Anonymize CCPA opt-out-of-sale and sharing records for third-party disclosure review – CCPA/HIPAA-compliant de-identification per Cal. Civ. Code §1798.120
CCPA §1798.120 gives California consumers the right to opt out of the sale or sharing of their personal information with third parties. Opt-out records contain the consumer's identity and specific data-sharing preferences. anonym.legal pseudonymizes these records so businesses can audit opt-out processing and share compliance evidence without exposing consumer identities.
When this applies
Use this workflow when opt-out preference records must be shared with third-party data recipients, ad-tech vendors, or outside counsel to demonstrate that consumer opt-outs have been honored, or when auditing opt-out propagation across a data supply chain.
How anonym.legal handles it
- Upload opt-out records, preference-signal logs, or Global Privacy Control (GPC) receipt logs to anonym.legal.
- The engine identifies the consumer identifier in each record: device ID, email, IP address, account number, or cookie ID.
- Each unique consumer identifier is replaced with a consistent pseudonym across all opt-out events and downstream propagation records.
- The opt-out preference flag, third-party recipient identifiers, and propagation timestamps are retained as structural compliance content.
- Batch processing can cover millions of GPC or opt-out signals while preserving per-consumer consistency through the pseudonym mapping.
- The reversible mapping key is encrypted and stored with US data residency.
- Pseudonymized records are exported for vendor notification verification, audit, or outside-counsel review.
What you provide
- Opt-out preference records or Global Privacy Control signal logs in CSV, JSON, or structured export format
- Third-party recipient identifiers to be retained for downstream propagation verification
- Date range for the opt-out records to be processed
Limitations & cautions
- anonym.legal does not verify that opt-outs were propagated to all downstream third parties; that requires a separate vendor-notification audit.
- The tool does not assess whether opt-out signals received via GPC were processed within the required timeframe; deadline compliance must be tracked separately.
- Ad-tech identifiers that are probabilistically linked across devices may carry residual re-identification risk even after pseudonymization.
- This workflow covers CCPA/CPRA opt-out rights; analogous opt-out rights under other state laws are out of scope.
FAQ
Does this workflow cover both the 'Do Not Sell' right (pre-CPRA) and the 'Do Not Share' right added by CPRA?
Yes. §1798.120 as amended by CPRA covers both the right to opt out of sale and the right to opt out of sharing for cross-context behavioral advertising. The workflow processes opt-out records for both rights and retains the right-category flag as a structural field.
How does the tool handle Global Privacy Control signals at scale?
GPC signal logs are typically large structured files keyed on device or user identifiers. The batch-processing pipeline pseudonymizes each unique identifier while preserving the signal timestamp and originating domain, enabling compliance analytics at scale without individual consumer exposure.
Can pseudonymized opt-out logs be shared with advertising partners to confirm opt-out implementation?
Yes. Sharing pseudonymized logs with partners allows verification that the partner has applied the opt-out flag without disclosing the real consumer identifiers. The partner can confirm the flag status against their own pseudonymous records using the shared pseudonym.