Why is the Trump administration imposing new Section 232 and Section 301 tariffs?

Following the IEEPA court ruling, the Trump administration imposed Section 122 tariffs effective February 24, 2026, set to expire July 24, 2026. As indefinite alternatives, new Section 232 tariffs were deployed on April 2, 2026. The Section 301 investigation process is expected to conclude in summer 2026.

What are Section 232 tariffs?

Section 232 tariffs are import taxes authorized under the Trade Expansion Act of 1962, imposed on national security grounds. Rarely invoked before 2018, their use has been upheld by the Supreme Court.

What are Section 301 tariffs?

Section 301 tariffs are levied on imports from specific countries under the Trade Act of 1974 to address unfair trade practices. The process involves investigation, negotiation, and potential retaliation against targeted trading partners.

Which goods are targeted under the new Section 232 tariffs?

Under the new Section 232 tariffs, steel, aluminum, and copper face tariffs of up to 50%, and pharmaceuticals face tariffs of up to 100%. Multiple carve-outs exist depending on the product category.

Which countries are targeted under the new Section 301 tariffs?

Approximately 100 countries are targeted across two investigations: one covering excess manufacturing capacity, which targets 14 countries plus the EU, and one covering forced labor practices, which targets approximately 60 trading partners.

How should businesses prepare for new Section 232 and Section 301 tariffs?

Businesses should take three steps: (1) Assess supply chain exposure by identifying import origins, quantities, and annual values, and update quotation processes to reflect potential tariff costs; (2) Evaluate internal systems to determine the ability to track tariff rate changes and cost impacts, and plan communication strategies for price adjustments; and (3) Seek ongoing guidance from internal departments and strategic advisors with experience in tariff policy and the manufacturing sector.

Are you unintentionally selling personal information under the CCPA?

Matt Dumiak

Mar 03, 2026

4 min read

Key takeaways

Under the CCPA, “selling” personal information includes sharing data for value — not just for money.
Many organizations unintentionally sell data through marketing, analytics and tracking technologies.
The biggest risk is not knowing how vendors use the data you share with them.

Most organizations don’t believe they sell personal information.

But under the California Consumer Privacy Act (CCPA), many already are.

The issue isn’t intentional data sales. It’s how modern digital ecosystems work. Data is shared across vendors, platforms and tools in ways that create business value — and that sharing may meet the legal definition of a sale.

For many organizations, the exposure isn’t obvious until it’s reviewed more closely.

What ‘selling’ personal information actually means

Under the CCPA, a “sale” is not limited to exchanging data for money. It includes sharing, disclosing or making personal information available to another party in exchange for “valuable consideration.”

That can include:

Targeted advertising and retargeting
Analytics and performance optimization
Data enrichment and audience building

In other words, if personal information is shared with a third party and that exchange creates value, it may qualify as a sale.

This definition is broader than most organizations expect — and it’s where many compliance gaps begin.

Why companies get this wrong

The most common misconception is that data sharing only counts as a sale when money changes hands.

In reality, the risk is tied to how data is used after it is shared.

Organizations often assume they are working with service providers, which would limit how vendors can use personal information. But that assumption is not always accurate.

In practice:

Vendors may use data for their own purposes
Contracts may not clearly restrict data use
Internal teams may not fully understand vendor behavior

This creates a disconnect between how companies think their data is handled and how it is actually used.

Where unintentional “selling” happens most often

This issue rarely shows up in one place. It’s typically spread across systems that were implemented over time. Here are four things to consider:

Website tracking and marketing tools: Tracking technologies such as pixels, analytics scripts and tag managers often share user behavior with third parties. If those tools operate without proper controls, they can trigger “sale” classifications under the CCPA.
Advertising and audience platforms: Retargeting and audience-building tools rely on sharing user data across platforms. That exchange of data for advertising value is one of the most common sources of unintentional selling.
Vendor ecosystems and integrations: Organizations rely on dozens of third-party vendors across marketing, IT and operations. If those vendors are not clearly restricted to service provider roles, data sharing may fall outside compliance boundaries.
Customer portals and digital experiences: Forms, portals and logged-in environments may capture personal information that is then shared through integrated tools. In some cases, that sharing is not fully visible to the organization.

How this connects to current enforcement trends

Recent enforcement actions and lawsuits are reinforcing how broadly “data sharing” is being interpreted.

In many cases, organizations believed they were using data for internal purposes. In reality, that data was being transmitted to third parties through tracking technologies or vendor relationships.

This is the same pattern seen in tracking-related lawsuits:

Data is collected during normal user interactions
That data is shared with external platforms
Disclosures and consent mechanisms don’t fully reflect what is happening

When those elements are misaligned, legal risk increases.

Real-world enforcement is expanding

Regulators are increasingly scrutinizing how organizations operationalize consumer data across marketing, analytics and connected technologies.

In 2026, General Motors was fined $12.75 million for alleged California Consumer Privacy Act (CCPA) violations tied to connected vehicle data practices — the largest CCPA-related fine to date. Regulators alleged the company collected, used and shared driver behavior data in ways consumers did not fully understand or meaningfully consent to.

The significance of the case extends beyond connected vehicles. It reflects a broader enforcement trend focused on how organizations collect, operationalize and share behavioral data across increasingly complex digital ecosystems.

For many organizations, the challenge is not intentional misconduct. It is that tracking technologies, vendor integrations and data-sharing practices evolve over time without centralized visibility or oversight.

Why vendor classification is a critical issue

A key factor in CCPA compliance is whether a vendor is acting as a service provider or a third party.

Service providers are restricted in how they use personal information.
Third parties may use the data more broadly, which can trigger “sale” requirements.

The challenge is that vendor roles are not always clearly defined.

Organizations often rely on vendor representations without verifying how data is actually used. If those assumptions are incorrect, the organization — not the vendor — carries the compliance risk.

The real problem: Lack of visibility

The underlying issue is not intent. It’s visibility.

Most organizations cannot clearly answer:

What data is being shared with each vendor
When that data is transmitted
How that data is used after it is shared
Whether that use aligns with disclosures and consent

Without that visibility, it’s difficult to determine whether a “sale” is occurring.

What to do next

Addressing this risk doesn’t require eliminating data sharing. It requires understanding and controlling it.

Organizations should focus on:

Mapping data flows across vendors and systems
Identifying where personal information is shared externally
Validating vendor roles and contractual restrictions
Aligning disclosures with actual data practices
Implementing and testing opt-out mechanisms where required

These steps help ensure that data practices match both regulatory expectations and user expectations.

How Wipfli can help

Wipfli helps organizations assess whether their data-sharing practices meet the definition of a “sale” under the CCPA and other state privacy laws.

Our services include:

Data flow and vendor analysis
CCPA and CPRA compliance assessments
Privacy notice and disclosure alignment
Consent and opt-out strategy
Ongoing privacy program support

To learn more about evaluating your data-sharing practices, explore our privacy and data protection services.

Are you unintentionally selling personal information under the CCPA?

What ‘selling’ personal information actually means

Why companies get this wrong

Where unintentional “selling” happens most often

How this connects to current enforcement trends

Real-world enforcement is expanding

Why vendor classification is a critical issue

The real problem: Lack of visibility

What to do next

How Wipfli can help

Author(s)

TOP PICKS

Article Download

Please Register

Contact Information