[co-author: Stacey Weber]
Keypoint: Organizations subject to these laws will need to determine whether they are engaging in “sales,” which can be a complex and multifaceted analysis given the statutes’ varying definitions and exemptions.
This is the fifth post in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them.
In this article, we analyze how each of these laws treats “sales” of personal information/data. The CPRA, CPA, and VCDPA all give consumers the right to opt out of the sale of their personal information/data by businesses/controllers. Whether organizations need to provide this right is obviously dependent on whether they are selling personal data. That analysis, however, is complicated by the fact that the laws define “sale” differently and contain different exemptions. Reconciling the definitions and exemptions will be an important step for any organization complying with these laws.
In the article below, we analyze these issues by first comparing the definitions of sale under the three laws and then analyzing the various exemptions.
Comparing the Definitions of Sale
The California Consumer Privacy Act (CCPA) defines “sale” as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
The CPRA makes one change to that definition, removing the phrase “another business or.” As discussed below, that deletion makes sense given the CPRA’s reframing of third-party transfers. The change also is important to understanding the CPRA’s modification of the exemptions to the definition of sale.
Since the CCPA was enacted in 2018, privacy professionals have questioned the meaning and contours of the phrase “other valuable consideration.” During the CCPA rulemaking process, many businesses asked the Attorney General to clarify the phrase. At least one commentator asked for a factor-based method to identify when valuable consideration was provided. However, the Attorney General’s office was unwilling to provide guidance, stating that the “CCPA’s use of the terms ‘valuable’ and ‘consideration’ are reasonably clear and should be understood by the plain meaning of those words.”
The CPA defines “sale” as “the exchange of personal data for monetary or other valuable consideration by a controller to a third party.” The VCDPA uses the same definition as the CPA with the exception that it excludes the phrase “other valuable consideration.” As a result of this difference, it is possible that some data transfers could be considered sales in California and Colorado, but not in Virginia.
Comparing Exemptions to the Definition of Sale
Determining whether a data transfer meets the definition of sale is only the first part of the analysis, as each of the three laws provides a number of exemptions under which data transfers are not considered sales. Below, we first provide a summary of the exemptions followed by a discussion of each.
Summary of Exemptions
| Exemption | CCPA | CPRA | VCDPA | CPA |
|---|---|---|---|---|
| 1. When a consumer intentionally uses a business / controller to disclose personal information or uses a business / controller to interact with third parties | Yes, provided the third party does not sell the personal information unless that disclosure is consistent with the CCPA. | Yes | No | Yes |
| 2. Notifying third parties of a consumer’s opt out of sale request | Yes | Yes, the CPRA also excludes transfers used to notify persons that a consumer has limited the business’s use of sensitive personal information. | No, but the law does not require that such notice be provided. | No, but the law does not require that such notice be provided. |
| 3. Transfers to service providers / contractors / processors | Yes (transfers to service providers) | Yes (transfers to service providers and contractors) | Yes (transfers to processors) | Yes (transfers to processors) |
| 4. Transfers as part of a merger, acquisition, bankruptcy, or similar transaction | Yes, provided subsequent use of information is materially consistent (if not, must provide notice). | Yes, provided subsequent use of information is materially consistent (if not, must provide notice). | Yes | Yes, the exemption also includes transfers associated with proposed transactions. |
| 5. Transfers to third parties for purposes of providing a product or service requested by consumer | No, but transfers may be exempt under exemptions for intentional disclosures to third parties or transfers to service providers. | Yes, based on the CPRA’s expanded definition of “intentionally interacts” to include “purchasing a good or service.” | Yes | Yes |
| 6. Transfers to controller’s affiliates | No, but the CCPA’s definition of business in § 1798.140(c)(2) includes entities that meet similar criteria as in the VCDPA and CPA’s definition of affiliate. | No, but the CPRA’s definition of business in § 1798.140(d)(2) includes entities that meet similar criteria as in the VCDPA and CPA’s definition of affiliate. | Yes | Yes |
| 7. Transfers of information a consumer intentionally made available to the general public via a channel of mass media | No | No, but the CPRA excludes publicly available information which has similar language and may lead to the same result. | Yes, provided the consumer did not restrict to a specific audience. In addition, see the VCDPA’s definition of publicly available information in § 59.1-575. | Yes, in addition, see the CPA’s definition of publicly available information in § 6-1-1303(17)(b). |
Analysis of Exemptions
Exemption 1: When a consumer intentionally uses a business / controller to disclose personal information or uses a business / controller to interact with third parties
CCPA § 1798.140(t)(2)(A) exempts from the definition of “sale” transfers in which a consumer “uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this title.” The section further states that an “intentional interaction occurs when the consumer intends to interact with the third party, via one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer’s intent to interact with a third party.” The CCPA defines “third party” negatively to mean a person who is not the business that collects the personal information from the consumer or a service provider.
The CPRA changes this exemption in three ways.
First, the CPRA removes the qualifying phrase “provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this title.”
Second, the CPRA moves the explanation of what constitutes an intentional interaction to a new definition found in § 1798.140(s). The CPRA also expands the definition of an intentional interaction by stating that intentional interactions include “visiting the person’s website or purchasing a good or service from the person.” The latter part of this expanded definition becomes significant when we discuss Exemption 5 below.
Third, the CPRA revises the definition of third party to mean a person who is not (1) the “business with whom the consumer intentionally interacts and that collects personal information from the consumer as part of the consumer’s current interaction with the business under this title,” (2) a service provider to the business, or (3) a contractor.
With these changes, the CPRA clarifies and expands the CCPA exemption such that it will not be a sale if a consumer intentionally directs the business to transfer the consumer’s personal information to an entity that is not the business, a service provider of the business, or a contractor. What the third-party recipient does with the consumer’s personal information is no longer part of the calculus.
Similar to the CCPA and CPRA, the CPA exempts from the definition of sale “the disclosure of personal data . . . [t]hat a consumer directs the controller to disclose or intentionally discloses by using the controller to interact with a third party.” The CPA defines “third party” as any “person, public authority, agency, or body other than a consumer, controller, processor, or affiliate of the processor or controller.” The CPA does not define “intentional.”
The VCDPA does not include this exemption.
Exemption 2: Notifying third parties of a consumer’s opt out of sale request
The CCPA exempts transfers where the business uses or shares an identifier for a consumer who has opted out of the sale of the consumer’s personal information for the purposes of alerting persons that the consumer has opted out of the sale. The CPRA maintains the exemption and expands it to include transfers of an identifier for purposes of alerting persons to a consumer’s request to limit the use of their sensitive personal information.
The CCPA and CPRA do not mandate alerting persons of a consumer’s opt out request. However, § 999.315(e) of the CCPA regulations requires a business that sells personal information to a third party, after receiving an opt out request but before complying with the request, to notify those third parties that the consumer has exercised their right to opt out and direct those third parties not to sell that consumer’s information.
The CPA and VCDPA do not contain this exemption, but neither statute requires controllers to notify third parties of consumer opt-out requests.
Exemption 3: Transfers to service providers / contractors / processors
The CCPA’s definition of sale excludes transfers from a business to a service provider that is “necessary to perform a business purpose” where the business provides notice of the transfer to consumers and the service provider does not sell the personal information. Although the CPRA deleted this exemption, such transfers still do not constitute sales based on other changes made by the CPRA.
First, as discussed, the CPRA modifies the definition of “sale” to state that a sale is a transfer of personal information “by the business to a third party” instead of the CCPA’s definition of “by the business to a business or third party.” (Emphasis added.) The CPRA then modifies the definition of third party to state that a third party is a person who is not (1) the business to whom the consumer provided the information, (2) a service provider to the business, or (3) a contractor. Therefore, transfers to service providers or contractors cannot be sales because the definition of sale states that the transfer must be to a third party.
The CPA and VCDPA make this analysis cleaner by simply stating that sales do not include the disclosure of personal data to a processor that processes the personal data on behalf of the controller.
To take advantage of this exception, businesses/controllers will need to ensure that they have proper contractual arrangements in place with service providers, contractors, and processors, as applicable. We will address those requirements in a future article in this series.
Exemption 4: Transfers as part of a merger, acquisition, bankruptcy, or similar transaction
The CPRA, CPA, and VCDPA all include an exemption for the transfer of consumer personal information in a “merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of” the business (in the case of the CPRA) or assets (CPA and VCDPA). The CPA also specifically allows for a transfer for proposed transactions.
Notably, the CPRA requires notice to consumers if the party receiving the information “materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection.” Similar language can be found in CCPA §§ 1798.100(a)(1) and (2). The CPRA further provides that this exemption does not authorize a business to make “material, retroactive changes to their privacy policies” or other changes that would violate the Unfair and Deceptive Practices Act.
The CPA and VCDPA do not contain a similar restriction in their exemptions. However, controllers subject to the CPA must keep in mind that §§ 6-1-1308(2) and (4) provide that a controller “shall specify the express purposes for which the personal data are collected and processed” at the time of collection and “shall not process personal data for purposes that are not reasonably necessary to or compatible with the specified purposes for which the personal data are processed, unless the controller first obtains the consumer’s consent.”
The VCDPA similarly provides that “[e]xcept as otherwise provided in this chapter, [controllers shall] not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.”
These considerations will be important for companies to understand and analyze when conducting due diligence on proposed transactions.
Finally, separate and apart from these laws, the FTC has cautioned that Section 5 of the FTC Act may require companies to obtain permission from consumers for post-sale material changes to privacy policies.
Exemption 5: Transfers to third parties for purposes of providing a product or service requested by consumer
The CPA and VCDPA both exempt the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer.
The CPRA does not contain this exemption but likely reaches the same result through its intentional interaction exemption discussed in Exemption 1. That is because the CPRA defines “intentionally interacts” in § 1798.140(s) to mean “when the consumer intends to interact with a person, or disclose personal information to a person, via one or more deliberate interactions, including visiting the person’s website or purchasing a good or service from the person.” (Emphasis added.)
Exemption 6: Transfers to controller’s affiliates
The CPA and VCDPA both exempt the disclosure or transfer of personal data to an affiliate of the controller. However, the laws do not define “affiliate” the same way.
Under the CPA an affiliate is “a legal entity that controls, is controlled by, or is under common control with another legal entity.” “Control” is defined as “ownership, control, or voting power of 25% or more of the shares of the company,” control “over the election of a majority of directors, trustees, or general partners,” or the power to directly or indirectly exercise “a controlling influence over the management or policies” of the entity.
The VCDPA differs in two notable respects. First, it extends affiliate not only to an entity that controls, is controlled by, or is under common control, but also an entity that shares “common branding with another legal entity.” Second, it requires a 50% voting power rather than 25%.
Although the CPRA does not specifically contain this exemption from its definition of sale, it likely reaches the same result because the CPRA’s definition of “business” contains similar language as the CPA and VCDPA’s definitions of affiliate. Specifically, § 1798.140(d)(2) of the CPRA states that a business includes:
Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business and with whom the business shares consumers’ personal information. “Control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, servicemark, or trademark that the average consumer would understand that two or more entities are commonly owned.
Finally, while the VCDPA definition of affiliate states “or shares common branding,” the CPRA definition states “and that shares common branding.” Additionally, the CPRA further narrows the scope with the inclusion of “and with whom the business shares consumers’ personal information,” essentially adding a third requirement that the transfer of personal information be from the governed entity to the affiliated entity. As a result, the CPRA exception for sharing with an entity with common control may be narrower than the VCDPA.
Exemption 7: Transfers of information a consumer intentionally made available to the general public via a channel of mass media
Finally, the CPA and VCDPA exempt transfers of personal data that a consumer already made available “to the general public via a channel of mass media.” The VCDPA goes one step further, adding that the consumer must not have restricted the information to a specific audience. Notably, the CPA and VCDPA do not define “general public” or “channel of mass media.”
Although the CPRA does not contain this exemption, it contains a broad definition of “publicly available information” that likely reaches the same result. Specifically, the CPRA’s definition of publicly available information includes “information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media, or by the consumer; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience.” The CPA and VCDPA also exempt publicly available information although with different definitions. For a further analysis of this issue, see our prior post in this series.
Consequences of the Variations
As the length of this article perhaps indicates, although all three laws allow consumers to opt out of sales of personal information/data, the nuances between the laws’ definitions of sale and the various exemptions will cause headaches for organizations engaging in complex data transfers with other entities. Despite the differences, it is possible to find common ground when one digs into the exemptions (and maps the data collection and flows). This suggests that organizations can develop a strategy that allows for interoperability on this issue between the three laws.