← Marketplace

GPC / CCPA "Do Not Sell" Cases

California's CCPA/CPRA require a business to treat a Global Privacy Control (GPC) signal as a valid request to opt out of the sale or sharing of personal information — and the rules say so explicitly (11 CCR §7025). The violation is provable without any user interaction: load the site with GPC asserted (the Sec-GPC header and navigator.globalPrivacyControl), and if the advertising and data-broker trackers keep firing, the business ignored the opt-out.

Elements & controlling authority

1. Defendant is a "business" subject to the CCPA/CPRA
   Cal. Civ. Code §1798.140(d); §1798.100.
2. Defendant sells or shares personal information with third parties
   Cal. Civ. Code §1798.140(ad)(sale), (ah)(share); §1798.115.
3. A consumer transmitted a Global Privacy Control opt-out signal
   11 CCR §7025 (must treat GPC as a valid opt-out); CPRA §1798.135(b).
4. Defendant failed to honor it — sharing continued under GPC
   11 CCR §7025(c); §1798.135.
5. Statutory remedy / concrete privacy injury
   Cal. Civ. Code §1798.155; UCL §17200 predicate; TransUnion v. Ramirez (2021).

The evidence you need — and what we capture

• A fresh-context load with GPC asserted (Sec-GPC header + navigator.globalPrivacyControl)
• Every advertising / data-broker service that fired anyway, identified by owner entity, sealed and timestamped
• The list of continued disclosures is the dispositive non-honoring fact — no user interaction required

Every capture is sealed at collection: SHA-256 hash-chained artifacts with RFC 3161 trusted timestamps, a methodology block, and a documented scope of audit. If the defendant changes the site tomorrow, the record of today survives.

Damages framework

CCPA administrative penalties and, as a UCL §17200 "unlawful" predicate, restitution and injunctive relief; the opt-out-ignored class is California consumers who transmitted GPC.

Frequently asked