Clym Logo

What Counts as Selling Personal Information Under the CCPA?

~ 10 min read

Selling personal information under the CCPA covers more than financial transactions. In 2026, updated guidance makes it clear that selling includes sharing data in exchange for value, including analytics or marketing benefits. A transfer qualifies as a sale even if no money changes hands, as long as the business receives something beneficial in return. This often applies when websites use analytics providers, enrichment tools, or partnerships that rely on personal information. Determining whether selling is taking place depends on how vendors use the data and whether contracts restrict them from retaining or repurposing it. This guide explains the criteria for selling, provides common examples, and highlights steps businesses can take to handle opt-outs and notices.

Summarize full article with:

Introduction

Many businesses assume they are not “selling” personal information because they do not exchange data for money. However, the CCPA defines selling in a broad way that reaches common digital practices. In 2026, with updated regulations and increased enforcement, understanding whether your business is selling personal information is essential for offering opt-outs and communicating your practices accurately.

This guide explains what qualifies as selling, how value exchange is interpreted, and which everyday integrations may involve a sale under the CCPA.

The legal definition of selling personal information

The CCPA defines “selling” as making personal information available to another business for monetary or other valuable consideration. This includes:

  • Receiving a commercial benefit, even if indirect
  • Providing data that supports business operations, marketing, or performance
  • Disclosures made without restrictive service provider contracts

“Valuable consideration” can be broad. It includes insights, analytics services, data matching, audience creation, or anything that benefits the business through access to personal information.

What counts as selling?

Although the term “selling” suggests a financial transaction, the CCPA captures many non-monetary exchanges.

1. Transfers that benefit the business

If your business receives free analytics, ad optimization, or reporting in exchange for allowing a partner to collect personal information from your users, this may be selling.

2. Data sharing without service provider contracts

If a vendor can reuse data for its own purposes, the transfer may default into selling.

3. Participation in commercial partnerships

Affiliates, lead generation programs, and revenue-share models may involve selling if personal information is disclosed to partners.

4. Tools that collect identifiers

Cookies, pixels, and SDKs that collect unique identifiers often create value for the business and the vendor.

5. Data enrichment and matching services

Providing hashed identifiers to match user profiles can be considered selling.

Examples of selling in digital environments

Analytics without restrictive contracts

If your analytics provider uses the collected information to improve its own algorithms or services, this can be a sale.

Advertising platforms that use data for their own purposes

Platforms that receive identifiers for ad targeting may qualify as recipients of sold data.

Cross-brand collaborations

Sharing email lists or customer segments with partners.

Lead generation tools

If traffic or conversions are attributed using identifiers sent to partners, a sale may have occurred.

What does NOT count as selling?

Not every data transfer qualifies as a sale. Exclusions include:

  • Disclosures to service providers or contractors under compliant agreements
  • Consumer-directed transfers
  • Data shared for security, debugging, or essential operational purposes
  • Publicly available information
  • Internal sharing within a single controlled group of companies (with restrictions)

How to determine if your business is selling data

Ask the following:

1. Does the vendor reuse or repurpose the data?

If yes, the transfer may be a sale.

2. Does the arrangement create value for your business?

Value does not need to be monetary.

3. Are you using tags, pixels, or SDKs from partners?

These often involve selling unless restricted by contract.

4. Do you have contracts that limit vendor data use?

Without them, many transfers default to selling.

Business obligations if data selling occurs

Businesses that sell personal information must:

1. Provide a clear opt-out

Display a visible “Do Not Sell or Share My Personal Information” link.

2. Honor GPC signals

Opt-out preference signals must be recognized.

3. Update privacy notices

Your privacy notice should include:

  • The categories of personal information sold
  • The recipients
  • The business purposes
  • Consumers’ opt-out instructions

4. Review vendor contracts

Confirm whether partners qualify as service providers or third parties.

Personal data selling vs. service provider relationship

To avoid a transaction being considered a sale, a service provider agreement must:

  • Restrict the vendor from using data for purposes beyond the service
  • Require data deletion upon request
  • Prohibit retention or independent profiling
  • Limit subcontractor disclosures
  • Include specific statutory language

If such terms are missing, the vendor may be considered a third party, and the transfer may constitute selling.

Common misunderstandings about CCPA data selling

“We don’t sell data because we don’t receive money.”

Money is not required; value is enough.

“Analytics is harmless.”

Not always. Vendor-side reuse may turn it into selling.

“A privacy policy is enough.”

Businesses need both disclosures and operational opt-outs.

How businesses can monitor selling activity with Clym’s RealTime Compliance

Many businesses struggle to identify when a vendor integration, pixel, or script begins processing personal information in ways that may qualify as selling under the CCPA. These patterns can shift as platforms update their features, data-sharing models, or contractual terms.

Clym’s RealtimeCompliance™ solution provides ongoing visibility into how website tools collect and transmit personal information.

RealTime Compliance can support teams by detecting data flows, flagging when vendor behavior changes, and providing insights that help businesses review their selling-related obligations more efficiently.

FAQs about selling personal information under the CCPA

Selling occurs when a business makes personal information available to another entity in exchange for monetary or other beneficial value. The benefit can be indirect, such as receiving analytics services, access to an advertising platform, data enrichment, or technology features that rely on the user’s information.

No. The law does not require a financial transaction. If a business receives any benefit, advantage, or improved service in return for providing personal information, the transfer may classify as selling.

Valuable consideration includes non-monetary benefits such as:

  • Free or discounted services
  • Analytics insights
  • Access to advertising algorithms
  • Enhanced reporting or benchmarking
  • Participation in audience-matching ecosystems

If personal information enables these benefits, selling may occur.

Analytics tools may be considered selling when:

  • The provider reuses or aggregates your users’ data for its own services
  • Data sharing features are enabled
  • Identifiers flow into advertising or machine learning systems
  • Contracts do not restrict the provider’s data use

In these cases, your business is providing valuable data and receiving analytics in exchange.

Yes. If an advertising platform receives identifiers (cookies, email hashes, IP addresses) and uses them to optimize its own ad ecosystem, the transfer may be classified as selling, especially if the platform is considered a third party.

Yes. Sharing email lists, even hashed versions, may qualify as selling if the recipient uses the data to build profiles, create match lists, or enhance its algorithms.

A vendor may only avoid triggering selling if it is a service provider, meaning the contract:

  • Restricts use of personal information
  • Prohibits reuse or independent profiling
  • Requires deletion upon request
  • Defines clear, limited business purposes

If these conditions are not met, the vendor is treated as a third party, and selling may occur.

Often, yes. When GA4 is configured with data sharing, remarketing, or benchmarking features enabled, it allows Google to use the data for its own advertising ecosystem. This may classify the transfer as selling unless restricted through designated service provider settings.

You must:

  • Provide a “Do Not Sell or Share My Personal Information” link
  • Detect and honor GPC signals
  • Update privacy notices
  • Restrict vendor tracking when opt-outs are submitted
  • Complete a risk assessment before selling begins (new for 2026)

Collecting personal information for your own internal use does not qualify as selling. Selling occurs only when you disclose the information to another entity in exchange for value.

Yes. If you upload identifiers to a platform that returns enhanced demographic, behavioral, or interest insights, the transfer may be considered selling because you receive a commercial benefit.

Yes. Selling applies to both online and offline interactions, such as sharing loyalty program data, point-of-sale information, or customer lists with partners or vendors.

Yes. Frequency does not matter. If any selling occurs, you must provide the opt-out link.

When a consumer opts out, a business must:

  • Stop selling that consumer’s information
  • Prevent selling mechanisms (e.g., tracking pixels) from activating
  • Notify partners to halt downstream use
  • Maintain records of the opt-out event

If the business is subject to the CCPA (based on thresholds), it must follow selling rules regardless of size or revenue model. Eligibility is determined by consumer volume, revenue, or data broker activity.

Alex Margau

Content Manager

Alex is a Content Developer at Clym, where he researches and writes about everything related to data privacy and web accessibility compliance for businesses, helping them stay informed on their compliance needs and spreading awareness about making the web safer and more inclusive. When he’s not writing about compliance, Alex has his nose in a book or is hiking in the great outdoors.

Find out more about Alex

Related articles