Privacy PowerUp #13
Selling and sharing personal information impacts more than data management—it affects accountability, transparency, and even a brand’s trustworthiness.
This article explains how privacy teams can manage the legal and operational nuances of selling and sharing personal information. We’ll dive into regulatory assessments, data inventory must-haves, transparency and individual rights, and how to operationalize it all like a pro.
Selling and sharing: What’s the difference?
Depending on the laws, selling and sharing include the following:
- Selling includes transferring, disclosing, or making available personal information to a third party for “monetary or other valuable consideration”.
- Sharing includes disclosing, making available, or transferring personal information to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.
Note that disclosing personal information to service providers for business purposes may not trigger additional requirements.
1. Legal and regulatory assessment: Know your regulatory obligations
One of the first steps should be assessing where you process personal information and, consequently, which laws apply to your organization.
California is the only U.S. state that explicitly defines both “selling” and “sharing”. States such as Colorado, Virginia, Utah, and Connecticut explicitly define “selling” but do not define “sharing”. While definitions and enforcement priorities vary, most of these laws outline consumer rights and business obligations tied to these concepts, especially in the context of digital advertising and third-party data transfers.
Outside of the U.S., laws like the GDPR implicitly cover the concepts of “selling” and “sharing” under their definition of processing of personal information, which includes collecting, using, disclosing, or making available personal information.
Understanding which laws apply to your organization is the foundation of any effective privacy program. If you’re looking to simplify that process, Nymity Research offers expert-curated insights, daily updates, and multi-jurisdictional comparisons, helping you identify your obligations faster and with greater confidence. That includes NymityAI, which can save you hours and has been built on the work of over 25 years by trusted privacy experts.
Regulatory applicability depends on multiple factors, which vary by regulation: your geographical location, or the data you are collecting, using, or disclosing. For example, California applies revenue and volume thresholds. The GDPR has extraterritorial reach, so your company may fall within its scope even if it has no physical presence in the EU.
What else to consider in your assessment:
- Whether you collect sensitive personal information
- Whether you engage vendors, and what your vendor assessment practices are
- Whether you use personal information for cross-context behavioral advertising
Know your regulatory footprint
Multiple privacy regimes have a broad reach, and companies—including mid-sized businesses—need to know their obligations. If you operate in multiple jurisdictions, you will likely be covered by their privacy regulations. Understanding the concepts, such as “selling” and “sharing,” will be critical to designing scalable, compliant privacy operations.
If you’re collecting personal data, chances are you’re already in the game. The question is whether you’ve read the rulebook.
2. Data inventory: Build a map before you navigate
Data inventory is a critical element when thinking about data governance, data protection, and risk management.
You need to know:
- What categories of personal information do you collect, use, and disclose?
- Why do you process the data? What is the purpose?
- Who do you share it with, and are they service providers or third parties?
- Is the data sensitive, and are these categories necessary to achieve your goals?
- Do you use or disclose personal information in a way that would fall under “selling”, “sharing”, or another applicable term?
3. Transparency and individual rights
Privacy experts recognize that transparency is not just about making the privacy notice public, but about ensuring that it is comprehensive, relevant, and understandable.
Most regulations require you to:
- Notify individuals, at or before the point of collection, about the collection, use, and disclosure of their personal information.
- Provide choice for the collection, use, or disclosure of personal information.
- Include the contact information for the organization.
Under the CCPA, among other requirements, companies need to provide:
- A clear, conspicuous Do Not Sell or Share My Personal Information opt-out link on your website.
- Categories of personal information sold or shared, and to whom.
- Information on the individual rights and how to exercise these rights.
Enforcement agencies have been increasingly focusing their attention on the notice and transparency requirements. It is very important to get this right and ensure that your data processing practices are clear and that you have appropriate measures in place.
Remember: The privacy notice is the frontline of your data trust strategy.
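The inventory questions in section 2 and the CCPA notice items above can be checked mechanically once the inventory is recorded. The following added example (not code from the article or from any product it mentions) applies the article's definitions of selling, sharing, and service-provider disclosure to a constructed data inventory and derives the categories sold or shared, the recipients, and whether an opt-out link is needed. Record fields and the sample recipients are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Disclosure:
    """One row of a data inventory (field layout is an assumption)."""
    category: str           # category of personal information disclosed
    recipient: str          # who receives it
    recipient_type: str     # "service_provider" or "third_party"
    purpose: str            # business purpose of the disclosure
    consideration: bool     # monetary or other valuable consideration received
    cross_context_ads: bool # used for cross-context behavioral advertising

def classify(d: Disclosure) -> str:
    """Apply the definitions: selling = transfer to a third party for valuable
    consideration; sharing = transfer to a third party for cross-context
    behavioral advertising, paid or not; a service-provider disclosure for a
    business purpose is neither. A row can be both a sale and a share."""
    if d.recipient_type == "service_provider":
        return "service_provider"
    labels = []
    if d.consideration:
        labels.append("sale")
    if d.cross_context_ads:
        labels.append("share")
    return "+".join(labels) if labels else "third_party_other"

def notice_summary(inventory) -> dict:
    """Categories sold or shared, and to whom, for the privacy notice."""
    summary = {}
    for d in inventory:
        label = classify(d)
        if "sale" in label or "share" in label:
            summary.setdefault(d.category, set()).add(d.recipient)
    return {cat: sorted(recips) for cat, recips in sorted(summary.items())}

def requires_opt_out_link(inventory) -> bool:
    """Any sale or share means a Do Not Sell or Share link is required."""
    return bool(notice_summary(inventory))

# Constructed sample inventory; the recipients are fictitious.
INVENTORY = [
    Disclosure("email", "mail-provider", "service_provider", "transactional email", False, False),
    Disclosure("device_id", "ad-exchange", "third_party", "retargeting", True, True),
    Disclosure("browsing_history", "analytics-partner", "third_party", "cross-site ads", False, True),
    Disclosure("purchase_history", "data-broker", "third_party", "resale", True, False),
]

if __name__ == "__main__":
    for row in INVENTORY:
        print(f"{row.category:18} -> {classify(row)}")
    print(notice_summary(INVENTORY), requires_opt_out_link(INVENTORY))
```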
4. Operationalization and technical implementation: Turn policy into practice
So you’ve assessed your obligations and updated your notice—great. Now ensure that the mechanisms described in the privacy notice are fully implemented and that your systems support privacy requests.
Here’s how to make it real:
- Policies and procedures: Establish workflows for handling consumer rights requests: access, deletion, and choice, such as opting out of sale or sharing.
- Technical implementation: Create opt-out tools that are easy to use and aligned with regulatory expectations. Avoid dark patterns.
- Minimization: Apply data minimization and ensure you do not collect personal information that is not necessary to achieve your goals. Always follow the regulations and best practices.
- Training: Ensure internal teams know how to process requests and handle data according to policy and the applicable laws.
Operational oversight:
- Monitor your systems for compliance drift.
- Audit vendors regularly.
- Update your internal documentation alongside public-facing policies.
A privacy program has many parts, some of which are visible, such as a privacy notice. But many others are unseen, such as staff training, internal policies and other documents, or ongoing monitoring. Always ensure that what you display publicly is matched by your practices behind the scenes.
Master the modern data exchange
Selling and sharing personal information touches everything from marketing and product design to customer service and executive decision-making. That’s why successful privacy programs aren’t reactive. They’re proactive, process-driven, and built on knowledge, communication, and control.
To thrive in today’s privacy-first landscape, you must:
- Know your legal obligations across every relevant jurisdiction.
- Inventory your data and understand how it flows.
- Communicate transparently with customers and regulators alike.
- Operationalize your opt-outs and rights mechanisms with precision.
Yes, the rules are evolving. But so are the tools, frameworks, and best practices to help you manage it. And when you get it right, you don’t just avoid fines—you earn customer trust, boost your brand, and position privacy as a competitive advantage.
Continue mastering the privacy essentials by reviewing all the resources in the Privacy PowerUp series.
PowerUp Your Privacy
Watch all the videos in the Privacy PowerUp series – designed to help professionals master the privacy essentials.
Read the next article in this series: #14 Building a Privacy-Approved Vendor Management Program.
Read more from the Privacy PowerUp Series:
- Getting Started in Privacy
- Data Collection, Minimization, Retention, Deletion, and Necessity
- Data Inventories, Mapping, and Records of Process
- Understanding Data Subject Rights (Individual Rights) and Their Importance
- The Foundation of Privacy Contracting
- Choice and Consent: Key Strategies for Data Privacy
- Managing the Complexities of International Data Transfers and Onward Transfers
- Emerging Technologies in Privacy: AI and Machine Learning
- Privacy Program Management: Buy-In, Governance, and Hierarchy
- Managing Privacy Across the Organization
- Assess the Risk Before it Hits
- Contracts that Count: Mastering the 10 Most Negotiated Provisions in a Data Processing Agreement
- Selling and Sharing Personal Information
- Building a Privacy-Approved Vendor Management Program
- Tracking Technologies: The Hidden Backbone of AdTech and the Looming Privacy Minefield
- Data Inventory: Next-Level Classification for Privacy Professionals
- Incident Incoming–Now What?