News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Navigating disclosures and sales of personal information under the CCPA Related reading: Why the CCPA's 'verified consumer request' is a business risk

rss_feed

The requirements of the California Consumer Privacy Act enter into force Jan. 1, 2020, and impose an array of requirements on companies that are subject to the law. Among them are obligations related to the sharing of “personal information” [Section 1798.140(o)] that obligate businesses to push down contractual limitations on service providers and other recipients of personal information and to offer California “consumers” [Section 1798.140(g)] the right to opt out of disclosures that qualify as a “sale” as that term is broadly defined under the CCPA.

As with many aspects of the CCPA, companies are struggling to approach these requirements in a manner that reduces risk under the CCPA but is also practical and manageable from a business standpoint. 

What does the CCPA require?

Before launching efforts to address disclosure and sales rules under the CCPA, it is important to understand them. Among other requirements (e.g., consumer rights of notice, access, deletion), the CCPA imposes multiple obligations on disclosures of personal information with a central focus on disclosures that constitute a “sale” under the CCPA.

Relevant requirements tied to the “sale” of personal information in the CCPA can be summarized as follows:

  • Disclosures in relevant privacy statements and in response to a specific consumer request that include a 12-month look-back period.
  • A “Do Not Sell My Personal Information” button if the organization engages in the “sale” of personal information.
    • Note that the definition of “sale” in the CCPA goes well beyond traditional concepts of selling, but certain exceptions apply, including disclosures to service providers and other recipients if contractual restrictions on further use are included in applicable agreements.
    • The broad definition of “sale”— covering the disclosure of personal information for any “valuable consideration”— may include activities such as the use of cookies or similar technologies to track consumer behavior or even sharing personal information among affiliated companies.
    • Any situation that constitutes a sale obligates a company to make required disclosures and allow consumers to opt out of further disclosures of personal information.

Complying with these obligations will be some of the most difficult tasks under the CCPA, such that companies will need to carefully consider how to minimize disclosures that could inadvertently constitute a sale under the CCPA and/or make sure service provider agreements meet the CCPA content requirements and otherwise are structured to fall outside the scope of the definition of “sale.” For those disclosures that will qualify as a sale despite such steps, companies will also need to begin as soon as possible the process of establishing technical and administrative solutions for honoring “do-not-sell” requests.

Tackling the disclosure and sale rules

As with all CCPA compliance, the most important step in this process is to take the time to develop a strategy for involving key stakeholders and approaching the situation in an organized manner. The recommendations included in this section are intended to help companies organize their efforts in a way that is streamlined and as efficient as possible. A flowchart to further understand how to categorize disclosures of personal information is also included at the end of this article.

(1) Understand outgoing personal information flows

To effectively address the CCPA rules regarding disclosure of personal information, an organization must take the time to understand how and why personal information is moving out of the organization. This effort requires input from multiple stakeholders in the company to understand from a technical standpoint where personal information might be housed (e.g., identifying external systems and third parties that maintain company information) and understand from a business standpoint why the information is disclosed (e.g., hosting of a website or customer relationship management system or provision of marketing services).

Because the CCPA does not specifically exempt data flows between affiliated companies, disclosures by and among different legal entities of the same company must be factored in. The information gathered during this effort to understand the flow of personal information will be the foundation for the compliance steps that follow, but with Jan. 1, 2020, fast approaching, organizations should not wait until the completion of the information gathering stage to develop a strategy for addressing disclosures, as well as developing technical solutions and template service provider and other contractual language.

(2) Categorize recipients of personal information and update agreements

Organizations should carefully consider which categories particular recipients of personal information should fall into and then examine the underlying relationship and related agreements to determine if any adjustments are needed to meet the CCPA requirements. It will be particularly important to make sure that disclosures to service providers do not inadvertently qualify as a sale and trigger opt-out rights that might be practically impossible or infeasible for companies to apply. This process will involve a careful review and/or update of the underlying agreement to make sure that it includes the mandatory CCPA content, as well as potential negotiation with the service provider regarding its rights to use personal information, particularly if the original agreement with the service provider allowed independent rights in personal information subject to the agreement (e.g., rights to aggregate personal information and/or perform analytics).

Regarding contractual terms for service providers, the CCPA requires the disclosing business to implement strict contractual controls on the further use and disclosure of personal information and a related certification that the signatory to the terms understands the terms and agrees to comply with them. This certification requirement is particularly important under the CCPA because the law takes the unusual step of providing a safe harbor from liability for organizations that impose such obligations on recipients of personal information that violate the CCPA so long as the disclosing organization does not have actual knowledge or reason to believe that the recipient intends to commit such a violation [Section 1798.140(w)(2)(B)]. 

In certain instances, however, there may be sharing of personal information that will qualify as a sale even if it the disclosure does not appear to be a “sale” in the traditional sense. Affiliated companies may, for example, share customer information to build more robust customer profiles across different but affiliated brands. While such sharing may not involve the exchange of monetary compensation, it will be difficult for companies to establish that there is no exchange of valuable consideration considering that the exchange is meant to benefit the companies sharing the information. In these circumstances, it may be necessary to treat such disclosures as sales and provide the related right of opt-out, unless another exception can be relied upon (e.g., the disclosure is made at the direction of the consumer).

(3) Develop a strategy for addressing the requirements for ‘sales’ of personal information

As noted above, businesses that “sell” personal information are required to include a “Do Not Sell My Personal Information” button on their homepage, as well as any webpage where personal information is collected, and generally allow consumers to opt out of the sale of their personal information. This means that companies not only have to undertake careful review of disclosures to identify those that meet the definition of “sale,” but they will also have to coordinate across technical and business teams to make sure that once a consumer exercises this right, the organization can shut down all flows of that consumer’s data that fall into the category of sale. In addition, companies that have entered into data-sharing agreements or similar situations where the sharing of personal information is the true purpose of the arrangement may need to revisit contracts to understand whether pulling out data of individuals impacts the value or underlying obligations of the contract.

(4) Equip key stakeholders with the tools for implementing

Implementing an effective CCPA compliance program can only be achieved with broad buy-in and support across the organization. This is particularly important when addressing the CCPA rules for disclosures and sales because the approach will necessarily involve engagement across legal/privacy, business and technical teams, as well as with service providers and other vendors. It likely will also involve the negotiation of large numbers of agreements and the implementation of complicated, new internal processes and controls.

Like much of the CCPA, tackling the rules regarding the disclosure and sale of personal information is a daunting task, but approaching this process in an organized efficient manner will smooth the process and allow organizations to maximize their compliance efforts in the lead up to Jan. 1, 2020.

Click to view image as PDF

Image

Special thanks to attorney Harry Valetk for his contributions to the flowchart that accompanies this article.

Photo by Joseph Barrientos on Unsplash


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Authors
Headshot Amy de La Lama, CIPP/US IAPP Member Contributor
Headshot Brian Hengesbaugh, CIPP/US IAPP Member Contributor
Tags
U.S.
Privacy Law
Privacy Operations Management
Comments

If you want to comment on this post, you need to login.

Related Stories
CCPA update: Senate committee pares back amendments
On Tuesday, July 9, the California Senate Standing Committee on Judiciary took up the slew of California Consumer Privacy Act amendment bills that the Assembly had passed more than a month earlier.  Consensus bills At the hearing, Democratic State Sen. Hannah-Beth Jackson supported two CCPA “clean...
Read More queue Save This
Related Stories
Tags
U.S.
Privacy Law
Privacy Operations Management
Recent Comments