Under CCPA, You Might Be Selling Personal Information (Part 2)
CCPA went into effect on January 1, 2020. Once you’ve established whether CCPA applies to you, you’ll want to create a data map and carefully evaluate the privacy policies for each service you use. When you do so, you may be surprised to find that under CCPA, if you use ad networks such as Facebook and LinkedIn, you are “selling” information.
Part 1 of this blog post discussed how to become CCPA compliant if you use these ad networks for retargeting.
Part 2 of this post is a discussion of the specific language in CCPA that led us and a large number of companies to the conclusion that advertising that utilizes retargeting constitutes a sale under CCPA.
Let’s begin with the text of the law.
How does CCPA define selling?
“Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
Based on this very broad definition, we can’t think of a single example of disclosure of personal information that wouldn’t constitute a sale. Is every disclosure of personal information a sale?
Luckily, CCPA goes into more detail to define what is not a sale. Here are a couple of key exclusions:
- If a consumer directs your business to intentionally disclose their personal information through deliberate interactions.
- If your business uses or shares consumer PI with a service provider.
Okay, so we have a few new concepts here in this second bullet point. Let’s dig into them.
Personal Information shared for a Business Purpose (PIB)
This concept was discussed in our post Who gets rights under CCPA?
Here are some examples of PIB:
Company A sells refurbished mobile phones online. Company A uses Google Mail (Gmail) as their email provider. Customer information for Company A that ends up in Gmail is PIB.
Company B provides babysitting and housekeeping services. Company B uses Hubspot for customer relationship management. Prospect and customer information that ends up in Hubspot is PIB.
Company C designs and constructs home remodels. Company C uses Dropbox to store customer contracts. Customer information that ends up in Dropbox is PIB.
How do we know it’s PIB?
Because (1) it fits the definition of personal information and (2) that information is disclosed in order to perform a business purpose.
Which brings us to the question…
What is a business purpose?
Again, CCPA defines this for us:
“Business purpose” means the use of personal information for a business’s operational purposes that is reasonably necessary and compatible with the context in which the personal information was collected. Business purposes are:
- Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
- Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
- Debugging to identify and repair errors that impair existing intended functionality.
- Short-term, transient use, provided that the personal information is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.
- Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.
- Undertaking internal research for technological development and demonstration.
- Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
Based on this definition, we know that PIB does not constitute a sale when shared with a service provider. Let’s dig into the definition of service provider next.
What is a service provider?
A service provider meets the following requirements:
- Is a for-profit business
- Processes personal information on behalf of a business based on a contract. The contract must prohibit the person or business receiving the personal information from:
  - Selling the personal information
  - Retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract
  - Retaining, using, or disclosing the information outside of the direct business relationship between the person and the business
  - Includes a certification made by the person receiving the personal information that the person understands these restrictions and will comply with them
Why is the service provider designation good?
There are two benefits:
- The disclosure is definitely not a sale.
- You are not liable if the service provider experiences a data breach that impacts your PIB. Per CCPA:
A business that discloses personal information to a service provider shall not be liable under this title if the service provider receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. A service provider shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title.
I disclose information to a third party that doesn’t qualify to be a service provider. Is it a sale?
The answer is, it depends.
In the scenario of Facebook Ads, Facebook doesn’t limit its use of the personal information collected through its cookies to serving ads for your business. It combines that data with information it tracks on other websites to optimize for its overall revenue. It’s not simply improving the Facebook platform; it’s using the information it gathers on your website to further its own commercial purposes.
Is that definitely a sale? We think this constitutes a sale. Additionally, the legal departments at a number of large companies also seem to believe this; for example, you can find 'Do Not Sell My Info' links on websites such as T-Mobile, Disney, and Coca-Cola related to their use of digital advertising. Google also appears to agree with this conclusion. As a result of CCPA, Google Ads now offers Data Restricted Mode in which data collected on your website is used exclusively to provide you with services, thereby making them a service provider.
We like this article from the International Association of Privacy Professionals (IAPP) that discusses various scenarios and whether or not various disclosures are considered a sale: https://iapp.org/news/a/how-to-know-if-your-vendor-is-a-service-provider-under-ccpa/