A Sale for Valuable Consideration Under California’s CCPA Defined
2019 will be the year where the details of the California Consumer Privacy Act (CCPA) are finalized. Looking ahead, there are three areas of government which could take action to change or clarify the new CA privacy law: the California legislature which has the power to amend the statute, the Attorney General which has been given the power to issue clarifying regulations, and Congress which could pass a new federal privacy law and preempt some or all of the CCPA privacy protections.
One of the areas where there is likely to be further guidance for businesses is the definition of a sale of personal information. Sale is defined by Section 1798.140(t) broadly to include releasing, disclosing, disseminating, making available, transferring or otherwise communicating to another business or third party for valuable consideration. This broad scope is in addition to the classic interpretation which includes selling to a third party for money, which also falls within the statutory definition of “sell,” “selling,” “sale,” or “sold”.
However, the broad scope creates challenges for businesses that may transfer personal information between two entities without selling it in the classic sense of the word. Nevertheless, the CCPA definition is written broadly to no doubt attempt to limit circumvention of the right to opt out by bad actors.
A blog post on IAPP’s The Privacy Advisor today looks at how the scope of the term sale will be interpreted in the context of the phrase valuable consideration if there is no further guidance from the above parties between now and 2020.
The post looks to contract law for guidance as to what will be considered valuable consideration and assumes that all agreements exchanging personal information that conveys any benefit will be considered a sale. Instead, it believes only the exemptions in the definition of sale will provide limits for businesses.
These limits are:
– Direction by the consumer to the business to disclose personal information.
– Disclosure of data to a service provider as the exemption is defined by the CCPA.
– Disclosure as part of a transfer in a change of control situation such as a merger, acquisition or bankruptcy.
– Sharing of an identifier to alert third-parties that a consumer has exercised the right to opt out.
We will be closely following interpretation of the definition of the term sale because of the importance of its interpretation to the handling of the right to opt out, and expect that in the interim businesses will be locking down service provider relationships with those organizations which they transfer personal information as part of providing a service to a California resident.
If a business can not establish an organization as a service provider, then they will have to stop the transfer of personal information to them when a California resident exercises their right to opt out of the sale of their personal information.
Other Blog Posts on the California Consumer Privacy Act:
Debate Over CCPA Amendment Heats Up as Business Preparations Ramp Up
California AG Holds First Public Forum for CCPA Rulemaking in San Francisco
New Mexico Privacy Bill Copies CCPA – Consumer Information Privacy Act Introduced in NM Legislature
CCPA Rulemaking Public Forums Announced by California Attorney General
CCPA Compliance Note: The Lookback Period Starts on January 1, 2019
Consumer Organizations Defend California Consumer Privacy Act (CCPA) in Letter to Legislators
California AG Tells Congress Not to Preempt California Privacy Law
CCPA Privacy Lawsuits Implicated in United States Challenge to Injury Standing in Frank v. Gaos
PWC Survey on CCPA: Enterprise Compliance Expected at 52% by January 1, 2020
California Adopts SB-1121 Amendments to Consumer Privacy Act
Contact Clarip Today for Help with CCPA and GPDR
The Clarip team and data privacy software are prepared to help your organization improve its privacy practices. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.
If your challenge right now is CCPA compliance for your California operations, allow us to show you our CCPA software. From consent management software to offer the option to opt-out of the sale of personal data, to a powerful DSAR Portal to facilitate the right to access and delete, Clarip offers enterprise privacy management at an affordable price.
If you are preparing your European operations for GDPR compliance, we can help through our modular GDPR software. Whether you are looking to start the process with GDPR data mapping software, increase automation in your privacy program with DPIA software, or handle ePrivacy with a cookie consent manager, Clarip has the privacy platform that you need to bolster your program.
Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo and speak to a member of the Clarip team.