In the previous installment of this blog series, we explored the different privacy rights provided to consumers under the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (CDPA), and Colorado Privacy Act (CPA). While rights such as the right to be informed and the right to access are ubiquitous among modern privacy laws such as the GDPR, the right to opt-out of sale or share is more readily seen in US state privacy laws.

Organizations that need to comply with opt-out of sale or share obligations have many considerations that should be top of mind when respecting this privacy right. Firstly, there should be an understanding of the varying requirements that are outlined by the different state laws as well as paying close attention to the legal definitions of the terms ‘sale’ and ‘share.’ For example, the four laws all include succinct definitions of ‘sale’, however, they also include more detailed definitions of what activities are excluded from the term ’sale.’ While similar, some nuances should be considered. In the fourth part of this blog series, we will take a closer look at how the CCPA, CPRA, CDPA, and CPA define opt-out of sale or share requirements and how organizations should respect them.

Comparing Definitions of ‘Sale’ and ‘Share’ Under the CCPA, CPRA, CDPA, and CPA

Before being able to implement any processes relating to the right to opt-out of sale or share, it is important to understand how this right is defined across the different states. While definitions of ‘sale’ in California, Virginia, and Colorado all use similar language, there are some important nuances to note, including certain exceptions.

Starting in California, the CCPA currently gives consumers the right to direct organizations to not sell their personal information. The CCPA defines selling personal information as a business conducting an activity such as selling, renting, or disseminating a consumer’s personal information to a third party ‘for monetary or other valuable consideration’.

The CCPA also provides certain circumstances for selling the personal information of minors. Organizations are prohibited from selling the personal information of children under 16 without prior affirmative authorization and for minors under the age of 13, a parent or guardian is required to opt-in to the sale of personal information.

The CPRA will amend the CCPA’s opt-out of sale by introducing the term ‘share’ when it becomes effective on January 1, 2023. This addition does, however, have a limited application specific to sharing a consumer’s personal information in the context of behavioral advertising where no monetary or other valuable consideration is involved.

The CDPA and CPA have very similar definitions of ‘sale,’ each stating that the term covers ‘the exchange of personal data for monetary consideration by the controller to a third party.’ Notably, the CDPA and CPA have more succinct definitions than those found under the CCPA and the CPRA, which may lead to this term being interpreted more ambiguously. Additionally, in the context of the right to opt-out of sale, neither the CDPA nor the CPA reference selling the personal information of minors nor whether their opt-out rights differ from adults.

CCPA

“Sell,” “selling,” “sale,” or “sold” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

CPRA

“Share,” “shared,” or “sharing” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business In which no money is exchanged.

CDPA

“Sale of personal data” means the exchange of personal data for monetary consideration by the controller to a third party.

CPA

“Sale”, “sell”, or “sold” means the exchange of personal data for monetary or other valuable consideration by a controller to a third party.

Comparing CCPA, CPRA, CDPA, and CPA Opt-Out of Sale Requirements

Businesses that fall under the scope of US state privacy laws should first understand the differences between what is covered by the right to opt-out in each jurisdiction. For example, the CCPA only gives consumers the right to opt-out of the sale of their personal information. The CPRA offers the right to opt-out of sale or sharing of personal information as well as the right to limit the use and disclosure of a consumers’ sensitive personal information. In comparison, the CDPA and CPA both allow consumers to opt-out of the processing of personal data for targeted advertising, the sale of personal information, and profiling.

Secondly, businesses will have certain requirements that they will have to meet to ensure they respect consumers’ right to opt-out of sale that differs from state to state. One commonality across all four laws is the need to host a conspicuous intake method for consumers to exercise their right to opt-out, although the specifics do differ between laws.

The CDPA offers the vaguest requirements for where an intake method should be hosted stating, ‘the controller shall clearly and conspicuously disclose such processing, as well as how a consumer may exercise the right to opt-out of such processing.’

The CCPA and CPRA both require organizations to include an intake method for consumer requests in the form of a conspicuous link on internet homepages and in public privacy policies. Additionally, the CCPA requires businesses to title this link Do Not Sell My Personal Information, while the CPRA requires businesses to title the link Do Not Sell or Share My Personal Information.

Finally, the CPA requires businesses that process personal data for purposes of targeted advertising or the sale of personal data to provide a ‘clear and conspicuous method’ for consumers to exercise their right to opt-out in privacy notices as well as in a ‘readily accessible location outside the privacy notice’ such as a webpage. The CPA also allows consumers to communicate their opt-out preferences through a ‘user-selected universal opt-out mechanism that meets the technical specifications established by the attorney general.’

There are some other requirements relating to the right to opt-out that businesses should be aware of. The most notable is both the CCPA and CPRA requiring businesses to respect a consumer’s opt-out preference for 12 months before they can contact the consumer to ask if they would like to opt back in. Furthermore, the CPRA introduces clarity relating to liability for violating a consumer’s opt-out preference. Under the CPRA, if a business communicates an opt-out signal to a third party will be liable if they continue to sell or share information.

Compliance With Opt-Out of Sale Requirements

A major factor in preparing for the CPRA, CDPA, and CPA is ensuring that your business is providing consumers with the proper intake methods for opt-out requests, such as a conspicuous Do Not Sell or Share My Personal Information link on homepages and in privacy policies, where applicable. You should also consider automating the documentation of consumers’ preferences once they have been communicated to you and feed this information into your data map or data inventory.

As discussed in a previous blog, data mapping is an essential privacy practice for building a centralized view of data assets, processes, purposes for processing, vendors, and the many-to-many relationships between them. By maintaining an up-to-date data map, you can track and enforce opt-out preferences and communicate them downstream to vendors, service providers, and other third parties to ensure that a consumer’s right to opt-out has been exercised and respected.

OneTrust offers a suite of solutions to help get you up to speed with US state privacy law opt-out requirements, including preference managements solutions, automated data mapping, and consent management platform (CMP).

To learn more about how OneTrust can help with compliance with US state privacy laws, request a demo and speak to one of our data privacy experts today.


Join us at our annual conference and discover best practices to build trust within your company.

Register now