The California Consumer Privacy Act reflects a tectonic shift in the United States privacy landscape, sparking similar legislation in several states and prompting a call for uniform federal rules. The CCPA simultaneously creates a host of new rights for California residents and a myriad of ambiguities for companies subject to its requirements.

Although the statute takes effect in less than two months,1 one of its key provisions ― the right of California residents to opt out of the sale of their personal information ― remains to be defined.

The CCPA, as originally enacted, provides that a consumer "shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer's personal information."2 Under the law and in conventional usage, the term "sale" has been typically defined as a transaction in which a buyer pays a seller for goods or services.3

Yet just as the CCPA expands the scope of personal data to include information that was never considered personal identifying information, the statute also expands the concept of "sale" to include transfers and uses of data that are outside the scope of most legal or conventional definitions of that term.

The CCPA defines "sale" as the "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration."4

In other words, "sale" under the CCPA is both "selling" and a whole host of other things that are, by traditional definitions, not selling. As for the limiting phrase "valuable consideration," that language is not defined in the statute or in the California attorney general's draft regulations issued on Oct. 10.

Despite the expansive and incomplete definition of "sale," the CCPA requires that businesses that "sell" personal information to third parties (as further defined in the statute) must notify consumers that information may be sold and provide a means to opt out of the sale. This results in Hobson's choices for businesses designing compliance programs. Businesses must first determine whether they sell personal information within the meaning of the CCPA.

If so, the business must then determine the means by which it will notify consumers of the "sale," and how to provide consumers a means to opt-out, including whether to offer an "opt-out logo or button[,]" ― an option that the drafters of the CCPA envisioned would be developed by the AG in "a recognizable and uniform" format with the benefit of "broad public participation."5

On the first issue, the International Association of Privacy Professionals has suggested that, in the absence of AG guidance, "valuable consideration" may be interpreted in "a manner consistent with existing contract law doctrine[.]" Under this approach, "all agreements where personal information is exchanged and the transferring entity receives any benefit to which it is not legally entitled absent the agreement [would] be considered a 'sale' under the CCPA," unless one of four statutory exceptions enumerated at Section 1798.140(t)(2) applies.

Those four exceptions cover: (1) transfers directed by consumers; (2) communications or alerts regarding opt-out requests; (3) disclosures to service providers (as defined by the CCPA); and (4) transfers in connection with mergers, acquisitions or bankruptcy proceedings.6

For businesses that transfer data not covered by these exceptions, the CCPA presents the confounding decision whether to make a website disclosure that fundamentally misleads consumers, while potentially stigmatizing the businesses making the disclosure. Reflecting the accelerated drafting and passage of the CCPA, the statute effectively compels a business to convey confusing information regarding the purported "sale" of personal information, even when the information at issue has not been the subject of a sales transaction in any legal or conventional sense.

Although the business may in good faith believe that there has not been "valuable consideration" provided for the data, the scope of the common law doctrine of consideration is subject to competing and conflicting judicial decisions developed long before the advent of technologies subject to the CCPA. The net result is an administrative enforcement regime that turns on the vagaries of the common law of contracts, creating the real risk that a business's good faith interpretation of "valuable consideration" might nonetheless result in an enforcement action seeking injunctive relief and statutory penalties.

The second issue as to customer notice is equally difficult for those businesses that determine to include a website disclosure as specified in the CCPA. Customer education integrated with compliance efforts will be important to correct misconceptions about what businesses actually do with data and to preserve and cultivate consumer trust.

Businesses can clarify that certain common uses of data swept into the definition of sale are necessary to provide consumers with the array of benefits and curated experiences they covet and affirmatively seek out. Without such meaningful outreach, many businesses may be mischaracterized as being in the business of selling data, and many consumers may be unwittingly stripped of the experiences and conveniences they want and enjoy.

With respect to opt-out procedures, the CCPA requires a uniform "clear and conspicuous" link on a business's website that enables California residents to opt-out of the sale of their data to third parties. That requirement essentially applies to any entity that is not a service provider within the meaning of the CCPA.7 Such opt-out information must be "reasonably accessible" and "easily understood" by consumers.8

For those businesses that elect to provide a "logo or button," it must link directly to a distinct webpage or portion of the privacy policy designed to capture opt-out requests. This same link to an opt-out tool must be independently set forth in an online privacy policy and in any California-specific description of consumers' privacy rights, such as disclosures made to California residents under the Shine the Light statute, and businesses must allow these opt-out requests to be submitted without requiring the creation of online accounts.9

To see the full article click here

Footnote

1 While the effective date of the CCPA is January 1, 2020, the California attorney general may not bring enforcement actions until six months after final regulations are adopted or July 1, 2020, whichever comes first. The AG recently issued draft regulations on October 10, 2019. The comment period and a related series of public hearings on the draft regulations will conclude on December 6, 2019.

2 Cal. Civ. Code § 1798.120(a).

3 Webster's Dictionary defines "sale" as "the transfer of ownership of and title to property from one person to another for a price." https://www.merriam-webster.com/dictionary/sale. Multiple California statutes define "sale" similarly. See, e.g., Cal. Com. Code § 2106(1) ("A 'sale' consists in the passing of title from the seller to the buyer for a price.").

4 Cal. Civ. Code § 1798.140(t)(1).

5 Cal Civ. Code § 1798.185(a)(4)(C).

6 IAPP, What does 'valuable consideration' mean under the CCPA? (Dec. 2018), https://iapp.org/news/a/what-does-valuable-consideration-mean-under-the-ccpa.

7 Cal. Civ. Code § 1798.135(a)(1).

8 Cal. Civ. Code §§ 1798.140(a), 1798.185(a)(6).

9 Cal. Civ. Code § 1798.135(a)(1)–(2).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.