RatedWithAI

RatedWithAI

Accessibility scanner

Privacy LawJune 23, 2026

CCPA Opt-Out Rights for AI Behavioral Profiling: What Businesses Must Honor (2026)

California's CPRA amendments rewrote CCPA to cover the thing that actually powers modern advertising: AI-built behavioral profiles. If your platform uses AI to segment, score, or target California consumers — or shares data that helps someone else do it — you have opt-out obligations that many companies haven't built yet.

~$12M+
In CCPA fines issued since enforcement started, including ad-tech cases
'Sharing'
CPRA's new term covers AI data to ad networks — no money required
45 days
To honor an opt-out request once received (extendable once)

How CPRA Changed the AI Advertising Picture

The original CCPA gave Californians the right to opt out of the "sale" of their personal information. The problem: most AI-powered advertising doesn't look like a sale. Ad networks, data management platforms, and behavioral analytics tools trade consumer data under agreements framed as "sharing for joint marketing" or "service provider arrangements" — structures designed to avoid triggering the sale definition.

CPRA closed this gap by adding a separate opt-out right for the "sharing" of personal information — defined as disclosing personal information to a third party for cross-context behavioral advertising. Sharing doesn't require money to change hands. If consumer data flows to anyone outside your business for the purpose of serving targeted ads or building behavioral models for advertising, that's sharing for CCPA purposes.

AI behavioral profiling almost always constitutes sharing. Sending browsing data to a lookalike modeling platform, feeding purchase history into a demand-side platform's ML layer, or sharing email engagement signals with a behavioral prediction vendor — these are all sharing under CPRA.

What AI Profiling Activities Trigger CCPA Opt-Out Rights

The following activities involving California residents' data create opt-out obligations under current CCPA — even before the CPPA's forthcoming ADMT regulations add another layer:

Lookalike audience modeling via third-party platforms

Uploading hashed email lists or pixel data to Meta, Google, LinkedIn, or any DSP for lookalike modeling is sharing personal information for cross-context behavioral advertising. California residents in the seed list have opted-out rights.

Behavioral retargeting via ad pixels

Third-party ad pixels (Meta Pixel, Google Ads, TikTok Pixel) that collect behavioral data from your site and use it to build user profiles for retargeting are a sharing arrangement. Each pixel is effectively a data flow to a third party for advertising purposes.

AI predictive scoring sold or shared with partners

If you build purchase intent scores, churn propensity scores, or lifetime value predictions and share those inferences with third parties — even partners — those inferences are personal information under CPRA and sharing them triggers opt-out rights.

Customer data to data brokers or enrichment services

Sharing customer lists or behavioral data with enrichment vendors or data brokers for any advertising or marketing purpose qualifies. The opt-out right applies even if you receive the enriched data back.

Email co-registration and co-marketing programs

Sharing subscriber lists or behavioral profiles with co-marketing partners whose primary use is AI-powered targeting qualifies as sharing for cross-context behavioral advertising.

The CPPA's Pending ADMT Rules Add Another Layer

Beyond the existing sale/sharing opt-out, the California Privacy Protection Agency has been developing Automated Decision-Making Technology (ADMT) regulations that are expected to be finalized and take effect in 2025-2026. These rules would be significant for AI profiling because they would:

Opt-out right for behavioral advertising profiling

Consumers could opt out of any profiling for behavioral advertising purposes — not just when data is shared externally. This would reach purely internal AI modeling systems that never send data outside your company.

Opt-out right for significant-decision AI

For AI that makes or substantially contributes to significant decisions (access to financial services, housing, employment, healthcare), consumers would have the right to opt out entirely — not just the right to have a human review.

Access and explanation rights

Consumers could request information about what automated decisions were made about them, what data was used, and the logic of the AI system — similar to GDPR Article 22 rights but with California-specific definitions.

Pre-use risk assessments

Businesses deploying high-risk ADMT systems may need to conduct and retain risk assessments before deployment, documenting potential harms and the measures taken to mitigate them.

How to Build a Compliant Opt-Out Flow for AI Profiling

The mechanics of honoring opt-out rights for AI behavioral profiling are more complex than a simple cookie preference center. Here's what a compliant implementation looks like:

1

Map every AI profiling data flow

Before you can honor opt-outs, you need a complete inventory of where California consumer data flows for advertising purposes. This means tracking every pixel, every API call to ad platforms, every data enrichment service, and every lookalike audience upload. Most companies are surprised by how many flows exist.

2

Place a prominent 'Do Not Sell or Share My Personal Information' link

This link must appear in your website footer and any mobile app settings menu. It must be distinct from cookie consent and must be accessible without requiring login. The link text is specified by CCPA — you cannot paraphrase it into something less prominent.

3

Honor the opt-out within 45 days

When a California resident submits an opt-out, you have 45 days to stop selling or sharing their data for advertising. You can extend once by 45 additional days if you notify the consumer. The opt-out must be honored for all data flows, not just future ones — which means suppression lists must integrate with ad platforms.

4

Upload suppression lists to ad platforms

When a consumer opts out, their identifier needs to be added to suppression lists for Meta, Google, and any other platform where their data is used. Most major ad platforms support suppression list uploads, but the automation between your opt-out system and your ad accounts is work that many businesses skip.

5

Honor Global Privacy Control (GPC)

California law requires businesses to treat a consumer's GPC browser signal as a valid opt-out of sale and sharing. If you use advertising pixels and a California consumer has GPC enabled, you cannot fire those pixels for that user. Consent management platforms (CMPs) generally handle this but need to be configured correctly.

Sensitive Personal Information: A Stricter Tier for AI Profiling

CPRA created a new category — "sensitive personal information" — that carries stricter controls. For AI behavioral profiling, the categories most likely to be in play:

  • Precise geolocation data (within 1,850 feet)
  • Race or ethnic origin (if inferred by AI from names, browsing behavior, or purchase patterns)
  • Health or medical information
  • Financial account information
  • The contents of mail, email, and text messages
  • Biometric data used for identification

If your AI behavioral profiling uses or infers sensitive categories, consumers have the right to limit the use of their sensitive data — not just opt out. The limit right means you can only use sensitive data for the core purpose for which it was collected, not for secondary advertising use. Mixing AI inference from health-related signals into an advertising profile is a specific compliance problem.

Frequently Asked Questions

We're a B2B SaaS — our customers are businesses, not California consumers. Does CCPA's profiling opt-out apply to us?

It depends on whether you process data about California residents as individuals. If your AI profiling system analyzes behavior of California employees or end users — even in a B2B context — those individuals may have CCPA rights. The B2B exemption under original CCPA was narrow and has not fully expanded. If your pipeline touches California residents' personal information, assess CCPA applicability.

We use AI for lead scoring and sales prioritization internally. Is that in scope?

Internal lead scoring that doesn't involve sharing data externally and doesn't constitute cross-context behavioral advertising is generally not triggered by the sale/sharing opt-out right. However, if the CPPA's ADMT rules are finalized as proposed, there may be a separate opt-out right for profiling activities that significantly affect individuals — which could reach some lead-scoring systems depending on how they're used.

We contracted with a 'service provider' for our AI profiling. Does that shield us?

Using a service provider doesn't transfer liability — it shifts some of it, if the contract is properly structured. The service provider must contractually agree to CCPA restrictions and not use your data for their own purposes. But as the business, you retain responsibility for mapping the data flows, providing the opt-out mechanism, and ensuring the service provider honors suppression lists when you send them.

What's the penalty for not honoring AI profiling opt-outs?

The California Attorney General can seek civil penalties of up to $2,500 per unintentional violation and $7,500 per intentional violation. The CPPA can issue its own administrative fines. For advertising platforms that process millions of California records, systematic failure to honor opt-outs has resulted in seven-figure settlements. Consumers can also sue directly for data security breaches.

The Gap Most AI Marketing Teams Miss

Most companies have a "Do Not Sell" link. Far fewer have actually mapped every ad pixel, lookalike audience upload, and enrichment API call to a suppression system that fires when a California consumer opts out. That gap — between having the link and actually honoring the request — is where CCPA enforcement finds violations.

If you use AI behavioral profiling for advertising, run a data-flow audit now: every platform that receives California consumer data, every model that uses it, and whether your opt-out request flow actually reaches all of them. The CPPA's forthcoming ADMT rules will only add more layers — the companies building the infrastructure now will be ahead.