Keypoint: Organizations subject to these laws will
need to determine whether they are engaging in “sales,”
which can be a complex and multifaceted analysis given the
statutes’ varying definitions and exemptions.
This is the fifth post in our ten-part weekly series comparing
key provisions of the California Privacy Rights Act (CPRA),
Colorado Privacy Act (CPA), and Virginia Consumer Data Protection
Act (VCDPA). With the operative dates of these laws drawing near,
we are exploring important distinctions between them. If you are
not already subscribed to our blog, consider subscribing
now to stay updated.
In this article, we analyze how each of these laws treat
“sales” of personal information/data. The CPRA, CPA, and
VCDPA all give consumers the right to opt-out of the sale of their
personal information/data by businesses/controllers. Whether
organizations need to provide this right is obviously dependent on
whether they are selling personal data. That analysis, however, is
complicated by the fact that the laws define “sale”
differently and contain different exemptions. Reconciling the
definitions and exemptions will be an important step for any
organization complying with these laws.
In the below article, we analyze these issues by first comparing
the definitions of sale under the three laws and then analyzing the
various exemptions.
Comparing the Definitions of Sale
The California Consumer Privacy Act (CCPA) defines
“sale” as “selling, renting, releasing, disclosing,
disseminating, making available, transferring, or otherwise
communicating orally, in writing, or by electronic or other means,
a consumer’s personal information by the business to another
business or a third party for monetary or other valuable
consideration.”
The CPRA makes one change to that definition, removing the
phrase “another business or.” As discussed below, that
deletion makes sense given the CPRA’s reframing of third-party
transfers. The change also is important to understanding the
CPRA’s modification of the exemptions to the definition of
sale.
Since the CCPA was enacted in 2018, privacy professionals have
questioned the meaning and contours of the phrase “other
valuable consideration.” During the CCPA rulemaking process
many businesses asked the Attorney General to clarify the phrase.
At least one commentator asked for a factor-based method to
identify when valuable consideration was provided. However, the
Attorney General’s office was unwilling to provide guidance,
stating that the “CCPA’s use of the terms
‘valuable’ and ‘consideration’ are reasonably clear
and should be understood by the plain meaning of those
words.”
The CPA defines “sale” as “the exchange of
personal data for monetary or other valuable consideration by a
controller to a third party.” The VCDPA uses the same
definition as the CPA with the exception that it excludes the
phrase “other valuable consideration.” As a result of
this difference, it is possible that some data transfers could be
considered sales in California and Colorado, but not in
Virginia.
Comparing Exemptions to the Definition of
Sale
Determining whether a data transfer meets the definition of sale
is only the first part of the analysis as each of the three laws
provide a number of exemptions for when data transfers are not
considered sales. Below, we first provide a summary of the
exemptions followed by a discussion of each.
Summary of Exemptions
| CCPA | CPRA | VCDPA | CPA | |
| 1. When a consumer intentionally uses a
business / controller to disclose personal information or uses a business / controller to interact with third parties |
Yes, provided the third party does not sell the
personal information unless that disclosure is consistent with the CCPA. |
Yes | No | Yes |
| 2. Notifying third parties of a
consumer’s opt out of sale request |
Yes | Yes, the CPRA also excludes transfers used to
notify persons that a consumer has limited the business’s use of sensitive personal information. |
No, but the law does not require that such notice
be provided. |
No, but the law does not require that such notice
be provided. |
| 3. Transfers to service providers /
contractors / processors |
Yes (transfers to service providers) | Yes (transfers to service providers and
contractors) |
Yes (transfers to processors) | Yes (transfers to processors) |
| 4. Transfers as part of a merger,
acquisition, bankruptcy, or similar transaction |
Yes, provided subsequent use of information is
materially consistent (if not, must provide notice). |
Yes, provided subsequent use of information is
materially consistent (if not, must provide notice). |
Yes | Yes, the exemption also includes transfers
associated with proposed transactions. |
| 5. Transfers to third parties for purposes
of providing a product or service requested by consumer |
No, but transfers may be exempt under exemptions
for intentional disclosures to third parties or transfers to service providers. |
Yes, based on the CPRA’s expanded definition of
“intentionally interacts” to include “purchasing a good or service.” |
Yes | Yes |
| 6. Transfers to controller’s
affiliates |
No, but the CCPA’s definition of business in
§ 1798.140(c)(2) includes entities that meet similar criteria as in the VCDPA and CPA’s definition of affiliate. |
No, but the CPRA’s definition of business in
§ 1798.140(d)(2) includes entities that meet similar criteria as in the VCDPA and CPA’s definition of affiliate. |
Yes | Yes |
| 7. Transfers of information a consumer
intentionally made available to the general public via a channel of mass media |
No | No, but the CPRA excludes publicly available
information which has similar language and may lead to the same result. |
Yes, provided the consumer did not restrict to a
specific audience. In addition, see the VCPDA’s definition of publicly available information in § 59.1-575. |
Yes, in addition, see the CPA’s definition of
publicly available information in § 6-1-1303(17)(b). |
Analysis of Exemptions
Exemption 1: When a consumer intentionally uses a
business / controller to disclose personal information or uses a
business / controller to interact with third parties
CCPA § 1798.140(t)(2)(A) exempts from the definition of
“sale” transfers in which a consumer “uses or
directs the business to intentionally disclose personal information
or uses the business to intentionally interact with a third party,
provided the third party does not also sell the personal
information, unless that disclosure would be consistent with the
provisions of this title.” The section further states that an
“intentional interaction occurs when the consumer intends to
interact with the third party, via one or more deliberate
interactions. Hovering over, muting, pausing, or closing a given
piece of content does not constitute a consumer’s intent to
interact with a third party.” The CCPA defines “third
party” negatively to mean a person who is not the business
that collects the personal information from the consumer or a
service provider.
The CPRA changes this exemption in three ways.
First, the CPRA removes the qualifying phrase “provided the
third party does not also sell the personal information, unless
that disclosure would be consistent with the provisions of this
title.”
Second, the CPRA moves the explanation of what constitutes an
intentional interaction to a new definition found in §
1798.140(s). The CPRA also expands the definition of an intentional
interaction by stating that intentional interactions include
“visiting the person’s website or purchasing a good or
service from the person.” The latter part of this expanded
definition becomes significant when we discuss Exemption 5
below.
Third, the CPRA revises the definition of third party to mean a
person who is not (1) the “business with whom the consumer
intentionally interacts and that collects personal information from
the consumer as part of the consumer’s current interaction with
the business under this title,” (2) a service provider to the
business, or (3) a contractor.
With these changes, the CPRA clarifies and expands the CCPA
exemption such that it will not be a sale if a consumer
intentionally directs the business to transfer the consumer’s
personal information to an entity that is not the business, a
service provider of the business, or a contractor. What the
third-party recipient does with the consumer’s personal
information is no longer part of the calculus.
Similar to the CCPA and CPRA, the CPA exempts from the
definition of sale “the disclosure of personal data . . .
[t]hat a consumer directs the controller to disclose or
intentionally discloses by using the controller to interact with a
third party.” The CPA defines “third party” as any
“person, public authority, agency, or body other than a
consumer, controller, processor, or affiliate of the processor or
controller.” The CPA does not define
“intentional.”
The VCDPA does not include this exemption.
Exemption 2: Notifying third parties of a consumer’s
opt out of sale request
The CCPA exempts transfers where the business uses or shares an
identifier for a consumer who has opted out of the sale of the
consumer’s personal information for the purposes of alerting
persons that the consumer has opted out of the sale. The CPRA
maintains the exemption and expands it to include transfers of an
identifier for purposes of alerting persons to a consumer’s
request to limit the use of their sensitive personal
information.
The CCPA and CPRA do not mandate alerting persons of a
consumer’s opt out request. However, § 999.315(e) of the
CCPA regulations requires a business that sells personal
information to a third party, after receiving an opt out request
but before complying with the request, to notify those third
parties that the consumer has exercised their right to opt-out and
direct those third parties not to sell that consumer’s
information.
The CPA and VCDPA do not contain this exemption, but neither
statute requires controllers to notify third parties of consumer
opt-out requests.
Exemption 3: Transfers to service providers / contractors /
processors
The CCPA’s definition of sale excludes transfers from a
business to a service provider that is “necessary to perform a
business purpose” where the business provides notice of the
transfer to consumers and the service provider does not sell the
personal information. Although the CPRA deleted this exemption such
transfers still do not constitute sales based on other changes made
by the CPRA.
First, as discussed, the CPRA modifies the definition of
“sale” to state that a sale is a transfer of personal
information “by the business to a third party” instead of
the CCPA’s definition of “by the business to a
business or third party.” (Emphasis added.) The CPRA then
modifies the definition of third party to state that a third party
is a person who is not (1) the business to whom the consumer
provided the information, (2) a service provider to the business,
or (3) a contractor. Therefore, transfers to service providers or
contractors cannot be sales because the definition of sale states
that the transfer must be to a third party.
The CPA and VCDPA make this analysis cleaner by simply stating
that sales do not include the disclosure of personal data to a
processor that processes the personal data on behalf of the
controller.
To take advantage of this exception, businesses/controllers will
need to ensure that they have proper contractual arrangements in
place with service providers, contractors, and processors, as
applicable. We will address those requirements in a future article
in this series.
Exemption 4: Transfers as part of a merger, acquisition,
bankruptcy, or similar transaction
The CPRA, CPA, and VCDPA all include an exemption for the
transfer of consumer personal information in a “merger,
acquisition, bankruptcy, or other transaction in which the third
party assumes control of all or part of” the business (in the
case of the CPRA) or assets (CPA and VCDPA). The CPA also
specifically allows for a transfer for proposed transactions.
Notably, the CPRA requires notice to consumers if the party
receiving the information “materially alters how it uses or
shares the personal information of a consumer in a manner that is
materially inconsistent with the promises made at the time of
collection.” Similar language can be found in CCPA
§§ 1798.100(a)(1) and (2). The CPRA further provides that
this exemption does not authorize a business to make
“material, retroactive changes to their privacy policies”
or other changes that would violate the Unfair and Deceptive
Practices Act.
The CPA and VCDPA do not contain a similar restriction in their
exemptions. However, controllers subject to the CPA must keep in
mind that §§ 6-1-1308(2) and (4) provide that a
controller “shall specify the express purposes for which the
personal data are collected and processed” at the time of
collection and “shall not process personal data for purposes
that are not reasonably necessary to or compatible with the
specified purposes for which the personal data are processed,
unless the controller first obtains the consumer’s
consent.”
The VCDPA similarly provides that “[e]xcept as otherwise
provided in this chapter, [controllers shall] not process personal
data for purposes that are neither reasonably necessary to nor
compatible with the disclosed purposes for which such personal data
is processed, as disclosed to the consumer, unless the controller
obtains the consumer’s consent.”
These considerations will be important for companies to
understand and analyze when conducting due diligence on proposed
transactions.
Finally, separate and apart from these laws, the FTC has cautioned that Section 5 of the FTC
Act may require companies to obtain permission from consumers for
post-sale material changes to privacy policies.
Exemption 5: Transfers to third parties for purposes of
providing a product or service requested by consumer
The CPA and VCDPA both exempt the disclosure of personal data to
a third party for purposes of providing a product or service
requested by the consumer.
The CPRA does not contain this exemption but likely reaches the
same result through its intentional interaction exemption discussed
in Exemption 1. That is because the CPRA defines
“intentionally interacts” in § 1798.140(s) to mean
“when the consumer intends to interact with a person, or
disclose personal information to a person, via one or more
deliberate interactions, including visiting the person’s
website or purchasing a good or service from the
person.” (Emphasis added.)
Exemption 6: Transfers to controller’s affiliates
The CPA and VCDPA both exempt the disclosure or transfer of
personal data to an affiliate of the controller. However, the laws
do not define “affiliate” the same.
Under the CPA an affiliate is “a legal entity that
controls, is controlled by, or is under common control with another
legal entity.” “Control” is defined as
“ownership, control, or voting power of 25% or more of the
shares of the company,” control “over the election of a
majority of directors, trustees, or general partners,” or the
power to directly or indirectly exercise “a controlling
influence over the management or policies” of the entity.
The VCDPA differs in two notable respects. First, it extends
affiliate not only to an entity that controls, is controlled by, or
is under common control, but also an entity that shares
“common branding with another legal entity.” Second, it
requires a 50% voting power rather than 25%.
Although the CPRA does not specifically contain this exemption
from its definition of sale, it likely reaches the same result
because the CPRA’s definition of “business” contains
similar language as the CPA and VCDPA’s definitions of
affiliate. Specifically, § 17981.140(d)(2) of the CPRA states
that a business includes:
Any entity that controls or is
controlled by a business, as defined in paragraph (1), and that
shares common branding with the business and with whom the business
shares consumers’ personal information. “Control” or
“controlled” means ownership of, or the power to vote,
more than 50 percent of the outstanding shares of any class of
voting security of a business; control in any manner over the
election of a majority of the directors, or of individuals
exercising similar functions; or the power to exercise a
controlling influence over the management of a company.
“Common branding” means a shared name, servicemark, or
trademark that the average consumer would understand that two or
more entities are commonly owned.
Finally, while the VCDPA definition of affiliate states
“or shares common branding,” the CPRA definition
states “and that shares common branding.”
Additionally, the CPRA further narrows the scope with the inclusion
of “and with whom the business shares consumers’ personal
information,” essentially adding a third requirement that the
transfer of personal information be from the governed entity to the
affiliated entity. As a result, the CPRA exception for sharing with
an entity with common control may be narrower than the VCDPA.
Exemption 7: Transfers of information a consumer intentionally
made available to the general public via a channel of mass
media
Finally, the CPA and VCDPA exempt transfers of personal data
that a consumer already made available “to the general public
via a channel of mass media.” The VCDPA goes one step further,
adding that the consumer must not have restricted the information
to a specific audience. Notably, the CPA and VCDPA do not define
“general public” or “channel of mass
media.”
Although the CPRA does not contain this exemption, it contains a
broad definition of “publicly available information” that
likely reaches the same result. Specifically, the CPRA’s
definition of publicly available information includes
“information that a business has a reasonable basis to believe
is lawfully made available to the general public by the consumer or
from widely distributed media, or by the consumer; or information
made available by a person to whom the consumer has disclosed the
information if the consumer has not restricted the information to a
specific audience.” The CPA and VCDPA also exempt publicly
available information although with different definitions. For a
further analysis of this issue, see our prior post in this series.
Consequences of the Variations
As the length of this article perhaps indicates, although all
three laws allow consumers to opt out of sales of personal
information/data, the nuances between the laws’ definitions of
sale and the various exemptions will cause headaches for
organizations engaging in complex data transfers with other
entities. Despite the differences, it is possible to find common
ground when one digs into the exemptions (and maps the data
collection and flows). This suggests that organizations can develop
a strategy that allows for interoperability on this issue between
the three laws.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
https://www.mondaq.com/unitedstates/privacy-protection/1168378/how-do-the-cpra-cpa-vcdpa-treat-sales