Sale of Personal Information
Under CCPA/CPRA, any disclosure of personal information to a third party for monetary or other valuable consideration — a definition broad enough to sweep in targeted advertising, data cooperatives, and most analytics integrations absent a service-provider contract.
Overview
The "sale" of personal information is a legal term of art in US privacy law — not the everyday sense of a cash transaction. Under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), a "sale" is the selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating personal information to a third party for monetary or other valuable consideration.
"Other valuable consideration" is the hinge. It is what converts routine integrations — feeding data into an ad-tech pixel, contributing to a shared attribution graph, exchanging audience segments with a partner — into regulated sales that require opt-out notice and GPC honoring.
The CPRA added a parallel concept, "sharing for cross-context behavioral advertising," to close a loophole in the original CCPA where controllers argued that ad-tech data flows were not "sales" because no money changed hands. After CPRA, sharing for targeted advertising triggers the same opt-out regardless of whether consideration is exchanged.
When It Applies
A disclosure of personal information qualifies as a sale (or share) when all of the following are true:
- The data moves from the business to a third party (not a service provider under contract — see Controller vs Processor)
- Either monetary or other valuable consideration flows, or the data is used to deliver cross-context behavioral advertising
- The consumer has not directed the disclosure themselves (a user-initiated share is not a sale)
Typical examples that count as sales or shares:
- Feeding personal identifiers into Meta, Google, or TikTok advertising pixels for retargeting
- Contributing customer emails to a co-op or data cooperative in exchange for match rates
- Allowing an analytics SDK to use event data for its own product improvement
- Integrating a marketing automation tool that enriches the list from its own graph
Examples that typically are not sales:
- Transferring data to a processor under a DPA that prohibits using the data for the processor's purposes
- Sharing at the consumer's explicit direction (e.g., "connect my account to X")
- Transferring data in a merger or acquisition (subject to notice requirements)
Variations Across Jurisdictions
| Jurisdiction | Definition | Opt-Out Right |
|---|---|---|
| California (CCPA/CPRA) | Broad — "monetary or other valuable consideration"; "share" adds cross-context behavioral advertising | Yes; Do Not Sell or Share My Personal Information link required; GPC honored |
| Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas | Narrower — usually "monetary consideration" only; targeted advertising is a separate opt-out right | Yes; GPC honored |
| Virginia | Monetary consideration only | Yes; no GPC mandate |
| Utah | Monetary consideration only | Yes; no GPC mandate |
| Florida, Kentucky, Iowa, Indiana, Tennessee, Rhode Island | Monetary consideration only | Yes; targeted-advertising opt-out separate |
| Nevada SB 220 | Narrow — restricted to "exchange for monetary consideration" | Yes; website-specific right |
California remains the strictest and most expansive definition. A data flow that is not a "sale" in Virginia may very well be a "sale or share" in California. Multi-state controllers typically configure their systems to treat the California posture as the baseline.
How Inori Handles This
Inori does not sell or share personal information under any statutory definition. The business model is subscription SaaS; there is no ad-tech, no data cooperative, no audience-enrichment flow.
Grounding in code:
- No sale declaration —
src/content/legal/privacy.mdxv1.2 contains an affirmative "We do not sell or share your personal information" statement that meets the CCPA notice-at-collection requirement. - GPC honored —
middleware.ts:respectGpcdetects theSec-GPC: 1header on every request and sets a server-sidegpc_opt_outflag that disables any opt-out-sensitive behaviors for that consumer. This covers the 12 states where GPC is a mandatory universal opt-out mechanism per RIGHTS_AND_CONSENT.md Table 2. - Analytics opt-out —
notification_preferences.analytics_opt_outis a per-consumer flag that disables Inori's own product analytics for that user, complementing GPC for tools that are not directly triggered by the header. - Processor discipline — every downstream vendor operates under a DPA with a no-sale clause (see DPA), preserving the processor classification and keeping those flows out of the sale/share definition entirely.
- Subprocessor transparency —
/legal/subprocessorsdiscloses every recipient so consumers can independently verify the absence of ad-tech flows.
Related Concepts
The sale/share analysis turns entirely on the Controller vs Processor classification of the recipient. The opt-out mechanism consumers use to exercise the right is typically GPC for browser-based flows and a request form for others. The foundational law is CCPA/CPRA.
See how Inori handles sale of personal information
Try our free COI checker first, or start a free trial of the full platform.