What Constitutes a “Sale” of Privacy Information under CPRA/CCPA?

By Robert Cunningham / January 22, 2021

The California Consumer Privacy Act (CCPA) that went into effect on January 1, 2020 and the recently approved California Privacy Rights Act (CPRA) that will supersede CCPA come 2023, are applicable to any for-profit business in California that meets any one of the following thresholds:

  • Annual gross revenue in excess of $25 million
  • Buying, receiving or selling personal information of more than 50,000 consumers or households (expanded to 100,000 under CPRA)
  • Earning more than half of your annual revenue from selling personal information

If your revenue is less than $25 million, your customer base doesn’t exceed the threshold for the number of consumers or households, and you’re not earning revenue by selling personal information, you probably think that your business is exempt. However, under CPRA/CCPA, the definition of “selling” is not confined to the classic sense of the word but rather is broadly defined. That means you could technically be selling personal information, even if you don’t think you are. It’s therefore important to know what constitutes a “sale.” 

What’s in a Word?

CCPA/CPRA defines a “sale” of privacy information as “selling, renting, releasing, disclosing, disseminating, making available, transferring or communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or their party for monetary or other valuable consideration.” 

While this remains a vague aspect of the law, one can conclude based on the definition that even if your business is not directly being paid for consumer personal information (i.e., name, social security number, email or IP address, Internet browsing history, etc.), any such information that you make available by other means could still be considered a sale if you’re receiving “valuable consideration” in return. But what exactly is valuable consideration?

California law defines valuable consideration as any benefit, meaning it can be non-monetary such as assets, inventory, a service, discounts, promotion, or intellectual property. Really any tangible or nontangible business asset can potentially have valuable consideration. This includes targeted advertising based on a consumer’s behavior or preferences acquired via Internet analytics or tracking cookies. But there are exceptions.

Exceptions to Every Rule

First of all, under CCPA/CPRA, “selling” only refers to providing privacy data to third parties, which does not include service providers or contractors that perform a service required for your business to function. For example, if in selling your product or service, you provide personal information to a credit check bureau or fraud detection service to protect your business, this does not constitute a sale. In this scenario, service providers and contactors are also prohibited from “selling” personal information, and it’s up to you to ensure this requirement is covered in any terms and conditions. 

Another exception to disseminating privacy data occurs if your business has previously provided personal information to third-party entities and a customer then chooses to opt out—you’ll need to provide that customer’s identification information (i.e., email, account numbers, etc.) to third parties so they too can comply with the opt-out request. Additionally, if you’re selling assets as part of a business merger or acquisition to a third party that will take over control of the business, the transfer of personal information does not constitute a sale. And of course, if a consumer opts in, disseminating that user’s personal information also does not constitute a sale.

How Can You Be Sure?

At this time, it remains somewhat unclear as to whether all disclosures of personal information to third parties constitutes a “sale” under CCPA/CPRA. As specific legal cases arise and the California Privacy Protection Agency (CPPA) ramps up audits, enforcement, and education, it may become increasingly clear what constitutes a sale, but that doesn’t mean compliance can be put off until tomorrow. Rather than waiting for clarification and risking the penalties of non-compliance, any business handling privacy data would be wise to assess their risk today. And in today’s data-driven economy where information drives business decisions, it’s more than likely that you’re handling personal information.  

With cybersecurity attacks on the rise and users becoming increasingly concerned about how their data is used, you need to be sure that you’re maintaining consumer trust. To that end, it is recommended to engage with CCPA/CPRA legal and data experts to conduct a thorough data mapping that identifies all the ways your business systems acquire and disseminate personal information. These experts can help assess your risk and implement necessary orchestration policies and procedures to prevent any potential non-compliant “sale” of information. Because even if your business is unknowingly selling information per the definition of CCPA/CPRA, you can be held liable. 

CCPA/CPRA privacy data compliance is complicated. But with Ketch, it doesn’t have to be. Learn how we can help your business with data privacy today to reduce your risk tomorrow.

Share this: