Businesses often engage in selling or sharing personal information under the CCPA without realizing it, especially as modern tools, pixels, analytics platforms, CDPs, and enrichment services, collect and transmit identifiers in ways that fall under 2026 guidance. Selling occurs when personal information is disclosed in exchange for value, while sharing applies specifically to cross-context behavioral advertising. Common real-world examples include free analytics tools that reuse data, retargeting pixels, hashed email uploads for audience targeting, and partnerships that exchange customer segments. Some technologies trigger both selling and sharing because they blend analytics, enrichment, and advertising activation. The article also explains scenarios that do not qualify, such as contextual advertising or strict service-provider relationships. A simple evaluation framework helps teams examine their digital stack for potential CCPA implications.
CCPA Selling & Sharing Examples: Real-World Scenarios Businesses Face in 2026
Introduction
Many businesses believe they do not sell or share personal information, even though the digital tools they rely on, pixels, SDKs, analytics products, audience builders, enrichment platforms, and partner integrations, often fall directly within the CCPA’s definitions. With updated 2026 expectations and enforcement priorities, understanding how these activities show up in real environments is becoming more important.
This article provides practical, easy-to-recognize examples showing where selling and sharing occur across websites, mobile apps, advertising systems, and partner workflows.
What selling looks like under the CCPA
For a deeper explanation of what qualifies as selling, read our associated article on what counts as selling personal information under the CCPA.
Selling occurs when a business discloses personal information in exchange for value. That value may be analytical insights, advertising efficiencies, enriched data points, or other commercial benefits. Below are common patterns that represent selling in modern digital environments.
Analytics-driven selling
Free analytics tools that reuse visitor identifiers
A business implements a free analytics tool. The platform collects IP addresses, cookie IDs, device signals, and page interactions. The vendor may reuse this information to improve its broader analytics or advertising products. Because the business receives analytics and the vendor receives data, this exchange may qualify as selling.
Analytics platforms connected to advertising ecosystems
Some providers combine analytics with advertising optimization. Even if the business only uses analytics features, the vendor may still reuse the data elsewhere. This reuse may classify the disclosure as selling unless service-provider restrictions prevent it.
Practical scenario example: SaaS onboarding analytics
A SaaS platform offers a free trial and uses a free analytics tool to understand product onboarding behavior. The tool collects IP addresses, device identifiers, and user interaction events. The provider reuses this information to improve its analytics and advertising products.
Why it matters: The SaaS receives analytics value, and the provider receives behavioral data. This exchange may qualify as selling under the CCPA.
Practical scenario example: Mobile app SDK data reuse
A mobile app integrates an SDK for crash reporting and messaging. The SDK provider uses aggregated device IDs and behavioral logs to strengthen its broader ecosystem.
Why it matters: If the provider reuses data beyond the app’s scope, this pattern may fall within selling.
Data enrichment selling
Uploading hashed emails for enrichment
A business uploads hashed customer identifiers to a data platform that returns demographic or behavioral insights while enhancing its own dataset. This exchange may constitute selling.
Enrichment APIs returning appended attributes
Some APIs return appended fields, location, interests, modeled purchase probability. If identifiers are reused outside the business relationship, selling may occur.
Practical scenario example: B2B enrichment for lead scoring
A B2B software company uploads hashed emails to a data enrichment API to obtain job titles, industry tags, and company revenue estimates. The platform retains the hashed identifiers to strengthen its own dataset.
Why it matters: The exchange of value, insights in return for identifiers, may qualify as selling.
Practical scenario example: CRM-to-enrichment sync
A marketing team connects its CRM to an enrichment tool that appends behavioral or demographic data. The enrichment vendor adds the identifiers to its master graph.
Why it matters: The vendor benefits from new identifiers, which may create a selling scenario.
Revenue or partner-driven selling
Affiliate program tracking
Affiliate links often transmit identifiers such as cookie IDs or device signals to partners. Because these identifiers contribute to revenue attribution, this may fall within selling depending on the arrangement.
Co-marketing or sponsorship partnerships
When partners exchange customer segments to coordinate campaigns, the data disclosure may represent selling if personal information contributes to the benefit received.
Practical scenario example: Lifestyle brand co-marketing
Two lifestyle brands collaborate on a seasonal promotion. Each shares customer segment data, such as “customers aged 25–40 interested in wellness”, to coordinate email campaigns and track engagement.
Why it matters: Because both parties receive promotional benefits from exchanging personal information, this may fall within selling.
Practical scenario example: Affiliate tracking in retail
A retail site uses affiliate tracking links. Each click passes cookie identifiers and session parameters to affiliate partners so conversions can be attributed.
Why it matters: The shared identifiers contribute to commercial value, which may align with selling.
What sharing looks like under the CCPA
Sharing is narrower than selling and applies when personal information is disclosed for cross-context behavioral advertising, even when no value is exchanged. You can explore the legal details of sharing personal information under the CCPA in our related article.
Ad pixel-based sharing
Retargeting pixels
A user views a product and later sees ads for it on another platform. The pixel transmits identifiers to an ad network to support personalized advertising. This is sharing under the CCPA.
Practical scenario example: E-commerce retargeting
An e-commerce business installs a retargeting pixel. When a visitor views a product, identifiers are sent to an ad platform. The visitor later sees personalized ads on other sites.
Why it matters: This is a classic sharing scenario because identifiers support cross-context behavioral ads.
Audience-building sharing
Lookalike audience creation
A business uploads hashed emails to a platform to build a lookalike audience. The platform matches the data to broader behavioral patterns to find similar users. This is a common form of sharing.
Custom audience activation
Identifiers collected on the website are synced to an advertising platform to support personalized ads. This qualifies as sharing even without a monetary exchange.
Practical scenario example: SaaS lookalike audiences
A SaaS company uploads hashed customer emails to an advertising platform to create a lookalike audience. The platform compares uploaded users to behavioral data across its ecosystem to find similar prospects.
Why it matters: The platform uses identifiers for cross-context behavioral advertising, which fits sharing.
Practical scenario example: Subscription business engagement audiences
A subscription-based publisher exports a list of active readers to an ad platform for “engagement-based targeting.” The platform uses browsing behavior across unrelated sites to refine audience segments.
Why it matters: Cross-site behavioral advertising = sharing.
Cross-site tracking sharing
Ad services tracking behavior across domains
Third-party ad networks may track browsing across multiple websites. Ads are then personalized based on activity outside the original site. This qualifies as sharing.
Social login widgets connected to ad systems
Embedded login buttons or widgets may transmit identifiers even when users do not interact with them. If those identifiers support behavioral advertising, the activity is sharing.
Practical scenario example: Publisher using a programmatic ad stack
A news publisher uses a programmatic ad stack with multiple third-party tags. These partners track users across domains to optimize real-time bidding and deliver targeted ads.
Why it matters: Cross-domain identifiers supporting behavioral ads qualify as sharing.
Practical scenario example: Social login embedded on a service site
A learning platform embeds social login buttons. Even without interaction, the widget sends identifiers back to the social platform, where they may contribute to ad personalization.
Why it matters: Identifiers flowing into an advertising ecosystem are typically considered sharing.
Examples that may count as both selling and sharing
Some tools combine analytics, enrichment, modeling, and advertising activation.
Practical scenario example: B2B company combining enrichment and lookalike workflows
A B2B platform uploads hashed emails to enrich CRM records and then uses the enriched list to build lookalike audiences in an advertising tool.
Why it matters: Enrichment can represent selling, and lookalike activation represents sharing.
Practical scenario example: CDP feeding multiple destinations
A company uses a CDP that enriches profiles with third-party data and then distributes those profiles to advertising platforms.
Why it matters: Enrichment may fall within selling; activation may fall within sharing.
Examples that do not qualify as selling or sharing
Contextual advertising: Ads based solely on page content do not count as sharing.
Strict service-provider arrangements: If a vendor is restricted contractually and functionally to perform tasks for the business, the disclosure is not considered selling or sharing.
Consumer-directed disclosures: If the user intentionally directs the business to disclose information, the transfer falls outside both definitions.
How to evaluate your own website or app
If you are determining whether the CCPA applies to your business, our CCPA applicability guide may be helpful. For broader requirements, see our CCPA Compliance Guide.
To understand how selling or sharing may appear in your digital environment, consider the following approach:
- Map all tools that collect identifiers, including pixels, cookies, SDKs, and embedded widgets.
- Check vendor data use policies for reuse, enrichment, aggregation, or ad network participation.
- Review contracts to determine whether vendors classify as service providers or third parties.
- Identify cross-site tracking, since this pattern often aligns with sharing.
- Assess whether value is exchanged, which may indicate selling.
Practical scenario example: Mid-size SaaS privacy audit
A mid-size SaaS reviews its marketing stack and discovers that its analytics tool reuses identifiers, its advertising pixel supports personalized ads across platforms, and its enrichment sync adds customer attributes from a third-party provider.
How this maps to CCPA concepts: Analytics reuse → potential selling; Advertising pixel → sharing; Enrichment → selling.
Find out more about CCPA and online tracking, including GPC and opt-outs in 2026 in our associated resource.
Visual summary: Examples of selling & sharing of personal information under the CCPA
Category | Example | Why it qualifies |
|---|---|---|
Selling | Free analytics tools reusing identifiers | Vendor gains data; business gains analytics insights |
Hashed email enrichment | Identifiers exchanged for appended insights | |
Affiliate tracking parameters | Data contributes to revenue attribution | |
Co-marketing partnerships | Customer segments exchanged for value | |
Sharing | Retargeting pixels | Identifiers used for cross-context ads |
Lookalike audience creation | Uploaded identifiers support personalized ads | |
Cross-site ad tracking | Third-party networks track behavior across sites | |
Social login widgets | Identifiers used in advertising ecosystems | |
Both | CDPs with enrichment + activation | Enrichment (selling) + behavioral ads (sharing) |
Ad networks reusing data | Data supports vendor networks and advertising | |
Analytics + advertising ecosystems | Multi-use data flows across components | |
Not selling / sharing | Contextual ads | No behavioral targeting |
Service provider contracts | Vendor restricted to defined purposes | |
Consumer-directed disclosures | User intentionally directs disclosure |
How Clym supports data selling and/or sharing evaluations
Businesses often look for tools that help them understand how their digital stack collects identifiers, interacts with vendors, or participates in advertising ecosystems. Clym offers features that support these efforts, including:
- Clym Scanner, which identifies cookies, scripts, and services that may contribute to selling or sharing.
- Clym’s Consent Management Platform, which interprets regional privacy rules and applies the relevant consent models.
- RealtimeCompliance™, which reviews services in real time.
- The Control Center, which centralizes settings and jurisdiction-specific configurations.
These capabilities may assist teams in assessing data flows as part of their privacy program.
FAQs about selling or sharing personal information under the CCPA
Selling commonly appears when businesses provide personal information to partners in exchange for services or value. Examples include data enrichment platforms, analytics tools that reuse identifiers, lead-generation partnerships, co-branded marketing campaigns, and platforms offering free solutions in return for collecting user interaction data.
Sharing frequently occurs in advertising ecosystems, especially with retargeting pixels or audience-building tools. Examples include cross-site personalization, remarketing lists, custom audiences, lookalike audiences, and tracking tools used to deliver targeted ads.
Advertising pixels collect identifiers such as cookie IDs, device details, and interaction patterns. When these identifiers are transmitted to advertising platforms that use them for personalization or optimization, the activity may fall under selling or sharing depending on the presence of value exchange.
Yes. Uploading hashed emails or customer lists for targeting or audience expansion may be considered sharing because the data supports cross-context personalized ads. In some cases, the activity may also represent selling.
Yes. Analytics tools that reuse identifiers for product improvement may fall within selling, while tools connected to ad networks or remarketing systems may fall within sharing. Some tools may trigger both depending on configuration.
Selling may occur when a business exchanges data with a partner or platform for insights, service credits, or enhanced analytics without any advertising involvement.
A business using a retargeting pixel to show ads across other websites is engaging in sharing, even if there is no value exchange.
Yes. Cookies that transmit identifiers to third parties for analytics, advertising, or behavioral profiling may create selling or sharing obligations.
CDPs may ingest identifiers, enrich them with third-party data, and activate personalized campaigns. If both enrichment and advertising activation occur, the workflow may involve both selling and sharing.
It can. Embedded widgets often collect identifiers even when users do not interact with them. If the identifiers support behavioral advertising or personalization, the activity may fall under sharing.
Yes. Co-marketing, sponsorships, and similar programs may involve sharing user information between partners in ways that bring mutual commercial benefit.
Workflows that combine enrichment, analytics, and advertising activation, such as lookalike audience generation based on enriched profiles, may trigger both selling and sharing.
Yes. Offline activities such as sharing loyalty program lists, customer mailing lists, or partner promotion records may fall into selling or sharing depending on how the data is used.
Teams can review privacy documentation, inspect network activity, assess vendor contracts, and use scanning tools to detect pixels, cookies, identifiers, and data destinations.
Ask two questions:
- Does the business receive value from the disclosure? → May indicate selling.
- Is the information used for cross-context behavioral advertising? → May indicate sharing.
If both elements appear, the activity may fall under both selling and sharing.
Alex is a Content Developer at Clym, where he researches and writes about everything related to data privacy and web accessibility compliance for businesses, helping them stay informed on their compliance needs and spreading awareness about making the web safer and more inclusive. When he’s not writing about compliance, Alex has his nose in a book or is hiking in the great outdoors.
Find out more about Alex