Under the CCPA, a “sale” is defined broadly as the “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by [a] business to another business or a third party” in exchange for “monetary” or “other valuable consideration.” That means in some cases, you could be “selling” personal information under CCPA when you share that data with a third party, even if you are not receiving monetary compensation.
Specifically, “valuable consideration” includes things like development, enhancement, modification, or improvement of technologies, tools, methodologies, services, and offerings, or for development or performance of data analysis or other insight generation beyond the contracted business service.
The CCPA also provides limited exceptions to what constitutes a sale. Under the CCPA, a business might not “sell” personal information when:
How do I know if I am selling personal information under CCPA?
If your business is engaging in the sale of a consumer’s personal information as defined under CCPA, the CCPA requires that your business include mechanisms for consumers to opt out of the sale of their personal information. That means understanding what is and isn’t considered a sale, including whether an exception might apply, is critical to CCPA compliance.
If your business is subject to CCPA and shares personal information of California residents with third parties, you are nearly always either “disclosing for business purposes” or “selling” that information based on how those terms are defined under the law. Determining whether you “sell” data is one of the most important considerations in determining your obligations and your customers’ rights under CCPA. To make that determination, you will need to look at whether your data collection and sharing practices fall within the definition of a sale (defined more broadly than what you might typically think of as a sale) or within an exception to the definition of a sale under CCPA. If you evaluate your third-party data sharing practices and determine that they do not meet the definition of a sale, or fall within an exception to the definition of a sale, then you are likely “disclosing” data for a business purpose. However, your business still will have some obligations related to that disclosure. To help you determine whether you are engaging in a sale under CCPA, we have provided definitions and examples below.
“Disclosure for a business purpose” is a very broad concept. Disclosures to a third party typically include things like detecting security incidents, maintaining or servicing customer accounts, customer services, processing orders, and payments. For example, you are disclosing information for a business purpose if you are sharing data with a third party only so that they can process that information on your behalf and the third party does not keep the data for longer than necessary to provide those services or use it for any other purpose.
However, because “sale” is defined more broadly than how you might typically think of a sale, if you are sharing information with third parties you could be “selling” information under CCPA, even in some instances where you are not exchanging data for monetary compensation. A sale under CCPA is defined as any kind of disclosure to another business or third party for monetary or other valuable consideration. Some examples of sales include: collecting personal information through cookies for targeted advertising purposes; sharing personal information with a third party for marketing partnerships; or sharing data with a service provider where that service provider uses personal information to enrich their own data-sets, training machine learning models, or for technological research.
As such, if you are sharing information with a third party for a specific purpose, like for payment processing, you should review any agreements you have with the third party to determine if they only process the information to help with that specific purpose, or if they use it in any other way.
If your business relies on the sale of personal information as defined by the CCPA, remember that you only need to give California consumers the ability to opt out of the sale of their personal information.
Trusted by thousands of companies worldwide, Termly’s intuitive software generates legal policies and handles consent management for any business in minutes.
Termly allows our users to focus more on their business instead of spending countless hours figuring out data privacy compliance. - Jona, Senior Product Manager @ Termly