29 May 2020
Many businesses are worried about the CCPA's broad definition of "selling" personal information. Under the CCPA, "selling" personal information includes sharing it for any "valuable consideration" (benefit). A lot of routine business activities could fall under this definition.
However, there's an important exception. The definition of "selling" specifically excludes using or sharing personal information with a service provider for "business purposes."
The "business purposes" exception can allow a business to use and share personal information in a number of beneficial ways, including analytics, research, and marketing. But to avoid violating the CCPA, it's crucial to understand the rules around "business purposes."
The CCPA recognizes two types of purpose for which a business or service provider might collect, use, or share personal information:
There are stricter rules around sharing personal information for commercial purposes (i.e. selling it) than there are around sharing personal information for business purposes.
Therefore, to avoid burdening your business with unnecessary legal obligations, you must clearly distinguish your purposes for collecting, using, and sharing personal information.
There are several important differences between business purposes and commercial purposes.
Before a company falls under the jurisdiction of the CCPA, it must meet one or more of the following three thresholds set out in the act:
Note that threshold "B" only applies to a business that buys, receives, sells, or shares personal information for commercial purposes.
A business that shares the personal information of more than 50,000 consumers for business purposes does not meet threshold "B" and would not need to comply with the CCPA (unless it meets either of the other two thresholds).
A business that shares personal information for commercial purposes (i.e. sells personal information) must allow consumers to opt out of the sale of their personal information. You don't need to allow consumers to opt out of the use or disclosure of their personal information for business purposes.
In other words, if a consumer requests that you do not share their personal information for business purposes, you do not have to comply with this request. If the consumer asks that you do not sell their personal information, you do have to comply.
Additionally, disclosing personal information for business purposes does not require you to create a "Do Not Sell My Personal Information" page.
The CCPA prohibits the sale of the personal information of children under the age of 16 without prior opt-in consent. In the case of children under the age of 13, parental consent is required. This is known as "the right to opt in."
There is no obligation to obtain consent before disclosing children's personal information for business purposes.
Although most of the CCPA's obligations arise when selling personal information, there are also several obligations when sharing personal information for a business purpose.
Under the right to know, consumers can request certain information about your business purposes for collecting and sharing their personal information, including:
The definition of "business purpose" in the CCPA is very precise. It is important to ensure that your use or disclosure of personal information falls within the CCPA's definition. If not, it may qualify as a "sale."
The CCPA's definition of "business purpose" consists of two parts:
We're going to take an in-depth look at both parts of the definition.
Here's the general definition of "business purpose" as it appears at Section 1798.140 (d) of the CCPA:
So, a "business purpose" is the use of personal information for either:
Using personal information in this way must be reasonably necessary and proportionate to achieve either:
Using personal information for a business purpose must be "reasonably necessary and proportionate" for achieving an operational purpose of your business.
The CCPA doesn't define "reasonably necessary and proportionate." So how will you know whether using a consumer's personal information is reasonably necessary and proportionate?
The term "necessary and proportionate" is not common in US law. This term derives from the EU law that inspired the CCPA, the General Data Protection Regulation (GDPR). It's hard to tell whether the California courts will interpret "necessity" and "proportionality" in the same way as the EU courts, but it's a good starting point.
When assessing whether it is "reasonably necessary" to use a consumer's personal information to achieve a given objective, consider whether you could achieve the same objective without using personal information.
If you can't, or if it would require a disproportionate effort to do so, then your use of personal information might be "reasonably necessary."
If it is necessary to use personal information to achieve your objective, you must assess whether your proposed use of a consumer's personal information is "proportionate."
In assessing proportionality, consider whether you could achieve your objective:
Say you collect IP addresses from visitors to your website to defend against Distributed Denial of Service (DDoS) attacks. Under the CCPA, an IP address is considered personal information, and detecting security incidents is recognized as a business purpose.
Consider the following questions to determine whether this use of personal information is reasonably necessary and proportionate:
A "business purpose" can be:
So, say you have a set of personal information, and you intend to use it for a new purpose other than that for which you originally collected it. How do you know your proposed new use of this personal information is compatible with the context in which you collected it?
The CCPA doesn't explain which contexts are compatible with one another. But again, this concept exists in the GDPR, so we can get an idea of how the CCPA's authors may have intended this phrase to be interpreted.
The most relevant part of the GDPR is Recital 50, which explains the concept of "further processing." If you want to use personal information for a new purpose other than the purpose for which you collected it, consider these factors:
Say you collect a consumer's personal information for the purpose of performing a service. For example, you collect the consumer's email address for the purposes of processing an order.
At the point of collection, you give the customer notice that you may send them marketing emails in the future, and you provide instructions for them to opt out of receiving such emails.
It is likely that your new purpose (sending marketing emails) is compatible with the context in which you collected the consumer's personal information (processing an order), given:
The CCPA lists seven specific business purposes. The wording of this section of the CCPA implies that the list is exhaustive, i.e. that there are no business purposes other than these seven.
We're going to take a look at each of the seven business purposes. Bear in mind that the CCPA describes "using" personal information for a business purpose. However, most obligations arise when you disclose (share) personal information for a business purpose.
Personal information may be disclosed for auditing purposes if the auditing is "related to a current interaction with the consumer and concurrent transactions."
The CCPA provides a non-exhaustive list of three examples of auditing:
This implies that disclosing personal information to a third-party analytics or auditing service should not constitute "selling" personal information.
Personal information may be disclosed for the following security-related activities:
This business purpose may be relevant if you need to share personal information with companies that provide cybersecurity services, such as penetration testing.
Disclosing personal information for debugging is permissible in order "to identify and repair errors that impair existing intended functionality."
The presence of the term "existing intended functionality" implies that you cannot use personal information for improving your services or testing new services under this business purpose.
Personal information may be disclosed for "short-term, transient use" as long as it is not:
The CCPA provides one example of short-term, transient use: "the customization of ads shown as part of the same interaction."
This implies that disclosing personal information for the purposes of personalizing ads across multiple interactions or websites (i.e. using third-party tracking cookies) could constitute the "sale" of personal information.
A business may disclose personal information to a service provider to perform services on its behalf. A service provider may also disclose personal information to subcontractors that also act as service providers.
The CCPA provides nine examples of "services":
Note that disclosing personal information for these activities is only valid as a "business purpose" if the relationship between the business and the service provider (or the service provider and its subcontractor) meets the CCPA's requirements.
Under the CCPA, a "service provider":
Is subject to a contract that prohibits the retention, use, or disclosure of the personal information for any purposes other than:
It's crucial that you engage service providers under a contract that meets these specifications. If you disclose personal information outside of a business/service provider arrangement then this disclosure may qualify as a "sale."
You may use personal information to undertake "internal research for technological development or demonstration." However, bear in mind that there are strict rules around using personal information for research purposes.
The CCPA provides a specific definition of "research." Businesses must pseudonymize and de-identify personal information before they use it for research purposes, and ensure that it cannot be reidentified.
Here's business purpose number 7:
Let's break that down.
This business purpose relates to a service or device that is owned by, manufactured by, manufactured for, or controlled by your business.
You may use personal information for the following purposes in respect of such a service or device:
The CCPA regulates how businesses share personal information for financial or other benefits. But businesses need to share personal information in beneficial ways for their core operational purposes.
To avoid being caught out by the CCPA's broad definition of "sale," you should ensure your sharing of personal information falls within the CCPA's "business purposes."
Under the CCPA, you may disclose personal information where it is reasonably necessary and proportionate for your operational purposes. The CCPA provides seven such purposes:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.