Under §1798.140(w), the CCPA describes a third party as “a recipient of personal information who is not the business that collected it nor an entity operating on behalf of that business based on a contract [i.e., a service provider].” [emphasis added] This raises the question of what qualifies as a “sale.” The definition of a sale under the CCPA is rather broad under §1798.140(t)(1):
Sale. Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
In many cases a business may not realize that such a transfer is taking place. For example, a transfer of information to advertisers via cookies or advertising identifiers (for those clicking on advertisements) or a transfer of browser information to an analytics firm are likely sales under the CCPA.
Consumers have three rights with respect to sales of their personal data to third parties:
- A consumer can direct a business not to sell the consumer’s personal information. 1
- A business shall provide notice to consumers that their personal information may be sold to third parties and that consumers have the right to opt out. 2
- A third party shall not sell personal information about a consumer unless the consumer has received explicit notice and is provided an opportunity to opt out. 3
Note that for sale of the personal information of consumers under the age of 16, there is a requirement to “opt-in,” either by the consumer or his/her parent or guardian. 4
The CCPA Regulations do not expand upon the mandates set forth in the statute with respect to sales to third parties. One noteworthy area, however, is with respect to so-called “Do Not Track” mechanisms in web browsers that purport to tell advertisers not to process the personal data of a web users. The Regulations state that
[i]f a business collects personal information from consumers online, the business shall treat user-enabled global privacy controls, such as a browser plugin or privacy setting, device setting, or other mechanism, that communicate or signal the consumer’s choice to opt-out of the sale of their personal information as a valid request [to opt out of such a sale]…for the consumer[.]” 5 [emphasis added]
As a result, a business that sells personal information to third parties would should have an automated means to pass on the state of a Do Not Track signal to those third parties as part of its data protection compliance program. Moreover, third party purchasers of personal information will likely wish to mandate such communication in order to advance their own compliance.
1. Cal. Civ. Code §1798.140(v).
2. Cal. Civ. Code §1798.140(t)(2)(C).
3. The CCPA Regulations §999.314(a).
4. The CCPA Regulations §999.314(b).
5. The CCPA Regulations §999.314(c).