Do You "Sell" Personal Information?
The CCPA defines “sale” broadly to include transferring or making available any PI of consumers in exchange for money or anything else of value, like a service or even the promotion of your business.
If you provide (or “sell”) the PI of consumers in exchange for money, you are required to give those consumers whose PI you sell the opportunity to opt-out of that sale. If you share the PI of consumers in exchange for anything else of value (even if not money), your business might also be required to provide opt-out rights. While not traditionally considered a “sale,” your business’s sharing of PI in return for a benefit might be considered a “sale” under the CCPA, unless the sharing occurs in one of these four contexts:
- Your business shares the information with a service provider; or
- The consumer uses or directs your business to share the information with a third party; or
- Your business shares the information only to communicate an opt-out to a third party; or
- Your business shares the information as an asset during a merger or acquisition to a third party that assumes at least partial control of your business.
A note about sharing information with service providers: The CCPA does not provide a clear line between what is a “sale” of PI and what is not outside of a traditional data broker scenario, where your business actually sells PI to others in exchange for money. However, the CCPA does make clear that sharing PI with service providers is not a sale. Recall that the CCPA has a very specific definition for who is considered a “service provider.”
When you share PI with third party vendors who are not service providers, are you selling PI? Maybe. The CCPA defines “sale” broadly, and some business practices traditionally not thought of as a sale may be a “sale” under the CCPA. Building profiles about consumers that are shared with other businesses is a practice that excludes third parties from being service providers. Profile-building is combining information about consumers obtained from different sources to track and build a set of information about a consumer’s online behavior, interests, and purchases. Examples of third party vendors who build profiles include ad networks in the context of targeted advertising, and possibly data analytics providers. When used by a business, these third party vendors often access consumer PI using tracking devices like cookies placed on the business’s website. Alternatively, your business may provide consumer information directly to these vendors, such as by sending customer email addresses to a third party ad network.
Therefore, in addition to viewing an actual sale of PI for money as a "sale" under the CCPA, we also recommend that your business provide opt-out rights to consumers whose PI it shares with third parties when those third parties build profiles about consumers.
Similarly, if your business allows the use of third party cookies to access PI of your website visitors - such as their online activity - to serve or support targeted, interest-based or behavioral advertising to consumers, your business is likely “selling” those consumers’ PI under the CCPA. Again, the CCPA is not 100% clear on this, but the safest way of handling retargeted advertising is to consider it a sale. If you’re not sure what to do, you should consult an attorney with any questions about your specific business and how it shares PI. If you think you might sell PI, answer “yes” to questions asking whether you sell PI in the Additional Requirements worksheet. This will help us ensure you provide opt-out rights to California residents whose PI you sell.
Google’s Restricted Data Processing Google allows users to turn on “restricted data processing” for various advertising and analytics services that do not already operate under restricted data processing. If you turn on restricted data processing in accordance with Google’s instructions, certain uses of PI collected by Google will be disabled for advertising purposes, such as profile-building. If you enable restricted data processing with your Google services, your use of Google advertising and other services may not be considered a “sale” of PI. If you have questions about your particular use of Google’s services, you can reach out to Google. You can learn more about restricted data processing here. |
Facebook’s Limited Data Use Facebook allows users to enable a similar data processing mode called “limited data use” that restricts how it uses and shares PI. If you enable limited data use for services you receive from Facebook, such as Facebook ads, your use of Facebook advertising may not be considered a “sale” of PI. If you have questions about your particular use of Facebook’s services, you can reach out to Facebook. You can learn more about limited data use here. |