The main purpose of the California Consumer Privacy Act (CCPA/CPRA) is to enable consumers to opt out of the sale of their personal information.

However, there was a lot of debate about what constitutes a "sale" of personal information.

Given the serious consequences of violating the CCPA (CPRA), this ambiguity is a problem. But a close reading of the law can help us understand what "selling" really means.

(The CCPA was updated by the CPRA. The CPRA's amendments took effect January 1, 2023.)



Main Definition of "Sale"

Here's the main part of the definition of "sale," at Section 1798.140 (t) of the CCPA (CPRA):

California Legislative Information: CCPA AB-375 - Definition of sell, selling, sale, sold

There are three key elements to this definition:

  • Communicating a consumer's personal information
  • To a third party
  • For valuable consideration

Let's consider each of these elements in turn.

What Types of Communications are Covered?

The types of communications of personal information that might constitute a "sale" include:

  • Selling
  • Renting
  • Releasing
  • Disclosing
  • Disseminating
  • Making available
  • Transferring
  • Otherwise communicating

There are a lot of synonymous verbs here, suggesting that the CCPA (CPRA) intends to provide a "catch-all" definition. The presence of the term "or otherwise communicating" confirms this.

Any communication of personal information can potentially be a "sale" under the CCPA (CPRA). The purpose of the communication is more important than the means of communication.

What is a Third Party?

Disclosing personal information to "another business or a third party" could constitute a sale.

The definition of a "business" is central to the CCPA (CPRA), and we won't examine that here.

But what's a third party? The CCPA (CPRA) defines "third party" by excluding what a third party isn't, at Section 1798.140 (w):

California Legislative Information: CCPA AB-375 - Definition of third party

So, a third party can be anyone other than your business, except the type of person described at Section 1798.140 (w)(2).

We'll look at what Section 1798.140 (w)(2) means for your business below.

What is Monetary or Other Valuable Consideration?

Besides money, it's possible to "sell" personal information for any "valuable consideration."

"Consideration" is a concept central to contract law. It describes the thing for which the object of the contract (in this case, personal information) is exchanged.

In California law, "consideration" is defined in the California Civil Code Section 1605 (available here):

California Legislative Information: Civil Code Section 1605 - Definition of consideration

The takeaway from this part of the CCPA/CPRA's definition of "sale" is that you don't need to be receiving money in exchange for personal information in order to "sell" it. You might be exchanging it for a product, service, or anything else that benefits your business.

This would appear to include using third-party cookies, as we'll explore below.

Exceptions to Selling

Exceptions to Selling

The CCPA (CPRA) offers several exceptions to (or "safe harbors" from) the definition of "sale." In these circumstances, businesses can derive benefits from the communication of personal information without being deemed to have "sold" it.

Consumer Intent

Here's the first exception to the definition of "selling":

california-legislative-information-ccpa-ab-375-sale-exception-consumer-direction

This covers situations where the consumer directs your business to disclose their personal information to a third party or intends to interact with a third party via your business.

This exception might apply to service comparison websites (e.g. comparing insurance quotes) or affiliate websites.

Note that there are preconditions to meeting the requirements under this exception:

  • The third party receiving the consumer's personal information must not sell the personal information unless it does so in a CCPA/CPRA-compliant manner (providing the right to opt out, etc).
  • The consumer must take "one or more deliberate actions" to demonstrate their intention to interact with the third party. Such actions must clearly signify the consumer's intention and do not include "hovering over, muting, pausing or closing a given piece of content."

Alerting Third Parties of an Opt-Out Request

Here's the next exception:

California Legislative Information: CCPA AB-375 - Sale exception: Opt-out identifier

This exception ensures that you can continue to lawfully transfer personal information to a third party after the consumer has opted out, but only for the purposes of informing that third party that the consumer's personal information is no longer for sale.

Service Providers

Here's the "service providers" exception:

California Legislative Information: CCPA AB-375 - Sale exception: Service providers

Disclosing a consumer's personal information to a service provider, if it is necessary to do so for a business purpose, does not constitute the "sale" of personal information:

Sharing personal information for a business purpose must be a "reasonably necessary and proportionate" means of:

  • Fulfilling the purposes for which the personal information was collected, or
  • Fulfilling another operational purpose that is compatible with the context in which the personal information was collected

Bear in mind that service providers must be engaged under a contract that prohibits the service provider from retaining, using, or disclosing the personal information for any purpose other than the purposes specified in the contract, or any other purposes permitted under the CCPA (CPRA).

For more information, see our articles The Complete Guide to CCPA (CPRA) Service Providers.

There are certain requirements for meeting this threshold listed, including that:

  • The business must provide CCPA/CPRA-compliant notice of how it shares personal information for business purposes in its Privacy Policy. The CCPA (CPRA) uses the phrase "Terms and Conditions" here but this is inconsistent with language used elsewhere.
  • The service provider does not further process the consumer's personal information unless it is necessary in order to perform the business purpose.

Mergers, Acquisitions, and Bankruptcies

Here's the "mergers, acquisitions, and bankruptcies" exception:

California Legislative Information: CCPA AB-375 - Sale exception: Mergers, acquisitions and bankruptcies

If another company acquires all or part of your business or its assets, and consumers' personal information is among your business's assets, you can disclose that personal information to the acquiring company. This doesn't constitute a "sale" of personal information, if:

  • The consumers can still exercise their "right to know" under Sections 1798.110 and 1798.115 of the CCPA (CPRA).
  • The consumer receives notice if the acquiring company uses the consumer's personal information in a way that is materially different from the purposes for which it was collected.
  • The acquiring company allows the consumer the right to opt out of any sale of their personal information.
  • Any changes in how the consumer's personal information is processed do not violate the Unfair and Deceptive Practices Act (available here).

Section 1798.140 (w)(2)

A sale of personal information can occur when your business transfers personal information to any other business or third party. Under the CCPA (CPRA), a "third party" can be anyone except a particular type of "person," defined at Section 1798.140 (w)(2):

California Legislative Information: CCPA AB-375 - Definition of third party

It's worth exploring this definition. Disclosing personal information to the following type of person will not constitute a "sale":

  • A person to whom your business discloses personal information for a business purpose pursuant to a written contract

    • The contract must prohibit the person from:

      • Selling the personal information
      • Retaining, using, or disclosing the personal information for any reason other than providing the services specified in the contract
      • Retaining, using, or disclosing the information outside of the direct business relationship between them and your business
    • The contract must contain a certification confirming that the person understands the restrictions under the contract and will comply with them

For the purposes of this exception to the "selling" of personal information, this type of person must also not be a "business" (under the CCPA/CPRA's definition). A sale of personal information can occur between a business and a third party or another business.

The type of person described at Section 1798.140(w)(2) is very similar to a service provider. However, there are several important differences:

Service provider "Person" under 1798.140(w)(2)
Legal entity operating for profit Any person
Processes personal information on behalf of a business Not restricted to processing personal information on behalf of a business
Must be bound by a contract but this contract does not need to contain a certification Must be bound by a contract containing a certification confirming that the person understands the restrictions under the contract and will comply with them

It's possible that the intention here is to allow businesses to disclose personal information for business purposes to a broader range of entities than service providers. A service provider must operate for profit and be a "legal person."

Such "persons" might include public bodies, charities, or legal advisers. You might benefit from disclosing personal information to them. But if the disclosure is covered by an appropriate contract then it will not qualify as a "sale."

Remember that disclosing personal information to this broader range of entities comes with added protection: the contract must include a certification.

Do Cookies Count?

Do Cookies Count?

Let's address one of the most hotly-debated questions when it comes to the sale of personal information under the CCPA: Does the transfer of cookie data to third-parties count as selling personal information?

Cookies, IP addresses and online identifiers are specifically listed among the types of personal information in the CCPA (CPRA). But does a running third-party cookie program constitute a commercial communication in exchange for valuable consideration?

This is still an open question among some businesses. However, on balance, it would appear that using third-party cookies can constitute the sale of personal information.

In support of this view, see Section 999.315 of the CCPA (CPRA) Proposed Regulations (available here), which suggests the following as an appropriate means of facilitating "the right to opt out":

"[...] user-enabled privacy controls, such as a browser plugin or privacy setting or other mechanism, that communicate or signal the consumer's choice to opt-out of the sale of their personal information"

If using third-party cookies means "selling" personal information, this brings many, many companies under the jurisdiction of the CCPA (CPRA). This is because of the second of the three criteria used to define a "business," at Section 1798.140 (c)(1)(B) of the CCPA (CPRA):

"[the company] alone or in combination, annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices."

Many companies will find that they "sell" the personal information of more than 50,000 (California) consumers, households, or devices via their targeted advertising or third-party analytics programs.

As such, there are three possible approaches to dealing with cookies under the CCPA (CPRA).

Provide Notice of the Right to Opt Out

If we accept that using third-party cookies amounts to selling personal information, you can fulfill your obligations under the CCPA (CPRA) by prominently displaying a link to a "Do Not Sell My Personal Information" page on each page where you set third-party cookies.

This is probably the safest and most straightforward means of complying with the CCPA (CPRA).

For more information, see our article "Do Not Sell My Personal Information" Page.

You could consider using a GDPR-style cookie consent solution to obtain consent from users before setting cookies.

This could qualify as a "direction" from the consumer for you to make a transfer of their personal information to the relevant ad network, thus bringing the transfer under the "consumer intent" exception.

Note, however, that merely "closing a given piece of content does not constitute a consumer's intent to interact with a third party."

Implement a Service Provider Contract With the Third-Party Ad Network

Certain businesses that reject the broad interpretation of the "selling" personal information have attempted to engage their advertising partners in a "service provider" arrangement, so as to bring their use of third-party cookies under the "service provider" exemption.

This supposes that using third-party cookies amounts to a "business purpose." Among the CCPA/CPRA's business purposes is "performing services on behalf of the business," including "providing advertising or marketing services" and "providing analytic services."

Remember that disclosing personal information for a business purpose must be "reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected," or other compatible contexts.

Obligations on Businesses That Sell Personal Information

Obligations on Businesses That Sell Personal Information

If your business sells personal information, the CCPA (CPRA) imposes several obligations.

Set Up a "Do Not Sell My Personal Information Page"

You must place a link on your homepage reading "Do Not Sell My Personal Information" or "Do Not Sell My Info." The link must lead to a page wherein consumers can exercise their right to opt out.

You must comply with requests under the right to opt out by stopping any sale of the consumer's personal information as soon as is reasonably possible, and within 15 business days at the latest. You may invite the consumer to opt back in after 12 months have passed.

Provide Another Designated Opt-Out Method

In addition to your "Do Not Sell My Personal Information" page, you must provide at least one other designated method by which consumers can submit a request to opt out of the sale of their personal information.

The CCPA (CPRA) Proposed Regulations suggest the following possible methods:

  • A toll-free phone number
  • An email address
  • A paper form submitted in person or through the mail
  • User-enabled privacy controls

You should choose a method that is compatible with the context in which you collect personal information.

Update Your Privacy Policy

If you sell personal information, you must update your Privacy Policy to disclose the categories of personal information that you have sold in the preceding 12 months.

For more information, see our article CCPA (CPRA) Privacy Policy Checklist.

Comply With "Right to Know" Requests

Upon receiving a verifiable consumer request under the right to know, you must disclose to a consumer (among other things):

  • The categories of personal information you have sold about the consumer
  • The categories of third parties to which each category of personal information was sold

For more information, see our article CCPA (CPRA) Consumer Rights.

Comply With the "Right to Opt In"

You may not sell the personal information of minors aged 13-16 unless they have opted in to the sale of their personal information.

You may not sell the personal information of minors aged under 13 unless you have received parental consent.

For more information, see our article CCPA (CPRA) Consumer Rights.

Additional Requirements for Larger Businesses

If your business "alone or in combination, annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes, the personal information of 4,000,000 or more consumers," there are additional obligations under the CCPA Proposed Regulations.

First, your Privacy Policy must detail certain metrics about how your company has complied with requests under the CCPA (CPRA) consumer rights, including:

  • With respect to the right to know, delete, and opt-out over the past 12 months, how many requests you:

    • Received
    • Complied with in whole or in part
    • Denied
  • The median number of days within which you substantively responded to such requests

You must also:

"establish, document, and comply with a training policy to ensure that all individuals responsible for handling consumer requests or the business's compliance with the CCPA are informed of all the requirements in these regulations and the CCPA."

Summary

Selling personal information under the CCPA (CPRA) means communicating personal information to another business or third party for any valuable consideration.

This is a broad definition that would appear to include using third-party cookies.

There are several exceptions, including:

Privacy Policy Generator
Comprehensive compliance starts with a Privacy Policy.

Comply with the law with our agreements, policies, and consent banners. Everything is included.

Generate Privacy Policy