We’re continuing our CCPA readiness series with a closer look at two core tenets of the CCPA: the sale of personal information (PI) and opt outs.
PI sales and CCPA
PI sales are featured in two of the three qualifiers that determine whether a company is classified as a business under CCPA. As such, a core piece of compliance is understanding what constitutes a sale.
CCPA defines the sale of PI as:
“Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” (CAL. CIV. CODE §1798.140(t)(1))
In simplified terms, you might think about PI sales as “moving consumer personal information between businesses or third parties in any way that generates value, monetarily or otherwise.” It’s worth noting that, as currently written, service providers are not explicitly included in the definition above (for a quick refresher on how the CCPA defines businesses, service providers, and third parties, read this blog).
Opt out and CCPA
The CCPA provides explicit guidelines with regard to how businesses must support opt outs. Some of these include:
- A link on a website’s homepage that reads “Do Not Sell My Personal Information.”
- Notice that PI may be sold and that consumers may opt out.
- A ban on asking consumers who have opted out to opt in again until 12 months have passed.
- No discrimination against consumers who opt out, e.g. by denying goods or services.
- The ability for consumers to authorize someone else to request an opt out on their behalf.
However, there’s nuance when it comes to CCPA opt outs. As the law is currently written, opt outs refer specifically to PI sales, but not necessarily to PI data processing or collection. If a consumer opts out, the business they opted out with can no longer sell that consumer’s PI to other businesses or third parties, but that business may still be able to collect and use that consumer’s PI data internally.
The information provided in this blog does not constitute legal advice. Please consult your legal counsel to obtain legal advice.