The California Consumer Privacy Act (CCPA) is a privacy law that applies to businesses working in California; it requires them to provide certain basic protections for any personal data the companies collect about California residents. One such protection is that consumers can request that their data not be sold or transferred for business purposes to a third party.
This raises a question that might seem straightforward, but in fact isn’t: What qualifies as a sale of consumer data under the CCPA?
The answer is sufficiently complicated that in many cases, it’s easier to determine when a data transfer doesn’t qualify as a sale. So let’s unravel the entire issue, starting with the consumer.
How Does the CCPA Define a Consumer?
The CCPA applies first and foremost to all California residents. They are the first group considered “consumers” under the statute.
The California Code of Regulations counts anyone who is in the state for other than “temporary or transitory activities,” such as passing through on a trip, as a resident. This works the other way, too, however: any Californian traveling temporarily outside the state is still considered a California resident, and thus a consumer under the CCPA.
A person who finds him- or herself in California for business for several days or to fulfill a specific work contract within a certain time frame is not considered a California resident. There is, however, a slightly confusing exemption here. Suppose a person is in California for long-term health treatment, recovery, or business dealings without a set end date. In that case, that person is considered a California resident.
Are Employees Considered Consumers Under CCPA?
The definition of consumer under CCPA is broad, starting with any person who’s a California resident. That means employees who maintain a permanent residence in California are considered consumers under the statute.
To complicate matters, however, personal information collected by a company about its employees (say, during job interviews or evaluations) is usually not covered by the CCPA. This means that employees can’t ask to have that information released to them.
So as you evaluate your business practices and whether you comply with the CCPA, it’s wise to become familiar with the CCPA’s definition of personal information.
What Does “Other Valuable Consideration” Mean?
The CCPA allows California residents to tell companies not to sell their data for commercial purposes.
Selling includes renting, releasing, disclosing, or transferring the consumer’s personal information to a third party, either for a business purpose or for what the CCPA calls “other valuable consideration.”
“Other valuable consideration” means that the company acquiring the personal data stands to gain something from this sale of personal information that it otherwise wouldn’t have achieved. For example, most exchanges of personal information involving a third party that benefits from the deal would qualify as a sale under the CCPA.
Again, it may be easier to determine whether the transaction you’re evaluating isn’t a sale under the CCPA. The transaction is not considered a sale if it falls under one of the following CCPA exemptions:
- Data and personal information given directly to the consumer is not considered a sale.
- Data and confidential information consumers opt in to share is not considered a sale.
- A company sharing data to alert another company or third party of a consumer’s request to opt out of data sharing or enter a do not sell agreement is also not a sale.
- Data transferred to a service provider (a for-profit business such as a financial institution) is not a sale as long as the data transmitted is needed for the business transaction, such as loan approval.
- Data transferred during acquisitions: When Company A purchases Company B, the data stored by Company B that now becomes Company A’s property is not considered a sale.
Why is the Definition of a Sale an Issue for Companies in the Targeted Advertising Business?
Behavioral advertising depends on digital identifiers (“cookies”) that internet advertisers connect to the IP addresses of users who visit their websites. (This is how a pair of shoes you might view on your phone in the morning then pops up in online advertising you see for the rest of the day.)
The challenge for CCPA compliance is that those unique identifiers are considered personal information. The CCPA, however, allows California residents to opt out of selling their data. So by tracking your internet activity, our hypothetical shoe company above may be selling your personal information – and thus fall out of CCPA compliance.
Those who advocate for a high level of data privacy argue that when an internet search engine is allowed to place a tracking cookie in a consumer’s browser during a website visit, that website has made some of the consumer’s information available to a third party. In other words, this transaction could be considered a sale under the CCPA.
Advertising and marketing organizations have submitted several complaints to the California state attorney general, arguing that the CCPA places an impossible burden on them and on companies that use targeted advertising. Their concern is that the CCPA will require advertising agencies to track consumers’ Do Not Sell requests in the same way web browsers now have to monitor ‘Do Not Track’ requests from consumers who want to keep their browsing history private.
For now, online retailers and media companies should ensure that their cookie usage complies with all CCPA privacy practices.
Remember that advertising-driven platforms such as Google and Facebook have taken steps to limit user data sharing; your company’s Facebook ad doesn’t automatically place you in a position where you sell personal information. Google has a Restricted Data Processing (RDP) setting, which limits how Google can share data. Facebook has a similar setting called Limited Data Use (LDU). Both restrictions, however, have to be activated by the consumer.
Can Companies Share Personal Information With Other Businesses Without This Constituting a Sale?
Yes. The easiest way to do this is for the consumer to opt into the sharing, such as via a written contract. For example, financial institutions and other lenders may share consumer information needed to qualify for a bank loan.
How is CCPA’s Sale of Personal Information Defined?
The CCPA has specific regulations regarding the information businesses must give people when collecting and using personal information. One notable rule is the consumer’s ability under the CCPA to refuse the sale of personal data.
According to the CCPA, renting, disclosing, releasing, disseminating, transferring, or communicating personal information to another company or a third party for “monetary or other valuable consideration” constitutes the selling of personal information. A payment made in exchange for personal information is not required for something to be considered selling.
The CCPA allows people to request that businesses stop selling their personal information. Subject to certain exceptions, companies must abide by that request to opt out of selling personal information to third parties. In addition, businesses must have a clear and noticeable “Do Not Sell My Personal Information” link on their website so that customers may exercise their right to opt out. But what precisely is a sale?
What are the Penalties for a CCPA Violation?
Right now only the California Office of the Attorney General (OAG) can enforce the CCPA. Starting in 2023, however, the newly established California Privacy Protection Agency (CPPA) will assume enforcement responsibilities. The OAG notifies the company of the apparent infraction and gives it 30 days to correct. If the company can fix the problems within the 30-day window, no further action is required.
Of course, if a company hasn’t made any substantive efforts yet to comply with the CCPA, building a compliance program inside that 30-day window will be challenging to say the least. A firm can save money by developing a CCPA compliance program before the state attorney general ever comes knocking.
Businesses that fail to correct any claimed infractions within 30 days of receiving a cure notice may be subject to penalties for violating the CCPA: injunctions and civil fines.
Injunctions
A court order known as an injunction directs a person (or business) to refrain from particular conduct. For example, in the framework of the CCPA, the OAG might ask for an injunction requiring a company to stop gathering personal data from California citizens or even to stop operating in the state altogether.
Civil fines
The CCPA includes particular reference to sanctions for non-compliant firms. Businesses can be fined up to $2,500 for each infraction. These fines could easily reach hundreds of thousands of dollars because companies routinely collect personal information from large numbers of customers.
Businesses are subject to fines of up to $7,500 for “deliberate” offenses. So exactly what is a deliberate CCPA violation? That term is not defined in the statute, but the most common instance is when a company repeatedly violates the privacy law despite prior enforcement actions or consumer complaints.
Who Is Exempt From the CCPA?
Several types of organizations are exempt, even though they gather the personal information of California residents and satisfy the law’s threshold conditions. These organizations are:
- Nonprofits, since they do not meet the criteria for becoming a company.
- Government agencies, since they may require personal information for inquiries, subpoenas, summonses, compliance with federal, state, and municipal laws, or other reasons. Since the phrase “government agency” is so general, many possible interpretations exist. It should include all levels of government, including federal, state, municipal, and public schools.
- Insurance companies, brokers, and related businesses, because they’re subject to other privacy laws. For example, the Insurance Information and Privacy Protection Act of California (IIPPA) applies to insurance institutions, agents, and support organizations.
What Are CCPA’s Opt-Out Requirements?
The CCPA’s right to opt out allows customers to request that businesses not sell their personal information to third parties. An organization can distribute personal data within its various operating units; companies can also share personal data with their service providers when there is a signed contract. Additionally, individuals are free to keep supplying information that does not fall within the definition of personal information. So this provision doesn’t restrict all sharing of personal data with your third parties.
Consumers in California who are 16 years old or older have access to this privilege, which they can use whenever they choose. A company must respect the right to opt out unless the customer later decides to consent to the sale of their data.
Websites based in California will have a Do Not Sell My Information link or badge on their home pages and any California-specific sections of their privacy policies.
What are the Latest Updates and Amendments to the CCPA?
In November 2020, voters approved the California Privacy Rights Act, a ballot measure that updates the CCPA and adds further consumer privacy safeguards. Most of the CPRA’s provisions will take effect as of 2023.
The CPRA created the California Privacy Protection Agency to carry out and uphold the law. The state attorney general is still in charge of civil enforcement.
The CPRA made many adjustments to the CCPA’s specific regulations that would make them less onerous for businesses. For instance:
- Some formerly “necessary” technical criteria are now “permissive.” The modifications either remove or make it easier for rights requests (such as “Do Not Sell” recommendations) to flow down.
- Service providers are no longer required to explicitly state in contracts that they may use personal information to build or improve the quality of their services or to prevent, investigate, or detect security incidents and other malicious activity.
- The right to limit the use or disclosure of Sensitive Personal Information (SPI) only applies to SPI used to make an inference about an individual.
Maintain CCPA Compliance With Reciprocity ZenComply
Trying to comply with the CCPA via spreadsheets and manual processes is a fool’s errand. A better approach is ZenComply, a compliance and audit management system by Reciprocity. Zen automates many of the CCPA compliance requirements by:
- Checking your designs to look for mistakes;
- Letting you know what you should do to close such gaps;
- Monitoring the compliance of your suppliers and service providers;
- Putting all of their results on comprehensible dashboards;
- Enabling simple, unrestricted self-audits;
- Putting all of the necessary documents in a “single source of truth” repository that you can access at audit time.
ZenComply brings you peace of mind for CCPA compliance. After that, you’ll have more time to concentrate on other, more urgent issues, like boosting your bottom line and assuring that your customers are happy.