AI tells a California business that CPRA requires a 'Do Not Sell My Personal Information' link only if they actually sell data for money
ID: legal/california-privacy-rights-act-opt-out-sale
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| CPRA 2020 (effective 2023) | active | — | — | — |
| CCPA 2018 | active | — | — | — |
| CCPA Regulations §999.330 | active | — | — | — |
Root Cause
California Privacy Rights Act (CPRA) defines 'sale' broadly to include sharing data for valuable consideration (e.g., ad targeting, cross-context behavioral advertising), not just monetary exchange; businesses must provide a 'Do Not Sell or Share My Personal Information' link if they engage in any such sharing, with penalties up to $7,500 per intentional violation.
generic中文
加州隐私权法案 (CPRA) 将“出售”宽泛定义为包括为有价值对价(例如广告定向、跨情境行为广告)共享数据,而不仅仅是金钱交易;如果企业从事任何此类共享,必须提供“不要出售或共享我的个人信息”链接,每次故意违规罚款高达 7,500 美元。
Official Documentation
https://oag.ca.gov/privacy/ccpaWorkarounds
-
90% success Add a global 'Your Privacy Choices' link in the website footer that triggers a consent management platform (CMP) with a toggle for 'Do Not Sell or Share My Personal Information'. Example HTML: <a href='#privacy-choices' onclick='showCMP()'>Your Privacy Choices</a>
Add a global 'Your Privacy Choices' link in the website footer that triggers a consent management platform (CMP) with a toggle for 'Do Not Sell or Share My Personal Information'. Example HTML: <a href='#privacy-choices' onclick='showCMP()'>Your Privacy Choices</a>
-
85% success Audit all third-party scripts (ad networks, analytics, social media pixels) and categorize data flows; use a CMP like OneTrust or Cookiebot to signal opt-out via the IAB's Global Privacy Platform (GPP) string.
Audit all third-party scripts (ad networks, analytics, social media pixels) and categorize data flows; use a CMP like OneTrust or Cookiebot to signal opt-out via the IAB's Global Privacy Platform (GPP) string.
-
70% success For businesses with no data sharing, document a formal policy and add a static statement: 'We do not sell or share your personal information as defined by CPRA.' Ensure no third-party tracking is present.
For businesses with no data sharing, document a formal policy and add a static statement: 'We do not sell or share your personal information as defined by CPRA.' Ensure no third-party tracking is present.
中文步骤
Add a global 'Your Privacy Choices' link in the website footer that triggers a consent management platform (CMP) with a toggle for 'Do Not Sell or Share My Personal Information'. Example HTML: <a href='#privacy-choices' onclick='showCMP()'>Your Privacy Choices</a>
Audit all third-party scripts (ad networks, analytics, social media pixels) and categorize data flows; use a CMP like OneTrust or Cookiebot to signal opt-out via the IAB's Global Privacy Platform (GPP) string.
For businesses with no data sharing, document a formal policy and add a static statement: 'We do not sell or share your personal information as defined by CPRA.' Ensure no third-party tracking is present.
Dead Ends
Common approaches that don't work:
-
75% fail
Assuming that using third-party analytics or ad cookies without payment is not 'selling'; CPRA's definition includes sharing for cross-context behavioral advertising, which covers common ad tech.
-
60% fail
Adding only a 'Do Not Sell' link without a 'Do Not Share' link; CPRA requires both, and the link must be titled 'Your Privacy Choices' or equivalent.
-
80% fail
Implementing an opt-out via email or phone only; CPRA requires a 'clear and conspicuous' link on the website homepage and a method that is 'easy for consumers to execute'.