Are you unintentionally selling personal information under the CCPA?
- Under the CCPA, “selling” personal information includes sharing data for value — not just for money.
- Many organizations unintentionally sell data through marketing, analytics and tracking technologies.
- The biggest risk is not knowing how vendors use the data you share with them.
Most organizations don’t believe they sell personal information.
But under the California Consumer Privacy Act (CCPA), many already are.
The issue isn’t intentional data sales. It’s how modern digital ecosystems work. Data is shared across vendors, platforms and tools in ways that create business value — and that sharing may meet the legal definition of a sale.
For many organizations, the exposure isn’t obvious until it’s reviewed more closely.
What ‘selling’ personal information actually means
Under the CCPA, a “sale” is not limited to exchanging data for money. It includes sharing, disclosing or making personal information available to another party in exchange for “valuable consideration.”
That can include:
- Targeted advertising and retargeting
- Analytics and performance optimization
- Data enrichment and audience building
In other words, if personal information is shared with a third party and that exchange creates value, it may qualify as a sale.
This definition is broader than most organizations expect — and it’s where many compliance gaps begin.
Why companies get this wrong
The most common misconception is that data sharing only counts as a sale when money changes hands.
In reality, the risk is tied to how data is used after it is shared.
Organizations often assume they are working with service providers, which would limit how vendors can use personal information. But that assumption is not always accurate.
In practice:
- Vendors may use data for their own purposes
- Contracts may not clearly restrict data use
- Internal teams may not fully understand vendor behavior
This creates a disconnect between how companies think their data is handled and how it is actually used.
Where unintentional “selling” happens most often
This issue rarely shows up in one place. It’s typically spread across systems that were implemented over time. Here are four things to consider:
- Website tracking and marketing tools: Tracking technologies such as pixels, analytics scripts and tag managers often share user behavior with third parties. If those tools operate without proper controls, they can trigger “sale” classifications under the CCPA.
- Advertising and audience platforms: Retargeting and audience-building tools rely on sharing user data across platforms. That exchange of data for advertising value is one of the most common sources of unintentional selling.
- Vendor ecosystems and integrations: Organizations rely on dozens of third-party vendors across marketing, IT and operations. If those vendors are not clearly restricted to service provider roles, data sharing may fall outside compliance boundaries.
- Customer portals and digital experiences: Forms, portals and logged-in environments may capture personal information that is then shared through integrated tools. In some cases, that sharing is not fully visible to the organization.
How this connects to current enforcement trends
Recent enforcement actions and lawsuits are reinforcing how broadly “data sharing” is being interpreted.
In many cases, organizations believed they were using data for internal purposes. In reality, that data was being transmitted to third parties through tracking technologies or vendor relationships.
This is the same pattern seen in tracking-related lawsuits:
- Data is collected during normal user interactions
- That data is shared with external platforms
- Disclosures and consent mechanisms don’t fully reflect what is happening
When those elements are misaligned, legal risk increases.
Why vendor classification is a critical issue
A key factor in CCPA compliance is whether a vendor is acting as a service provider or a third party.
- Service providers are restricted in how they use personal information.
- Third parties may use the data more broadly, which can trigger “sale” requirements.
The challenge is that vendor roles are not always clearly defined.
Organizations often rely on vendor representations without verifying how data is actually used. If those assumptions are incorrect, the organization — not the vendor — carries the compliance risk.
The real problem: Lack of visibility
The underlying issue is not intent. It’s visibility.
Most organizations cannot clearly answer:
- What data is being shared with each vendor
- When that data is transmitted
- How that data is used after it is shared
- Whether that use aligns with disclosures and consent
Without that visibility, it’s difficult to determine whether a “sale” is occurring.
What to do next
Addressing this risk doesn’t require eliminating data sharing. It requires understanding and controlling it.
Organizations should focus on:
- Mapping data flows across vendors and systems
- Identifying where personal information is shared externally
- Validating vendor roles and contractual restrictions
- Aligning disclosures with actual data practices
- Implementing and testing opt-out mechanisms where required
These steps help ensure that data practices match both regulatory expectations and user expectations.
How Wipfli can help
Wipfli helps organizations assess whether their data-sharing practices meet the definition of a “sale” under the CCPA and other state privacy laws.
Our services include:
- Data flow and vendor analysis
- CCPA and CPRA compliance assessments
- Privacy notice and disclosure alignment
- Consent and opt-out strategy
- Ongoing privacy program support
To learn more about evaluating your data-sharing practices, explore our privacy and data protection services.
