# AI tells a California business that CPRA requires a 'Do Not Sell My Personal Information' link only if they actually sell data for money

- **ID:** `legal/california-privacy-rights-act-opt-out-sale`
- **Domain:** legal
- **Category:** config_error
- **Error Code:** `CPRA-OPT-OUT-ERR-001`
- **Verification:** ai_generated
- **Fix Rate:** 80%

## Root Cause

California Privacy Rights Act (CPRA) defines 'sale' broadly to include sharing data for valuable consideration (e.g., ad targeting, cross-context behavioral advertising), not just monetary exchange; businesses must provide a 'Do Not Sell or Share My Personal Information' link if they engage in any such sharing, with penalties up to $7,500 per intentional violation.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| CPRA 2020 (effective 2023) | active | — | — |
| CCPA 2018 | active | — | — |
| CCPA Regulations §999.330 | active | — | — |

## Workarounds

1. **Add a global 'Your Privacy Choices' link in the website footer that triggers a consent management platform (CMP) with a toggle for 'Do Not Sell or Share My Personal Information'. Example HTML: <a href='#privacy-choices' onclick='showCMP()'>Your Privacy Choices</a>** (90% success)
   ```
   Add a global 'Your Privacy Choices' link in the website footer that triggers a consent management platform (CMP) with a toggle for 'Do Not Sell or Share My Personal Information'. Example HTML: <a href='#privacy-choices' onclick='showCMP()'>Your Privacy Choices</a>
   ```
2. **Audit all third-party scripts (ad networks, analytics, social media pixels) and categorize data flows; use a CMP like OneTrust or Cookiebot to signal opt-out via the IAB's Global Privacy Platform (GPP) string.** (85% success)
   ```
   Audit all third-party scripts (ad networks, analytics, social media pixels) and categorize data flows; use a CMP like OneTrust or Cookiebot to signal opt-out via the IAB's Global Privacy Platform (GPP) string.
   ```
3. **For businesses with no data sharing, document a formal policy and add a static statement: 'We do not sell or share your personal information as defined by CPRA.' Ensure no third-party tracking is present.** (70% success)
   ```
   For businesses with no data sharing, document a formal policy and add a static statement: 'We do not sell or share your personal information as defined by CPRA.' Ensure no third-party tracking is present.
   ```

## Dead Ends

- **** — Assuming that using third-party analytics or ad cookies without payment is not 'selling'; CPRA's definition includes sharing for cross-context behavioral advertising, which covers common ad tech. (75% fail)
- **** — Adding only a 'Do Not Sell' link without a 'Do Not Share' link; CPRA requires both, and the link must be titled 'Your Privacy Choices' or equivalent. (60% fail)
- **** — Implementing an opt-out via email or phone only; CPRA requires a 'clear and conspicuous' link on the website homepage and a method that is 'easy for consumers to execute'. (80% fail)