California is imposing tough new rules on processing the data of anyone under the age of 18, with the potential to affect businesses that don't target younger consumers.
For businesses planning their compliance with the California Consumer Privacy Act (CCPA), determining whether a transfer of consumers’ personal information constitutes a “sale” is very important. If it is a sale, then the business has additional duties of disclosure and California residents have opt-out rights. Making this determination one of the trickier aspects of CCPA compliance.
With the passage of the California Privacy Rights Act (CPRA), businesses must now contend with another concept: “sharing” personal information. Functionally, sharing and selling are treated the same under the amended CCPA. That is, businesses have the same obligations toward both types of transactions. This has left many wondering what the difference is between them.
Keep reading to learn how sharing is defined, why it was added to the law, and why it is good for businesses.
The CCPA’s definition of selling, both originally and as amended by the CPRA, has remained more or less the same. It is the disclosure of a consumer’s personal information to a third party for “monetary or other valuable consideration.” While the part about monetary consideration is clear enough, what “other valuable consideration” means is less clear.
The widely held view is that this definition includes disclosing consumers’ personal information in exchange for using interest-based advertising (a.k.a. retargeting) services on platforms like Facebook and Google. To be CCPA compliant, businesses must either allow consumers to opt out of this “sale” or stop using interest-based advertising altogether. To accommodate the data privacy law, Google, Facebook, and others have begun offering scaled-back (and less effective) versions of their advertising services that do not qualify as selling personal information under the CCPA.
There are other businesses that have adopted the position that interest-based advertising does not count as a sale of personal information under the CCPA. Regulations released by the California Attorney General have been silent on the issue, so these companies have not been allowing consumers to opt out. In order to clarify businesses’ obligations, the CPRA introduces the concept of “sharing” personal information, which removes any ambiguity.
In the CPRA, sharing has a very narrow definition. It is the disclosure of personal information to a third party “for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.” Cross-context behavioral advertising is the CPRA’s term for interest-based advertising or retargeting. Specifically, it is the targeting of advertising to a consumer based on personal information from the consumer’s interactions with other businesses, websites, etc.
Sharing and selling are regulated in the same way. Consumers now have a right to opt out of the sale or sharing of their personal information, and businesses have the same duty to disclose their practices with regard to both. Why, then, did lawmakers bother with the change in language?
Primarily, it removes any doubt that the law covers this type of activity. It provides a clear definition for cross-context behavioral advertising, and even removes the requirement for receiving any type of consideration in exchange. Since the CPRA became effective on January 1, 2023, businesses that share personal data definitely must provide an opt-out method for Californians.
A second likely reason for the change is to address businesses’ concerns regarding the optics of CCPA compliance, as discussed below.
From a business perspective, the consumer’s right to opt out of the sale of their personal information is probably the least popular component of the CCPA. It’s not because of the difficulties in determining what is a sale or which vendors qualify as service providers, or even because it hamstrings certain aspects of their marketing strategy. It’s because of the “Do Not Sell” opt out links.
Businesses that sell consumers’ personal information, as defined by the CCPA, must include a clear and conspicuous “Do Not Sell My Personal Information” link on their homepage. Many businesses feel that these links are off-brand for their company and also give consumers the wrong idea about what the business is doing with their personal information. When consumers see the link, most of them assume it means the business is packaging their personal information and selling it for cash. Even if the consumer were to read the business’s full privacy policy and see that it only refers to retargeting, the damage has already been done. Some companies have simply abandoned interest-based advertising in order to avoid having to post a “Do Not Sell” link, even though customer conversion rates drop significantly.
Putting everything into the same category and calling it a sale of personal information is a blunt approach. For this reason, at least in part, the CPRA distinguishes between selling and sharing. Even if businesses’ obligations are the same for both, the difference in terminology is better for two reasons. First, it lines up better with consumers’ understanding of what a sale is. Second, it is a considerable softening of language: “Sharing personal information” sounds much better than “selling personal information.”
By allowing businesses to replace “Do Not Sell” links with a “Do Not Sell or Share My Personal Information” link, it lets them disclose their practices more clearly and maintain better relationships with consumers.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.