The California Consumer Privacy Act (“CCPA”) will be enforced by the California Attorney General beginning July 1st, 2020. Until then, companies required to comply with the CCPA will have to establish a clear understanding of seemingly unambiguous terms, including the definition of what it means to be selling personal information.
This article will discuss the following topics:
- What does it mean to sell information under the CCPA?
- Exceptions to sales under the CCPA
- Tracking sales of personal information
- Complying with the CCPA when selling personal information
What does it mean to sell information under the CCPA?:
A “sale” as defined by the CCPA includes “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic means, a consumer’s personal information by the business to another business or third party for monetary or other valuable consideration.”
On its face, this definition appears to be rather broad. In addition to exchanges of personal information for monetary compensation, a sale encompasses the disclosure, transferring, or communication of personal information to another business or third party for “other valuable consideration.” For covered entities under the CCPA, it is critical to understand that a broad range of exchanges of personal information will qualify as sales.
So what constitutes “other valuable consideration” as found in the definition of a sale? The CCPA does not define the phrase, although standard contract law may offer some hints. Essentially, consideration is exchanged whenever the transferor of personal information receives a “benefit” that it is entitled to under a contract.
To illustrate, imagine a business employs a third party’s cookie technology on its website. The information collected from the cookies is protected personal information under the CCPA. If the business allows the third party to access and collect this personal information pursuant to a contract, this too may constitute a “sale” of personal information. To date, the California Attorney General has not released any guidance pertaining to how a business’s use of cookie technology may result in sales of personal information. Until additional guidance is provided, businesses should review their cookie technology usage as well as identify the third parties, if any, that have access to the information collected by the cookies.
Exceptions to sales under the CCPA:
Although the definition of a sale of personal information may be broad, there are notable exceptions under the CCPA. For example, should a consumer instruct a business to disclose her personal information to a third party, a sale has not occurred.
Additionally, businesses that disclose a consumer’s personal information to service providers have not engaged in a sale so long as: (1) the exchange is necessary to perform a business purpose; (2) the service provider is performing a function on the business’s behalf; and (3) the service provider otherwise refrains from selling the personal information. Under the CCPA, a “service provider” is defined as a “sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that . . . processes information on behalf of a business and [receives] a consumer’s personal information for a business purpose pursuant to a written contract.” The contract must prohibit the service provider from “retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business.”
Lastly, businesses that transfer personal information to third parties pursuant to a merger, acquisition, bankruptcy, or other transaction have not engaged in a sale of personal information, provided that the personal information is used or shared consistently with the business’s prior disclosures to the consumer.
Tracking sales of personal information:
To correctly identify whether a sale of personal information has occurred, businesses will need to critically assess the personal information’s “life cycle,” specifically who has access to the information and how that information is exchanged. To that end, creating a data inventory, defined as a method of documenting the flow of data in transit and storage, would help businesses identify the following:
(1) the third-parties that receive the personal information from the business;
(2) what personal information is included in those exchanges; and
(3) the contracts, if any, that govern those exchanges of personal information.
Ultimately, businesses that utilize data inventories will be in a better position to determine whether it has engaged in a sale of personal information with third parties. Mapping out the data’s life cycle will allow businesses to develop a clear picture of the data they are responsible for handling, in addition to keeping track of potentially large amounts of contractual relationships that govern the disclosure of personal information. As will be discussed, organizations with a comprehensive understanding of the data’s life cycle will be better situated to comply with the CCPA’s requirements regarding sales of personal information.
Complying with the CCPA when selling personal information:
Why is it so important for businesses to identify when they are engaged in sales of personal information? Two provisions under the CCPA are important to consider.
The first provision is Section 1798.120, which expressly states that consumers may “opt-out” of the sale of their personal information to third parties. After receiving an opt-out request from the consumer, businesses must cease the sale of the personal information to third parties.
The second provision is 1798.135, which details how businesses must comply with the right to opt-out. This provision requires covered entities under the CCPA to provide a clear and conspicuous link on their website entitled “Do Not Sell My Personal Information.” Consumers may click on this link to opt-out of the sale of their personal information.
To comply with opt-out requests, it is critical for businesses to have a comprehensive understanding of what qualifies as a sale of personal information. Referring back to the discussion of data inventories, businesses must be fully informed of the personal information they collect, where it is located, and who has access to it. This will aid in correctly identifying sales of personal information, thus allowing the business to respond accordingly.
Tyler is a third year law student attending Seton Hall University School of Law. He is a Certified Information Privacy Professional (CIPP/U.S.) as well as the Founder and President of the Cybersecurity and Privacy Society of his law school, a student organization dedicated to exploring major legal issues in all things technology, from data privacy to Artificial Intelligence. The organization is also dedicated to helping law students find career opportunities in the growing fields of cybersecurity and privacy.