Last updated on 18 January 2021 by Robert Bateman (TermsFeed Privacy and Data Protection Research Writer)
The main purpose of the California Consumer Privacy Act (CCPA) is to enable consumers to opt out of the sale of their personal information.
However, there's a lot of debate about what constitutes a "sale" of personal information. So far, the California Attorney General has done little to clarify the definition.
Given the serious consequences of violating the CCPA, this ambiguity is a problem. But a close reading of the law, together with the CCPA Proposed Regulations, can help us understand what "selling" really means.
And yes, "selling personal information" probably does include using cookies.
Here's the main part of the definition of "sale," at Section 1798.140 (t) of the CCPA:
There are three key elements to this definition:
Let's consider each of these elements in turn.
The types of communications of personal information that might constitute a "sale" include:
There are a lot of synonymous verbs here, suggesting that the CCPA intends to provide a "catch-all" definition. The presence of the term "or otherwise communicating" confirms this.
Any communication of personal information can potentially be a "sale" under the CCPA. The purpose of the communication is more important than the means of communication.
Disclosing personal information to "another business or a third party" could constitute a sale.
The definition of a "business" is central to the CCPA, and we won't examine that here.
But what's a third party? The CCPA defines "third party" by stating what a third party isn't, at Section 1798.140 (w):
So, a third party can be anyone other than your business, except the type of person described at Section 1798.140 (w)(2).
We'll look at what Section 1798.140 (w)(2) means for your business below.
Besides money, it's possible to "sell" personal information for any "valuable consideration."
"Consideration" is a concept central to contract law. It describes the thing for which the object of the contract (in this case, personal information) is exchanged.
In California law, "consideration" is defined in the California Civil Code Section 1605 (available here):
The takeaway from this part of the CCPA's definition of "sale" is that you don't need to be receiving money in exchange for personal information in order to "sell" it. You might be exchanging it for a product, service, or anything else that benefits your business.
This would appear to include using third-party cookies, as we'll explore below.
The CCPA offers several exceptions to (or "safe harbors" from) the definition of "sale." In these circumstances, businesses can derive benefits from the communication of personal information without being deemed to have "sold" it.
Here's the first exception to the definition of "selling":
This covers situations where the consumer directs your business to disclose their personal information to a third party or intends to interact with a third party via your business.
This exception might apply to service comparison websites (e.g. comparing insurance quotes) or affiliate websites.
Note that there are preconditions to meeting the requirements under this exception:
Here's the next exception:
This exception ensures that you can continue to lawfully transfer personal information to a third party after the consumer has opted out, but only for the purposes of informing that third party that the consumer's personal information is no longer for sale.
Here's the "service providers" exception:
Disclosing a consumer's personal information to a service provider, if it is necessary to do so for a business purpose, does not constitute the "sale" of personal information:
Sharing personal information for a business purpose must be a "reasonably necessary and proportionate" means of:
Bear in mind that service providers must be engaged under a contract that prohibits the service provider from retaining, using, or disclosing the personal information for any purpose other than the purposes specified in the contract, or any other purposes permitted under the CCPA.
For more information, see our article The Complete Guide to CCPA Service Providers.
There are certain requirements for meeting this threshold listed, including that:
Here's the "mergers, acquisitions, and bankruptcies" exception:
If another company acquires all or part of your business or its assets, and consumers' personal information is among your business's assets, you can disclose that personal information to the acquiring company. This doesn't constitute a "sale" of personal information, if:
A sale of personal information can occur when your business transfers personal information to any other business or third party. Under the CCPA, a "third party" can be anyone except a particular type of "person," defined at Section 1798.140 (w)(2):
It's worth exploring this definition. Disclosing personal information to the following type of person will not constitute a "sale":
A person to whom your business discloses personal information for a business purpose pursuant to a written contract
The contract must prohibit the person from:
For the purposes of this exception to the "selling" of personal information, this type of person must also not be a "business" (under the CCPA's definition). A sale of personal information can occur between a business and a third party or another business.
The type of person described at Section 1798.140(w)(2) is very similar to a service provider. However, there are several important differences:
| Service provider | "Person" under 1798.140(w)(2) |
|---|---|
| Legal entity operating for profit | Any person |
| Processes personal information on behalf of a business | Not restricted to processing personal information on behalf of a business |
| Must be bound by a contract but this contract does not need to contain a certification | Must be bound by a contract containing a certification confirming that the person understands the restrictions under the contract and will comply with them |
It's possible that the intention here is to allow businesses to disclose personal information for business purposes to a broader range of entities than service providers. A service provider must operate for profit and be a "legal person."
Such "persons" might include public bodies, charities, or legal advisers. You might benefit from disclosing personal information to them. But if the disclosure is covered by an appropriate contract then it will not qualify as a "sale."
Remember that disclosing personal information to this broader range of entities comes with added protection: the contract must include a certification.
Let's address one of the most hotly debated questions when it comes to the sale of personal information under the CCPA: Does the transfer of cookie data to third parties count as selling personal information?
Cookies, IP addresses and online identifiers are specifically listed among the types of personal information in the CCPA. But does running a third-party cookie program constitute a commercial communication in exchange for valuable consideration?
This is still an open question among some businesses. However, on balance, it would appear that using third-party cookies can constitute the sale of personal information.
In support of this view, see Section 999.315 of the CCPA Proposed Regulations (available here), which suggests the following as an appropriate means of facilitating "the right to opt out":
"[...] user-enabled privacy controls, such as a browser plugin or privacy setting or other mechanism, that communicate or signal the consumer's choice to opt-out of the sale of their personal information"
If using third-party cookies means "selling" personal information, this brings many, many companies under the jurisdiction of the CCPA. This is because of the second of the three criteria used to define a "business," at Section 1798.140 (c)(1)(B) of the CCPA:
"[the company] alone or in combination, annually buys, receives for the business' commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices."
Many companies will find that they "sell" the personal information of more than 50,000 (California) consumers, households, or devices via their targeted advertising or third-party analytics programs.
As such, there are three possible approaches to dealing with cookies under the CCPA.
If we accept that using third-party cookies amounts to selling personal information, you can fulfill your obligations under the CCPA by prominently displaying a link to a "Do Not Sell My Personal Information" page on each page where you set third-party cookies.
This is probably the safest and most straightforward means of complying with the CCPA.
For more information, see our article "Do Not Sell My Personal Information" Page.
You could consider using a GDPR-style cookie consent solution to obtain consent from users before setting cookies.
This could qualify as a "direction" from the consumer for you to make a transfer of their personal information to the relevant ad network, thus bringing the transfer under the "consumer intent" exception.
Note, however, that merely "closing a given piece of content does not constitute a consumer's intent to interact with a third party."
Certain businesses that reject the broad interpretation of "selling" personal information have attempted to engage their advertising partners in a "service provider" arrangement, so as to bring their use of third-party cookies under the "service provider" exemption.
This supposes that using third-party cookies amounts to a "business purpose." Among the CCPA's seven business purposes is "performing services on behalf of the business," including "providing advertising or marketing services" and "providing analytic services."
Remember that disclosing personal information for a business purpose must be "reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected," or other compatible contexts.
If your business sells personal information, the CCPA imposes several obligations.
You must place a link on your homepage reading "Do Not Sell My Personal Information" or "Do Not Sell My Info." The link must lead to a page wherein consumers can exercise their right to opt out.
You must comply with requests under the right to opt out by stopping any sale of the consumer's personal information as soon as is reasonably possible, and within 15 business days at the latest. You may invite the consumer to opt back in after 12 months have passed.
In addition to your "Do Not Sell My Personal Information" page, you must provide at least one other designated method by which consumers can submit a request to opt out of the sale of their personal information.
The CCPA Proposed Regulations suggest the following possible methods:
You should choose a method that is compatible with the context in which you collect personal information.
Upon receiving a verifiable consumer request under the right to know, you must disclose to a consumer (among other things):
For more information, see our article CCPA Consumer Rights.
You may not sell the personal information of minors aged 13-16 unless they have opted in to the sale of their personal information.
You may not sell the personal information of minors aged under 13 unless you have received parental consent.
For more information, see our article CCPA Consumer Rights.
If your business "alone or in combination, annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes, the personal information of 4,000,000 or more consumers," there are additional obligations under the CCPA Proposed Regulations.
With respect to the right to know, delete, and opt-out over the past 12 months, how many requests you:
You must also:
"establish, document, and comply with a training policy to ensure that all individuals responsible for handling consumer requests or the business's compliance with the CCPA are informed of all the requirements in these regulations and the CCPA."
Remember that the CCPA Proposed Regulations have not yet come into law (as of April 2020).
Selling personal information under the CCPA means communicating personal information to another business or third party for any valuable consideration.
This is a broad definition that would appear to include using third-party cookies.
There are several exceptions, including:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.