Benchmark Your Company’s Handling of Personal Data. Click here for your free Privacy Grade. Read more about PrivacyGrader in our recent TechCrunch coverage.

X

What Constitutes a “Sale” of Privacy Information under CPRA/CCPA?

The California Consumer Privacy Act (CCPA) that went into effect on January 1, 2020 and the recently approved California Privacy Rights Act (CPRA) that will supersede CCPA come 2023, are applicable to any for-profit business in California that meets any one of the following thresholds:

  • Annual gross revenue in excess of $25 million
  • Buying, receiving or selling personal information of more than 50,000 consumers or households (expanded to 100,000 under CPRA)
  • Earning more than half of your annual revenue from selling personal information

If your revenue is less than $25 million, your customer base doesn’t exceed the threshold for the number of consumers or households, and you’re not earning revenue by selling personal information, you probably think that your business is exempt. However, under CPRA/CCPA, the definition of “selling” is not confined to the classic sense of the word but rather is broadly defined. That means you could technically be selling personal information, even if you don’t think you are. It’s therefore important to know what constitutes a “sale.” 

What’s in a Word?

CCPA/CPRA defines a “sale” of privacy information as “selling, renting, releasing, disclosing, disseminating, making available, transferring or communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or their party for monetary or other valuable consideration.” 

While this remains a vague aspect of the law, one can conclude based on the definition that even if your business is not directly being paid for consumer personal information (i.e., name, social security number, email or IP address, Internet browsing history, etc.), any such information that you make available by other means could still be considered a sale if you’re receiving “valuable consideration” in return. But what exactly is valuable consideration?

California law defines valuable consideration as any benefit, meaning it can be non-monetary such as assets, inventory, a service, discounts, promotion, or intellectual property. Really any tangible or nontangible business asset can potentially have valuable consideration. This includes targeted advertising based on a consumer’s behavior or preferences acquired via Internet analytics or tracking cookies. But there are exceptions.

Exceptions to Every Rule

First of all, under CCPA/CPRA, “selling” only refers to providing privacy data to third parties, which does not include service providers or contractors that perform a service required for your business to function. For example, if in selling your product or service, you provide personal information to a credit check bureau or fraud detection service to protect your business, this does not constitute a sale. In this scenario, service providers and contactors are also prohibited from “selling” personal information, and it’s up to you to ensure this requirement is covered in any terms and conditions. 

Another exception to disseminating privacy data occurs if your business has previously provided personal information to third-party entities and a customer then chooses to opt out—you’ll need to provide that customer’s identification information (i.e., email, account numbers, etc.) to third parties so they too can comply with the opt-out request. Additionally, if you’re selling assets as part of a business merger or acquisition to a third party that will take over control of the business, the transfer of personal information does not constitute a sale. And of course, if a consumer opts in, disseminating that user’s personal information also does not constitute a sale.

How Can You Be Sure?

At this time, it remains somewhat unclear as to whether all disclosures of personal information to third parties constitutes a “sale” under CCPA/CPRA. As specific legal cases arise and the California Privacy Protection Agency (CPPA) ramps up audits, enforcement, and education, it may become increasingly clear what constitutes a sale, but that doesn’t mean compliance can be put off until tomorrow. Rather than waiting for clarification and risking the penalties of non-compliance, any business handling privacy data would be wise to assess their risk today. And in today’s data-driven economy where information drives business decisions, it’s more than likely that you’re handling personal information.  

With cybersecurity attacks on the rise and users becoming increasingly concerned about how their data is used, you need to be sure that you’re maintaining consumer trust. To that end, it is recommended to engage with CCPA/CPRA legal and data experts to conduct a thorough data mapping that identifies all the ways your business systems acquire and disseminate personal information. These experts can help assess your risk and implement necessary orchestration policies and procedures to prevent any potential non-compliant “sale” of information. Because even if your business is unknowingly selling information per the definition of CCPA/CPRA, you can be held liable. 

CCPA/CPRA privacy data compliance is complicated. But with Ketch, it doesn’t have to be. Learn how we can help your business with data privacy today to reduce your risk tomorrow.

Are You Complying with CPRA/CCPA Opt-Out Rights?

Under the California Consumer Privacy Act (CCPA) that went into effect on January 1, 2020 and the recently approved California Privacy Rights Act (CPRA) that will supersede CCPA come 2023, California residents have the right to opt-out of a business selling or sharing any of their personal information.

That means that if you are a for-profit entity with an annual gross revenue in excess of $25 million and handling personal information of more than 100,000 California consumers or households, you are required by law to provide a clear and conspicuous way for your customers to opt-out. But what exactly does the right to opt out mean, how is it implemented, and how can you ensure your business complies?

What Does it Mean?

When you give customers the option to opt out, it limits the extent to which your company can sell or share a customers’ personal information. Under CCPA/CPRA, personal information is considered any information that identifies, relates to, or could be linked to an individual or household. This includes information like name, social security number, email or IP address, Internet browsing history, product purchases, geolocation data, and professional or employment-related information—essentially any information that is not publicly available via federal, state or local government records. According to Section 1798.140 of the CCPA, personal information also includes any information used to create a customer profile that reflects preferences, characteristics, behavior, or attitude.

The opt-out requirement doesn’t preclude you from collecting personal information in the normal course of doing business. After all, your business needs personal data to fulfill purchases and enable transactions. Opting out just means that you can’t sell or share this information with any other entity—unless it is a service provider that is necessary to perform a business function. 

It’s important to note that any disclosing of personal information deemed as providing monetary or other valuable consideration is considered a “sale” under CCPA. While often disputed, this broad definition includes the use of third-party advertising and analytics cookies that track a user’s browsing behavior. This does not apply to first-party cookies required to perform essential functions on your website, like remembering which products a customer has placed into an online shopping cart. 

How is it Implemented?

Under CCPA/CPRA, businesses needing to comply must provide two or more methods for submitting requests to opt-out, including an interactive form accessible via a clear and conspicuous “Do Not Sell or Share My Personal Information” link on the business’ homepage. Other acceptable methods include a toll-free phone number, designated email address, forms submitted in person or by mail, and user-enabled privacy controls such as a browser plugins or settings.

One way of providing an opt-out method is via an interactive cookie banner on a website that allows users to decline or accept any non-essential cookies that collect personal information. Some also get a bit more specific and allows users to select only necessary cookies that enable core functionality to help improve the customer experience while preventing the sale or sharing of data for marketing analytics or targeted advertising. 

CCPA/CPRA also has more restrictive “opt-in” requirements for children. This means that businesses cannot sell or share personal information for consumers less than 16 years of age without specific affirmative consent, with parental consent required for anyone under the age of 13. Unlike the opt-out option, opting in means that consumers are opted out by default and must take action to opt in. While this is contingent upon the business having knowledge of the age of the consumer, CCPA/CPRA does not allow a business to deliberately disregard a consumer’s age. Any business that targets children would therefore be wise to only use the “opt-in” option or implement a means to identify age to turn off any default selling or sharing of information for anyone under 16. 

A privacy policy is also mandatory under CCPA/CPRA Per CCPA/CPRA, and to collect any personal information, businesses must provide notice or disclosure about information being collected and for what purpose at or before the point of collection. If a business wants to collect different personal information than what was originally disclosed, they must provide a new notice. It therefore makes sense for privacy policies provided at the first point of collection to be broad enough to cover all information being collected. Businesses can meet the notice/disclosure requirement by providing a link to their privacy policy as part of an initial cookie banner. 

How Can You Ensure Compliance?

While providing customers with the option to opt out may seem straightforward, it isn’t enough to just include an opt-out option and privacy policy on your website—you also must immediately stop selling or sharing personal information as soon as a user chooses to opt out. You also need to wait a year before requesting authorization to once again sell or share their personal information. And if you are the third party purchasing information, it’s your responsibility to ensure that the data is from individuals who were given the opt-out option and clearly chose to opt in.

It is also recommended to conduct a thorough data mapping to identify all the ways your business and its systems handle personal information. This can help you determine if any third-party cookies are enabled on your website or if any of your data handling constitutes selling or sharing personal information. Because even if you think you aren’t selling or sharing personal information, it’s not always as obvious as disclosing data to third-party advertisers—think credit checking, identify verification services and other cloud-based services. And if you are unknowingly selling or sharing personal information, you’re still liable. 


To see just how compliant (or not) your business is with CCPA/CPRA opt-out rights, start with a free assessment of your website at www.privacygrader.com.