Codigo Alpha

Entenda a lei com clareza

Codigo Alpha

Entenda a lei com clareza

Digital & Privacy Law

CPRA sale share opt-out and sensitive data limits

Código Alpha

The CPRA closes the “sharing” loophole, empowering consumers to stop behavioral tracking and restrict the use of their most sensitive data with a single signal.

For years, the digital advertising ecosystem thrived on a semantic technicality. Under the original CCPA, businesses claimed that transferring user data to ad networks for retargeting wasn’t a “sale” because no money changed hands. The California Privacy Rights Act (CPRA) aggressively closed this gap by introducing the concept of “Sharing.” Now, “Sharing” explicitly covers the transfer of data for “cross-context behavioral advertising,” regardless of whether money is exchanged. If you use third-party cookies or tracking pixels to follow users across the web, you are “sharing” data, and you must give users a way to stop it.

Simultaneously, the CPRA introduced a new tier of protection for “Sensitive Personal Information” (SPI). This category includes “radioactive” data points like precise geolocation, genetic data, social security numbers, and contents of communications. The new “Right to Limit” allows consumers to tell a business: “You can use my location to deliver my pizza, but you cannot use it to build a profile of where I sleep or work.” This bifurcated opt-out mechanism—stopping the “Share” and limiting the “SPI”—creates a complex compliance burden that goes far beyond a simple cookie banner.

This article dissects the operational reality of the “Do Not Sell or Share” and “Limit the Use of My Sensitive Personal Information” mandates. We will explore the technical implementation of the Global Privacy Control (GPC), the difference between “necessary” and “secondary” uses of SPI, and how to build a preference center that satisfies the California Privacy Protection Agency (CPPA) without destroying your marketing analytics.

Critical Checkpoints for CPRA Opt-Out Compliance:

  • The “Share” Definition: If you use Meta Pixel, Google Ads, or Criteo for retargeting, you are “sharing.” You must have an opt-out link.
  • Global Privacy Control (GPC): Recognizing the GPC browser signal is mandatory. It must automatically trigger the opt-out without forcing the user to click a link.
  • SPI Limitation: You must provide a “Limit the Use of My Sensitive Personal Information” link unless you only use SPI for specifically exempted “business purposes.”
  • Frictionless Exception: You can skip the footer links if you fully honor the GPC signal in a “frictionless” manner.

See more in this category: Digital & Privacy Law

In this article:

Last updated: October 27, 2023.

Quick definition: Two distinct consumer rights under CPRA: the right to opt-out of the sale/sharing of data for behavioral ads, and the right to restrict the use of sensitive data (SPI) to essential business functions.

Who it applies to: For-profit entities doing business in California with >$25M revenue, or those buying/selling/sharing data of >100k consumers.

Time, cost, and documents:

  • Implementation: Immediate (Enforcement began July 2023).
  • Cost: Technical implementation of Consent Management Platform (CMP).
  • Key Documents: Privacy Policy updated with SPI disclosures; Notice at Collection.

Key takeaways that usually decide disputes:

  • Whether the GPC signal was honored automatically.
  • Classification of “Cross-Context Behavioral Advertising.”
  • Whether SPI use went beyond “reasonable expectations.”

Quick guide to “Sale/Share” and SPI Limits

  • “Share” targets AdTech: The primary target of the “Share” opt-out is the real-time bidding ecosystem. If you send a user’s hashed email to Facebook to find them on Instagram, that is “Sharing.”
  • SPI is not just Health: While health data is SPI, so is your driver’s license number, union membership, and precise geolocation (within 1,850 feet). Know your data map.
  • The “Alternative Opt-out Link”: Instead of two separate links (“Do Not Sell/Share” AND “Limit SPI”), you can use a single “Your Privacy Choices” link that leads to a toggle for both.
  • Wait 12 Months: Once a user opts out or limits SPI, you cannot ask them to opt back in for at least 12 months.
  • Downstream Notification: When a user opts out, you must notify the third parties you shared the data with to also stop selling/sharing it. This is the hardest operational step.

Understanding the Opt-Out Mechanisms in Practice

The distinction between “Sale” and “Share” is crucial for compliance. Under CCPA, “Sale” meant exchanging data for money or “other valuable consideration.” Many businesses argued that letting Google track users in exchange for free analytics wasn’t a “sale.” The CPRA added “Share” specifically to regulate Cross-Context Behavioral Advertising. This is defined as targeting advertising to a consumer based on their personal information obtained from their activity across businesses, distinctly-branded websites, or services. If you engage in retargeting, you are sharing. Period.

The Limit Use of Sensitive Personal Information (SPI) is a narrower but more potent right. It does not stop you from collecting SPI; it stops you from using it for inferential or secondary purposes. For example, a navigation app needs precise geolocation to function. They can collect it. However, if they use that geolocation to determine that a user visits a dialysis clinic and then sell that inference to an insurance company, they have violated the “Limit Use” right (if the user exercised it). The law permits the use of SPI for “average consumer expectations” (i.e., providing the requested service) without an opt-out, but anything beyond that triggers the right.

The “Frictionless” Preference Signal Pathway:

  • The Rule: If you process the Global Privacy Control (GPC) signal in a “frictionless” manner, you do not need to display the “Do Not Sell/Share” and “Limit SPI” links in your footer.
  • What is “Frictionless”? It means the opt-out happens automatically, without the user having to create an account, pay a fee, or click through pop-ups.
  • The Catch: You still must disclose the rights in your Privacy Policy. Most businesses still keep the links to be safe, using a “belt and suspenders” approach.

Legal and practical angles that change the outcome

The “Notice at Collection” requirement is often messed up in relation to SPI. You cannot just bury the SPI use case in paragraph 40 of your policy. At the point of collection (e.g., the sign-up form asking for geolocation), you must provide notice that this data is SPI and explain if it is used for profiling. If you fail to disclose the “profiling” use case here, you might be barred from using the data for that purpose entirely, regardless of opt-outs.

Practically, the Consent Management Platform (CMP) (like OneTrust, Ketch, or Osano) is the engine of compliance. These tools must be configured to distinguish between “Strictly Necessary” cookies (exempt) and “Targeting” cookies (subject to opt-out). A common failure is installing a CMP but failing to classify the tags correctly, meaning the “Do Not Share” button is a placebo that doesn’t actually stop the data flow to Meta or Google.

Workable paths for managing mixed signals

What happens if a user is logged in (known user) but sends a GPC signal from a browser where they are logged out? The workable path is to treat the GPC signal as applying to the browser/device and, if you can link it, to the user profile. The CPRA regulations suggest that if you know the user, the browser signal should propagate to their account settings (“pseudonymous profile”). If you can’t link them, you must at least honor it for that specific browser session.

Practical application: Implementing the Links

Compliance is visible on the footer of your website. Here is the standard implementation workflow.

  1. Audit Your Tags: Use a tool like Ghostery or built-in developer tools to see what pixels are firing. Identify which ones are “Cross-Context” (retargeting).
  2. Identify SPI: Map where you collect SSN, Geolocation, Genetics, Biometrics, Health info, or Sexual Orientation. Determine if you use these for anything other than the core service.
  3. Configure the CMP: Set up your cookie banner. It must have a toggle for “Do Not Sell or Share My Personal Information.”
  4. The Footer Links: You must have a link titled “Do Not Sell or Share My Personal Information” AND a link titled “Limit the Use of My Sensitive Personal Information.” OR, a single link titled “Your Privacy Choices” (with the specific blue toggle icon) that leads to a page controlling both.
  5. GPC Listener: Ensure your website listens for the `navigator.globalPrivacyControl` signal. If detected (value = 1), automatically toggle the preferences to “Opt-Out” without user intervention.
  6. Vendor Notification: When an opt-out is received, your system should ideally send a signal (like US Privacy String) to downstream vendors telling them “restricted processing only.”

Technical details and relevant updates

The Global Privacy Control (GPC) is not optional in California. The Attorney General settled with Sephora in 2022 specifically over the failure to honor GPC. Technically, GPC is an HTTP header or JavaScript property (`navigator.globalPrivacyControl`). Your site code must check for this boolean. If true, you must suppress tracking pixels immediately.

Regarding SPI Categories (Civ. Code § 1798.140(ae)), “Precise Geolocation” is defined strictly as data locating a consumer within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet. If you only collect “City” or “Zip Code,” that is usually not SPI. If you collect GPS coordinates, it is.

  • Dark Patterns: The interface for opting out cannot be more difficult than the interface for opting in. You cannot use double negatives (“Don’t not sell my data”) or confusing colors to discourage the choice.
  • Pseudonymous Data: Even if you hash emails (e.g., SHA-256) before sending them to Facebook Custom Audiences, this is still “Sharing” because the intent is re-identification for advertising.

Statistics and scenario reads

Adoption of privacy rights is increasing, driven largely by automated browser signals rather than manual clicks.

Scenario analysis shows that “Sharing” opt-outs are significantly higher than “Sale” opt-outs because “Sharing” affects the visible ads users see, making the cause-and-effect more tangible.

GPC Signal Opt-Outs

70%

Manual Footer Clicks

10%

CMP Banner Interaction

20%

Monitorable points for Compliance Teams:

  • GPC Recognition Rate: Test monthly if GPC-enabled browsers are auto-opted out.
  • Opt-Out Persistence: Does the opt-out survive a page reload? (It should).
  • Vendor Contracts: Do contracts explicitly restrict SPI use for vendors receiving sensitive data?

Practical examples of Sale/Share and SPI

Scenario A: The Compliant Retailer

A user visits a shoe store site with GPC enabled. The site automatically displays a banner: “Global Privacy Control detected; you have been opted out of data sharing.” The Facebook Pixel on the page fires but includes a “Limited Data Use” (LDU) flag, telling Facebook not to use this data for retargeting.

Verdict: Compliant. The friction was zero, and the downstream vendor (Facebook) was notified via the LDU flag.

Scenario B: The SPI Violation

A dating app collects “Sexual Orientation” (SPI) to match users. This is a primary purpose. However, the app also shares this data with an advertising network to target “LGBT-friendly travel ads.” The user clicks “Limit the Use of My SPI.” The app continues to share the data for ads.

Verdict: Violation. Advertising is a secondary purpose. Once the “Limit” right is exercised, SPI can only be used for the core matching service, not ads.

Common mistakes in Opt-Out Implementation

Assuming “Service Provider” Means Safe: Just calling a vendor a “Service Provider” in a contract doesn’t work if you technically allow them to use your data for their own profiling (e.g., Google Analytics without IP anonymization).

Hiding the Links: Putting the “Do Not Sell” link inside the Privacy Policy instead of on the footer of the homepage is a direct violation of the visibility rules.

Ignoring GPC: Many businesses install a cookie banner but fail to wire it up to the GPC signal. This is the low-hanging fruit for regulators testing compliance.

Conflating “Limit SPI” with “Delete”: Limiting SPI doesn’t delete it. It just freezes it for non-essential uses. Do not delete the data if the user only asked to limit it.

FAQ about Sale/Share & SPI Limits

Do I need the “Do Not Share” link if I don’t sell data?

Likely, yes. If you use third-party marketing cookies (Meta Pixel, LinkedIn Insight Tag) that track users for retargeting, you are “sharing” under CPRA even if no money is exchanged.

The definition of “Share” captures almost all modern digital advertising that uses cross-site tracking.

Is Google Analytics 4 (GA4) considered “sharing”?

It depends on configuration. If you link GA4 to Google Ads for remarketing audiences, it is definitely “sharing.”

If you use it strictly for aggregate measurement and disable data sharing settings with Google, it may function as a Service Provider, potentially avoiding the “share” label.

What if I use SPI only for the service provided?

If you only use Sensitive Personal Information (SPI) for purposes specifically exempted (e.g., providing the requested service, security, quality control), you do not need to provide the “Limit Use of SPI” link.

However, you must document this exemption in your Privacy Policy.

Does the “Your Privacy Choices” icon replace the text?

No. You can use the specific blue icon (the checkmark privacy options icon) alongside the text “Your Privacy Choices,” but you cannot use the icon alone.

The text link is mandatory; the icon is optional but recommended for recognizability.

How long must I honor an opt-out?

You must honor it for at least 12 months. After 12 months, you may request the consumer to opt back in, but you cannot badger them before that.

If the user clears their cookies (and you haven’t linked the opt-out to a login), they may inadvertently opt back in, which is a technical limitation, not a legal one.

Does this apply to employee data?

Yes. Employees have the right to limit the use of their SPI (e.g., biometric data, diversity info) if it is used for secondary purposes.

However, employers generally do not “sell” or “share” employee data for ads, so the “Do Not Share” right is less commonly triggered in HR contexts.

What is a “dark pattern” in opt-outs?

A dark pattern is a user interface designed to subvert choice. Examples include making the “Reject All” button invisible or grey, using confusing language (“Click here if you do not want to not share”), or forcing users to click through 10 screens to opt out.

These are explicitly banned by CPRA regulations.

Do I have to notify past recipients of data?

For a Request to Delete, yes. For a Request to Opt-Out of Sale/Share, you must stop future sharing.

However, best practice involves notifying downstream partners that the user has opted out, often done via signals like the IAB CCPA Compliance Framework.

Can I charge for privacy?

Generally, no. You cannot discriminate against a user for opting out (e.g., charging a higher price).

However, you can offer financial incentives (e.g., a discount) for the collection/sale of data if the value is reasonably related to the value of the data, and you obtain prior opt-in consent.

What if I am a non-profit?

Most provisions of CPRA apply to for-profit entities. However, if a non-profit is controlled by or shares common branding with a for-profit that is subject to the act, it may also be liable.

Always review your corporate structure and data flows to confirm exemption.

References and next steps

  • Test Your GPC: Visit the Global Privacy Control website with your browser to see if your signal is active, then test your own site to see if it responds.
  • Update Your Footer: Ensure the link says exactly “Do Not Sell or Share My Personal Information” or utilizes the “Your Privacy Choices” alternative.
  • Map Your SPI: Create a data inventory specifically for Sensitive Personal Information to determine if you need the “Limit Use” link.

Related reading:

  • California Civil Code § 1798.121 (Right to Limit Use of SPI)
  • California Civil Code § 1798.135 (Methods of Limiting Sale/Share)
  • The Sephora Settlement: Lessons on GPC Enforcement
  • CPPA Regulations on Dark Patterns

Legal basis

The “Right to Opt-Out of Sale or Sharing” is codified in California Civil Code § 1798.120, while the specific requirements for the links and preference signals are detailed in § 1798.135. The “Right to Limit Use and Disclosure of Sensitive Personal Information” is found in § 1798.121.

The regulations regarding Global Privacy Control (GPC) and Frictionless Preference Signals are established by the California Privacy Protection Agency (CPPA) in 11 CCR § 7025 and § 7026. These regulations clarify that processing the GPC signal is mandatory and serves as a valid consumer request.

Final considerations

The CPRA’s “Sale/Share” and SPI provisions are not just about adding links to a footer; they are about fundamentally respecting the user’s intent to remain private in a surveillance economy. The transition from “Sale” to “Share” destroys the plausibility of the “we don’t sell data” defense for companies using behavioral ads. Similarly, the SPI limitation forces businesses to justify why they need precise data, moving away from data hoarding.

Compliance here is binary. Either your website respects the GPC signal, or it doesn’t. Either your “Do Not Share” link actually stops the Meta Pixel, or it’s a fake button. Regulators are now using automated tools to scan for these exact failures. The path of least resistance is to embrace the “frictionless” model: honor the signal, minimize the data, and build trust through transparency rather than trapping users in a maze of toggles.

Key point 1: “Sharing” covers almost all retargeting and behavioral advertising.

Key point 2: GPC signals must be honored automatically; ignore them at your peril.

Key point 3: SPI use must be limited to “necessary” functions unless you offer an opt-out.

  • Review your “Notice at Collection” for SPI disclosures.
  • Verify your CMP is actually blocking “Sharing” tags when toggled.
  • Train marketing teams on the restrictions of “Limited” SPI.

This content is for informational purposes only and does not replace individualized legal analysis by a licensed attorney or qualified professional.

Deixe um comentário

O seu endereço de e-mail não será publicado. Campos obrigatórios são marcados com *