The California Consumer Privacy Act certainly has its fair share of complexities, which companies began grappling with well before the law came into force Jan. 1. While some are becoming more clear with time and discussion, others remain the topic of debate, including how to approach the CCPA's broad definition of "sale."
Instead of accepting and conforming to the statute of the law, though, there's talk within the privacy profession that some companies are using tricky semantics to avoid terming a data transfer or relationship a "sale."
As defined by the CCPA, a sale refers to the "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration."
The broad definition has left companies hanging on a clear-cut answer to if their business activities count as a sale. The lack of clarity ultimately puts the sale provision up for interpretation for companies, which are taking advantage for their own benefit.
Squire Patton Boggs Counsel Lydia de la Torre pointed to internal transfers as one of the under-the-radar methods to skim a sale label.
"CCPA restricts the selling of data, but it doesn’t restrict an organization from buying data," de la Torre said. "When you think in that context, where the CCPA only regulates one side of the equation … that could be a major loophole in terms of the restraint put on an organization. They can take the position that they are not selling data, but simply buying it and then transferring it internally."
Other companies have tried avoiding the definition of sale by attempting to outsmart consumers. Faegre Baker Daniels Associate Mitchell Noordyke, CIPP/E, CIPP/US, CIPM, has seen instances in which websites feature an opt-in mechanism rather than an opt-out. In that scenario, a company receives consent to use personal information with one unknowing click as the opt-in could have been misinterpreted for a "do not sell" mechanism, which the CCPA requires to be placed on websites that collect and sell data under the definitions of the law.
"The point of that is to remove the transfer of information from the company’s website to a third-party cookie publisher from the definition of sale entirely because you have consent from the consumer," Noordyke said. "Depending on the nature of your business, that’s a creative approach — and defensible. What’s unclear to me is what adequate consent will be under the CCPA, which we’ve gotten no indication of. That opt-in approach may very well be an adequate amount of consent."
The deceptive tactics are only employed by a small fraction of companies, according to Noordyke. The majority of companies that object to the definition of sale shows their resistance in the form of turning a blind eye or pleading ignorance until they're given a reason not to.
"It’s usually just this wholesale rejection of the label of sale," Noordyke said. "Often it’s a strategic decision. There’s no malintent when they say they are not going to comply with the statute, but more that it’s unclear that this label applies to the activities they engage in. In the absence of clarification from a risk-management or cost-of-business standpoint, they’ll pause and survey the landscape. It’s more reasoned and rational."
The "wait-and-see" approach, in which companies watch and decipher how others within a given industry are approaching the label of sale, seems to be a favored stance in examining challenging data transfer relationships.
"There are different interpretations of what sale is because we don’t have guidelines," said de la Torre, referring to the yet-to-be-released final CCPA regulations from the Office of the Attorney General of California. "Organizations are trying to take a risk-based approach, which leads to them exploring what everyone else is doing. They don’t want to be ahead of or behind where the pack is going. It’s a wise approach for the time being."
Noordyke mentioned a branded credit card as an example of an unclear relationship, explaining that a consumer might perceive a connection between the retailer and the card provider, but often a retailer doesn't transfer data back to the provider.
"That's not applying a novel interpretation of the definition of sale or wiggle out of some of the nuances of language," Noordyke said. "It’s thinking very practically about where does the information actually move. That’s the value of detailed data mapping or having the legal or compliance department speak directly to data administrators."
Another area of confusion for a sale label is activities in the advertising technology industry. U.S. Naval Academy Assistant Professor of Cybersecurity Jeff Kosseff, CIPP/US, said adtech companies are at a standstill on sale due in large part to a lack of clarity on whether targeted ads or ad networking fall under their favorable interpretation of valuable consideration or a sale.
"I can’t even imagine the legal fees that have been spent debating this very issue," Kosseff said. "Most frequently, companies are saying something along the lines of, ‘We don’t sell data as you would traditionally expect it to be defined, but California has a definition that may make it seem like we might be selling data.' But then they're saying they target people via ad networks, which is when you realize they have a different legal conclusion on this."
The choice to sit back and let other companies take the lead also derives from a perception of low risk. Noordyke said many small- and medium-sized companies may not see themselves falling victim to the first set of CCPA enforcement actions that will come from the California attorney general, and it's easier to stand idle. However, being safe from enforcement is not a certainty.
"As we saw with the GDPR, the first fines issued were to smaller businesses and ones that are more obscure rather than the headline, industry-leading companies that some people may have expected," Noordyke said. "Maybe engaging with a large deep-pocketed business would set a good precedent and add clarity to the market, but it would take a number of months to complete an enforcement action when they’ll have to engage with the company."
Noordyke opined that tapping a smaller, cooperative business might be most beneficial.
"We may then see a faster-tracked enforcement action that is really geared toward clarifying the expectations of the statute to the market rather than lowering the boom and giving the statute a lot of teeth with a large fine," Noordyke said. "I don’t think it’s clear what direction the attorney general wants to go, and it could be that they go both directions at the same time."
Effectively closing "sale" loopholes and bringing clarity to promote prompt compliance will ultimately be done through a version of reform from the current statute. De la Torre believes potential changes could come through the aforementioned final regulations or state legislative sessions in Sacramento this year, or they could show up on the ballot initiative for the California Privacy Rights Act. If passed, the CPRA would increase the privacy rights of California residents beyond those provided by the CCPA.
According to the attorney general in December, the aforementioned final guidelines aren't expected to see any "major" changes from the current draft rules. What that could mean for the definition of sale is unclear, but Kosseff argues any diversions from the current definition would likely create a stir.
"I think one of the biggest problems you have is that the law has gone into effect before the regulations are final. That’s insane," Kosseff said. "The problem you have now is that companies have invested a lot of money in compliance for this, so I worry about making these wholesale amendments after compliance has already been structured around the statutory text of the draft regulations."
Noordyke said companies will undoubtedly need to be patient in regards to clarity on sale and give it some time.
"The challenge that faces anyone writing a piece of legislation is being specific and generic at the same time," Noordyke said. "That’s especially the case here with a comprehensive privacy law that touches all industries with businesses of varying sizes. There are going to be growing pains to try and apply a statute to every business. The structure is somewhat complex, but it reflects and mimics the market it’s trying to regulate."
Photo by Sharon McCutcheon on Unsplash