The one sentence version
California gives people the right to stop businesses from selling or sharing their personal information. The catch is that under the CPRA, common adtech behavior counts as a sale or share even when no money changes hands. Loading an advertising pixel that passes identifiers to a third party is usually a share. That is why a Do Not Sell or Share control, on its own, is not enough if your tags still fire on page load.
What counts as a sale or share
A sale is disclosing personal information to a third party for money or other value. A share is disclosing it for cross-context behavioral advertising, which is the technical name for retargeting and most programmatic ads. Cookie IDs, device identifiers and the data a pixel collects are personal information. So a Meta pixel, a Google Ads tag or a LinkedIn Insight tag that runs before the visitor opts out is the exact pattern regulators care about.
What your site actually needs
- A clear, conspicuous Do Not Sell or Share link, or the combined Your Privacy Choices control, reachable from every page.
- Recognition of the Global Privacy Control signal. Under the CPRA a GPC signal from the browser must be treated as a valid opt-out, automatically, with no extra clicks.
- A way to actually stop the sharing, which means holding advertising and sharing tags until the opt-out preference is known, not just recording a choice after the tags already ran.
- A path to handle consumer rights requests to know, delete and correct, within the statutory windows.
- Limits on the use of sensitive personal information when a consumer asks for them.
Opt-out, not opt-in
CCPA is an opt-out regime, unlike GDPR which is opt-in. You do not need a consent banner before analytics in California the way you do in the EU. What you do need is to make opting out easy, to honor GPC, and to make sure that once someone opts out, the sale and sharing genuinely stop.
How to check your own site
Open your homepage as a fresh visitor and watch what loads. If advertising or social tags fire before any opt-out, and there is no Do Not Sell or Share link or GPC handling, that is the gap to close first. You can do this in seconds with the free CCPA and CPRA scanner, which flags advertising and sharing tags that fire on load and checks for a Do Not Sell link. For a broader inventory of every tracker on the page, use the cookie scanner.
How ConsentX helps
ConsentX reads the Global Privacy Control signal natively and applies the opt-out automatically, gives you a Do Not Sell or Share preference control, and holds sale and sharing tags until the preference is resolved. It also ships a DSAR workflow with a 45-day CCPA timer so rights requests do not slip. Read more on the CCPA compliance page or start free.