California's comprehensive privacy law gives consumers the right to opt out of the 'sale' and 'sharing' of their data — which is exactly what many ad pixels do.
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives California consumers rights to know, delete, correct, and opt out of the "sale" or "sharing" of their personal information. It also created a category of "sensitive personal information" with additional limits.
For websites, the friction point is that transmitting visitor data to advertising partners via pixels and tags can qualify as "sharing" for cross-context behavioral advertising. Sites are expected to honor opt-out signals — including the Global Privacy Control (GPC) browser signal — and to provide a clear "Do Not Sell or Share My Personal Information" mechanism.
In 2022 the California Attorney General reached a $1.2 million settlement with Sephora over allegations it failed to disclose the sale of personal information and did not honor opt-out signals — a concrete example of enforcement in this area.
Whatever the statute, the underlying test is practical: do third-party trackers collect or transmit visitor data before the visitor consents? RegSentry runs a real browser against your site and shows you exactly that — which scripts fire, when, and whether a consent banner actually held them back.
See what fires on your site before consent — free, 30 seconds, no signup.
Real browser scan, no signup to run it. You see a summary of the findings; the full report with every tracker unlocks with your email.