The interpretations of “sale” and “service provider” under the California Consumer Privacy Act, including applicable exceptions, are both of critical importance when assessing compliance obligations.
The CCPA imposes onerous requirements on the “sale” of “personal information.” “Personal information” is defined expansively to include information that can identify, relate to, describe, be associated with, or be reasonably capable of being associated with a particular consumer or household. The statute provides a non-exhaustive list of categories of “personal information.” “Personal information” does not include de-identified or aggregate consumer information.
Generally, if your entity sells, rents, releases, transfers, discloses, disseminates, makes available or otherwise communicates “personal information” about a California consumer to a third party in exchange for monetary or other valuable consideration, there is a qualifying “sale” under the CCPA.
Digital marketers must take note and should consult with an experienced FTC defense attorney to ensure CCPA compliance. For example, the transmission of information to third party advertising networks via cookies probably constitutes the “sale” of “personal information.”
Note that “personal information” that is disclosed at a consumer’s direction, to alert a third party that the consumer has submitted an opt-out request for the sale of their “personal information,” in conjunction with a merger/acquisition or other transaction in which a third party assumes control of all or part of the business, or to comply with a legal obligation does not constitute a “sale” of “personal information” under the CCPA.
Similarly, there is no “sale” of “personal information” under the CCPA when “personal information” is disclosed to a “service provider” subject to contractual restrictions that prohibit “retaining, using, or disclosing” “personal information” for any purpose other than “for the specific purpose of performing the services specified in the contract,” the “service provider” has certified that it understands its contractual restrictions, and the disclosing entity has provided reasonable notice to consumers about such sharing with the “service provider.” Otherwise, disclosure, including to third party vendors, is not covered by the “service provider” exception set forth above.
Valuable consideration must be interpreted broadly and can potentially include, without limitation, the development of technologies and services beyond the contracted business service.
Under the California Consumer Privacy Act, certain entities that collect information on behalf of businesses are considered “service providers.” Knowing what constitutes a “service provider” under the CCPA is a critical component of compliance with the new law because if “personal information” is collected on behalf of a business through a third party “service provider,” the business might be covered by the CCPA.
Also, consumers have the right to request various pieces of information regarding the collection and use of “personal information,” including the categories of “service providers” to whom “personal information” was sold or disclosed. Additionally, the CCPA permits consumers to request that covered entities and their “service providers” delete “personal information.”
A “service provider” means a for-profit legal entity that processes information on behalf of a business and to which the business discloses a consumer’s “personal information” for a business purpose, pursuant to a written contract. Contracts must include various prohibitions, including, but not limited to, the retention, use or disclosure of “personal information” for any purpose other than the purpose specified in the contract or under the law. “Service provider” contracts should also specifically address responses to consumer requests, data security safeguards, data breach response obligations, and data use and retention limitations.
The development and implementation of a robust CCPA compliance program must be made part of any data-driven business operation. CCPA compliance protocols must necessarily entail such things as contract reviews, privacy notice updates, and data mapping and sharing analyses in order to determine whether applicable processes and arrangements meet various definitions, including, but not limited to, “personal information,” “sale” and “service provider.”