Post-graduate law degree, CIPP/E from the International Association of Privacy Professionals (IAPP). Privacy and Data Protection Research Writer at TermsFeed.
On this page
- 1. Main Definition of "Sale"
- 1.1. What Types of Communications are Covered?
- 1.2. What is a Third Party?
- 1.3. What is Monetary or Other Valuable Consideration?
- 2. Exceptions to Selling
- 2.1. Consumer Intent
- 2.2. Alerting Third Parties of an Opt-Out Request
- 2.3. Service Providers
- 2.4. Mergers, Acquisitions, and Bankruptcies
- 2.5. Section 1798.140 (w)(2)
- 3. Do Cookies Count?
- 3.1. Provide Notice of the Right to Opt Out
- 3.2. Obtain Consent from Users Before Setting Cookies
- 3.3. Implement a Service Provider Contract With the Third-Party Ad Network
- 4. Obligations on Businesses That Sell Personal Information
- 4.1. Set Up a "Do Not Sell My Personal Information Page"
- 4.2. Provide Another Designated Opt-Out Method
- 4.4. Comply With "Right to Know" Requests
- 4.5. Comply With the "Right to Opt In"
- 4.6. Additional Requirements for Larger Businesses
- 5. Summary
The main purpose of the California Consumer Privacy Act (CCPA/CPRA) is to enable consumers to opt out of the sale of their personal information.
However, there was a lot of debate about what constitutes a "sale" of personal information.
Given the serious consequences of violating the CCPA (CPRA), this ambiguity is a problem. But a close reading of the law can help us understand what "selling" really means.
(The CCPA was updated by the CPRA. The CPRA's amendments took effect January 1, 2023.)
You can build your CCPA/CPRA Opt-Out code by following the steps below:
- Customize the banner:
- Adjust the settings by adding a description, text for the button and other settings.
Main Definition of "Sale"
Here's the main part of the definition of "sale," at Section 1798.140 (t) of the CCPA (CPRA):
There are three key elements to this definition:
- Communicating a consumer's personal information
- To a third party
- For valuable consideration
Let's consider each of these elements in turn.
What Types of Communications are Covered?
The types of communications of personal information that might constitute a "sale" include:
- Making available
- Otherwise communicating
There are a lot of synonymous verbs here, suggesting that the CCPA (CPRA) intends to provide a "catch-all" definition. The presence of the term "or otherwise communicating" confirms this.
Any communication of personal information can potentially be a "sale" under the CCPA (CPRA). The purpose of the communication is more important than the means of communication.
What is a Third Party?
Disclosing personal information to "another business or a third party" could constitute a sale.
The definition of a "business" is central to the CCPA (CPRA), and we won't examine that here.
But what's a third party? The CCPA (CPRA) defines "third party" by excluding what a third party isn't, at Section 1798.140 (w):
So, a third party can be anyone other than your business, except the type of person described at Section 1798.140 (w)(2).
We'll look at what Section 1798.140 (w)(2) means for your business below.
What is Monetary or Other Valuable Consideration?
Besides money, it's possible to "sell" personal information for any "valuable consideration."
"Consideration" is a concept central to contract law. It describes the thing for which the object of the contract (in this case, personal information) is exchanged.
In California law, "consideration" is defined in the California Civil Code Section 1605 (available here):
The takeaway from this part of the CCPA/CPRA's definition of "sale" is that you don't need to be receiving money in exchange for personal information in order to "sell" it. You might be exchanging it for a product, service, or anything else that benefits your business.
This would appear to include using third-party cookies, as we'll explore below.
Exceptions to Selling
The CCPA (CPRA) offers several exceptions to (or "safe harbors" from) the definition of "sale." In these circumstances, businesses can derive benefits from the communication of personal information without being deemed to have "sold" it.
Here's the first exception to the definition of "selling":
This covers situations where the consumer directs your business to disclose their personal information to a third party or intends to interact with a third party via your business.
This exception might apply to service comparison websites (e.g. comparing insurance quotes) or affiliate websites.
Note that there are preconditions to meeting the requirements under this exception:
- The third party receiving the consumer's personal information must not sell the personal information unless it does so in a CCPA/CPRA-compliant manner (providing the right to opt out, etc).
- The consumer must take "one or more deliberate actions" to demonstrate their intention to interact with the third party. Such actions must clearly signify the consumer's intention and do not include "hovering over, muting, pausing or closing a given piece of content."
Alerting Third Parties of an Opt-Out Request
Here's the next exception:
This exception ensures that you can continue to lawfully transfer personal information to a third party after the consumer has opted out, but only for the purposes of informing that third party that the consumer's personal information is no longer for sale.
Here's the "service providers" exception:
Disclosing a consumer's personal information to a service provider, if it is necessary to do so for a business purpose, does not constitute the "sale" of personal information:
Sharing personal information for a business purpose must be a "reasonably necessary and proportionate" means of:
- Fulfilling the purposes for which the personal information was collected, or
- Fulfilling another operational purpose that is compatible with the context in which the personal information was collected
Bear in mind that service providers must be engaged under a contract that prohibits the service provider from retaining, using, or disclosing the personal information for any purpose other than the purposes specified in the contract, or any other purposes permitted under the CCPA (CPRA).
For more information, see our articles The Complete Guide to CCPA (CPRA) Service Providers.
There are certain requirements for meeting this threshold listed, including that:
- The service provider does not further process the consumer's personal information unless it is necessary in order to perform the business purpose.
Mergers, Acquisitions, and Bankruptcies
Here's the "mergers, acquisitions, and bankruptcies" exception:
If another company acquires all or part of your business or its assets, and consumers' personal information is among your business's assets, you can disclose that personal information to the acquiring company. This doesn't constitute a "sale" of personal information, if:
- The consumers can still exercise their "right to know" under Sections 1798.110 and 1798.115 of the CCPA (CPRA).
- The consumer receives notice if the acquiring company uses the consumer's personal information in a way that is materially different from the purposes for which it was collected.
- The acquiring company allows the consumer the right to opt out of any sale of their personal information.
- Any changes in how the consumer's personal information is processed do not violate the Unfair and Deceptive Practices Act (available here).
Section 1798.140 (w)(2)
A sale of personal information can occur when your business transfers personal information to any other business or third party. Under the CCPA (CPRA), a "third party" can be anyone except a particular type of "person," defined at Section 1798.140 (w)(2):
It's worth exploring this definition. Disclosing personal information to the following type of person will not constitute a "sale":
A person to whom your business discloses personal information for a business purpose pursuant to a written contract
The contract must prohibit the person from:
- Selling the personal information
- Retaining, using, or disclosing the personal information for any reason other than providing the services specified in the contract
- Retaining, using, or disclosing the information outside of the direct business relationship between them and your business
- The contract must contain a certification confirming that the person understands the restrictions under the contract and will comply with them
For the purposes of this exception to the "selling" of personal information, this type of person must also not be a "business" (under the CCPA/CPRA's definition). A sale of personal information can occur between a business and a third party or another business.
The type of person described at Section 1798.140(w)(2) is very similar to a service provider. However, there are several important differences:
|Service provider||"Person" under 1798.140(w)(2)|
|Legal entity operating for profit||Any person|
|Processes personal information on behalf of a business||Not restricted to processing personal information on behalf of a business|
|Must be bound by a contract but this contract does not need to contain a certification||Must be bound by a contract containing a certification confirming that the person understands the restrictions under the contract and will comply with them|
It's possible that the intention here is to allow businesses to disclose personal information for business purposes to a broader range of entities than service providers. A service provider must operate for profit and be a "legal person."
Such "persons" might include public bodies, charities, or legal advisers. You might benefit from disclosing personal information to them. But if the disclosure is covered by an appropriate contract then it will not qualify as a "sale."
Remember that disclosing personal information to this broader range of entities comes with added protection: the contract must include a certification.
Do Cookies Count?
Let's address one of the most hotly-debated questions when it comes to the sale of personal information under the CCPA: Does the transfer of cookie data to third-parties count as selling personal information?
Cookies, IP addresses and online identifiers are specifically listed among the types of personal information in the CCPA (CPRA). But does a running third-party cookie program constitute a commercial communication in exchange for valuable consideration?
This is still an open question among some businesses. However, on balance, it would appear that using third-party cookies can constitute the sale of personal information.
In support of this view, see Section 999.315 of the CCPA (CPRA) Proposed Regulations (available here), which suggests the following as an appropriate means of facilitating "the right to opt out":
"[...] user-enabled privacy controls, such as a browser plugin or privacy setting or other mechanism, that communicate or signal the consumer's choice to opt-out of the sale of their personal information"
If using third-party cookies means "selling" personal information, this brings many, many companies under the jurisdiction of the CCPA (CPRA). This is because of the second of the three criteria used to define a "business," at Section 1798.140 (c)(1)(B) of the CCPA (CPRA):
"[the company] alone or in combination, annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices."
Many companies will find that they "sell" the personal information of more than 50,000 (California) consumers, households, or devices via their targeted advertising or third-party analytics programs.
As such, there are three possible approaches to dealing with cookies under the CCPA (CPRA).
Provide Notice of the Right to Opt Out
If we accept that using third-party cookies amounts to selling personal information, you can fulfill your obligations under the CCPA (CPRA) by prominently displaying a link to a "Do Not Sell My Personal Information" page on each page where you set third-party cookies.
This is probably the safest and most straightforward means of complying with the CCPA (CPRA).
For more information, see our article "Do Not Sell My Personal Information" Page.
Obtain Consent from Users Before Setting Cookies
You could consider using a GDPR-style cookie consent solution to obtain consent from users before setting cookies.
This could qualify as a "direction" from the consumer for you to make a transfer of their personal information to the relevant ad network, thus bringing the transfer under the "consumer intent" exception.
Note, however, that merely "closing a given piece of content does not constitute a consumer's intent to interact with a third party."
Implement a Service Provider Contract With the Third-Party Ad Network
Certain businesses that reject the broad interpretation of the "selling" personal information have attempted to engage their advertising partners in a "service provider" arrangement, so as to bring their use of third-party cookies under the "service provider" exemption.
This supposes that using third-party cookies amounts to a "business purpose." Among the CCPA/CPRA's business purposes is "performing services on behalf of the business," including "providing advertising or marketing services" and "providing analytic services."
Remember that disclosing personal information for a business purpose must be "reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected," or other compatible contexts.
Obligations on Businesses That Sell Personal Information
If your business sells personal information, the CCPA (CPRA) imposes several obligations.
Set Up a "Do Not Sell My Personal Information Page"
You must place a link on your homepage reading "Do Not Sell My Personal Information" or "Do Not Sell My Info." The link must lead to a page wherein consumers can exercise their right to opt out.
You must comply with requests under the right to opt out by stopping any sale of the consumer's personal information as soon as is reasonably possible, and within 15 business days at the latest. You may invite the consumer to opt back in after 12 months have passed.
Provide Another Designated Opt-Out Method
In addition to your "Do Not Sell My Personal Information" page, you must provide at least one other designated method by which consumers can submit a request to opt out of the sale of their personal information.
The CCPA (CPRA) Proposed Regulations suggest the following possible methods:
- A toll-free phone number
- An email address
- A paper form submitted in person or through the mail
- User-enabled privacy controls
You should choose a method that is compatible with the context in which you collect personal information.
Comply With "Right to Know" Requests
Upon receiving a verifiable consumer request under the right to know, you must disclose to a consumer (among other things):
- The categories of personal information you have sold about the consumer
- The categories of third parties to which each category of personal information was sold
For more information, see our article CCPA (CPRA) Consumer Rights.
Comply With the "Right to Opt In"
You may not sell the personal information of minors aged 13-16 unless they have opted in to the sale of their personal information.
You may not sell the personal information of minors aged under 13 unless you have received parental consent.
For more information, see our article CCPA (CPRA) Consumer Rights.
Additional Requirements for Larger Businesses
If your business "alone or in combination, annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes, the personal information of 4,000,000 or more consumers," there are additional obligations under the CCPA Proposed Regulations.
With respect to the right to know, delete, and opt-out over the past 12 months, how many requests you:
- Complied with in whole or in part
- The median number of days within which you substantively responded to such requests
You must also:
"establish, document, and comply with a training policy to ensure that all individuals responsible for handling consumer requests or the business's compliance with the CCPA are informed of all the requirements in these regulations and the CCPA."
Selling personal information under the CCPA (CPRA) means communicating personal information to another business or third party for any valuable consideration.
This is a broad definition that would appear to include using third-party cookies.
There are several exceptions, including:
- Where a consumer has directed you to share their personal information
- When you need to alert a third party that a consumer has exercised their right to opt out
- When sharing disclosing information for business purposes to a service provider
- When sharing personal information that is an asset as part of a merger, acquisition, or bankruptcy process
- When disclosing personal information to a person that falls under Section 1798.140(w)(2)