CPRA-OPT-OUT-ERR-001 legal config_error ai_generated true

AI 告诉加州企业,CPRA 仅在实际以金钱出售数据时才需要“不要出售我的个人信息”链接

AI tells a California business that CPRA requires a 'Do Not Sell My Personal Information' link only if they actually sell data for money

ID: legal/california-privacy-rights-act-opt-out-sale

其他格式: JSON · Markdown 中文 · English
80%修复率
88%置信度
1证据数
2023-07-01首次发现

版本兼容性

版本状态引入弃用备注
CPRA 2020 (effective 2023) active
CCPA 2018 active
CCPA Regulations §999.330 active

根因分析

加州隐私权法案 (CPRA) 将“出售”宽泛定义为包括为有价值对价(例如广告定向、跨情境行为广告)共享数据,而不仅仅是金钱交易;如果企业从事任何此类共享,必须提供“不要出售或共享我的个人信息”链接,每次故意违规罚款高达 7,500 美元。

English

California Privacy Rights Act (CPRA) defines 'sale' broadly to include sharing data for valuable consideration (e.g., ad targeting, cross-context behavioral advertising), not just monetary exchange; businesses must provide a 'Do Not Sell or Share My Personal Information' link if they engage in any such sharing, with penalties up to $7,500 per intentional violation.

generic

官方文档

https://oag.ca.gov/privacy/ccpa

解决方案

  1. Add a global 'Your Privacy Choices' link in the website footer that triggers a consent management platform (CMP) with a toggle for 'Do Not Sell or Share My Personal Information'. Example HTML: <a href='#privacy-choices' onclick='showCMP()'>Your Privacy Choices</a>
  2. Audit all third-party scripts (ad networks, analytics, social media pixels) and categorize data flows; use a CMP like OneTrust or Cookiebot to signal opt-out via the IAB's Global Privacy Platform (GPP) string.
  3. For businesses with no data sharing, document a formal policy and add a static statement: 'We do not sell or share your personal information as defined by CPRA.' Ensure no third-party tracking is present.

无效尝试

常见但无效的做法:

  1. 75% 失败

    Assuming that using third-party analytics or ad cookies without payment is not 'selling'; CPRA's definition includes sharing for cross-context behavioral advertising, which covers common ad tech.

  2. 60% 失败

    Adding only a 'Do Not Sell' link without a 'Do Not Share' link; CPRA requires both, and the link must be titled 'Your Privacy Choices' or equivalent.

  3. 80% 失败

    Implementing an opt-out via email or phone only; CPRA requires a 'clear and conspicuous' link on the website homepage and a method that is 'easy for consumers to execute'.