For businesses planning their compliance with the California Consumer Privacy Act (CCPA), determining whether a transfer of consumers’ personal information constitutes a “sale” is very important. If it is a sale, then the business has additional duties of disclosure and California residents have opt-out rights. Making this determination is one of the trickier aspects of CCPA compliance.
With the passage of the California Privacy Rights Act (CPRA), businesses must now contend with another concept: “sharing” personal information. Functionally, sharing and selling are treated the same under the amended CCPA. That is, businesses have the same obligations toward both types of transactions. This has left many wondering what the difference is between them.
Keep reading to learn how sharing is defined, why it was added to the law, and why it is good for businesses.
The CCPA’s definition of selling, both originally and as amended by the CPRA, has remained more or less the same. It is the disclosure of a consumer’s personal information to a third party for “monetary or other valuable consideration.” While the part about monetary consideration is clear enough, what “other valuable consideration” means is less clear.
The widely held view is that this definition includes disclosing consumers’ personal information in exchange for using interest-based advertising (a.k.a. retargeting) services on platforms like Facebook and Google. To be CCPA compliant, businesses must either allow consumers to opt out of this “sale” or stop using interest-based advertising altogether. To accommodate the data privacy law, Google, Facebook, and others have begun offering scaled-back (and less effective) versions of their advertising services that do not qualify as selling personal information under the CCPA.
There are other businesses that have adopted the position that interest-based advertising does not count as a sale of personal information under the CCPA. Regulations released by the California Attorney General have been silent on the issue, so these companies have not been allowing consumers to opt out. In order to clarify businesses’ obligations, the CPRA introduces the concept of “sharing” personal information, which removes any ambiguity.
In the CPRA, sharing has a very narrow definition. It is the disclosure of personal information to a third party “for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.” Cross-context behavioral advertising is the CPRA’s term for interest-based advertising or retargeting. Specifically, it is the targeting of advertising to a consumer based on personal information from the consumer’s interactions with other businesses, websites, etc.
Sharing and selling are regulated in the same way. Consumers now have a right to opt out of the sale or sharing of their personal information, and businesses have the same duty to disclose their practices with regard to both. Why, then, did lawmakers bother with the change in language?
Primarily, it removes any doubt that the law covers this type of activity. It provides a clear definition for cross-context behavioral advertising, and even removes the requirement for receiving any type of consideration in exchange. When the CPRA becomes effective on January 1, 2023, businesses that share personal data definitely must provide an opt-out method for Californians (if they haven’t already).
A second likely reason for the change is to address businesses’ concerns regarding the optics of CCPA compliance, as discussed below.
From a business perspective, the consumer’s right to opt out of the sale of their personal information is probably the least popular component of the CCPA. It’s not because of the difficulties in determining what is a sale or which vendors qualify as service providers, or even because it hamstrings certain aspects of their marketing strategy. It’s because of the “Do Not Sell” opt-out links.
Putting everything into the same category and calling it a sale of personal information is a blunt approach. For this reason, at least in part, the CPRA distinguishes between selling and sharing. Even if businesses’ obligations are the same for both, the difference in terminology is better for two reasons. First, it lines up better with consumers’ understanding of what a sale is. Second, it is a considerable softening of language: “Sharing personal information” sounds much better than “selling personal information.”
By allowing businesses to replace “Do Not Sell” links with a “Do Not Sell or Share My Personal Information” link, the CPRA lets them disclose their practices more clearly and maintain better relationships with consumers.
Getting your business CCPA compliant is a complex task. Figuring out what is a sale, what is sharing, and what is exempt is just one small part of the larger overall compliance strategy. Businesses must track personal data as it comes and goes, promptly respond to consumer requests, and more.
TrueVault Polaris is an innovative software tool that automates the process, drastically reducing the time and expense required to become CCPA compliant. Contact our team of data privacy experts today to learn more.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.