{
  "id": "legal/california-privacy-rights-act-opt-out-sale",
  "signature": "AI tells a California business that CPRA requires a 'Do Not Sell My Personal Information' link only if they actually sell data for money",
  "signature_zh": "AI 告诉加州企业，CPRA 仅在实际以金钱出售数据时才需要“不要出售我的个人信息”链接",
  "regex": "(Do Not Sell|CPRA) only (applies|required) if (you )?actually sell (data|information) for money",
  "domain": "legal",
  "category": "config_error",
  "subcategory": null,
  "root_cause": "California Privacy Rights Act (CPRA) defines 'sale' broadly to include sharing data for valuable consideration (e.g., ad targeting, cross-context behavioral advertising), not just monetary exchange; businesses must provide a 'Do Not Sell or Share My Personal Information' link if they engage in any such sharing, with penalties up to $7,500 per intentional violation.",
  "root_cause_type": "generic",
  "root_cause_zh": "加州隐私权法案 (CPRA) 将“出售”宽泛定义为包括为有价值对价（例如广告定向、跨情境行为广告）共享数据，而不仅仅是金钱交易；如果企业从事任何此类共享，必须提供“不要出售或共享我的个人信息”链接，每次故意违规罚款高达 7,500 美元。",
  "versions": [
    {
      "version": "CPRA 2020 (effective 2023)",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "CCPA 2018",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "CCPA Regulations §999.330",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "Assuming that using third-party analytics or ad cookies without payment is not 'selling'; CPRA's definition includes sharing for cross-context behavioral advertising, which covers common ad tech.",
      "fail_rate": 0.75,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "Adding only a 'Do Not Sell' link without a 'Do Not Share' link; CPRA requires both, and the link must be titled 'Your Privacy Choices' or equivalent.",
      "fail_rate": 0.6,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "Implementing an opt-out via email or phone only; CPRA requires a 'clear and conspicuous' link on the website homepage and a method that is 'easy for consumers to execute'.",
      "fail_rate": 0.8,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Add a global 'Your Privacy Choices' link in the website footer that triggers a consent management platform (CMP) with a toggle for 'Do Not Sell or Share My Personal Information'. Example HTML: <a href='#privacy-choices' onclick='showCMP()'>Your Privacy Choices</a>",
      "success_rate": 0.9,
      "how": "Add a global 'Your Privacy Choices' link in the website footer that triggers a consent management platform (CMP) with a toggle for 'Do Not Sell or Share My Personal Information'. Example HTML: <a href='#privacy-choices' onclick='showCMP()'>Your Privacy Choices</a>",
      "condition": "",
      "sources": []
    },
    {
      "action": "Audit all third-party scripts (ad networks, analytics, social media pixels) and categorize data flows; use a CMP like OneTrust or Cookiebot to signal opt-out via the IAB's Global Privacy Platform (GPP) string.",
      "success_rate": 0.85,
      "how": "Audit all third-party scripts (ad networks, analytics, social media pixels) and categorize data flows; use a CMP like OneTrust or Cookiebot to signal opt-out via the IAB's Global Privacy Platform (GPP) string.",
      "condition": "",
      "sources": []
    },
    {
      "action": "For businesses with no data sharing, document a formal policy and add a static statement: 'We do not sell or share your personal information as defined by CPRA.' Ensure no third-party tracking is present.",
      "success_rate": 0.7,
      "how": "For businesses with no data sharing, document a formal policy and add a static statement: 'We do not sell or share your personal information as defined by CPRA.' Ensure no third-party tracking is present.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Add a global 'Your Privacy Choices' link in the website footer that triggers a consent management platform (CMP) with a toggle for 'Do Not Sell or Share My Personal Information'. Example HTML: <a href='#privacy-choices' onclick='showCMP()'>Your Privacy Choices</a>",
    "Audit all third-party scripts (ad networks, analytics, social media pixels) and categorize data flows; use a CMP like OneTrust or Cookiebot to signal opt-out via the IAB's Global Privacy Platform (GPP) string.",
    "For businesses with no data sharing, document a formal policy and add a static statement: 'We do not sell or share your personal information as defined by CPRA.' Ensure no third-party tracking is present."
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://oag.ca.gov/privacy/ccpa",
  "official_doc_section": null,
  "error_code": "CPRA-OPT-OUT-ERR-001",
  "verification_tier": "ai_generated",
  "confidence": 0.88,
  "fix_success_rate": 0.8,
  "resolvable": "true",
  "first_seen": "2023-07-01",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}