If you have a website for your business, you are probably collecting personal information such as names, email addresses, phone numbers and IP addresses. In fact, most modern websites will collect at least some of this information through features such as contact forms, email newsletter subscription forms, analytics or advertising. Many privacy laws that require websites that collect personal information to have a Privacy Policy also require that Privacy Policy to state whether this personal information is shared or sold. Naturally, as the business owner, you may be wondering whether you are actually sharing or selling the personal information that you collect and what the difference is between sharing vs. selling. You may even be 100% sure that you would never share the personal information with anyone outside of your company, nor sell it. However, you may be surprised by the fact that most small business websites actually share personal information and that the definition of “sale” is much more broad than you may initially think. In this article, we will break down sharing vs. selling personal information so that you can accurately determine whether you engage in such actions. Doing so will also help you make sure that your Privacy Policy properly reflects your business and privacy practices.
Are you sharing personal information?
“Sharing” personal information means sending that personal information to any third party (i.e. anyone outside of your business). When asked whether they share personal information, most small business owners will provide a resounding answer of “no.” However, most website features actually require the sharing of personal information with third parties to actually work.
Below are some common examples of sharing personal information:
- When a customer submits a contact form, the business owner receives an email with the customer’s contact information and questions. The contact information has been shared with the email service provider (e.g. Gmail) and the CMS (e.g. WordPress, which can store a copy of the form and the personal information within that form);
- When a customer subscribes to an email newsletter, their contact information is often shared with a third party email marketing tool such as MailChimp or ConstantContact, which store that customer’s name and email address to send them email marketing in the future;
- When a customer places an order for a physical product, their names and physical addresses are shared with the shipping company (e.g. USPS or FedEx) to ship them their order;
- When a business uses a website design firm, the website designer may log in to the website to troubleshoot issues and see customer personal information stored on the CMS. This means that the personal information has been shared with the website design firm;
- When a customer uses a website that has analytics features installed (e.g. Google Analytics or Hotjar Analytics), their personal information such as IP address will be shared with the analytics provider to analyze the analytics;
- When a customer interacts with an embedded social media feature such as a list of Tweets or Facebook posts on your website, that customer’s personal information will be shared with the social media company.
As you can see from the above, any time that your website visitors’ personal information is provided to a third party, that would be considered the “sharing” of that personal information. The fact is that sharing personal information is extremely common and is not necessarily a bad thing. However, if you do share personal information (chances are that you do), you must disclose this accurately within your Privacy Policy. Your Privacy Policy will need to include this disclosure if the following privacy laws apply to you:
- California Online Privacy and Protection Act of 2003 (CalOPPA);
- California Privacy Rights Act (CPRA);
- Nevada Revised Statutes Chapter 603A;
- Delaware Online Privacy and Protection Act (DOPPA);
- Virginia Consumer Data Protection Act (VCDPA);
- Colorado Privacy Act;
- Utah Consumer Privacy Act (UCPA);
- Connecticut SB6;
- Iowa SF262 (effective January 1, 2025);
- Indiana SB5 (effective July 1, 2026);
- Tennessee Information Protection Act (TIPA – effective July 1, 2025);
- Montana Consumer Data Privacy Act (MCDPA – effective October 1, 2024);
- Texas Data Privacy and Security Act (TDPSA – effective July 1, 2024);
- Oregon Consumer Privacy Act (effective July 1, 2024);
- Delaware Personal Data Privacy Act (DPDPA – effective January 1, 2025);
- NJ SB332 (effective January 16, 2025);
- New Hampshire SB 255 (effective January 1, 2025);
- General Data Protection Regulation (GDPR);
- United Kingdom Data Protection Act (UK DPA);
- Personal Information Protection and Electronic Documents Act (PIPEDA);
- Quebec Law 25;
- Australia Privacy Act of 1988.
In addition, if you do share personal information, your Privacy Policy will also need to list the categories of third parties with whom you share that personal information.
Are you selling personal information?
While sharing personal information is very common, selling personal information used to be much more rare. This is due to the fact that different privacy laws define the sale of personal information in different ways. For example, Nevada Revised Statutes Chapter 603A defines the sale of personal information as “the exchange of the personal information for monetary consideration by the operator of the website to a person to sell or license the personal information to additional persons.” This means that to sell personal information, you would need to package it into a list (e.g. a list of email addresses) and sell it to a third party such as a data broker who will give you money for the list. Under this definition, most small businesses do not sell personal information.
However, the sale of personal information can also be defined more broadly by other privacy laws changing it from an exchange of money to an exchange of anything valuable. For example, the California Privacy Rights Act (CPRA) defines the sale of personal information as “selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing, or by electronic means, a consumer’s personal information by the business for monetary or other valuable consideration.” For example, if you use Facebook advertising on your website and thus exchange personal information for more valuable advertising insights (e.g. who clicked on your ad), that may be considered a “sale” as you are receiving a valuable service in exchange for personal information. This means that under certain privacy laws, sharing and selling may actually mean the same thing in practice due to how broadly selling personal information is defined.
Your Privacy Policy must disclose whether you sell personal information if the following privacy laws apply to you:
- California Online Privacy and Protection Act of 2003 (CalOPPA);
- California Privacy Rights Act (CPRA);
- Nevada Revised Statutes Chapter 603A;
- Delaware Online Privacy and Protection Act (DOPPA);
- Virginia Consumer Data Protection Act (VCDPA);
- Colorado Privacy Act;
- Utah Consumer Privacy Act (UCPA);
- Connecticut SB6;
- General Data Protection Regulation (GDPR);
- United Kingdom Data Protection Act (UK DPA);
- Personal Information Protection and Electronic Documents Act (PIPEDA);
- Quebec Law 25;
- Australia Privacy Act of 1988.
If you do sell personal information, your Privacy Policy may also need to state the categories or names of the third parties who you sold it to as well as how consumers may opt out of the sale of their personal information.
As you can see from the above, while most small businesses do share personal information, most do not sell it (although some actions may be considered a sale under a broad definition). Regardless of whether you sell or share personal information though, you should ensure that your Privacy Policy clearly informs your website visitors of these practices. If you do not currently have a Privacy Policy or your Privacy Policy is not up to date with the latest legislation, make sure to check out the Termageddon Privacy Policy generator today.
