The CCPA defines selling and sharing personal information broadly, and the 2026 regulatory updates clarify how common digital tools fall under these categories. Selling includes any exchange of personal information for money or other valuable consideration, while sharing covers disclosures used for cross-context behavioral advertising. Businesses using analytics, ad tech, pixels, or data enrichment services may be selling or sharing information even without financial payments. The law applies whenever data is transferred to another party for purposes that benefit the business, especially advertising. Companies must provide opt-out mechanisms, honor signals, and update contracts with service providers. This guide explains how selling and sharing work in practice and links to deep-dive resources on each category.
CCPA Selling & Sharing in 2026: What Counts as a Sale or Share?
Introduction
The California Consumer Privacy Act (CCPA), as amended by the CPRA, gives residents the right to opt out of the sale or sharing of their personal information. But understanding what “selling” or “sharing” means under the law is not always straightforward. In 2026, updated regulations, enforcement priorities, and expanded advertising definitions make this an even more important topic for businesses operating online.
Many companies assume they are not “selling” information because no money changes hands. Others believe that analytics or advertising fall outside the scope of sharing. In practice, the CCPA’s definitions reach far beyond financial transactions, covering common marketing and website operations.
What does selling mean under the CCPA?
Under the CCPA, selling refers to disclosing or making personal information available to another party for monetary or other valuable consideration.
This covers far more than direct data sales. If a business receives value in return, analytics, ad optimization, audience insights, or services that depend on personal information, the transaction may qualify as a sale.
Common indicators that selling may be occurring
- Personal information is provided to a partner and the business receives a benefit.
- Data is used to improve marketing or deliver targeted content.
- A vendor is not bound by a service provider contract limiting data use.
When a transfer counts as a sale, businesses must offer consumers a “Do Not Sell My Personal Information” option.
Examples of data selling:
- Selling a list of customer email addresses to a data broker.
- Allowing a partner company to place a cookie on your website to collect user data in exchange for free analytics reports.
- Participating in a data co-op where you contribute customer insights to receive broader market intelligence.
What does sharing mean under the CCPA?
"Sharing" is defined as sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to a "third party" for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.
This definition targets the digital advertising ecosystem. If you use tracking pixels or cookies that track a user across the web to serve them targeted ads, you are "sharing" their personal information.
Examples of data sharing:
- Using the Meta (Facebook) Pixel to retarget website visitors on Instagram.
- Using Google Ads remarketing features to show ads to users who abandoned their shopping carts.
- Sharing hashed email lists (e.g., Custom Audiences) with an ad platform to find "lookalike" audiences.
Note: Sharing data with a Service Provider (a vendor bound by strict contractual limitations) generally does not count as selling or sharing.
Common indicators that sharing may be occurring
- Use of third-party advertising networks.
- Retargeting campaigns.
- Cross-site or cross-app tracking.
- Pixels or tags that collect unique identifiers for ad personalization.
When sharing occurs, businesses must display a “Do Not Sell or Share My Personal Information” link and honor opt-out requests.
Signs your business may be selling or sharing personal information
Determining whether your activity counts as selling or sharing requires reviewing how vendors, scripts, and marketing systems operate.
You may be selling or sharing if:
- Analytics, advertising, or engagement tools collect identifiers from visitors.
- Data is used by another company for its own purposes or algorithms.
- Retargeting or behavioral ads appear to your users.
- There are no restrictions preventing vendors from reusing collected information.
- You participate in data exchanges, enrichment, or lookalike audience programs.
For a complete set of real-world examples read our associated article on CCPA selling and sharing scenarios.
Critical CCPA updates for 2026: risk assessments & signals
As of January 1, 2026, businesses that sell or share personal information face two major new requirements enforced by the California Privacy Protection Agency (CPPA).
A. Mandatory risk assessments
If your business sells or shares personal information, you are now required to conduct a Risk Assessment before the processing begins.
- You must evaluate the benefits of the activity against the potential risks to the consumer (e.g., discrimination, loss of privacy).
- These assessments must be documented and made available to the CPPA upon request.
- Action Item: If you use third-party ad trackers, you likely trigger this "significant risk" category and must complete an assessment.
B. "Opt-out request honored" signal
Starting in 2026, it is no longer sufficient to simply process an opt-out silently. If you receive an opt-out signal (like the Global Privacy Control), you must explicitly display a confirmation to the user.
- Requirement: You may need to display a message like "Opt-Out Request Honored" or show a toggle in the user’s privacy settings indicating they have opted out.
- This allows consumers to know that their automated browser signals are working.
Common scenarios: Google, Meta, and analytics
Many businesses are unsure if their standard marketing stack triggers "selling" or "sharing." Here is the reality for the most common tools:
Does Google Analytics 4 (GA4) count as selling/sharing?
- Default Settings: Yes. If you have "Data Sharing" settings enabled or link GA4 to Google Ads for remarketing audiences, Google may use that data for its own purposes or for cross-context advertising. This counts as "sharing."
- Restricted Mode: No. If you sign a data processing amendment designating Google as a "Service Provider" and disable data sharing/remarketing features, it is generally considered a business purpose, not a sale/share.
Does the Meta (Facebook) pixel count?
- Almost Always Yes. The Meta Pixel is designed to track users for retargeting and to improve Meta’s own ad delivery algorithms. Because this data is used for cross-context behavioral advertising, it triggers the "Do Not Sell or Share" requirement.
Does Google Ads count?
- Yes. Using Customer Match (uploading email lists) or Remarketing Lists for Search Ads (RLSA) constitutes "sharing" because it uses personal information to target ads based on activity across different contexts (your site vs. Google Search).
For a deeper dive into configuring these tools, read our related article on CCPA and online tracking.
Do other common website tools count as selling or sharing?
Many businesses unintentionally fall into these categories.
- Advertising pixels: Ad networks typically use personal information for behavioral advertising. This often qualifies as sharing.
- Analytics platforms: If an analytics provider uses data for its own purposes, the transfer may become a sale unless governed by strict contracts.
- Affiliate or referral programs: Tracking IDs may constitute selling when used for mutual commercial benefit.
- Customer data platforms (CDPs): Depending on configuration, CDPs may involve both selling and sharing workflows.
What are your obligations when selling or sharing personal information?
Businesses that sell or share personal information must take several actions:
1. Provide opt-out choices
Display:
- Do Not Sell or Share My Personal Information
- A link in mobile app settings
- A method for submitting requests
2. Honor signals
Global Privacy Control (GPC) must be recognized as a valid opt-out signal.
3. Update your privacy notice
Your privacy notice should include:
- Whether you sell or share data
- Categories of personal information involved
- Third parties and business purposes
- How consumers can exercise their rights
4. Use proper contracts
Service provider and contractor agreements must restrict data use.
5. Avoid dark patterns
Consent, opt-out, and preference interfaces must follow symmetry and clarity requirements.
Selling vs. sharing: understanding the difference
Concept | Data selling | Data sharing |
|---|---|---|
Trigger | Monetary or valuable consideration | Cross-context behavioral advertising |
Financial exchange required? | No | No |
Typical examples | Data exchanges, analytics without restrictions, enrichment | Ad personalization, retargeting, ad network integrations |
Required link | Do Not Sell My Personal Information | Do Not Sell or Share My Personal Information |
Applies even without direct business benefit? | No | Yes, if the purpose is advertising |
Both categories often apply simultaneously.
Common mistakes businesses make
Businesses often misinterpret CCPA definitions. Mistakes include:
- Assuming no sale occurs because no money changes hands.
- Treating analytics tools as harmless without reviewing their data practices.
- Believing that a privacy policy alone satisfies requirements.
- Not honoring GPC signals.
- Using consent flows with more steps to opt out than to accept.
- Relying on outdated vendor contracts without data-use restrictions.
Next steps
If your business uses digital analytics, advertising tools, or marketing technologies, it is likely engaging in activities that qualify as selling or sharing under the CCPA.
Continue with the spoke articles for deeper analysis:
- What counts as selling
- What counts as sharing
- Examples of how selling/sharing occur in real environments
- Operational steps for handling selling and sharing
How businesses can manage selling and sharing settings with Clym
Handling selling and sharing under the CCPA often requires tools that can support opt-out choices, manage signals like Global Privacy Control, and organize vendor workflows. Clym provides features that can help businesses reduce manual work related to these obligations. Through Clym’s Consent Management and Privacy & Cookie Policy Management tools, website owners can configure opt-out options, present required links, manage region-based preferences, and publish up-to-date disclosures. These tools can also support tracking of visitor choices and help businesses align their data-sharing practices with documented policies.
FAQs about selling and sharing data under the CCPA in 2026
Selling involves making personal information available to another party in exchange for monetary or other beneficial value. Sharing refers specifically to disclosures made for cross-context behavioral advertising, even when no financial value is exchanged. Both activities trigger opt-out requirements and updated 2026 obligations.
No. A sale can occur even when no money changes hands. Any exchange that provides value, including analytics insights, audience matching, or access to advertising platforms, can qualify as a sale if personal information is part of the transaction.
This includes any advertising that relies on a consumer’s activities across multiple websites, apps, or digital environments. Retargeting, lookalike audience generation, multi-site tracking, and ad network personalization fall into this category.
Analytics tools may fall into selling if the vendor reuses data for its own purposes, or sharing if the data connects to advertising systems. The classification depends on contract terms, feature settings, and whether data is used in cross-context ad workflows.
Not all cookies qualify. Strictly necessary cookies do not count. Marketing, analytics, and behavioral tracking cookies are more likely to involve selling or sharing if they disclose identifiers to third parties.
If any selling or sharing occurs, including through ad pixels, analytics with unrestricted data use, or ad personalization tools, the link must be displayed at collection points. In most digital environments, selling or sharing is triggered by common tracking technologies.
Yes. GPC is treated as a valid opt-out signal. Businesses must detect the signal automatically and respond by blocking selling/sharing activities for that user. A confirmation message is required beginning in 2026.
You must stop transmitting that consumer’s personal information to partners in ways that qualify as selling or sharing. Third parties receiving the data must also be notified. Tracking technologies that trigger selling or sharing must adjust accordingly.
Businesses must complete a documented risk assessment before engaging in selling or sharing activities. Opt-out choices must display a confirmation when signals are received (e.g., “Opt-Out Request Honored”). Interfaces must avoid dark patterns and maintain symmetry.
This includes any benefit a business receives in return for disclosing personal information, such as analytics, matching, discounts, free platform features, or increased marketing performance.
Pixels and SDKs from Meta, Google Ads, TikTok, LinkedIn, Snap, and programmatic ad networks often trigger sharing because they collect identifiers for targeted advertising beyond the originating site.
A service provider must be contractually restricted from reusing personal information. If a vendor can repurpose data for its own algorithms or advertising ecosystem, it is considered a third party, and the transfer becomes selling or sharing.
Yes. Hashed identifiers remain personal information if they can be used to identify, infer, or match individuals. They are commonly used in advertising features like customer match and lookalike audiences.
Yes. A transfer may be considered selling because it provides value, and sharing because it supports cross-context behavioral advertising. Many ad-tech ecosystems fall into both categories simultaneously.
No. The “Do Not Sell or Share” obligations apply regardless of business size, as long as the company meets CCPA applicability thresholds. Even simple websites running standard advertising pixels may trigger the requirement.
Alex is a Content Developer at Clym, where he researches and writes about everything related to data privacy and web accessibility compliance for businesses, helping them stay informed on their compliance needs and spreading awareness about making the web safer and more inclusive. When he’s not writing about compliance, Alex has his nose in a book or is hiking in the great outdoors.
Find out more about Alex