The California Consumer Privacy Act (“CCPA”) is a new California privacy law going into effect on January 1, 2020. The language in the CCPA is a bit of a mess in that definitions are often not what one would expect. In this article, we take a look at how the California State Legislature defines the word “selling” and its variations.
CCPA Consumer Rights and Opt-Out
The CCPA provides consumers with several affirmative rights they can exercise concerning the personal information companies collect from them. For example, a California resident has the right to ask a website to produce all the personal information the site has collected about the person. The person can also demand a company delete all or part of that information. These new rights have not previously appeared in the United States, but tend to reflect what we see in the GDPR in Europe. [The GDPR is a complex privacy regulation applicable to the EU that went into place on May 25, 2018.]
Consumers are also given a new right to opt-out of the sale of their personal information under the CCPA. When a California consumer makes such a request, a company can no longer “sell” the personal information of that person to third parties.
And this is where things get tricky.
What Is Selling?
Generally speaking, we consider the sale of something in law as one party exchange something of value with another party who is providing a return value. When I purchase my life-giving coffee in the morning, I exchange money for the sweet, sweet coffee product. The value I receive is coffee. The value the shop receives is money.
Not all that difficult of a concept to grasp, correct? Well, California decided to go in a different direction.
CCPA Sale Definition
The definition of “sale” and all its variations is exceedingly broad in the CCPA. It reads:
[Cal Civ Code Section 1798.140(t)(1)]
“Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
The first problem with the definition is the language is so broad that practically any exchange of personal information between two companies will count as a sale. For example, the phrases “making available,” “disseminating,” “or otherwise making available,” would seem to have few limits.
Let’s consider this definition from a real-world perspective. Let’s assume you own an e-commerce store. Do you perhaps have a few affiliate listings on the site? If so, are you not disseminating personal information of your visitors to those third party affiliate programs?
The second problem with the CCPA definition is found in the language reading “for monetary or other valuable consideration.” At first glance, the language suggests the broad definition is reigned in by the need for monetary exchange. However, the language reading “or other valuable consideration” is problematic.
“Consideration” carries a unique meaning under contract law. The word is a catch-all for value. If we return to our coffee example above, consideration would be the money that I paid the cashier for my coffee. However, consideration could be anything of value that I provide – a service, a product, a good joke. As long as it has value and is being exchanged, then it can count as “consideration.”
The result is we have a definition for “sale” that is extremely broad. Some commentators have argued the definition is so broad that it covers every scenario where an exchange takes place.
Legislative bodies cure this problem by defining the term “consideration” in the laws they create. Unfortunately, the California Legislature did not.
I imagine many people reading this article will think, “Definitions. Pfft! So what?” The implications of this broad definition are such that companies must now go through every third party relationship and determine whether they are “selling” information to the third party. If so, the company must decide how to arrange opt-out communications to those parties.
The vetting process will be exceedingly difficult when evaluating particular aspects of the online infrastructure you likely participate in. For example, do you use an ad network to place or show ads? An ad network is rarely comprised of one party. Instead, the named company will partner with multiple other companies to access information for behavioral tracking data so the ad network can return the most relevant ads for a visitor to your site or a site you are advertising on. How do you identify those behind-the-scenes companies and alert them to a user requesting their personal information no longer be “sold?”
No answer currently exists, but the advertising community is frantically working on solutions.
CCPA Service Provider Relief
The CCPA does provide relief when the third party is a “service provider.” A service provider is a:
“Service provider” means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.
In short, you do not need to force your vendors to opt-out of sales. However, a company must amend its contract with such vendors to limit their use of the data. A few vendors may refuse, at which point one must decide whether to move to another vendor or force the vendors to comply with the opt-out provisions under the CCPA. Neither choice is optimal.
In closing, the CCPA represents good intentions gone bad. The idea of giving people power over their data is hardly a radical proposal. Unfortunately, how the CCPA seeks to meet that goal is burdensome, bizarre, and often divorced from the reality of how the business world – particularly online – works.
Feel free to contact me if you have any questions or comments.
Richard A. Chapo, Esq.