CCPA: Opt-Out of Sale and Sharing
Opt-Out of Sale and Sharing [§ 1798.120, 135]
Rule: Consumers have the right to opt-out of the sale or sharing of their personal information, and businesses must provide easy mechanisms to exercise this right.
What Is a “Sale”? [§ 1798.140(ad)]
Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating… a consumer’s personal information… to a third party for monetary or other valuable consideration.
Key points:
- Must be for consideration (money or other value)
- To a third party (not service provider)
- Includes data-for-services exchanges
What Is “Sharing”? [§ 1798.140(ah)]
Sharing, renting, releasing, disclosing, disseminating, making available, transferring… for cross-context behavioral advertising.
Key points:
- Applies even WITHOUT monetary consideration
- Targeted at cross-context behavioral advertising
- Includes sharing with ad networks, data brokers
Exemptions from Sale/Share [§ 1798.140(ad)(2)]
NOT a sale or share if:
| Exemption | Condition |
|---|---|
| Consumer direction | Consumer directs disclosure |
| Service provider | Disclosure to service provider per contract |
| Contractor | Disclosure to contractor per contract |
| Merger/acquisition | Part of business transfer (with restrictions) |
| Intentional disclosure | Consumer intentionally made PI public |
Opt-Out Mechanism Requirements [§ 1798.135]
Website Link
Must include link titled:
- “Do Not Sell or Share My Personal Information”, OR
- Both: “Do Not Sell My PI” AND “Do Not Share My PI”, OR
- “Your Privacy Choices” with opt-out preference icon
Link must be:
- On homepage
- Clear and conspicuous
- Easy to find
Opt-Out Process
| Requirement | Detail |
|---|---|
| No account required | Cannot require consumer to create account |
| Minimal steps | Must be easy to complete |
| No dark patterns | Cannot use confusing design to undermine choice |
| Confirmation | Must confirm opt-out was processed |
| No fee | Cannot charge for opting out |
Global Privacy Control (GPC) [§ 1798.135(b)]
Businesses must honor browser-based opt-out signals:
A business that collects consumers’ personal information shall treat the consumer’s use of an opt-out preference signal… as a valid request to opt-out.
GPC requirements:
- Must honor GPC as valid opt-out of sale AND sharing
- Applies site-wide (not just single transaction)
- Cannot require additional action from consumer
- CPPA treats GPC non-compliance as a violation
Opt-Out for Minors [§ 1798.120(c)-(d)]
| Age | Requirement |
|---|---|
| Under 13 | Cannot sell/share unless parent/guardian opts IN |
| 13-15 | Cannot sell/share unless minor opts IN |
| 16+ | Standard opt-out applies |
Actual knowledge standard: Applies when business has actual knowledge of consumer’s age.
Re-Asking After Opt-Out [§ 1798.135(b)]
After a consumer opts out, business:
- Must wait at least 12 months before asking to opt back in
- Can provide option to opt back in but cannot push/incentivize
Financial Incentives [§ 1798.125(b)]
May offer financial incentives for:
- Allowing sale/sharing
- Providing personal information
Requirements:
- Must disclose material terms
- Consumer must opt IN
- Must not be unjust, unreasonable, coercive, or usurious
- Value must be reasonably related to data value
Practical Implementation
Checklist:
- Add “Do Not Sell/Share” link to homepage footer
- Implement opt-out mechanism (no account required)
- Honor Global Privacy Control signals
- Update service provider/contractor contracts
- Implement age verification for minors (if applicable)
- Document all opt-out requests
- Stop selling/sharing within 15 business days of request