CCPA "sell" definition

  • by Dennis Dayman
  • · posted on March 3, 2020
  • · 4 min read
CCPA "sell" definition

Many companies state they do not sell customer data. Still, the California Consumer Privacy Act (CCPA) broadly defines the term “sell” to include any arrangement involving an exchange of value ("consideration") between the business and a third party or another company for the personal information. These include the act of "disclosing" or "making available" personal information "for monetary or other valuable consideration."

Sale within the context of the CCPA is defined as: selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration. The broad scope creates challenges for companies that may transfer personal data between two entities without selling it in the classic sense of the word. Nevertheless, the CCPA definition is written this way to no doubt attempt to limit bad actors from circumventing the right to opt-out. It may also be written so broadly because most individuals don't understand that marketing intelligence and social media platforms are constantly sharing consumer browsing habits and analytics with brands. CCPA imposes strict requirements on the "sale" of personal information (e.g. "Do Not Sell My Personal Information" button on homepages, rights to opt-out, and the like).

Under contract law, one of the requirements for the formation of a contract is the existence of valuable consideration. Now, this is important to think about in terms of trading data for data, so stay with me here. The definition of consideration by California law is somewhat difficult to understand, but it basically says that a one party does not necessarily need to sell data to another party in order to enter into a contract. Instead, if both parties agree in writing to exchange something of equal value, in this case, data, they are entering into a contract defines consideration Under California contract law, mutual consideration (the exchange of value) is an essential element in the formation of a contract. California law provides that “a written instrument is presumptive evidence of consideration.”

Try Osano Free!

If the reference in the CCPA to “valuable consideration” is interpreted in a manner consistent with existing contract law doctrine, all agreements where personal information is exchanged and the transferring entity receives any benefit to which it is not legally entitled absent the agreement will be considered a “sale” under the CCPA.

There are many examples of contract formation when there is no monetary consideration. For instance, in a nondisclosure agreement, one party agrees to allow another party to access confidential information in exchange for service (a benefit). If the reference in the CCPA to "valuable consideration" is interpreted in this manner, any agreement where personal information is exchanged and the transferring entity receives a benefit to which it is not legally entitled is considered a "sale."

There are a few items to consider when evaluating whether a transaction is a sale under the CCPA and whether it falls under one of the exceptions to the definition of "sale."

  1. Transfers directed by the consumer;
    1. A sale does not occur when a consumer intentionally directs or uses a business to disclose their personal information. Adequate consent for the purposes of this exception is yet to be determined. The recipient of the data is prohibited from selling such data unless such disclosure is compliant with the CCPA.
  2. Use of data to alert third parties of opt-outs
    1. A sale does not occur where a business uses or shares an "identifier" to alert third parties that a consumer has opted out of the sale of its data. It is unclear what this provision may cover, but it could potentially apply to limit online tracking.
  3. Disclosure of data to "service provider"
    1. A sale does not occur where data is disclosed to a "service provider." Several requirements need to be met for this exception to apply:
      1. The transfer must be necessary to perform a task that has a "business purpose";
      2. The transfer must take place "pursuant to a written contract" that prohibits the service provider from "selling, retaining, using, or disclosing the personal information";
      3. The business has provided compliant notice to consumers of the fact that it intends to share with service providers; and
      4. The service provider does not further "collect, sell, or use" the personal information of the consumer except as necessary to perform the "business purpose." It is important to note that, because the CCPA defines "service provider" to exclude nonprofits, sharing consumer personal information with public interest research organizations can be considered a sale. This means that the data is subject to consumer opt-out under the CCPA, even if all of the above conditions are met, provided that there is an exchange of consideration (for example, an acknowledgment of sponsorship of a research project).
  4. Transfers of data in transactions where the acquirer assumes control of the business
    1. A sale does not occur where a business transfers personal information to a third party as an asset that is part of a "transaction in which the third party assumes control of all or part of the business" (e.g., merger, acquisition, or bankruptcy situations) provided that "information is used or shared consistent with the rights to be informed under CCPA."
The plaintiffs' attorneys are likely to argue that the act of authorizing a third party behavioral network to access information transmitted by a consumer is synonymous with "making available" the information and, thus, constitutes a "sale" under the CCPA.

Curious about privacy? Find out how Osano automates compliance & saves you time! Learn more

Many websites are asking consumers for opt-in consent to the use of behavioral advertising cookies through cookie banners to mitigate the risk that permitting behavioral advertising networks to deploy cookies on a website will be interpreted as a "sale." As a result, if a website deploys a cookie banner and a consumer agrees or "opt-ins" to the use of tracking cookies, the site arguably has not "sold" information to behavioral advertisers. CCPA excepts from the definition of "sale" the situation where a "consumer uses or directs the business to intentionally disclose personal information."

This is why Osano is giving a choice to its customers to either obtain explicit consent (Restrictive CCPA mode) from US/California visitors or to obtain express consent (Relaxed CCPA mode) based on the determination from their legal departments.

CCPA's definition of "sale" remains unresolved until the California attorney general establishes enforcement rules.

About The Author · Dennis Dayman

Dennis is the Chief Privacy Officer for Osano. He is a Certified Information Privacy Professional (CIPP/E CIPP/US FIP). Previously he was Return Path’s Chief Privacy and Security Officer. Prior to Return Path, he was Eloqua’s Chief Privacy and Security Officer. Dennis serves on the US Data Privacy and Integrity Committee for the Department of Homeland Security and is an advisory board member for the IAPP.