The term “sale” is defined slightly differently between and among modern U.S. data privacy statutes with some statutes defining the term as including exchanges of personal information in return for valuable consideration, and others defining the terms as including only exchanges of personal information in return for monetary consideration. As the following chart indicates, state statutes also contain different exemptions for types of transfers that will not be considered a sale even if they otherwise meet the statutory definition of the term. It should be noted that some of these statutory differences may not lead to a substantive difference in terms of what activities constitute a sale – i.e., a transfer might fall under an express exemption under one statute and a different exemption under another statute. The following chart provides a breakdown of the express exemptions from the definition of sale between and among modern privacy statutes:
Explicit Exemption |
Europe GDPR |
California 2022 CCPA |
California 2023 CPRA |
Virginia 2023 VCDPA |
Colorado 2023 CPA |
Utah 2023 UCPA |
Data subject uses the business to intentionally disclose personal information to a third party |
N/A |
[1] |
[2] |
✘ |
[3] |
[4] |
Data subject directs a business to intentionally disclose personal information to a third party. |
|
[5] |
[6] |
✘ |
[7] |
[8] |
Data subject requests a product or service from a third party |
|
✘ |
✘ |
[9] |
[10] |
[11] |
Disclosure to a service provider to perform a business purpose. |
|
[12] |
[13] |
[14] |
[15] |
[16] |
Disclosure is part of an asset in a M&A transaction where the recipient uses information consistently with transferor. |
|
[17] |
[18] |
[19] |
[20] |
[21] |
Disclosure is part of an asset in bankruptcy transaction where the recipient uses information consistently with transferor. |
|
[22] |
[23] |
[24] |
[25] |
[26] |
Disclosure to a corporate affiliate. |
|
/ ✘[27] |
/ ✘[28] |
[29] |
[30] |
[31] |
Data subject intentionally made information available to the general public via mass media. |
|
✘ |
/ ✘[32] |
[33] |
[34] |
[35] |
Disclosure is consistent with data subject’s reasonable expectations. |
|
✘ |
✘ |
✘ |
✘ |
[36] |
FOOTNOTES
-
Cal. Civ. Code 1798.140(t)(2)(A) (West 2020) (note that the CCPA provides that the recipient must not also sell the personal information unless its actions are consistent with the CCPA).
-
Cal. Civ. Code 1798.140(ad)(2)(A)(i) (West 2021).
-
C.R.S. 6-1-1303(22)(b)(V)(A) (2022).
-
Utah Code Ann. 13-61-101(31)(b)(iv)(b) (2022) (refers to directing a controller to interact with a third party).
-
Cal. Civ. Code 1798.140(t)(2)(A) (West 2020) (note that the CCPA provides that the recipient must not also sell the personal information unless its actions are consistent with the CCPA).
-
Cal. Civ. Code 1798.140(ad)(2)(A)(i) (West 2021).
-
C.R.S. 6-1-1303(22)(b)(V)(A) (2022).
-
Utah Code Ann. 13-61-101(31)(b)(iv)(a) (2022).
-
Va. Code 59.1-571 (2022).
-
C.R.S. 6-1-1303(22)(b)(II) (2022).
-
Utah Code Ann. 13-61-101(31)(b)(v) (2022).
-
Cal. Civ. Code 1798.140(t)(2)(C) (West 2020).
-
Note that the CPRA does not contain an express exemption for transfers to service providers, however, a “sale” is defined as relating only to a transfer to a “third party” and the term “third party” is, itself, defined as not including service providers. See Cal. Civ. Code 1798.140(ai)(2) (West 2021).
-
Va. Code 59.1-571 (2022).
-
C.R.S. 6-1-1303(22)(b)(I) (2022).
-
Utah Code Ann. 13-61-101(31)(b)(i) (2022).
-
Cal. Civ. Code 1798.140(t)(2)(D) (West 2020).
-
Cal. Civ. Code 1798.140(ad)(2)(C) (West 2021).
-
Va. Code 59.1-571 (2022).
-
C.R.S. 6-1-1303(22)(b)(IV) (2022).
-
Utah Code Ann. 13-61-101(31)(b)(vii) (2022).
-
Cal. Civ. Code 1798.140(t)(2)(D) (West 2020).
-
Cal. Civ. Code 1798.140(ad)(2)(C) (West 2021).
-
Va. Code 59.1-571 (2022).
-
C.R.S. 6-1-1303(22)(b)(IV) (2022).
-
Utah Code Ann. 13-61-101(31)(b)(vii) (2022).
-
The CCPA does not contain an express exemption to the definition of “sale” for transfers of personal data between and among corporate affiliates, however, the CCPA considers some corporate affiliates (i.e., those that share common branding) to constitute the same “business” for regulatory compliance purposes. See Cal. Civ. Code 1798.140(c) (West 2020).
-
The CPRA does not contain an express exemption to the definition of “sale” for transfers of personal data between and among corporate affiliates, however, the CCPA considers some corporate affiliates (i.e., those that share common branding) to constitute the same “business” for regulatory compliance purposes. See Cal. Civ. Code 1798.140(d)(2) (West 2021).
-
Va. Code 59.1-571 (2022).
-
C.R.S. 6-1-1303(22)(b)(III) (2022).
-
Utah Code Ann. 13-61-101(31)(b)(ii) (2022).
-
While the CCPA does not contain an express exemption to the definition of “sale,” the CPRA provides that information made available to the general public by the consumer or widely distributed by media does not constitute “personal information” for the purposes of the statute. See Cal. Civ. Code 1798.140(v)(2) (West 2021).
-
Va. Code 59.1-571 (2022).
-
C.R.S. 6-1-1303(22)(b)(V)(B) (2022).
-
Utah Code Ann. 13-61-101(31)(b)(vi)(A) (2022).
-
Utah Code Ann. 13-61-101(31)(b)(iii) (2022).