control, as CCPA opt-out requests.
- [California Consumer Privacy Act Regulations](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - CPPA regulations source for CCPA request and consent interface rules that prohibit dark-pattern effects.
- [Avoiding Dark Patterns: Clear and Understandable Language, Symmetry in Choice](https://cppa.ca.gov/pdf/enfadvisory202402.pdf?ref=sorena.io) - CPPA enforcement advisory source for clear-language and symmetrical choice evidence.

### [Which mistakes create risk when handling Dark Patterns under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/dark-patterns.md#which-mistakes-create-risk-when-handling-dark-patterns-under-the-us-ccpa)

*Module: [What should teams do about Dark Patterns under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/dark-patterns.md)*

The common failure pattern is treating CCPA as one static notice instead of checking each collection point, sale/share flow, consumer request, GPC signal, and vendor restriction against current source material.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [Avoiding Dark Patterns: Clear and Understandable Language, Symmetry in Choice](https://cppa.ca.gov/pdf/enfadvisory202402.pdf?ref=sorena.io) - CPPA enforcement advisory source for CCPA dark-pattern expectations, including clear language and symmetrical privacy choices.
- [California Privacy Protection Agency FAQs](https://cppa.ca.gov/faq.html?ref=sorena.io) - Official CPPA FAQ source for treating opt-out preference signals, including Global Privacy Control, as CCPA opt-out requests.
- [California Consumer Privacy Act Regulations](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - CPPA regulations source for CCPA request and consent interface rules that prohibit dark-pattern effects.

### [What should teams do about Data Broker Crossover under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/data-broker-crossover.md#what-should-teams-do-about-data-broker-crossover-under-the-us-ccpa)

*Module: [What should teams do about Data Broker Crossover under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/data-broker-crossover.md)*

Teams should treat Data Broker Crossover under the US CCPA as a source-linked operating decision: confirm whether the issue affects business-threshold status, notice at collection, privacy policy disclosures, consumer rights, do-not-sell/share controls, GPC, service-provider restrictions, or enforcement exposure, assign the team that can change the process, and keep evidence showing the action and review trigger.

- Write the Data Broker Crossover decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [Information for Data Brokers - California Privacy Protection Agency](https://cppa.ca.gov/data_brokers/?ref=sorena.io) - CPPA source for the Data Broker Registration definition and how data broker duties intersect with CCPA rights workflows.
- [Laws & Regulations](https://cppa.ca.gov/regulations/?ref=sorena.io) - CPPA source confirming CalPrivacy implements and enforces both the CCPA and the Delete Act for data broker crossover issues.
- [California Privacy Protection Agency FAQs](https://cppa.ca.gov/faq.html?ref=sorena.io) - Official CPPA FAQ source for opt-out preference signals, including Global Privacy Control, in CCPA sale and sharing workflows.

### [What evidence should teams keep for Data Broker Crossover under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/data-broker-crossover.md#what-evidence-should-teams-keep-for-data-broker-crossover-under-the-us-ccpa)

*Module: [What should teams do about Data Broker Crossover under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/data-broker-crossover.md)*

Useful evidence is not just a privacy policy. Keep the source, threshold notes, notice screenshots, request logs, opt-out/GPC tests, vendor terms, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [Laws & Regulations](https://cppa.ca.gov/regulations/?ref=sorena.io) - CPPA source confirming CalPrivacy implements and enforces both the CCPA and the Delete Act for data broker crossover issues.
- [California Privacy Protection Agency FAQs](https://cppa.ca.gov/faq.html?ref=sorena.io) - Official CPPA FAQ source for opt-out preference signals, including Global Privacy Control, in CCPA sale and sharing workflows.
- [California Civil Code privacy provisions](https://leginfo.legislature.ca.gov/faces/codes%5FdisplaySection.xhtml?lawCode=CIV&sectionNum=1798.145.&ref=sorena.io) - California Civil Code source for statutory exceptions that can limit CCPA consumer request outcomes for data broker workflows.

### [Which mistakes create risk when handling Data Broker Crossover under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/data-broker-crossover.md#which-mistakes-create-risk-when-handling-data-broker-crossover-under-the-us-ccpa)

*Module: [What should teams do about Data Broker Crossover under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/data-broker-crossover.md)*

The common failure pattern is treating CCPA as one static notice instead of checking each collection point, sale/share flow, consumer request, GPC signal, and vendor restriction against current source material.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [Information for Data Brokers - California Privacy Protection Agency](https://cppa.ca.gov/data_brokers/?ref=sorena.io) - CPPA source for the Data Broker Registration definition and how data broker duties intersect with CCPA rights workflows.
- [Laws & Regulations](https://cppa.ca.gov/regulations/?ref=sorena.io) - CPPA source confirming CalPrivacy implements and enforces both the CCPA and the Delete Act for data broker crossover issues.
- [California Privacy Protection Agency FAQs](https://cppa.ca.gov/faq.html?ref=sorena.io) - Official CPPA FAQ source for opt-out preference signals, including Global Privacy Control, in CCPA sale and sharing workflows.
- [California Civil Code privacy provisions](https://leginfo.legislature.ca.gov/faces/codes%5FdisplaySection.xhtml?lawCode=CIV&sectionNum=1798.145.&ref=sorena.io) - California Civil Code source for statutory exceptions that can limit CCPA consumer request outcomes for data broker workflows.

### [What should teams do about Do not sell or share under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/do-not-sell-or-share.md#what-should-teams-do-about-do-not-sell-or-share-under-the-us-ccpa)

*Module: [What should teams do about Do not sell or share under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/do-not-sell-or-share.md)*

Start with what the right means: "sell" is disclosing personal information to a third party for monetary or other valuable consideration, and "share" is disclosing it to a third party for cross-context behavioral advertising, with or without payment. A business that does either must let consumers opt out (usually a "Do Not Sell or Share My Personal Information" link), must honor an opt-out preference signal such as Global Privacy Control as a valid request, and must then stop selling or sharing that consumer's data.

- Write the Do not sell or share decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - CPPA consumer FAQ confirms the CCPA opt-out right for sale or sharing, including opt-out preference signals.
- [How to Implement Global Privacy Control (GPC) for Publishers](https://globalprivacycontrol.org/implementation?ref=sorena.io) - Direct support for the FAQ answer on Do not sell or share.
- [Enforcement Advisory No. 2024-01 Applying Data Minimization to Consumer Requests](https://cppa.ca.gov/pdf/enfadvisory202401.pdf?ref=sorena.io) - Direct support for the FAQ answer on Do not sell or share.

### [What evidence should teams keep for Do not sell or share under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/do-not-sell-or-share.md#what-evidence-should-teams-keep-for-do-not-sell-or-share-under-the-us-ccpa)

*Module: [What should teams do about Do not sell or share under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/do-not-sell-or-share.md)*

Useful evidence is not just a privacy policy. Keep the source, threshold notes, notice screenshots, request logs, opt-out/GPC tests, vendor terms, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [How to Implement Global Privacy Control (GPC) for Publishers](https://globalprivacycontrol.org/implementation?ref=sorena.io) - Evidence support for the FAQ answer.
- [Enforcement Advisory No. 2024-01 Applying Data Minimization to Consumer Requests](https://cppa.ca.gov/pdf/enfadvisory202401.pdf?ref=sorena.io) - Evidence support for the FAQ answer.
- [U.S. Privacy User Signal Mechanism](https://iabtechlab.com/standards/ccpa?ref=sorena.io) - Evidence support for the FAQ answer.

### [Which mistakes create risk when handling Do not sell or share under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/do-not-sell-or-share.md#which-mistakes-create-risk-when-handling-do-not-sell-or-share-under-the-us-ccpa)

*Module: [What should teams do about Do not sell or share under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/do-not-sell-or-share.md)*

The common failure pattern is treating CCPA as one static notice instead of checking each collection point, sale/share flow, consumer request, GPC signal, and vendor restriction against current source material.

- Using an old threshold, deadline, source page, or contract template without checking current source text.
- Treating a source-linked exception as a general exemption for every product or data flow.
- Publishing notices, controls, or answers that do not match the actual product behavior.

Sources for this answer:

- [California Privacy Protection Agency FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [How to Implement Global Privacy Control (GPC) for Publishers](https://globalprivacycontrol.org/implementation?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [Enforcement Advisory No. 2024-01 Applying Data Minimization to Consumer Requests](https://cppa.ca.gov/pdf/enfadvisory202401.pdf?ref=sorena.io) - Risk and boundary support for the FAQ answer.
- [U.S. Privacy User Signal Mechanism](https://iabtechlab.com/standards/ccpa?ref=sorena.io) - Risk and boundary support for the FAQ answer.

### [When does the CCPA require a financial incentive notice?](/artifacts/us/california-consumer-privacy-act/faq/financial-incentives.md#when-does-the-ccpa-require-a-financial-incentive-notice)

*Module: [What should teams do about Financial Incentives under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/financial-incentives.md)*

Teams should treat Financial Incentives under the US CCPA as a source-linked operating decision. Confirm whether the issue affects business-threshold status, notice at collection, privacy policy disclosures, consumer rights, do-not-sell/share controls, GPC, service-provider restrictions, or enforcement exposure. Then assign the team that can change the process, and keep evidence showing the action and the review trigger.

- Write the Financial Incentives decision in one sentence before drafting controls.
- Attach the external source URL and a short source quote to the evidence record.
- Route unclear cases to legal, privacy, security, or compliance review before launch.

Sources for this answer:

- [CPPA CCPA Regulations (effective January 1, 2026) - § 7016 Notice of Financial Incentive](https://cppa.ca.gov/regulations/pdf/ccpa_statute_eff_20260101.pdf?ref=sorena.io) - CPPA regulation § 7016 sets what a Notice of Financial Incentive must explain before a consumer opts in.
- [CPPA CCPA Regulations (March 2023 final text)](https://cppa.ca.gov/regulations/pdf/20230329_final_regs_text.pdf?ref=sorena.io) - CPPA final regulations define financial incentives and price or service differences for CCPA scoping.
- [California Consumer Privacy Act Regulations - CPPA](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - CPPA regulations page is the official hub for the final CCPA regulation materials used for this FAQ.

### [What evidence should teams keep for Financial Incentives under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/financial-incentives.md#what-evidence-should-teams-keep-for-financial-incentives-under-the-us-ccpa)

*Module: [What should teams do about Financial Incentives under the US CCPA?](/artifacts/us/california-consumer-privacy-act/faq/financial-incentives.md)*

Useful evidence is not just a privacy policy. Keep the source, threshold notes, notice screenshots, request logs, opt-out/GPC tests, vendor terms, and approval trail together.

- Source URL and quote used for the decision.
- Scope notes, screenshots, data-flow or system references, and role mapping.
- Implementation ticket, approval record, exception notes, and review date.

Sources for this answer:

- [CPPA CCPA Regulations (effective January 1, 2026) - § 7016 Notice of Financial Incentive](https://cppa.ca.gov/regulations/pdf/ccpa_statute_eff_20260101.pdf?ref=sorena.io) - CPPA regulation § 7016 sets what a Notice of Financial Incentive must explain before a consumer opts in.
- [CPPA CCPA Regulations (March 2023 final text)](https://cppa.ca.gov/regulations/pdf/20230329_final_regs_text.pdf?ref=sorena.io) - CPPA final regulations define financial incentives and price or service differences for CCPA scoping.
- [California Consumer Privacy Act Regulations - CPPA](https://cppa.ca.gov/regulations/consumer_privacy_act.html?ref=sorena.io) - CPPA regulations page is the official hub for the final CCPA regulation materials used for this FAQ.


---

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/us/california-consumer-privacy-act/faq/items
