The headline provision of the California Consumer Privacy Act (CCPA/CPRA) is the "right to opt out": the right of consumers to object to the sale of their personal information.
Since the CCPA came into force, its broad scope has become increasingly clear. And then the CPRA amended the CCPA by expanding it even further. Big tech firms like Facebook and Google have been adjusting their business practices to ensure they are compliant with the new standard of privacy in the United States.
In this article, we'll look at the steps you must take if you sell consumers' personal information, to help ensure you are CCPA/CPRA-compliant.
- 1. Are You Selling Personal Information?
- 2. How to Avoid "Selling" Personal Information
- 2.1. Getting Express Consent
- 2.2. Setting Up a Service Provider Contract
- 3. Steps to Take Before Selling Personal Information
- 3.1. Update Your Privacy Policy
- 3.2. Set Up a "Do Not Sell My Personal Information" Page
- 4. Provide Another Designated Opt-Out Method
- 5. Facilitate Requests Under the "Right to Know"
- 6. Ensure You Obtain Opt-In Consent From Minors
- 7. Note for Companies Undergoing a Merger, Acquisition, or Bankruptcy
- 8. Summary
Are You Selling Personal Information?
The CCPA (CPRA) has a very broad definition of "sale" that has caught some businesses by surprise. You might be "selling" personal information without even realizing it.
Here's the core definition of "sale," at Section 1798.140 (t) (1):
We can break this definition down into three parts:
- Communicating personal information
- To a third party
- For "valuable consideration"
The CCPA (CPRA) provides the following examples of "communication":
- Selling
- Renting
- Releasing
- Disclosing
- Disseminating
- Making available
- Transferring
- Otherwise communicating
In other words, communicating personal information via any means might constitute "selling" it. It all depends on the nature of the recipient, and what you receive in return.
If you receive money in exchange for a consumer's personal information, this is clearly a sale. But the CCPA (CPRA) states that receiving any type of "valuable consideration" in exchange for personal information can also give rise to a sale.
Practically any benefit you receive in exchange for personal information can constitute "valuable consideration," including increased publicity, improved sales, or better knowledge of your users' activities (e.g. via analytics insights).
This means that using third-party cookies can almost certainly constitute selling personal information.
How to Avoid "Selling" Personal Information
You can avoid jumping through several of the CCPA/CPRA's hoops if you adjust your business practices to avoid "selling" personal information altogether.
It is possible to exchange personal information for valuable consideration without selling it. You can achieve this by ensuring that the exchange falls under one of the CCPA/CPRA's exemptions.
Getting Express Consent
An important exemption from the CCPA/CPRA's definition of "sale," at Section 1798.140 (t) (2) (A), applies where the consumer directs a business to disclose their personal information:
To comply with this exemption you would need to ensure that you have the express consent of the consumer, demonstrated via "one or more deliberate actions" that do not include "hovering over, muting, pausing or closing a given piece of content."
Clicking "agree" on a GDPR-compliant cookie banner may be sufficient for a consumer to demonstrate that they have "directed [your] business to intentionally disclose [their] personal information."
Note that the third party to whom you disclose the personal information may not sell it. You would need to set up a contract with the receiving party to make this clear.
Setting Up a Service Provider Contract
If you disclose personal information for business purposes to a service provider, this does not count as a sale.
There must be a contract between your business and the service provider, warranting that the service provider will not use, disclose, or retain the personal information for any purpose other than that stipulated in the contract.
Your intended use of the personal information must fall within one of the CCPA/CPRA's "business purposes." One of the CCPA/CPRA's enumerated business purposes is "performing services on behalf of the business," including "marketing or advertising" and "analytics."
You must ensure that you notify consumers before sharing their personal information for business purposes.
To qualify as a "disclosure for business purposes" rather than a "sale," your use of the personal information must be:
- Reasonably necessary and proportionate to achieve the operational purposes for which you collected the personal information, or
- Compatible with the purpose for which you collected the personal information
Steps to Take Before Selling Personal Information
If you've determined that you are selling personal information and can't rely on an exemption, here are the steps you need to take to help ensure your business remains CCPA/CPRA-compliant.
Update Your Privacy Policy
As a CCPA/CPRA-covered business, you must have a clear, comprehensive, and up-to-date Privacy Policy notifying consumers of how you collect, use, and share their personal information. Businesses that sell personal information must include specific disclosures about their practices.
If you sell personal information, your Privacy Policy must include a section containing:
- A disclosure that your business sells personal information
- A list of the categories of personal information you have sold over the past 12 months
- An explanation of your commercial purposes for selling personal information
- A list of the categories of third parties with which you share personal information
For more information, see our article CCPA (CPRA) Privacy Policy Checklist.
Set Up a "Do Not Sell My Personal Information" Page
Businesses that sell personal information must provide a link on their homepage and/or mobile app titled "Do Not Sell My Personal Information" or "Do Not Sell My Info." This link must lead to a page that allows consumers to exercise their right to opt out.
Here's an example from T-Mobile:
For more information, see our article "Do Not Sell My Personal Information" Page.
Provide Another Designated Opt-Out Method
You must also provide at least one other method in addition to your "Do Not Sell My Personal Information" page via which consumers can exercise their right to opt out.
The following are acceptable methods under the CCPA (CPRA):
- Toll-free telephone number
- Email address
- A paper form
- Privacy controls integrated into your website or app
Choose the method your customers are most likely to use.
Facilitate Requests Under the "Right to Know"
Businesses that sell personal information must disclose certain information to consumers who have submitted a request under the "right to know," including:
- Which categories of personal information you have sold about the consumer
- The categories of third parties to which you sold each category of personal information
For more information, see our article CCPA (CPRA) Consumer Rights.
Ensure You Obtain Opt-In Consent From Minors
The "right to opt out" turns on its head for minors under the age of 16, who instead have a right to opt in. This means:
- You must not sell personal information collected from minors aged 13-16 unless you have obtained their explicit consent
- You must not sell personal information collected from minors aged under 13 unless you have received their parents' explicit consent
Under the CCPA (CPRA), you must seek opt-in consent from anyone whose personal information you have collected if you have "active knowledge" that they are a minor. You will be considered to have active knowledge of a minor's age if you "willfully disregard" their age.
In other words, if you have any reason to believe that your services are used by minors, you must take steps such as age verification checks to ensure you don't sell their personal information without consent.
Note for Companies Undergoing a Merger, Acquisition, or Bankruptcy
If your business is acquired by another company, you may be asked to transfer the personal information in your possession as an asset.
This may qualify as a disclosure of personal information to a third party in exchange for valuable consideration, i.e., a sale. Therefore, you must take the necessary steps to ensure that consumers receive proper notice of your actions, and are offered the right to opt out.
These steps are necessary where:
"The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business."
In such a scenario, you must ensure you have provided your Privacy Policy and notice at collection to the affected consumers.
If the acquiring business plans to use the personal information in a way that is "materially inconsistent with the promises made at the time of collection," the acquiring business must give the consumers notice and offer them the opportunity to opt out.
This might be necessary if, for example, the new business plans to sell the personal information, but your Privacy Policy states that you do not sell personal information.
Summary
If you sell personal information under the CCPA (CPRA), you need to take certain steps to ensure you don't break the law. These include:
- Updating your Privacy Policy
- Setting up a "Do Not Sell My Personal Information" page
- Providing another designated method of submitting an opt-out request
- Providing information about your practices if a consumer makes a request under the "right to know"
- Ensuring you obtain opt-in consent from minors
You may wish to check whether you can benefit from one of the CCPA/CPRA's exemptions, e.g. by setting up a service provider contract or obtaining express consent from consumers.