Third-Party Data Sharing Under US State Privacy Laws: Rules, Requirements, and Compliance Guide
Every US state privacy law regulates how businesses share consumer personal data with third parties. Whether you call it “selling,” “sharing,” or “disclosing,” the rules are clear: consumers have the right to know who gets their data and to say no. In 2026, with 21 state privacy laws now in effect, the obligations around third-party data sharing have never been more complex — or more aggressively enforced.
This guide breaks down exactly what “third-party data sharing” means under US state privacy laws, what your obligations are, and how to build a compliant data-sharing program. Use our Privacy Law Calculator to determine which state laws apply to your business before diving in.
What Counts as “Third-Party Data Sharing” Under State Privacy Laws?
State privacy laws use different terms for what most businesses think of as “sharing data with third parties.” Understanding these distinctions is critical because each term carries different obligations:
- Sale of personal data — Most state laws define “sale” broadly as exchanging personal data for monetary or other valuable consideration. Under California’s CCPA/CPRA, this includes data broker transactions, ad-tech data exchanges, and even some analytics arrangements. All 21 state laws give consumers the right to opt out of sales.
- Sharing for cross-context behavioral advertising — California uniquely distinguishes “sharing” from “selling.” Sharing covers disclosing personal information to a third party for targeted advertising, even without monetary exchange. This is why passing data to advertising partners through tracking pixels triggers CCPA obligations.
- Targeted advertising — Most non-California state laws (Virginia, Colorado, Connecticut, and others) use “targeted advertising” as the key concept instead of “sharing.” Consumers can opt out of having their data used for ads based on their activities across different websites or applications.
- Disclosure to processors vs. third parties — All state laws distinguish between “processors” (who handle data on your behalf under a contract) and true “third parties” (who use data for their own purposes). Sharing with processors is generally permitted, but you must have a data processing agreement in place.
The Three Consumer Opt-Out Rights That Govern Data Sharing
Across all 21 state privacy laws, consumers have three overlapping opt-out rights that directly affect third-party data sharing:
1. Right to Opt Out of Sale
Every state privacy law gives consumers the right to tell businesses: “Stop selling my personal data.” This is the most fundamental restriction on third-party data sharing. Under California law, the iconic “Do Not Sell My Personal Information” link is required on your website. Our Opt-Out Link Generator can help you create compliant opt-out mechanisms.
2. Right to Opt Out of Targeted Advertising
Virginia, Colorado, Connecticut, and 16 other states give consumers the right to opt out of targeted advertising specifically. This means even if you don’t technically “sell” data, passing personal information to ad networks for behavioral targeting requires honoring consumer opt-outs.
3. Right to Opt Out via Universal Opt-Out Mechanisms
An increasing number of states now require businesses to honor universal opt-out mechanisms like Global Privacy Control (GPC). California, Colorado, Connecticut, Montana, Texas, Delaware, Oregon, Nebraska, New Hampshire, and New Jersey all mandate GPC compliance. Check your obligations with our GPC Compliance Checker.
State-by-State Data Sharing Requirements: Key Differences
While the 21 state privacy laws share a common framework, important differences affect how you handle third-party data sharing. Use our State Law Comparison Tool to see these side by side.
California (CCPA/CPRA) — The Strictest Standard
California goes further than any other state in regulating third-party data sharing:
- Broadest definition of “sale” and a separate category of “sharing” for cross-context behavioral advertising
- Mandatory “Do Not Sell or Share” link on websites
- Must honor Global Privacy Control signals
- Restrictions on sharing data of consumers under 16 (opt-in required for minors)
- The Delete Act adds special obligations for data brokers
The Disney enforcement action ($2.75M settlement) showed that failing to apply opt-out requests across all linked services constitutes a violation. See our Disney settlement analysis.
Maryland (MODPA) — Data Minimization Changes Everything
Maryland’s Online Data Privacy Act, which began enforcement on April 1, 2026, is the first US state law to require data minimization for third-party sharing. You cannot share more data than is “reasonably necessary and proportionate” for the disclosed purpose. This effectively limits what you can share with third parties even if the consumer hasn’t opted out. Read our Maryland MODPA enforcement guide for details.
States with Universal Opt-Out Requirements
Ten states now require businesses to honor browser-based opt-out signals (GPC): California, Colorado, Connecticut, Montana, Texas, Delaware, Oregon, Nebraska, New Hampshire, and New Jersey. In these states, a consumer’s GPC signal must be treated as a valid opt-out of both sale and targeted advertising — no additional action required from the consumer.
States with Cure Periods
If you discover you’ve been sharing data in violation of a state law, some states still give you time to fix the problem before penalties apply. But these cure periods are disappearing — Colorado, Connecticut, Montana, and Oregon have already eliminated theirs. Virginia and most other states still provide a 30- or 60-day cure period.
Building a Compliant Third-Party Data Sharing Program
Follow these five steps to bring your data sharing practices into compliance across all applicable state laws:
Step 1: Map Your Data Flows
Before you can comply, you need to know exactly where consumer data goes. Document every third party that receives personal data from your systems, including:
- Advertising and analytics partners (Google Analytics, Meta Pixel, ad networks)
- Data brokers and list vendors
- Marketing automation platforms
- Payment processors and fraud prevention services
- Cloud service providers and hosting companies
- CRM and customer service tools
Step 2: Classify Each Relationship
For each third party, determine whether the relationship is a “processor” arrangement (they act on your instructions under contract) or a true “third-party” arrangement (they use data for their own purposes). This classification determines your obligations:
- Processors: Require a data processing agreement. Consumer opt-out rights generally don’t apply because the processor acts on your behalf.
- Third parties: Consumer opt-out rights apply. You must provide mechanisms for consumers to stop the sharing, and you must honor universal opt-out signals in applicable states.
Step 3: Implement Opt-Out Mechanisms
At a minimum, you need:
- A “Do Not Sell or Share My Personal Information” link on your website (required in California; good practice everywhere)
- GPC signal detection and honoring (required in 10 states)
- A process to propagate opt-out requests to all downstream third parties
- A mechanism to verify that third parties actually stop processing opted-out consumers’ data
Our Opt-Out Link Generator creates compliant opt-out page templates and GPC detection code.
Step 4: Execute Data Processing Agreements
Every state privacy law requires contractual safeguards when you share data with processors. A compliant data processing agreement must include:
- Clear instructions on what the processor may do with the data
- Confidentiality obligations
- Deletion or return of data upon termination
- Right for you to audit the processor’s compliance
- Prohibition on the processor combining your data with data from other sources
Step 5: Update Your Privacy Policy
Your privacy policy must disclose the categories of third parties that receive personal data, the purposes for sharing, and how consumers can opt out. Check your policy against state-specific requirements using our privacy policy requirements guide.
Enforcement Trends: Third-Party Data Sharing Under the Microscope
Third-party data sharing is the most-enforced area of US state privacy law in 2026. Recent enforcement actions make clear that regulators are watching:
- Disney ($2.75M) — Failed to propagate opt-out requests across linked streaming services. The AG found that opting out on one Disney platform did not stop data sharing on others.
- PlayOn Sports ($1.1M) — Shared student and parent data with advertising partners through tracking technologies without providing an effective opt-out mechanism. See our analysis.
- Ford ($375K) — Required email verification to process opt-out requests, adding unnecessary friction to the opt-out process.
- Tilting Point ($500K) — Mobile game developer fined for sharing children’s data with third-party ad networks.
See our Enforcement Actions Database for the full list of privacy enforcement actions and fines.
Common Mistakes to Avoid
- Treating all third-party relationships as “processor” arrangements — If a vendor uses your customer data for their own analytics, product improvement, or ad targeting, they are a third party, not a processor — regardless of what the contract says.
- Honoring opt-outs only at the cookie level — Opt-out rights extend beyond cookies to any form of data sharing, including server-to-server data transfers, offline data sales, and API-based integrations.
- Ignoring GPC signals — In 10 states, ignoring GPC is a per-consumer, per-pageview violation. The California AG’s GPC enforcement sweep has already resulted in dozens of compliance letters.
- Assuming consent equals compliance — Under US state privacy laws, the default is opt-out, not opt-in. A pre-checked “I agree to data sharing” box does not satisfy opt-out obligations.
- Failing to verify downstream compliance — You are responsible for ensuring that third parties honor the opt-out requests you pass through. Build verification into your vendor management process.
Frequently Asked Questions
What is third-party data sharing under US privacy law?
Third-party data sharing refers to disclosing, selling, or otherwise transferring consumer personal data to an entity that is not the business that collected it and is not acting as a processor under contract. Under US state privacy laws, consumers have the right to opt out of most forms of third-party data sharing, particularly when data is sold or used for targeted advertising.
Do I need consumer consent to share data with third parties?
Under most US state privacy laws, you do not need affirmative consent (opt-in) for general third-party data sharing — but you must provide consumers the ability to opt out. There are exceptions: sharing sensitive data categories (health, biometrics, precise geolocation, children’s data) typically requires opt-in consent. Maryland’s data minimization requirement also limits sharing regardless of consent.
What is the difference between a processor and a third party?
A processor handles personal data on your behalf, under your instructions, governed by a contract. A third party receives data and uses it for their own independent purposes. The distinction matters because consumer opt-out rights generally apply to third-party sharing but not to processor arrangements. The key test: does the recipient determine the purposes and means of processing, or do you?
How do I handle third-party data sharing across multiple states?
The most practical approach is to implement the strictest standard (California’s) as your baseline and then layer on state-specific requirements. Use our Privacy Law Calculator to determine which states apply to your business, and our Comparison Tool to identify differences in opt-out requirements, cure periods, and enforcement mechanisms.
What penalties can I face for non-compliant data sharing?
Penalties vary by state: California imposes up to $7,500 per intentional violation, while most other states range from $7,500 to $25,000 per violation. In practice, fines for data sharing violations have ranged from $375,000 (Ford) to $2.75 million (Disney). See our penalties guide for the full breakdown.
Last updated: March 29, 2026.
Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.