Finding reference

CPRA / privacy choice opt-out review signal

Retained public-surface and runtime evidence showed advertising, cross-context behavioral advertising, or sale/share-related review signals without a clearly observed California privacy choice, Do Not Sell or Share, opt-out, or comparable privacy-choice path in the observed scan scope. Review the evidence context, methodology, common causes, and reviewer questions for this CertScore finding.

  • High
  • Review Signal evidence
  • Absence observation
  • Disclosure gaps
  • Seen on ~4% of scanned top sites

Benchmark frequency is directional market context only. It is not a compliance benchmark, legal conclusion, or severity score. Rare findings may be top-ranked only when retained evidence is strong; common findings may remain medium when evidence is automated or context-dependent. Rarity is not severity, and prevalence is not compliance risk.

Observed

Retained public-surface and runtime evidence showed advertising, cross-context behavioral advertising, or sale/share-related review signals without a clearly observed California privacy choice, Do Not Sell or Share, opt-out, or comparable privacy-choice path in the observed scan scope.

Why this matters

When advertising, cross-context behavioral advertising, sale/share, or similar privacy-choice signals appear on a site, reviewers may need to confirm whether applicable opt-out paths are present, discoverable, and connected to the relevant data uses. For privacy and product teams, this signal can help identify footer, privacy-policy, preference-center, CMP, GPC, and state-specific rights-flow gaps that may require CPRA or privacy-choice review.

Detection methodology

CertScore compares retained public-surface evidence for privacy links, footer links, policy language, state-specific rights references, Do Not Sell or Share wording, opt-out links, preference centers, and privacy-choice controls with retained runtime or page-surface signals that may be relevant to advertising, cross-context behavioral advertising, sale/share, tracking, or vendor-governance review. The finding is surfaced when retained evidence indicates relevant advertising or privacy-choice context, but a clear California privacy choice, Do Not Sell or Share, opt-out, or comparable choice path was not observed in the scanned public-page scope. CertScore treats CPRA opt-out availability results as review signals. The scanner does not determine legal status, CPRA applicability, sale/share status, cross-context behavioral advertising status, opt-out failure, GPC handling, or compliance status. GPC handling is not determined unless a GPC-specific request state was sent and retained. Reviewers should consider organization scope, user region, purpose, vendor role, policy text, footer links, preference-center behavior, GPC-specific scan state, CMP configuration, exemptions, and whether the retained evidence reflects the relevant public user journey.

Confidence semantics: Good when retained evidence includes advertising or sale/share-related review signals, public page context, footer or privacy-link observations, policy or choice-link context, and enough detail for reviewer inspection; stronger when retained evidence also includes state-specific rights path context, GPC-specific request state or preference-center context where retained, repeated observations across pages, and usable coverage. Manual review is still needed for CPRA applicability, sale/share status, opt-out sufficiency, GPC handling, exemptions, and remediation quality.

Top-finding calibration

What must be retained to surface, top-rank, demote, or suppress this finding.

Minimum to surface

  • Advertising, cross-context behavioral advertising, or sale/share review signal plus retained public-surface search with no opt-out path observed.

High confidence requires

  • Footer, policy, CMP, state-rights, and preference-center coverage.

Top ranking requires

  • GPC scan state sent plus likely cross-context behavioral advertising or sale/share context plus no handling/path.

Demote or suppress when

  • Adtech vendor only.
  • No link coverage.
  • No policy coverage.
  • No region/context.

These rules describe ranking calibration for already-projected findings. They do not create findings from raw signals.

Example evidence

Privacy choice review signal

  • artifact=privacy_choice_001
  • role=finding_supporting_artifact
  • url=https://example.com/
  • observed_surface=footer_and_privacy_links
  • advertising_or_cross_context_signal=true [manual_review_recommended]
  • do_not_sell_or_share_link_observed=false
  • state_privacy_choice_link_observed=false
  • privacy_policy_url=https://example.com/privacy
  • gpc_specific_request_state=not_sent_or_not_retained
  • gpc_handling=not_determined
  • review_caveat=manual review should confirm CPRA applicability, sale/share or cross-context behavioral advertising status, opt-out path availability, GPC-specific scan state, exemptions, and regional configuration

Review context

  • possible_source=footer_privacy_links_or_preference_center
  • paths_to_review=footer, privacy_policy, cookie_settings, state_privacy_notice, do_not_sell_or_share, preference_center
  • runtime_context=advertising_or_cross_context_review_signal
  • coverage_status=usable
  • manual_review_needed=true

What should not count by itself

  • adtech_vendor_present=true [insufficient_without_choice_path_context]
  • policy_mentions_california [audit_only_without_runtime_or_link_context]
  • privacy_policy_present=true [insufficient_without_opt_out_path_review]
  • missing_dns_link_claim [insufficient_without_retained_public_surface_evidence]
Redacted sample JSON
{
  "findingId": "cpra_cba_opt_out_missing",
  "label": "CPRA / privacy choice opt-out review signal",
  "category": "Disclosure gaps",
  "criticality": "high",
  "evidenceConfidence": "review_signal",
  "directVsInferred": "absence_observation",
  "evidence": {
    "summary": "Retained public-surface and runtime evidence showed advertising, cross-context behavioral advertising, or sale/share-related review signals without a clearly observed California privacy choice, Do Not Sell or Share, opt-out, or comparable privacy-choice path in the observed scan scope.",
    "examples": [
      {
        "title": "Privacy choice review signal",
        "lines": [
          "artifact=privacy_choice_001",
          "role=finding_supporting_artifact",
          "url=https://example.com/",
          "observed_surface=footer_and_privacy_links",
          "advertising_or_cross_context_signal=true [manual_review_recommended]",
          "do_not_sell_or_share_link_observed=false",
          "state_privacy_choice_link_observed=false",
          "privacy_policy_url=https://example.com/privacy",
          "gpc_specific_request_state=not_sent_or_not_retained",
          "gpc_handling=not_determined",
          "review_caveat=manual review should confirm CPRA applicability, sale/share or cross-context behavioral advertising status, opt-out path availability, GPC-specific scan state, exemptions, and regional configuration"
        ]
      },
      {
        "title": "Review context",
        "lines": [
          "possible_source=footer_privacy_links_or_preference_center",
          "paths_to_review=footer, privacy_policy, cookie_settings, state_privacy_notice, do_not_sell_or_share, preference_center",
          "runtime_context=advertising_or_cross_context_review_signal",
          "coverage_status=usable",
          "manual_review_needed=true"
        ]
      },
      {
        "title": "What should not count by itself",
        "lines": [
          "adtech_vendor_present=true [insufficient_without_choice_path_context]",
          "policy_mentions_california [audit_only_without_runtime_or_link_context]",
          "privacy_policy_present=true [insufficient_without_opt_out_path_review]",
          "missing_dns_link_claim [insufficient_without_retained_public_surface_evidence]"
        ]
      }
    ]
  }
}
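
The following added example (not CertScore's code) parses the `key=value [annotation]` evidence lines shown above and applies the calibration rules to them. The mapping of rules to fields, the `triage` labels, and the treatment of any GPC state other than `not_sent_or_not_retained` as "sent" are assumptions made for illustration.

```python
import re

# Constructed input: evidence lines copied from the page's redacted sample,
# merged from its three example groups into one list.
SAMPLE_LINES = [
    "url=https://example.com/",
    "observed_surface=footer_and_privacy_links",
    "advertising_or_cross_context_signal=true [manual_review_recommended]",
    "do_not_sell_or_share_link_observed=false",
    "state_privacy_choice_link_observed=false",
    "gpc_specific_request_state=not_sent_or_not_retained",
    "coverage_status=usable",
    "adtech_vendor_present=true [insufficient_without_choice_path_context]",
    "policy_mentions_california [audit_only_without_runtime_or_link_context]",
]

# key, optional "=value", optional trailing "[annotation]"
LINE_RE = re.compile(r"^(?P<key>\w+)(?:=(?P<value>.*?))?(?:\s+\[(?P<note>\w+)\])?$")


def parse_evidence(lines):
    """Return {key: (value, note)}; a bare key with no '=' gets value 'true'."""
    parsed = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unparseable evidence line: {line!r}")
        value = m["value"] if m["value"] is not None else "true"
        parsed[m["key"]] = (value, m["note"])
    return parsed


def triage(ev):
    """Assumed mapping of the page's calibration rules onto its sample fields."""
    def val(key):
        value, note = ev.get(key, (None, None))
        # Items the page tags insufficient/audit-only never count by themselves.
        if note and note.startswith(("insufficient_", "audit_only_")):
            return None
        return value

    ad_signal = val("advertising_or_cross_context_signal") == "true"
    surface_ok = val("observed_surface") is not None and val("coverage_status") == "usable"
    # Absence only counts when the flag was retained as an explicit "false".
    no_path = all(val(k) == "false" for k in
                  ("do_not_sell_or_share_link_observed", "state_privacy_choice_link_observed"))
    if not (ad_signal and surface_ok and no_path):
        return "suppress"  # minimum-to-surface not met
    # Top ranking needs a sent-and-retained GPC scan state; how the site handled
    # it is still a manual-review question.
    gpc_state = val("gpc_specific_request_state")
    if gpc_state is not None and gpc_state != "not_sent_or_not_retained":
        return "top_rank_candidate"
    return "surface"


if __name__ == "__main__":
    print(triage(parse_evidence(SAMPLE_LINES)))
```

A link flag that was never retained is treated differently from one retained as `false`, which mirrors the page's point that "not detected" means not observed in scope rather than proof of absence.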

Regulatory review context

California privacy choices: sale/share or cross-context advertising opt-out review

Retained public-surface and runtime evidence showed privacy-choice, advertising, cross-context behavioral advertising, or sale/share-related review signals that may be relevant to CPRA, opt-out, GPC, disclosure, consent, and vendor-governance review. Applicability depends on organization scope, user region, purpose, vendor role, sale/share or cross-context behavioral advertising analysis, exemptions, GPC-specific scan state, and manual review.

  • CPRA Do Not Sell or Share review context
  • Global Privacy Control / privacy-choice honoring review
  • California privacy notice and rights-flow review
  • CCPA/CPRA opt-out / privacy choice review
  • FTC privacy claims / choice architecture review context
  • ePrivacy / consent review where cookies or trackers are connected to the choice interface

Legal and regulatory frameworks

  • CPRA Do Not Sell or Share review context: California users and the observed advertising, cross-context behavioral advertising, sale/share-related, or privacy-choice context may be relevant depending on organization scope, user region, data purpose, vendor role, exemptions, GPC-specific scan state, and manual review.
  • Global Privacy Control / privacy-choice honoring review: GPC handling is relevant only when a GPC-specific request state was sent and retained; otherwise privacy-choice handling requires manual review of retained public-surface evidence, choice paths, and opt-out context.
  • California privacy notice and rights-flow review: Retained policy, footer, preference-center, or privacy-link evidence may require review against the observed runtime or public-surface context.

Jurisdictional contexts

  • CCPA/CPRA opt-out / privacy choice review: California privacy-choice review may be relevant depending on organization scope, user region, data purpose, vendor role, sale/share analysis, cross-context behavioral advertising context, GPC-specific scan state, and exemptions.
  • FTC privacy claims / choice architecture review context: Public privacy statements, consent choices, opt-out paths, or runtime behavior may be relevant to consumer-protection review without determining deception, unfairness, or legal status.
  • ePrivacy / consent review where cookies or trackers are connected to the choice interface: Cookie, tracker, consent, or similar-technology context may be relevant where retained runtime evidence is connected to the privacy-choice interface.

This finding does not determine legal status, CPRA applicability, sale/share status, cross-context behavioral advertising status, opt-out sufficiency, GPC handling, exemption status, or compliance status. GPC handling is not determined unless a GPC-specific request state was sent and retained. Review the retained public-surface evidence, privacy links, policy text, preference-center behavior, runtime context, user region, organization scope, and applicable exemptions.

Evidence standard

Strong

  • Retained evidence includes public page URL, advertising/cross-context/sale-share-related review signal, and scanned public-surface context for privacy or footer links.
  • Retained evidence shows no clearly observed California privacy choice, Do Not Sell or Share, opt-out, or comparable privacy-choice path in the observed scan scope.
  • Evidence includes enough link text, policy heading, footer, CMP, or preference-center context for a reviewer to locate the relevant public choice path manually.
  • Evidence includes runtime or page-surface context that may be relevant to advertising, cross-context behavioral advertising, sale/share, tracking, or vendor governance.
  • Coverage context indicates the relevant public surface was not materially blocked, truncated, or replaced by unrelated overlays.

Good

  • Retained evidence suggests advertising or privacy-choice context and lacks an observed opt-out path, but policy wording, state-specific rights flow, GPC behavior, or preference-center coverage requires manual review.
  • The retained example is enough for a reviewer to inspect footer links, privacy-policy paths, CMP settings, or preference-center behavior manually.
  • The evidence is likely relevant to CPRA/privacy-choice review, but organization scope, sale/share status, cross-context behavioral advertising status, exemptions, and legal interpretation require manual review.

Audit-only

  • Advertising, analytics, or third-party tracking context exists, but retained evidence does not establish sale/share or cross-context behavioral advertising relevance.
  • Policy text references California rights or opt-out concepts, but retained evidence does not show whether the linked choice path is present, absent, or functional.
  • Footer or privacy links exist, but retained evidence lacks enough context to determine whether an opt-out path was discoverable in the scanned scope.

Insufficient

  • Vendor name alone.
  • Third-party request alone without advertising/sale-share/privacy-choice context.
  • Policy text alone without retained public-surface or runtime context.
  • Missing footer link assertion without retained page-surface evidence.
  • Snapshot boolean without retained link, policy, or runtime anchors.
  • Claiming legal status, CPRA applicability, sale/share status, opt-out sufficiency, GPC handling, or compliance status based only on automated evidence.

Evidence levels explain how CertScore treats retained public-surface and runtime artifacts. They are not legal conclusions.

Common causes

  • Footer or privacy navigation lacks a state-specific privacy choice link.
  • Do Not Sell or Share wording exists only inside a policy page and is not discoverable from common public surfaces.
  • CMP or preference-center controls are not connected to California privacy-choice flows.
  • Advertising or cross-context vendor tags are present, but state-specific rights links are not configured for the scanned region or viewport.
  • GPC, opt-out, and cookie-preference flows are implemented separately and not consistently linked.

Recommended review questions

  • Which public page, footer, privacy link, policy page, or preference-center surface was retained?
  • Which advertising, cross-context, sale/share, tracking, or vendor-governance signal made this relevant for review?
  • Was a Do Not Sell or Share, Your Privacy Choices, state privacy rights, opt-out, or comparable link observed?
  • Was the choice path discoverable from the footer, privacy policy, CMP, cookie settings, or preference center?
  • Does the site process data in ways that could be sale/share or cross-context behavioral advertising under applicable context?
  • Does the organization fall within CPRA scope, and do exemptions or thresholds apply?
  • Was a GPC-specific request state sent and retained, or is GPC handling not determined by this scan?
  • Could region, viewport, language, prior consent state, or CMP configuration affect whether the choice path appears?
  • Should privacy and legal review confirm applicability, opt-out sufficiency, GPC handling, exemptions, and remediation quality?

Limitations and cautions

  • This finding is an automated privacy-choice review signal, not a legal conclusion, certification, compliance determination, CPRA applicability determination, sale/share determination, GPC determination, or opt-out failure determination.
  • Automated public-surface checks can identify link, policy, preference-center, CMP, and runtime context, but they may miss authenticated rights flows, region-specific links, GPC handling, preference-center behavior, mobile layouts, A/B tests, localization, and backend preference-state handling.
  • Automated evidence may not determine whether advertising or vendor activity qualifies as sale, sharing, cross-context behavioral advertising, or targeted advertising under applicable law.
  • Manual review is needed to confirm organization scope, applicable law, data purpose, vendor role, public choice paths, GPC handling, exemptions, user region, and remediation quality.
  • CertScore retains representative evidence for review and may not list every privacy path, footer variant, policy page, preference-center state, or regional configuration.
  • Findings should be evaluated with implementation context and applicable privacy, consent, accessibility, and consumer-protection requirements before operational or legal reliance.
  • Automated findings may contain errors and should be reviewed with the retained evidence.
  • Not detected means not observed in the scan scope; it is not proof of absence.
  • Findings are runtime evidence and public-surface observations for review, not legal conclusions.

Reference notes

  • CertScore uses findings, evidence, signals, and observations consistently: signals are raw runtime or page-surface events, evidence is retained support, observations are interpreted evidence context, and findings are promoted review items.
  • Findings are runtime evidence and public-surface observations for review. Observed signals may surface possible concerns, but review is recommended before operational or legal reliance.
  • Finding reference content is reviewed periodically and updated when material guidance changes. CertScore monitors guidance families such as EDPB consent and ePrivacy materials, ICO cookie guidance, CNIL tracker recommendations, FTC privacy and dark-pattern materials, and relevant accessibility guidance where applicable.
  • CPRA opt-out, Do Not Sell or Share, and privacy-choice obligations may depend on organization scope, user region, data purpose, sale/share analysis, cross-context behavioral advertising context, exemptions, and manual review.
  • GPC handling may require region-specific and implementation-specific review; this public finding does not determine backend preference handling.
  • FTC privacy claims and choice-architecture materials may be relevant where public statements, opt-out paths, or runtime behavior affect user expectations, but this finding does not determine deception, unfairness, legal status, or compliance status.
  • Prevalence labels use the Tranco top 1-2500 calibration set, an approximately 2,505-scan directional calibration set.