Data Privacy & CCPA — Compliance Scenario

We Share Customer Data With Analytics Vendors but Never Charge for It. Legal Says We Might Still Be “Selling” It Under California Law. How Is That Possible?

A real workplace compliance scenario — with three decision options and the right answer.

Quick Answer

Can sharing customer data with a vendor trigger CCPA obligations even when no money changes hands? Yes. Under the CPRA amendment to CCPA, “sharing” personal information for cross-context behavioral advertising is treated the same as “selling” it — triggering the consumer’s right to opt out regardless of whether a financial transaction occurred. This scenario shows why the marketing team’s instinct — “we’re not selling data, we’re just using tools” — misses the legal definition that applies to a significant portion of standard digital marketing activity.

The Situation

Your marketing team shares customer and prospect data with several third-party platforms as part of standard operations: a programmatic advertising platform that uses customer data to target ads and build lookalike audiences, a web analytics vendor that tracks user behavior across the site, and a data enrichment service that appends additional demographic and firmographic data to your contact records. No money changes hands in any of these arrangements — these are service providers your company pays for access to their platforms.

Your legal team flags that these arrangements may constitute a “sale” or “sharing” of personal information under the CPRA and that California residents may have the right to opt out of them. Your marketing director pushes back: “We’re not selling data. We’re using vendor tools. We pay them — they don’t pay us.”

What Should You Do?

Choice A: Continue current practices. No money changes hands so no sale has occurred. CCPA’s sale provisions don’t apply to standard vendor tool usage where the company is the customer, not the seller.

Choice B: Escalate to Legal and conduct a review of each vendor relationship. Determine whether any of the data sharing arrangements constitute “selling” or “sharing” under CPRA, update privacy notices accordingly, implement opt-out mechanisms for California residents, and ensure vendor contracts include required data processing terms.

Choice C: Stop sharing data with all three vendors immediately until Legal provides a definitive answer. The risk of a potential violation is too high to continue while the question is unresolved.

The Right Call

Choice B — Escalate and conduct a structured review of each vendor relationship.

Choice A relies on a definition of “sale” that the CPRA has explicitly expanded. Choice C is an overreaction — not all vendor data sharing is regulated, and stopping all sharing without analysis creates operational disruption without a compliance rationale. The right answer is to analyze which arrangements fall within the CPRA definitions, update the compliance infrastructure accordingly, and build opt-out mechanisms for those that do.

Why “We’re Not Selling Data” Isn’t Enough Anymore

The original CCPA definition of “sale” was broad — CPRA made it broader.

The original CCPA defined “sale” to include disclosing personal information to a third party for “valuable consideration,” which courts and regulators interpreted to include non-monetary benefits such as data access, improved targeting, or enhanced services. The CPRA went further by adding “sharing” as a separate category: disclosing personal information to a third party for cross-context behavioral advertising, regardless of whether any consideration is exchanged. The programmatic advertising platform in this scenario almost certainly falls within the “sharing” definition.

The three vendor relationships in this scenario have different risk profiles.

The advertising platform that uses customer data to build lookalike audiences and target ads is the clearest example of cross-context behavioral advertising that triggers opt-out rights under the CPRA. The analytics vendor that tracks behavior across a single website may qualify as a service provider rather than a third party if its use of the data is limited to providing services to the company. The data enrichment service depends on whether the vendor uses the data for its own purposes or solely to provide the contracted service. The analysis matters — not all vendor relationships are equal under the law.

The service provider exception is real — but it requires a contract.

CCPA and CPRA create a “service provider” category that exempts certain vendor data sharing from the sale and sharing definitions — but only when the vendor is contractually prohibited from using the data for any purpose other than providing services to the business, and only when the contract explicitly includes CCPA-required terms. A vendor that processes data under a contract without those terms is a “third party” rather than a “service provider” — and the sharing triggers consumer opt-out rights regardless of how the relationship is described internally.

Frequently Asked Questions

Does sharing data with an advertising platform count as selling it under CCPA/CPRA?

Likely yes. The CPRA defines “sharing” as disclosing personal information to a third party for cross-context behavioral advertising regardless of whether any money changes hands. Sharing customer data with a programmatic advertising platform to build lookalike audiences or target ads almost certainly falls within this definition and triggers California consumers’ right to opt out of the sharing.

What is cross-context behavioral advertising under CPRA?

Cross-context behavioral advertising means targeting advertising to a consumer based on personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services — other than the business with which the consumer intentionally interacted. Using customer data from your CRM or website to target ads on third-party platforms is a common example.

What is the difference between a service provider and a third party under CCPA?

A service provider is an entity that processes personal information on behalf of a business pursuant to a written contract that prohibits the vendor from retaining, using, or disclosing the data for any purpose other than providing the contracted services. Data disclosed to a service provider is not a “sale” or “sharing” under CCPA/CPRA. A third party is any entity that does not meet these requirements — and data disclosed to a third party triggers consumer opt-out rights if it falls within the sale or sharing definitions.

What does a consumer’s right to opt out of sale or sharing actually require of a business?

Businesses that sell or share personal information must provide a clear and conspicuous “Do Not Sell or Share My Personal Information” link on their homepage, honor opt-out requests within 15 business days, not require the consumer to create an account to submit an opt-out, and configure their systems and vendor relationships to stop the sale or sharing for consumers who opt out. The opt-out must also be honored through Global Privacy Control signals.

What should a company do if it discovers its vendor contracts don’t include required CCPA terms?

Update the contracts to include the required data processing terms as soon as possible. Until the contracts are updated, the vendors may be legally classified as third parties rather than service providers, which means the data sharing may constitute a regulated sale or sharing. Legal counsel should review the existing contracts and identify which vendors need data processing addenda. Many major technology vendors have standard CCPA/CPRA data processing addenda available on request.

How to Use This Scenario in Training

Data privacy policy training or Code of Conduct training establishes the law. This scenario makes it stick.

Xcelus recommends this scenario for marketing, IT, data teams, and anyone involved in vendor management or technology purchasing decisions. The recognition skill is understanding that sharing data for advertising purposes triggers CCPA opt-out obligations regardless of whether money changes hands — and that the service provider exception requires a contract, not just an assumption.
