February 19, 2026

CCPA Consent vs Opt-Out: What Websites Get Wrong About User Choice

Ivan Tsarynny

If you have a consent banner, a Do Not Sell link, and a preferences database logging every opt-out, you’re CCPA compliant, right?

Not really.

In July 2025, Healthline Media settled with the California Attorney General for $1.55 million. That’s one of the largest CCPA fines to date. They had opt-out forms. They had GPC support. They had a preference database. Yet, after users exercised all three, investigators found that 118 cookies were still active and 82 tracking tags were still operating.

That’s not an outlier. Most privacy teams learned their craft under GDPR, so they reflexively over-optimize for consent banners and block everything until they get consent.

The irony? They block data flows that California law allows them to run, while failing to stop the sale and sharing that California actually requires them to halt.

The gap isn’t collecting opt-out requests. It’s what happens after that. CCPA allows you to collect by default, but the moment someone opts out, whether by clicking the link or via a GPC signal, sales and sharing must stop: not in the next session, but in that very one.

CCPA’s Opt-out framework explained

Contrary to how it’s usually interpreted, CCPA isn’t built around consent before collection; it’s built on the right to opt out at any time. That distinction matters more than most privacy teams realize.

Your website can collect data without the explicit permission GDPR requires. The difference lies in stopping once the user opts out, and in the opt-out paths you offer. If you’re still assessing whether your business meets the thresholds that make you a covered business in the first place, this guide on CCPA applicability walks through each one.

The default for CCPA is that a covered business may collect and use personal information, including via cookies and tags, provided it offers:

  • A right to opt out of the sale and sharing of PI 
  • A right to limit the use/disclosure of sensitive personal information

In other words, you can drop most cookies and begin processing on the first page load. But you must provide a Do Not Sell or Share My Personal Information mechanism and honor it, including via GPC and other opt‑out preference signals. 

However, businesses need to know what sale and sharing actually mean under CCPA.

CCPA/CPRA defines the term sale as selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating a consumer’s personal information for monetary or other valuable consideration.

Likewise, CPRA adds sharing, which focuses on disclosing PI for cross‑context behavioral advertising even without valuable consideration in the traditional sense. 

In short, any transaction under which a business receives a benefit for sharing consumer information can be a sale for purposes of the CCPA.

Consent vs Opt-out comparison

Put simply, consent requires permission to start collecting. Opt-out requires the ability to stop.

This distinction determines when tracking can start, what users must do to control it, and how your systems need to respond and when. The difference shows up in your tag manager, cookie banner logic, and user signal handling. 

Let’s look at different aspects:

| Aspect | Consent model (GDPR) | Opt-out model (CCPA) |
|---|---|---|
| Default state | No collection without consent | Collection permitted by default |
| User action required | Affirmative consent to enable | Affirmative opt-out to disable |
| What it controls | All personal data processing | Sale and sharing of data (plus limiting use of sensitive PI) |
| Timing | Before data collection begins | After the consumer exercises the right via the opt-out link or GPC |
| Sensitive data | Explicit consent required | Right to limit use and disclosure; fresh consent needed to go beyond that once limited |
| Mechanism | Accept/decline before access | Do Not Sell or Share link, plus honoring GPC |

What do most teams get wrong about CCPA Opt-out and consent mechanisms?

Look closely and a few misconceptions keep costing teams their compliance. Compliance teams see a banner, a Do Not Sell link, logged preferences, and vendor attestations marked CCPA-ready, and assume they’re done. Investigators see something different: a UI layer that promises control and an infrastructure layer that ignores it entirely.

Now, why does that happen?

Teams assume importing a strict GDPR consent model satisfies the CCPA

Teams coming from GDPR build banners that block all cookies until users click Accept. That solves a problem CCPA doesn’t have, while creating one it won’t forgive.

They block all tracking for US visitors until consent is granted, but never add a Do Not Sell or Share link to the footer. The tag manager and page scripts aren’t configured to treat GPC signals as valid opt-outs. And more often than not, cookie choices are never mapped to the legal categories that matter under CCPA: sale, sharing, and sensitive personal information.

The result is over-compliance on the wrong axis. You’re requiring consent where California law allows default collection. Meanwhile, the actual enforcement requirement, which is stopping the sale and sharing of data when users opt out, goes unaddressed. 

Consent and cookie banners never really reach the tag layer

When your website sports consent banners, toggles, and a Do Not Sell link, they need to control the systems that determine which tags fire, what identifiers get collected, and which third parties receive data.

Yet in most cases the banner toggles write a preferences cookie while tags are hard-coded in page templates and fire regardless. The privacy choices link opens an interface that manages some tracking cookies but misses the full scope of what CCPA defines as sale and sharing.

Things fail further when cookie choices and non-cookie data flows run on separate systems. Users believe they’ve opted out successfully while CRM syncs and ad-tech integrations continue.

Regulators have pointed this out. In one enforcement action, the AG held an organization accountable for offering a privacy choices link that controlled only cookie-based sales and shares.

Preferences get recorded, but data transmission doesn’t stop

Companies offer opt-out mechanisms that recognize GPC signals and also let users enter their choices manually. But after users exercise them, some cookies and pixels stay active, tracking continues, and so does the sale and sharing of data.

When that happens, regulators notice. A privacy mechanism on your website that doesn’t work tells them you’re not paying attention, and they’re likely to assume there are further issues.

The enforcement gap: Recording vs honoring opt-outs

Recording a user’s opt-out preference isn’t the same as honoring it. Your opt-out flow needs to change how tags fire, what they collect, and what they share. It also needs to change how internal systems like your CRM ingest data and what they do with it.

And most implementations don’t do that. They treat opt-out as a records management problem, limiting it to storing the timestamp, logging the user ID, and updating the preference table. 

Regulators care about reality. Did the tracking pixels stop firing? Did the ad network calls cease? Did data transmission to third parties actually halt?

What your systems should do when they record opt-out

Once a consumer opts out of sale and sharing, a business must cease selling and sharing the consumer’s personal information from that very moment. And it must notify all third parties to whom it sold or shared data after the request and direct them to comply and propagate the opt-out downstream. The Do Not Sell or Share link must immediately effectuate the opt-out or take users directly to where that right can be exercised.

Several categories of data flow matter here, so let’s look at them:

Data transmission to ad networks must stop

That includes DSPs, SSPs, retargeting platforms, and any system that uses consumer identifiers for cross-context behavioral advertising. Enforcement has made clear that targeted advertising qualifies as a sale or sharing under CCPA. 

Data sharing with data brokers must cease

Sharing with any data broker or data enrichment provider that receives your customers’ PI must stop. The DoorDash enforcement action made clear that co-marketing, marketing co-ops, and exchanging customer data for access to other companies’ mailing lists count as a sale.

The AG’s position is clear. Any transaction where a business receives a benefit for sharing consumer information can be a sale for purposes of CCPA.

Even cross-context behavioral advertising partners must not receive data once opt-out is exercised, as CPRA added the sharing category specifically to address this. 

So, what can you continue?

Activities that don’t involve cross-context profiling or exchanging data with another party can continue. You may still collect data, but once it flows to a third party to enrich ad targeting, that is a sale or share, and it must stop after an opt-out.

Things like first-party analytics, security and fraud prevention, debugging, and more can continue. 

Regulators usually draw a line at selling and sharing to third parties for your benefit, even if it doesn’t include money. Collecting PI for core functionalities is okay. 

Sensitive personal information under CPRA

In 2023, the CPRA amendments officially went into effect, establishing SPI as a specific sub-category of personal information. This granted consumers the right to limit the use and disclosure of their sensitive data. 

You can think of sensitive personal information as data that reveals intimate details about a person’s identity, health, or beliefs. Government identifiers such as Social Security numbers, financial account credentials, precise geolocation, biometric identifiers, and health information all fall into this category.

The contents of a consumer’s mail, email, and text messages are also SPI, unless the business is the intended recipient of the communication.

Under CPRA, users get special rights regarding SPI

For this category, consumers get the right to limit use and disclosure. That means directing a business to use their sensitive data only for what’s necessary to provide the goods or services reasonably expected, plus narrow business purposes like security and short-term transient use.

Once a consumer exercises that right, the business is prohibited from using or disclosing the sensitive personal information for any other purpose unless it obtains fresh consent. 

Put simply, customers can direct businesses to only use their sensitive personal information for limited purposes, such as providing the services they requested.

This creates a hybrid enforcement model. You can collect information by default under the opt-out rules until a user explicitly opts out manually or via GPC and stops you from sharing or selling it. But for SPI, it functions more like consent. 

If you want to use health data, precise location, or financial identifiers for purposes beyond core service delivery, you need either not to collect it at all or to build mechanisms that let consumers limit that use.

Building a compliant user choice implementation

Understanding where implementations fail is one thing. Building one that actually works, one that survives network forensics, honors GPC in real-time, and stops transmission across server-side systems is another. 

The difference comes down to whether your technical architecture treats user choices as preferences to log or controls to enforce.

Here’s how you can build for the latter. 

Step 1: Know what you’re controlling

You can’t enforce opt-out if you don’t know which activities constitute sale or sharing. So it’s a good idea to start by mapping your data flows to CCPA’s definitions of sharing and selling data, and what constitutes sensitive personal information. 

Once that’s done, you’ll need to know:

  • Which tracking technologies send identifiers to ad networks? 
  • Which integrations participate in data co-ops or list exchanges? 
  • Which analytics vendors operate outside true service provider contracts and use your data to build their own profiles?

Don’t guess. Document it. Maintain a catalog of every tag, SDK, and server-side integration, mapping each to legal categories, like sale, sharing, sensitive personal information use, service provider relationship, or strictly necessary function. This inventory becomes your enforcement blueprint.

Step 2: Enforce at the tag layer, not the policy layer

Once you know what needs to stop, enforce it where data actually moves. That’s the tag management layer for client-side tracking and the API gateway or event pipeline for server-side flows.

Before tags and tracking scripts load, check for GPC and any stored preference. If an opt-out is in effect, tags that sell or share must not fire at all. Only strictly necessary and first-party operational tags should run.

And when a user clicks Do Not Sell or Share or sends a limit request for sensitive data, immediately update local and central state, then re-evaluate all active tags and disable any that transmit sale or sharing data. The effect should be immediate, in that very session. Not from the next session. 

Regulations state that the Do Not Sell or Share link must immediately effectuate the opt-out. 
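What Steps 1 and 2 look like in code, as an added example that is not part of the original post: a small tag controller that gates every tag against a category inventory, checks GPC and the stored preference before anything loads, and tears down sale/sharing tags the moment the Do Not Sell or Share handler runs. The tag ids, categories, the signals object and the persistence store are hypothetical; `navigator.globalPrivacyControl` is the real browser property for GPC. On a real page the load/unload steps would inject or remove script elements (or call the tag manager's consent API) and the store would be `document.cookie`; here they are an in-memory audit log so the block runs under Node with no DOM.

```javascript
// Added example, not code from the original post: a tag controller that treats
// the CCPA opt-out as a control signal enforced at the tag layer. Tag ids,
// categories, the signals object and the persistence store are hypothetical.

// Step 1 inventory: every tag mapped to the CCPA category it falls under.
const TAG_CATALOG = [
  { id: "fraud_sdk", category: "strictly_necessary" },  // security and fraud prevention, always runs
  { id: "fp_analytics", category: "service_provider" }, // first-party analytics under a service-provider contract
  { id: "social_pixel", category: "sharing" },          // cross-context behavioral advertising
  { id: "dsp_id_sync", category: "sale" },              // identifier sync with an ad exchange
];

// Categories that must stop the moment a consumer opts out.
const RESTRICTED = new Set(["sale", "sharing"]);

// An opt-out is in effect if the browser sends GPC (navigator.globalPrivacyControl
// is the real browser property) or the consumer clicked Do Not Sell or Share.
function isOptedOut(signals) {
  const gpc = Boolean(signals.navigator && signals.navigator.globalPrivacyControl === true);
  return gpc || signals.preference === "opt_out";
}

// Tags that may fire under the current signals.
function allowedTagIds(signals, catalog = TAG_CATALOG) {
  const blocked = isOptedOut(signals);
  return catalog
    .filter((t) => !(blocked && RESTRICTED.has(t.category)))
    .map((t) => t.id);
}

class TagController {
  constructor(signals, catalog = TAG_CATALOG) {
    this.signals = signals;
    this.catalog = catalog;
    this.fired = new Set(); // tags currently active on the page
    this.actions = [];      // audit log of load/unload decisions
    this.evaluate();        // gate before anything loads, not after
  }

  // Re-evaluate every tag against the current signals: fire what is allowed and
  // tear down anything that fired earlier but is now disallowed. Returns the
  // sorted ids of the tags still active.
  evaluate() {
    const allowed = new Set(allowedTagIds(this.signals, this.catalog));
    for (const tag of this.catalog) {
      if (allowed.has(tag.id) && !this.fired.has(tag.id)) {
        this.fired.add(tag.id);
        this.actions.push(`load:${tag.id}`);
      } else if (!allowed.has(tag.id) && this.fired.has(tag.id)) {
        this.fired.delete(tag.id);
        this.actions.push(`unload:${tag.id}`);
      }
    }
    return [...this.fired].sort();
  }

  // Click handler for Do Not Sell or Share: persist the choice, update local
  // state and enforce it in this session, before the next network call fires.
  recordOptOut(store) {
    this.signals.preference = "opt_out";
    store.set("ccpa_optout", "1"); // hypothetical persistence; document.cookie in a browser
    return this.evaluate();
  }
}

// First load with GPC on: sale/sharing tags never fire.
const gpcVisitor = new TagController({ navigator: { globalPrivacyControl: true }, preference: null });
console.log("with GPC:", gpcVisitor.evaluate());

// First load with no signal, then an opt-out click mid-session.
const store = new Map();
const visitor = new TagController({ navigator: {}, preference: null });
console.log("before opt-out:", visitor.evaluate());
console.log("after opt-out:", visitor.recordOptOut(store), visitor.actions);
```

The important property is that `evaluate()` runs in the constructor, before any tag is loaded, and again from the click handler, so a tag never fires in the window between page load and preference lookup, and a tag that already fired is unloaded in the same session rather than on the next visit. The same evaluation belongs on the server side for non-cookie flows, keyed off the `Sec-GPC` request header and the stored preference.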

Step 3: Verify with network inspection, not assumptions

One lesson from the Healthline settlement is to run a program that regularly assesses and monitors whether your opt-out methods actually work. If you want to understand exactly what evidence regulators will ask for when they investigate, our CCPA audit preparation guide breaks down every category.

To confirm that things work the way they’re meant to on paper, verification needs to move beyond QA checklists to observable behavior. Browser developer tools and automated scanners can capture every request before and after opt-out or GPC activation, and those logs confirm whether requests to ad and measurement domains stop, or carry only allowed, non-sale data, while the opt-out is active.

Contract checks matter too. Ensure agreements with ad tech and analytics partners explicitly require honoring opt-out preference signals.
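The network-inspection check from Step 3, as an added example that is not part of the original post: it takes two request captures, one before and one after the opt-out, classifies each third-party host against the Step 1 inventory, and reports which sale/sharing hosts stopped, which are still receiving requests, and which hosts are not in the inventory at all. The host catalog, the hostnames and both captures are constructed for this example; in practice the captures would be HAR exports from the browser's developer tools, where each request URL sits at `entries[i].request.url`, which the helper also accepts.

```javascript
// Added example, not code from the original post: verify an opt-out with
// observed network traffic instead of a QA checklist. Hosts and captures are
// constructed; real captures come from a HAR export taken before and after
// clicking Do Not Sell or Share or enabling GPC.

// Step 1 inventory, keyed by third-party host (suffix match covers subdomains).
const DOMAIN_CATALOG = {
  "analytics.example": "service_provider",
  "fraud.example": "strictly_necessary",
  "pixel.socialads.example": "sharing",
  "sync.dsp.example": "sale",
};

const RESTRICTED = new Set(["sale", "sharing"]);

// Map a hostname to its catalog category, or "unknown" if nothing matches.
function categoryFor(hostname, catalog = DOMAIN_CATALOG) {
  for (const [domain, category] of Object.entries(catalog)) {
    if (hostname === domain || hostname.endsWith("." + domain)) return category;
  }
  return "unknown";
}

// Reduce a capture (URL strings or HAR entries) to host -> category.
function hostsByCategory(capture, catalog = DOMAIN_CATALOG) {
  const hosts = new Map();
  for (const entry of capture) {
    const url = typeof entry === "string" ? entry : entry.request.url;
    const host = new URL(url).hostname;
    if (!hosts.has(host)) hosts.set(host, categoryFor(host, catalog));
  }
  return hosts;
}

// Compare the pre- and post-opt-out captures. A pass means no sale/sharing host
// is still receiving requests and every host seen is in the inventory.
function verifyOptOut(beforeCapture, afterCapture, catalog = DOMAIN_CATALOG) {
  const before = hostsByCategory(beforeCapture, catalog);
  const after = hostsByCategory(afterCapture, catalog);
  const restrictedBefore = [...before].filter(([, c]) => RESTRICTED.has(c)).map(([h]) => h);
  const stopped = restrictedBefore.filter((h) => !after.has(h));
  const stillSending = [...after].filter(([, c]) => RESTRICTED.has(c)).map(([h]) => h);
  const uncatalogued = [...after].filter(([, c]) => c === "unknown").map(([h]) => h);
  return { stopped, stillSending, uncatalogued, pass: stillSending.length === 0 && uncatalogued.length === 0 };
}

// Constructed captures. BEFORE is a first page load with no signal; AFTER is the
// same page after opt-out on a broken implementation: the social pixel was
// removed, but the DSP identifier sync kept firing and an uninventoried tag appeared.
const BEFORE = [
  "https://analytics.example/collect?cid=123",
  "https://pixel.socialads.example/tr?ev=PageView",
  "https://sync.dsp.example/match?uid=u-42",
  "https://fraud.example/score",
];
const AFTER = [
  "https://analytics.example/collect?cid=123",
  "https://sync.dsp.example/match?uid=u-42",
  "https://fraud.example/score",
  "https://cdn.unknowntag.example/t.js",
];

console.log(JSON.stringify(verifyOptOut(BEFORE, AFTER), null, 2));
```

This checks destinations only. The "contain only allowed, non-sale data" half of the verification needs a second pass over query strings and POST bodies for identifiers (user ids, hashed emails, click ids) sent to hosts that are allowed to keep running; an uncatalogued host is treated as a failure on purpose, since a tag nobody inventoried is exactly what the Healthline-style findings turn up.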

Step 4: Don’t over-build where CPRA doesn’t require it

CCPA allows first-party data collection, security functions, and operational analytics without consent. You only need consent or limit-use mechanisms for sensitive personal information used beyond core service delivery.

Focus enforcement where the law demands it: stopping sales and sharing when consumers opt out, and limiting sensitive data use when they request it.

The gap between compliant-looking and actually-compliant is the instrumentation that ties your policies and intent to technical execution, stopping tags and scripts from skimming data when they fire before GPC signals can be recognized, or an opt-out choice can be matched.

How AlphaPrivacy AI ensures opt-out enforcement

CCPA’s expectations are clear. Opt-outs must stop sale and sharing in real-time, GPC signals must be honored within the same session, and preference changes must propagate across tags, APIs, and third-party feeds before the next network call fires. 

That’s where traditional consent management platforms falter. They capture user choices but lack the instrumentation to enforce them at the transmission layer. That jeopardizes compliance. 

AlphaPrivacy AI was purpose-built to close that gap. It treats opt-out as a real-time control signal, not a preference to log, and translates it into technical execution according to jurisdiction-specific rules.

It monitors data collection in real-time, tracking what scripts load, what tags fire, and what personal information gets transmitted to whom and on what basis. Then, it suppresses data flows that violate opt-out states or don’t respect GPC signals. 

It also helps enforce contractual and regulatory requirements on vendor integrations, ensuring that opt-out preferences don’t just stop at your tag manager but propagate to the ad networks, analytics platforms, and data brokers actually receiving the data.

The bottom line 

CCPA allows you to collect by default, but when someone opts out, data flows must stop immediately. Not next session. That same session. The gap between compliant-looking and actually-compliant is execution at the technical layer. AlphaPrivacy AI detects and plugs that gap. 

Schedule a demo to evaluate whether your opt-out mechanisms control data transmission in real-time or just log preferences.