Sale and Sharing of Personal Information for Advertising

What it is

The policy states that Target shares personal information including identifiers, browsing activity, and purchase history with advertising and social media companies, and acknowledges this activity may constitute a 'sale' or 'sharing' under state privacy laws, with an opt-out right provided.

Why it matters (compliance & governance perspective)

This provision triggers opt-out rights under CCPA/CPRA and analogous statutes in Colorado, Connecticut, Virginia, Texas, and other states; the terms require Target to process opt-out requests within 15 business days under CPRA and to honor Global Privacy Control signals, creating ongoing operational compliance obligations.

Consumer impact (what this means for users)

This provision establishes that Target shares consumer personal information with advertising partners and social media platforms for targeted advertising purposes, and consumers in California and several other states have the right to opt out of this sharing by using the opt-out link in the website footer or by enabling a GPC-compatible browser.

What you can do

Institutional analysis (Compliance & governance intelligence)

1. REGULATORY LANDSCAPE: This provision is directly regulated by the CCPA as amended by CPRA, enforced by the California Privacy Protection Agency (CPPA) and California Attorney General, as well as analogous state privacy statutes in Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Texas (TDPSA), Oregon, Montana, and others. The FTC Act governs deceptive representations about data sharing practices. CPRA regulations specify that opt-out requests must be honored within 15 business days and that GPC signals must be treated as valid opt-out requests. 2. GOVERNANCE EXPOSURE: High. The acknowledgment that data sharing with advertising partners may constitute a 'sale' or 'sharing' under state law requires functional, tested opt-out infrastructure across all digital surfaces. Failure to honor GPC signals consistently or to process opt-out requests within required timelines creates enforcement exposure with the CPPA, which has issued enforcement actions against companies for GPC non-compliance. 3. JURISDICTION FLAGS: California creates the most immediate exposure given CPPA enforcement authority and active regulatory posture on GPC compliance. Colorado, Connecticut, and Virginia create additional opt-out obligation compliance requirements. Illinois consumers may have additional rights if shared data includes inferences used for targeting. 4. CONTRACT AND VENDOR IMPLICATIONS: Advertising partners and social media platforms receiving personal information must be structured as third parties (not service providers) if they receive data for their own advertising purposes, meaning Target cannot restrict their further use under service provider contract terms alone. Data sharing agreements with these entities should be reviewed to confirm they do not create additional CPRA liability through onward transfer. 5. COMPLIANCE CONSIDERATIONS: Compliance teams should verify that: GPC signals are recognized and honored across all Target web properties; opt-out requests submitted via the footer link and privacy portal are processed within 15-business-day CPRA timelines; advertising tag configurations are audited to confirm that opted-out consumers' data is not transmitted to advertising partners; and contractual documentation with advertising partners reflects third-party (rather than service provider) status where appropriate.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Biometric Identifier Collection high
• Precise Geolocation Collection medium
• California and Multi-State Privacy Rights medium
• Target Plus Marketplace Seller Data Sharing medium
• Loyalty and Partner Program Data Sharing medium
• Inferences and Sensitive Personal Information Collection medium

Related Analysis

• Meta Removed 438 Sentences From Its Privacy Policy. Here Is What Disappeared.

  ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.

• 23andMe Is Bankrupt. What Happens to Your DNA Now?

  Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.