cpra-opt-out-signals
Implementing CPRA Opt-Out Preference Signals
Overview
CPRA Section 1798.135 requires businesses to treat opt-out preference signals (such as Global Privacy Control / GPC) as valid consumer requests to opt out of the sale and sharing of personal information. This skill covers the technical detection of GPC signals, automated honoring workflows, cross-device consistency requirements, and the interaction between browser-level signals and explicit consumer choices.
Legal Foundation
CPRA Section 1798.135 — Methods of Limiting Sale, Sharing, and Use
-
Section 1798.135(a) — A business that sells or shares consumers' personal information shall provide a clear and conspicuous link on its homepage titled "Do Not Sell or Share My Personal Information."
-
Section 1798.135(b)(1) — A business that sells or shares personal information shall treat the consumer's use of an opt-out preference signal as a valid request to opt out under Section 1798.120.
-
Section 1798.135(b)(3) — A business that complies with subsection (b)(1) is not required to post the "Do Not Sell or Share My Personal Information" link on its homepage, provided it instead posts a link to a page describing the consumer's opt-out rights.
-
Section 1798.135(e) — A business may not interpret the absence of an opt-out preference signal as consent to sell or share personal information.