What is ‘share’ in CPRA?

The California Privacy Rights Act (CPRA) redefines and expands the concept of “sharing” personal information, primarily in the context of cross-context behavioral advertising. The statutory language specifies that to “share, shared, or sharing” means: “renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration” (Cal. Civ. Code § 1798.140(ah)(1)). This marks a significant extension beyond the California Consumer Privacy Act (CCPA), which focused mainly on “sale” as the transfer of data for monetary consideration.

Analysis of the CPRA’s definition shows that:

• “Sharing” includes any communication or transfer of personal information to a third party.
• The purpose of the transfer—specifically for cross-context behavioral advertising—is central. Such advertising is defined as targeting consumers based on their activities across different businesses, websites, applications, or services.
• There is no requirement for monetary value; any valuable consideration or even none at all suffices.
• The entity receiving the data is considered a “third party” if the consumer is not intentionally interacting with them (Cal. Civ. Code § 1798.140(ai)).

Results from reviewing operational implications demonstrate that:

• Businesses must treat disclosures for targeted advertising as “sharing,” regardless of whether payment is exchanged.
• Consumer rights are directly implicated; individuals may opt out of such “sharing” under CPRA (Cal. Civ. Code § 1798.120(a)).
• Compliance requires businesses to provide clear notice and opt-out mechanisms for consumers regarding such data practices.

The distinction between “sale” and “share” under CPRA becomes clear in practice: “sale” relates to data exchanged for value, while “share” encompasses a broader set of disclosures specifically for cross-context behavioral advertising. Entities cannot avoid obligations by structuring transactions as non-monetary if they involve third-party advertising.

In summary, CPRA’s treatment of “sharing” reflects a shift toward greater consumer protection and transparency in digital advertising ecosystems. Data transfers to third parties for targeted ads—whether or not money changes hands—fall squarely within regulatory scrutiny. This compels organizations to reassess their data flows and adjust compliance strategies accordingly (IAPP, 2023; Cal. Civ. Code § 1798.140).