Cross-Context Behavioral Ads Compliance Under CPRA Standards
Clarifying the distinction between data sharing and selling under California’s expanded privacy mandates.
The expansion of California privacy law introduced a specific compliance hurdle that continues to trip up marketing and legal teams alike: the reclassification of cross-context behavioral advertising. Under the previous framework, many businesses argued that utilizing third-party tracking pixels did not constitute a “sale” of data because no money changed hands. The California Privacy Rights Act (CPRA) closed this interpretative gap by explicitly regulating “sharing,” a definition that captures the vast majority of modern digital advertising ecosystems.
This shift moves the compliance focus from monetary exchange to the nature of the data transfer. If a digital identifier is made available to a third party for the purpose of targeting advertising based on the consumer’s activity across different websites, it is now a regulated activity. This creates immediate friction between standard marketing performance tools—like retargeting pixels and audience matching—and the legal requirement to offer a frictionless opt-out.
The following analysis breaks down the operational reality of “sharing” under CPRA standards. We will examine the technical definitions that trap common marketing technologies, the specific tests used to determine if a vendor is a “service provider” or a “third party,” and the workflow required to implement the “Do Not Sell or Share” mandate without dismantling your entire digital strategy.
Critical thresholds for CPRA Sharing compliance:
- The Consideration Fallacy: The absence of a monetary payment does not exempt a transfer from being classified as “sharing” if the data facilitates cross-context advertising.
- The Purpose Limitation: Sharing data solely for measurement or attribution may be exempt, but only if the contract strictly prohibits the vendor from building their own profiles.
- Signal Recognition: Processing the Global Privacy Control (GPC) signal is not optional; it is a mandatory, automated opt-out mechanism for browser-based traffic.
- Vendor Re-papering: Standard “service provider” contracts fail if they allow the vendor to combine your data with data from other sources for their own benefit.
In this article:
- Context snapshot (definitions, scope, and impact)
- Quick guide to CPRA Sharing
- Understanding in practice
- Practical application
- Technical details and updates
- Statistics and scenario reads
- Practical examples
- Common mistakes
- FAQ
- References and next steps
- Normative and case-law basis
- Final considerations
Last updated: February 9, 2026.
Quick definition: “Sharing” under CPRA is the disclosure of personal information to a third party for Cross-Context Behavioral Advertising (CCBA), regardless of whether money is exchanged. It targets the ad-tech ecosystem where user profiles are built across multiple unrelated websites.
Who it applies to: Any for-profit business meeting CPRA thresholds (e.g., $25M+ revenue or processing 100k+ consumers) that uses third-party cookies, pixels, or server-to-server APIs for retargeting or interest-based advertising.
Time, cost, and documents:
- Audit Phase: 2–4 weeks to map all pixels, tags, and SDKs.
- Implementation: Continuous; requires CMP (Consent Management Platform) configuration.
- Documents: Privacy Policy updates, Service Provider Addendums (SPA), Notice at Collection.
Key takeaways that usually decide disputes:
- Contractual Restrictions: Does the vendor contract explicitly ban cross-use of data?
- Opt-Out Friction: Is the “Do Not Sell or Share” link easy to find and functional?
- GPC Compliance: Did the site honor the browser signal automatically?
- Downstream Notification: Did you notify third parties to stop processing opted-out data?
Quick guide to CPRA Sharing vs. Selling
Navigating the “sharing” requirement demands a shift in perspective from data ownership to data usage. The regulator is less concerned with who “owns” the data and more concerned with whether the data is being used to follow a consumer across the web. The following points summarize the operational reality for privacy officers and marketing directors.
- The “Sharing” Trigger: If a third party (like a social media platform or ad network) receives your user’s email or cookie ID and uses it to show that user an ad on a different platform, you are “sharing” data.
- The “Sale” Trigger: Selling is broader and includes any exchange for “valuable consideration.” While all sharing might arguably be selling, the CPRA created “sharing” specifically to catch ad-tech flows where the “value” was disputed.
- Service Provider Exception: You can disclose data without it being a “sale” or “share” if the vendor is a strict Service Provider. This requires a contract that prohibits the vendor from combining your data with data from other companies.
- The Opt-Out Link: The footer link must now read “Do Not Sell or Share My Personal Information” (or “Your Privacy Choices” with the specific icon). A simple “Do Not Sell” link is no longer sufficient.
- Global Privacy Control (GPC): You must treat the GPC browser signal as a valid request to opt-out of both selling and sharing. This must happen automatically, without forcing the user to click a confirmation modal.
Understanding Cross-Context Behavioral Advertising in practice
The core concept underpinning the “sharing” regulation is Cross-Context Behavioral Advertising (CCBA). This is defined as the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.
In practice, this definition captures the standard mechanism of modern digital marketing: retargeting. When a user visits an e-commerce store, looks at a pair of shoes, leaves without buying, and then sees an ad for those exact shoes on Instagram or a news site, CCBA has occurred. The e-commerce store “shared” the user’s browsing interest (and identifiers) with the ad network, which then used that data to target the user in a different context (the news site).
The distinction between “sharing” and strict “service provider” usage often comes down to attribution vs. targeting. If a business sends data to a vendor solely to measure how many people clicked an ad (attribution), and the vendor is contractually prohibited from building a profile on those users for other clients, this is likely a business purpose, not “sharing.” However, if that same vendor retains the data to improve its own targeting algorithm for other clients, the line is crossed into “sharing.”
Decision logic for classifying data flows:
- Is the data used for targeting outside your site? If YES → It is likely “Sharing.”
- Does the vendor combine this data with other clients’ data? If YES → It is likely “Sharing” or “Selling.”
- Is the vendor contractually bound to process only on your behalf? If YES → It may be a “Service Provider” (exempt from opt-out).
- Is the transfer purely for frequency capping or debugging? If YES → Likely “Business Purpose” (exempt).
- Does the user have a reasonable expectation of this transfer? This is the overarching lens regulators apply when reviewing “dark patterns.”
Legal and practical angles that change the outcome
The enforcement actions by the California Attorney General and the CPPA (California Privacy Protection Agency) have made it clear that technical configuration matters as much as legal contracts. A business cannot hide behind a “Service Provider” contract if the technical implementation (e.g., the pixel configuration) allows the platform to use the data broadly. This is often referred to as the “contract-configuration mismatch.”
Furthermore, the definition of “Personal Information” in this context is extremely broad. It includes IP addresses, unique device identifiers, and probabilistic identifiers. Many businesses fail to realize that allowing a third-party script to load on their page effectively transmits the IP address and User Agent to that third party. If that transmission is used for CCBA, the “sharing” regulation applies, even if no names or emails are exchanged.
Workable paths parties actually use to resolve this
To resolve the tension between marketing performance and compliance, businesses typically adopt one of three postures. The first is the “Strict Opt-Out” approach, where a Consent Management Platform (CMP) suppresses all non-essential cookies until a user interacts, or immediately upon receiving a GPC signal. This is the safest but most disruptive path for marketing data.
The second path is “Restricted Data Processing” (RDP) modes offered by major platforms. Many ad-tech vendors now offer a flag (like Google’s RDP or Meta’s Limited Data Use) that, when triggered, restricts their use of the data to service provider activities (measurement, fraud detection) and disables the CCBA component. The workable path often involves detecting the opt-out signal and dynamically switching these flags rather than blocking the tag entirely.
Practical application of compliance workflows
Implementing a robust compliance strategy for “sharing” requires collaboration between legal, marketing, and engineering. It is rarely a “set and forget” task due to the frequent changes in ad-tech taxonomy and vendor capabilities. The goal is to create a verifiable audit trail that shows the regulator you have control over your data egress points.
- Conduct a Comprehensive Tag Audit: Use scanning tools to identify every script, pixel, and iframe loading on your properties. Categorize them by vendor and function (e.g., Analytics, Advertising, Functional, Essential).
- Review Vendor Contracts (The “Addendum” Step): For every vendor categorized as “Advertising” or “Analytics,” determine if a valid CPRA Service Provider Addendum is in place. If the vendor refuses to sign one or admits to cross-context use, they are a “Third Party” receiving “Shared” data.
- Configure the CMP and Footer Links: Update the website footer to say “Do Not Sell or Share My Personal Information.” Ensure the CMP is configured to listen for the GPC signal and the user’s manual click.
- Implement Downstream Propagation: When a user opts out, the system must not only stop future collection but, ideally, signal downstream vendors (via US Privacy Strings or GPP standards) that the data is restricted.
- Verify “Frictionless” Status: Test the opt-out flow. Does it require multiple steps? Is the toggle confusing? Does it persist across page loads? The CPRA demands the process be easy and non-coercive.
- Document the “Why”: Maintain an internal record of why certain tags were classified as “Essential” or “Service Provider.” If challenged, this contemporary documentation is your primary defense against “willful non-compliance” claims.
Technical details and relevant updates
The technical standard for communicating opt-out preferences is evolving. The Global Privacy Control (GPC) is currently the primary signal that California regulators insist upon. Unlike the older “Do Not Track” (DNT) header, which was largely ignored, the GPC is considered a legally binding consumer request. Technically, this is an HTTP header or a DOM signal (`navigator.globalPrivacyControl`) that the browser sends.
Another critical technical component is the IAB Multi-State Privacy Agreement (MSPA) and the Global Privacy Platform (GPP) string. These frameworks allow publishers and advertisers to pass the user’s consent status (e.g., “Opted Out of Sale/Sharing”) through the ad-tech bid stream. If you are a publisher monetizing via programmatic ads, implementing the GPP string is essential to ensure that downstream bidders know not to use the bid request data for building profiles.
- Signal Persistence: If a user opts out via GPC, you should treat that user as opted out. If the user is logged in, that opt-out should ideally propagate to their account settings across devices.
- Pseudonymous Data: Hashed emails (HEMs) and Mobile Advertising IDs (MAIDs) are personal information. Uploading a list of hashed emails to a platform for “Custom Audiences” is a classic example of “sharing” if that platform can use the match data for its own optimization.
- Dark Patterns: Using double negatives (e.g., “Don’t not sell my info”) or making the “Decline” button a faint grey color while “Accept” is bright green is explicitly prohibited by CPRA regulations.
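The GPC detection described in this section and the dynamic switching to restricted-data-processing flags described under “Workable paths” can be wired together in the CMP’s tag-loading logic. The block below is an added example, not code from the page or from any CMP or ad-tech vendor; the tag inventory, vendor roles and RDP flag names are constructed assumptions, and the downstream signal uses the legacy IAB US Privacy string layout rather than the newer GPP encoding.

```javascript
// Constructed tag inventory for the example. Tag ids are illustrative placeholders;
// the roles and RDP flags are assumptions about a hypothetical site, not real vendors.
const TAG_INVENTORY = [
  { id: "social-pixel",   category: "advertising", role: "third_party",      rdpFlag: null },
  { id: "ads-conversion", category: "advertising", role: "third_party",      rdpFlag: "restricted_data_processing" },
  { id: "analytics",      category: "analytics",   role: "service_provider", rdpFlag: null },
  { id: "session-cookie", category: "essential",   role: "first_party",      rdpFlag: null },
];

// Read the GPC signal from either surface the browser exposes: the `Sec-GPC: 1`
// request header (server side) or `navigator.globalPrivacyControl` (DOM).
// `source` is a plain object so the same check runs outside a browser.
function readGpcSignal(source) {
  const nav = source.navigator;
  const domSignal = !!nav && nav.globalPrivacyControl === true;
  const headers = source.headers || {};
  const headerValue = headers["sec-gpc"] !== undefined ? headers["sec-gpc"] : headers["Sec-GPC"];
  const headerSignal = String(headerValue || "").trim() === "1";
  return domSignal || headerSignal;
}

// Decide what to do with one tag once the opt-out state is known. Each decision
// carries its reason so it can be written to the classification audit record.
function decideTagAction(tag, optedOut) {
  if (!optedOut) {
    return { id: tag.id, action: "fire", reason: "no opt-out signal present" };
  }
  if (tag.category === "essential" || tag.role === "first_party") {
    return { id: tag.id, action: "fire", reason: "first-party/essential: not a sale or share" };
  }
  if (tag.role === "service_provider") {
    return { id: tag.id, action: "fire", reason: "contract-bound service provider: exempt from opt-out" };
  }
  if (tag.rdpFlag) {
    // Vendor offers a restricted mode: keep measurement, disable the CCBA component.
    return { id: tag.id, action: "fire_restricted", flag: tag.rdpFlag,
             reason: "third party with RDP mode: measurement only, CCBA disabled" };
  }
  return { id: tag.id, action: "suppress", reason: "third party without RDP mode: would be sharing" };
}

// Legacy IAB US Privacy (USP) string: version "1", then notice given (Y/N),
// opt-out of sale/sharing (Y/N), LSPA-covered transaction (Y/N, assumed N here).
function buildUspString(optedOut) {
  return "1" + "Y" + (optedOut ? "Y" : "N") + "N";
}

// Evaluate the signal BEFORE any tag is scheduled (a pixel that fires first is a
// GPC response-time failure), then build the load plan with the downstream string
// and a per-tag audit trail. The signal is the request: no confirmation step.
function planTagLoading(inventory, source) {
  const optedOut = readGpcSignal(source);
  const decisions = inventory.map((tag) => decideTagAction(tag, optedOut));
  return {
    optedOut,
    confirmationRequired: false,
    uspString: buildUspString(optedOut),
    actions: Object.fromEntries(decisions.map((d) => [d.id, d.action])),
    audit: decisions,
  };
}
```

Because `readGpcSignal` takes a plain object, the same function can run server-side on the request headers or client-side by passing `window.navigator`.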
Statistics and scenario reads
The following data points reflect common patterns observed in compliance audits and regulatory sweeps. They illustrate the gap between theoretical compliance and the reality of ad-tech implementation. These figures act as risk indicators rather than absolute legal metrics.
When analyzing “sharing” compliance, we look at the distribution of third-party tags, the drop in addressable audiences after proper opt-out implementation, and the response times to GPC signals.
Tag categorization in typical e-commerce audits:
Impact of GPC Enforcement:
- Opt-in Rate Shift: 85% (Pre-GPC) → 65% (Post-GPC recognition). Honoring the signal automatically reduces the pool of trackable users significantly.
- Consent Banner Interaction: 2% → 15%. When “Do Not Sell/Share” links are prominent, manual interaction increases.
- Audience Match Rate: 60% → 45%. Restricted data processing (RDP) limits the ability to match users for retargeting.
Monitorable Metrics for Compliance Health:
- Unclassified Cookies (Count): Should remain near zero; spikes indicate new vendor tools added without review.
- GPC Response Time (ms): Should be under 500ms; delay implies the pixel fired before the signal was read.
- Opt-Out Requests (Monthly): A sudden drop to zero usually suggests a technical failure in the CMP, not a change in user behavior.
Practical examples of Sharing compliance
Scenario A: The Compliant Implementation
A clothing retailer uses a “Do Not Sell or Share” link in the footer. When a user arrives with the GPC signal enabled, the website’s Consent Management Platform (CMP) automatically detects it. The CMP immediately suppresses the firing of the Facebook Pixel and the Criteo retargeting tag. A banner appears briefly stating, “We have processed your GPC opt-out request.” The retailer also passes a flag to their Google Analytics setup to enable “Restricted Data Processing,” ensuring that while analytics are collected, the data is not shared for cross-context ads. The user is not retargeted.
Scenario B: The “Service Provider” Failure
A media streaming site classifies its use of a third-party video recommendation engine as a “Service Provider” function to avoid the “sharing” label. However, the contract allows the recommendation engine to use the viewer’s history to improve its algorithm for other streaming clients. When the CPPA audits the site, they find that the vendor is building a cross-client interest graph. Because the vendor benefits from the data beyond the specific service to the publisher, this is deemed “sharing.” Since the site offered no opt-out, they are in violation.
Common mistakes in managing “Sharing”
Ignoring GPC Signals: Many businesses install a “Do Not Sell” link but fail to configure their website to automatically respect the browser-based Global Privacy Control signal, which is a primary enforcement target.
Conflating “Sharing” with “Selling”: Assuming that because no money is exchanged with an ad partner, no “Do Not Sell” obligations exist. “Sharing” captures non-monetary transfers for cross-context ads.
“Service Provider” Over-classification: Labeling all ad-tech vendors as service providers without verifying if the contract explicitly prohibits them from using data for their own profiling or for other clients.
Geofencing Errors: Failing to apply CPRA rights to California residents who are temporarily traveling, or applying the strict opt-out logic globally (hurting revenue) instead of geo-targeting the compliance mechanisms.
Broken “Do Not Sell” Links: Having the link in the footer, but having it lead to a generic privacy policy page rather than a specific interactive form or toggle to execute the request.
FAQ about Cross-Context Behavioral Ads
Does using Google Analytics 4 (GA4) count as “sharing”?
It depends on the configuration. If you have enabled “Google Signals” or linked GA4 to Google Ads for remarketing purposes, this likely constitutes “sharing” because Google uses the data to profile users across contexts. The data flows into the broader advertising ecosystem to enable targeting.
However, if you strictly use GA4 for measurement, disable data sharing settings, and sign the appropriate data processing terms that restrict Google’s use of the data, it may be classified as a “Service Provider” (or Processor) activity. Compliance rests on whether the data helps Google build its own graph or just gives you analytics.
Is the Global Privacy Control (GPC) mandatory?
Yes. The California Attorney General has explicitly stated that GPC signals must be honored as valid consumer opt-out requests. This was underscored in the Sephora settlement, where the failure to process these user-enabled browser signals was a key violation.
Technically, this means your website must detect the signal upon page load and automatically suppress “sharing” pixels or cookies for that session. You cannot ask the user to confirm the GPC signal; the signal itself is the confirmation.
Do we need to opt-out B2B contacts from sharing?
Generally, yes. The CPRA’s temporary exemptions for B2B data (and employee data) expired on January 1, 2023. This means that business contact information is treated as “Personal Information” if it identifies a California resident.
If you upload a list of B2B email addresses to LinkedIn for a “Matched Audience” campaign, this is considered “sharing” or “selling” unless a specific service provider exception applies. These individuals have the same right to opt-out as B2C consumers.
Does “Sharing” apply if I don’t pay the vendor?
Yes. The definition of “sharing” was specifically created to cover transfers of personal information for cross-context behavioral advertising where no money is exchanged. The regulator understands that data itself is the currency in these transactions.
For example, installing a free social media pixel that tracks user behavior to help the platform optimize its ads is “sharing.” The benefit you receive (better ad targeting) and the benefit the platform receives (more user data) constitute the exchange, triggering the regulation.
Can we use a “cookie banner” to handle opt-outs?
A cookie banner can be part of the solution, but it must be configured correctly. The CPRA is an “opt-out” regime, meaning you can fire cookies by default (unlike GDPR’s opt-in), but you must allow the user to turn them off easily. The banner or a “Your Privacy Choices” link must be persistently available.
Crucially, the banner must not be a “dark pattern.” You cannot make the “Reject All” button difficult to find or harder to click than “Accept All.” The interface for opting out of sharing must be as seamless as the interface for opting in.
What is the difference between “First Party” and “Third Party” ads?
First-party advertising involves marketing to your own customers on your own properties using data you collected directly (e.g., recommending products on your homepage based on past purchases). This is generally not “sharing” or “selling.”
Third-party advertising (Cross-Context) involves using that same data to target the customer on a different site (e.g., showing them an ad on a news portal). The CPRA “sharing” rules specifically target this cross-context movement of data.
Does a “Service Provider” contract solve everything?
No, the contract is only valid if the actual data processing aligns with it. If you sign a Service Provider agreement but the vendor’s technology still scrapes data to build their own global profiles, the contract may be viewed as a sham or “void” regarding that exemption.
The business is responsible for conducting due diligence. If you know or should have known that the vendor uses the data for non-service provider purposes (like cross-context ads), you are liable for “sharing” without an opt-out.
How do we handle “Opt-Out Preference Signals” vs. Link clicks?
They must be treated effectively as the same request. If a user clicks your “Do Not Sell or Share” link, you opt them out. If a user arrives with a GPC signal, you opt them out. The result—suppressing the data transfer—must be identical.
However, the CPRA regulations suggest that if you process the opt-out preference signal in a “frictionless” manner (meaning it happens automatically without pestering the user), you might be exempt from displaying the link in certain contexts, though keeping the link is best practice for clarity.
What constitutes “valuable consideration”?
“Valuable consideration” is a broad legal term meaning any benefit, advantage, or profit. In the context of “selling,” it doesn’t need to be cash. Receiving analytics reports, discounted services, or access to a collaborative data pool in exchange for your data counts.
While “sharing” removes the need to prove “consideration,” understanding this concept is vital because many transactions are both a “sale” and a “share.” The distinction mostly matters for older contracts drafted before the “sharing” update.
Can we use “Legitimate Interest” to bypass this?
No. “Legitimate Interest” is a GDPR (European) concept and does not exist in the CPRA framework for “selling” or “sharing.” California law is based on notice and the right to opt-out, not on a balancing test of interests.
You cannot argue that your legitimate interest in marketing overrides the consumer’s right to opt-out. Once the consumer exercises that right, the sharing must stop, regardless of how important the data is to your business model.
How quickly must we process an opt-out?
The regulations require that the opt-out be implemented as soon as feasibly possible, generally expected to be immediate for website technologies (cookies/pixels) and within 15 business days for offline data flows.
For browser-based signals like GPC, the expectation is real-time processing. The user should not be tracked on that specific page view if the signal was present when the page loaded.
Does “Sharing” apply to measurement partners?
Pure measurement (counting impressions, clicks, or conversions) can often be classified under the “Business Purpose” exception if the vendor is a Service Provider. This requires strict contractual limits preventing the vendor from using that data for other clients.
However, if the measurement partner also offers “audience insights” or “benchmarking” derived from your data and shared with others, the exemption is lost, and the activity becomes “sharing” or “selling.”
References and next steps
- Map your data flows: Identify every point where data leaves your ecosystem for advertising purposes.
- Implement a CMP: Ensure your Consent Management Platform is configured for “US/California” mode, not just GDPR mode.
- Test GPC: Use a browser extension or test suite to verify your site automatically respects the Global Privacy Control.
- Review Contracts: Ensure all “Service Providers” have signed the necessary CPRA addendums (like the IAB MSPA).
Normative and case-law basis
The concept of “sharing” is codified in the California Privacy Rights Act (CPRA), which amended the CCPA. Specifically, Civil Code § 1798.140(ah)(1) defines “sharing” explicitly in the context of cross-context behavioral advertising. This definition was added to close loopholes where businesses claimed that data transfers for advertising were not “sales.”
Enforcement precedents have been set by the California Attorney General and the newly formed California Privacy Protection Agency (CPPA). The landmark settlement with Sephora in 2022 established that the failure to process GPC signals and the failure to disclose the sale/sharing of data via analytics and ad pixels constitutes a violation of the act. This case law underscores that technical compliance (signals) is as important as the written privacy policy.
For official definitions and regulatory text, refer to the California Privacy Protection Agency (CPPA) and the California Office of the Attorney General.
Final considerations
The introduction of “sharing” into the California privacy lexicon effectively ended the era of ambiguity regarding third-party tracking. Businesses can no longer rely on the argument that “no money changed hands” to avoid offering an opt-out. If the data fuels the behavioral advertising ecosystem, it is regulated, and consumers must have the power to stop it.
Compliance is not just about avoiding fines; it is about signaling trust. As browser technologies and consumer awareness evolve, the ability to respect a “Do Not Share” request seamlessly will become a baseline expectation for user experience. The transition requires technical diligence, but it ultimately creates a more transparent relationship with your audience.
Key point 1: Treat the Global Privacy Control (GPC) as a mandatory, automated “Stop Sharing” instruction.
Key point 2: Audit all pixels and tags; if they target users across contexts, they trigger “sharing” rules.
Key point 3: Ensure your footer link explicitly says “Do Not Sell or Share My Personal Information.”
- Verify your CMP is actually blocking tags when GPC is present.
- Update vendor contracts to include CPRA Service Provider Addendums.
- Document your classification logic for every third-party script.
This content is for informational purposes only and does not replace individualized legal analysis by a licensed attorney or qualified professional.