Under CCPA, You Might Be Selling Personal Information (Part 2)
Part 1 of this blog post discussed CCPA obligations if you use ad networks like Google or Facebook for interest-based advertising.
Part 2 of this post is a discussion of the specific language in the CCPA that led us to conclude that interest-based advertising is a “sale” of information under the CCPA.
Let’s begin with the text of the law.
How Does The CCPA Define Selling?
“Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
As you can see, the definition of “sale” is incredibly broad. Does that mean every disclosure of personal information is a sale?
No.
Luckily, CCPA goes into more detail to define what is not a sale. Here are a couple of key exclusions:
- If a consumer uses or directs your business to intentionally disclose their personal information through deliberate interactions
- If your business uses or shares consumer information with a service provider.
What Is A Service Provider?
A service provider meets the following requirements:
- Is a for profit business
- Processes personal information on behalf of a business based on a contract. The contract must prohibit the person or business receiving the personal information from:
- Retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract
- Retaining, using, or disclosing the information outside of the direct business relationship between the person and the business
Why Is The Service Provider Designation Good?
There are two benefits:
- The disclosure is definitely not a sale
- You are not liable if the service provider violates the CCPA. Per the CCPA:
A business that discloses personal information to a service provider shall not be liable under this title if the service provider receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. A service provider shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title.
I Disclose Information To A Third Party That Doesn’t Qualify As A Service Provider. Is It A Sale?
It depends.
The CCPA doesn’t draw a clear line between a “sale” of information and other types of sharing. However, it makes clear that a vendor is NOT considered a service provider if it uses the information your business shares with it to build profiles on consumers, which the vendor then uses to provide services to other businesses.
Some could argue that building profiles is a key part of the business model and services offered by ad networks like Facebook and Google, which collect information not only in their capacity as ad networks but also as a provider of other services, including social media platforms and analytics tools.
If your business uses one of these profile-building ad networks to serve interest-based ads to consumers, your sharing of consumer information with them for this purpose likely constitutes a “sale” under the CCPA. Unless, of course, the ad network has assured you that it is not using that information to build profiles and instead acts as a “service provider” to your business.
If I Use Ad Networks To Advertise, Am I Definitely “Selling” Information?
No, not necessarily. In the wake of the CCPA’s enactment, ad networks like Google and Facebook began offering solutions to businesses looking to be CCPA compliant. Google offers Restricted Data Processing (RDP). If turned on or operating by default for a particular ad service, RDP means that Google is restricting its use of the data you share with it such that the sharing should not be considered a “sale” under the CCPA. Facebook has a similar mode, called Limited Data Use (LDU). Ad networks may be updating their options and terms as CCPA enforcement kicks in, so be sure to understand your sharing practices with respect to each ad network and other third party.
As noted in Part 1 of this blog post, if you sell information under the CCPA, you are required to follow certain guidelines to give consumers the Right to Opt-Out of the sale of their information.
Need help thinking through it?