Do Not Sell or Share my personal information
Under California's CCPA as amended by the CPRA, consumers can direct a business not to sell or share their personal information, where 'sharing' specifically covers disclosure for cross-context behavioural advertising. Businesses must offer a clear opt-out and honour opt-out signals. This page explains the right and how analytics and ad tags can fall within 'sharing'.
The right and the link
The CPRA amended the CCPA to give consumers the right to opt out of both the 'sale' of personal information and its 'sharing' for cross-context behavioural advertising. Businesses that sell or share must provide a clear and conspicuous 'Do Not Sell or Share My Personal Information' link (or equivalent mechanism) and process opt-out requests, including via recognised opt-out preference signals.
The definitions are broad: 'sale' is not limited to money changing hands, and 'sharing' is defined specifically around cross-context behavioural advertising.
When analytics and ad tags are caught
If an analytics or advertising tag passes identifiers to a third party that uses them for cross-context behavioural advertising, that disclosure can be 'sharing' under the CPRA — bringing the tag within the opt-out. Honouring an opt-out (or a Global Privacy Control signal) means stopping those disclosures for that consumer. Purely first-party, non-advertising measurement is generally outside the scope of 'sale' and 'share'.
- 'Sharing' targets cross-context behavioural advertising
- 'Sale' is broad and not limited to monetary exchange
- Opt-out can be exercised via a link and via GPC
How it appears in analytics and logs
Tags that disclose identifiers to third parties for cross-context advertising can be 'sharing' under the CPRA, so a missing opt-out path on those tags is a compliance gap.
Diagnostic use case
Determine whether your analytics or ad integrations constitute a 'sale' or 'share' under California law and need a Do Not Sell or Share opt-out.
What WebmasterID can help detect
WebmasterID does not sell or share personal information for cross-context advertising, so its first-party model avoids the activity the opt-out targets.
Common mistakes
- Assuming no opt-out is needed because no money changes hands.
- Treating all analytics as outside 'sale' and 'share'.
- Failing to honour a Global Privacy Control opt-out signal.
Privacy and accuracy notes
This page is educational and not legal advice. Whether a given data flow is a 'sale' or 'share' is fact-specific under California law; consult counsel for your configuration.
Related pages
- CCPA / CPRA and analytics
The CCPA (as amended by the CPRA) gives California residents rights over their personal information, including a right to opt out of its sale or sharing. For analytics, that turns on whether your tooling discloses identifiers to third parties for cross-context advertising. First-party, minimised measurement narrows the exposure. This is an educational overview, not legal advice.
- Global Privacy Control: legal status
Global Privacy Control (GPC) is a specification that lets a browser or extension send a machine-readable opt-out signal to every site. Unlike the older Do Not Track, GPC has been given legal teeth in some US states: California's Attorney General and the CPPA have stated that GPC must be honoured as a valid do-not-sell-or-share request. This page summarises its status.
- The Global Privacy Platform (GPP)
The Global Privacy Platform (GPP) is an IAB Tech Lab specification that transmits a user's consent and privacy choices across the digital advertising supply chain using a single, extensible container. Instead of separate strings per regulation, GPP bundles section-specific signals — for example US state strings and the EU TCF — into one encoded value. This page explains the container model.
- Privacy-first analytics
First-party measurement that does not sell or share data.
Sources and verification notes
- California Legislative Information — CCPA/CPRA (Civil Code 1798.100 et seq.)Statutory definitions of sale, share, and the opt-out right.
- California Privacy Protection Agency — CCPA regulationsRegulations on opt-out mechanisms and signals.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.