The California Consumer Privacy Act (CCPA) is a privacy law that applies to businesses working in California, and requires them to provide certain basic protections for any personal data the businesses collect about consumers. One such protection is that consumers can request that their personal data not be sold or transferred for business purposes to a third party.
This raises a question that might seem straightforward, but actually isn’t: What qualifies as a sale of consumer data under the CCPA?
The answer is sufficiently complicated that in many cases, it’s easier to determine when a data transfer doesn’t qualify as a sale. Let’s try to unravel the entire issue, starting with the consumer.
How does the CCPA define a consumer?
The CCPA applies first and foremost to all California residents; so they are the first group considered consumers under the statute.
The California Code of Regulations counts as a resident anyone who is in the state for other than “temporary or transitory activities” such as passing through on a trip. This works the other way, too: any Californian who is traveling temporarily outside of the state is still considered a California resident, and thus a consumer according to the CCPA.
A person who finds him or herself in California for business for several days or to fulfill a specific work contract within a certain time frame is not considered a California resident. There is, however, a slightly confusing exemption here: if a person is in California for long-term health treatment or recovery, or for long-term business dealings without a set end date, then that person is considered a California resident.
Are employees considered consumers under CCPA?
The definition of consumer under CCPA is broad, starting with any person who’s a California resident. That means employees who maintain a permanent residence in California are considered consumers under the statute.
To complicate matters even more, however, personal information collected by a company about its employees (say, during job interviews or evaluations) is usually not covered by the CCPA. This means that employees can’t ask to have that information released to them.
So as you evaluate your business practices and whether you comply with the CCPA, it’s wise to become familiar with the CCPA’s definition of personal information.
What does “other valuable consideration” mean?
The CCPA gives California residents the right to tell companies not to sell their personal data for commercial purposes.
Selling includes renting, releasing, disclosing, or transferring the consumer’s personal information to a third party either for a business purpose or for what the CCPA calls “other valuable consideration.”
What’s that? “Other valuable consideration” means that the company acquiring the personal data stands to gain something from this sale of personal information that it otherwise wouldn’t have been able to gain. The majority of exchanges of personal information that involve a third party which benefits from the exchange would qualify a sale under the CCPA.
Again, it may be easier to determine if the transaction you’re evaluating isn’t a sale under the CCPA. It’s not considered a sale if it falls under one of the following exemptions:
- Data and personal information given directly to the consumer is not considered a sale.
- Data and personal information where consumers opt in to share is not considered a sale.
- A company sharing data to alert another company or third party of a consumer’s request to opt out of data sharing or enter a do not sell agreement is also not a sale.
- Data transferred to a service provider (a for-profit business such as a financial institution) is not a sale, as long as the data transferred is needed for the business transaction in question, such as loan approval.
- Data transferred during acquisitions: When Company A purchases Company B, the data stored by Company B that now becomes Company A’s property is not considered a sale.
Why is the definition of a sale an issue for companies in the targeted advertising business?
Behavior advertising depends on digital identifiers (“cookies”) that internet advertisers connect to the IP addresses of users that visit their websites. (This is how a pair of shoes you might view on your phone in the morning then pop up in online advertising you see for the rest of the day.)
The challenge for CCPA compliance is that those unique identifiers are considered personal information, and the CCPA gives California residents the right to opt-out of the selling of their personal data. So by tracking your internet activity, our hypothetical shoe company above may be selling your personal information and thus fall out of CCPA compliance.
Those who advocate for a high level of data privacy argue that when an internet search engine is allowed to place a tracking cookie in a consumer’s browser during a website visit, that website has made some of the consumer’s information available to a third party. In other words, this transaction could be considered a sale under the CCPA.
Advertising and marketing organizations have submitted several complaints to the State of California attorney general’s office, arguing that the CCPA places an impossible burden on them and on companies that use targeted advertising. Their concern is that the CCPA will require advertising agencies to track consumers’ Do Not Sell requests the same way web browsers now have to monitor ‘Do Not Track’ requests from consumers who want to keep their browsing history private.
For now, online retailers and media companies should assure that their cookie usage complies with all CCPA privacy practices.
Keep in mind that advertising-driven platforms such as Google and Facebook have taken steps to limit the sharing of users data; your company’s Facebook ad doesn’t automatically place you in a position where you sell personal information. Google has a Restricted Data Processing (RDP) setting which limits how Google can share data. Facebook has a similar setting called Limited Data Use (LDU). Both restrictions, however, have to be activated by the consumer.
Can companies share personal information with other businesses without this constituting a sale?
Yes. The easiest way for this to happen is if the consumer opts into the sharing, such as via a written contract. Consumer information that’s needed to qualify for a bank loan may be shared between the financial institution and other lenders.