13 November 2020
The headline provision of the California Consumer Privacy Act (CCPA) is the "right to opt out:" the right of consumers to object to the sale of their personal information.
Since the CCPA came into force, its broad scope has become increasingly clear. Big tech firms like Facebook and Google have been adjusting their business practices to ensure they are compliant with the new standard of privacy in the United States.
In this article, we'll look at the steps you must take if you sell consumers' personal information, to help ensure you are CCPA-compliant.
The CCPA has a very broad definition of "sale" that has caught some businesses by surprise. You might be "selling" personal information without even realizing it.
Here's the core definition of "sale," at Section 1798.140 (t) (1):
We can break this definition down into three parts:
The CCPA provides the following examples of "communication:"
In other words, communicating personal information via any means might constitute "selling" it. It all depends on the nature of the recipient, and what you receive in return.
If you receive money in exchange for a consumer's personal information, this is clearly a sale. But the CCPA states that receiving any type of "valuable consideration" in exchange for personal information can also give rise to a sale.
Practically any benefit you receive in exchange for personal information can constitute "valuable consideration," including increased publicity, improved sales, or better knowledge of your users' activities (e.g. via analytics insights).
You can avoid jumping through several of the CCPA's hoops if you adjust your business practices to avoid "selling" personal information altogether.
It is possible to exchange personal information for valuable consideration without selling it. You can achieve this by ensuring that the exchange falls under one of the CCPA's exemptions.
An important exemption from the CCPA's definition of "sale" is where the consumer directs a business to disclose their personal information at Section 1798.140 (t) (2) (A):
To comply with this exemption you would need to ensure that you have the express consent of the consumer, demonstrated via "one or more deliberate actions" that do not include "hovering over, muting, pausing or closing a given piece of content."
Clicking "agree" on a GDPR-compliant cookie banner may be sufficient for a consumer to demonstrate that they have "directed [your] business to intentionally disclose [their] personal information."
Note that the third party to whom you disclose the personal information may not sell it. You would need to set up a contract with the receiving party to make this clear.
If you disclose personal information for business purposes to a service provider, this does not count as a sale.
There must be a contract between your business and the service provider, warranting that the service provider will not use, disclose, or retain, the personal information for any purpose other than that stipulated in the contract.
Your intended use of the personal information must fall within one of the CCPA's "business purposes." One of the CCPA's enumerated business purposes is "performing services on behalf of the business," including "marketing or advertising" and "analytics."
You must ensure that you notify consumers before sharing their personal information for business purposes.
To qualify as a "disclosure for business purposes" rather than a "sale," your use of the personal information must be:
If you've determined that you are selling personal information and can't rely on an exemption, here are the steps you need to take to help ensure your business remains CCPA-compliant.
Businesses that sell personal information must provide a link on their homepage and/or mobile app titled "Do Not Sell My Personal Information" or "Do Not Sell My Info." This link must lead to a page that allows consumers to exercise their right to opt out.
Here's an example from T-Mobile:
For more information, see our article "Do Not Sell My Personal Information" Page.
You must also provide at least one other method in addition to your "Do Not Sell My Personal Information" page via which consumers can exercise their right to opt out.
The following are acceptable methods under the CCPA:
Choose the method your customers are most likely to use.
Businesses that sell personal information must disclose certain information to consumers who have submitted a request under the "right to know," including:
For more information, see our article CCPA Consumer Rights.
The "right to opt out" turns on its head for minors under the age of 16, who instead have a right to opt in. This means:
Under the CCPA, you must seek opt-in consent from anyone whose personal information you have collected if you have "active knowledge" that they are a minor. You will be considered to have active knowledge of a minor's age if you "willfully disregard" their age.
In other words, if you have any reason to believe that your services are used by minors, you must take steps such as age verification checks to ensure you don't sell their personal information without consent.
If your business is acquired by another company, you may be asked to transfer the personal information in your possession as an asset.
This may qualify as a disclosure of personal information to a third party in exchange for valuable consideration, i.e., a sale. Therefore, you must take the necessary steps to ensure that consumers receive proper notice of your actions, and are offered the right to opt out.
These steps are necessary where:
"The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business."
If the acquiring business plans to use the personal information in a way that is "materially inconsistent with the promises made at the time of collection," the acquiring business must give the consumers notice and offer them the opportunity to opt out.
If you sell personal information under the CCPA, you need to take certain steps to ensure you don't break the law. These include:
You may wish to check whether you can benefit from one of the CCPA's exemptions, e.g. by setting up a service provider contract or obtaining express consent from consumers.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.