US CCPA Minors

The key minors rule is that a business that has actual knowledge it sells or shares personal information of a consumer under 16 must get affirmative authorization before doing so. For consumers under 13, that authorization must come from a parent or guardian; for consumers at least 13 and under 16, the consumer can give the authorization themselves. Under the CCPA regulations, businesses also must describe these procedures in their privacy policy.

Use this section to confirm whether the business has actual knowledge, whether the consumer is under 13 or between 13 and 15, and whether the correct opt-in or opt-out process is in place before any sale or sharing occurs.

Ownership should sit with the team that can change notices, request intake, ad-tech settings, vendor contracts, data retention, or consumer-facing controls, with privacy/legal review for ambiguous cases.

Evidence should show threshold calculations, notice-at-collection placement, privacy-policy disclosures, rights request logs, opt-out/GPC handling, vendor restrictions, and enforcement-response readiness.

Most CCPA mistakes happen at the boundary between a business, service provider, contractor and third party, or between selling, sharing, financial incentives, Minors, GPC, and data-broker obligations.

Apply this section before launching a collection point, ad-tech flow, rights workflow, vendor onboarding, financial incentive, minor-focused journey, or data-broker process.

Use a CCPA workflow that captures threshold status, data category, collection point, consumer right, opt-out or GPC trigger, vendor role, evidence, owner, and review date.

The output should be a threshold note, notice update, DSAR decision, opt-out/GPC record, vendor clause map, dark-pattern review, or enforcement evidence pack.