Arguably the most important right the California Consumer Privacy Act provides to California residents is the right to opt out of data sales. “Sale” is defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.” Valuable consideration is not defined under the CCPA, but the act authorizes the attorney general to provide guidelines in furtherance of the CCPA’s purpose, and it is expected that a public consultation period will open in 2019.
Absent guidelines, this article proposes a possible framework to interpret “valuable consideration” in light of existing California law.
Under contract law, one of the requirements for the formation of a contract is the existence of valuable consideration. California law defines consideration as “[a]ny benefit conferred, or agreed to be conferred, upon the promisor, by any other person, to which the promisor is not lawfully entitled, or any prejudice suffered, or agreed to be suffered, by such person, other than such as he is at the time of consent lawfully bound to suffer, as an inducement to the promisor, is a good consideration for a promise.” Moreover, where the agreement is in writing, California law provides that “[a] written instrument is presumptive evidence of a consideration.” There are many examples of contract formation with nonmonetary consideration. For example, in a nondisclosure agreement, one party agrees to allow another access to confidential information (a detriment) in exchange for service (a benefit).
If the reference in the CCPA to “valuable consideration” is interpreted in a manner consistent with existing contract law doctrine, all agreements where personal information is exchanged and the transferring entity receives any benefit to which it is not legally entitled absent the agreement will be considered a “sale” under the CCPA.
Given the potentially overbroad scope of “valuable consideration,” the key factor to determine if a transaction is a sale under the CCPA will likely be whether it falls within one of the four exceptions to the definition of “sale.” Those are: (1.) transfers directed by the consumer; (2.) use of data to alert third parties of opt-outs; (3.) disclosure of data to “service provider"; and (4.) transfers of data in transactions where the acquirer assumes control of the business.
Some circumstances in which a “sale” does not occur.
- Under the code, a sale does not occur when a consumer intentionally directs or uses a business to disclose the consumer’s personal information. This seems to be the equivalent of controller-to-controller transfers with consent of the data subject under EU data protection law. Adequate consent for the purposes of this exception is yet to be determined. The recipient of the data is prohibited from selling such data unless such disclosure is compliant with the CCPA.
- Under the code, a sale does not occur where a businesses uses or shares an “identifier” for the purposes of alerting third parties that a consumer has opted out of the sale of its data. It is unclear what this provision may cover, but it could potentially apply to limit online tracking.
- Under the code, a sale does not occur where data is disclosed to a “service provider.” Several requirements need to be met for this exception to apply: (1.) the transfer must be necessary to perform a task that has a “business purpose”; (2.) the transfer must take place “pursuant to a written contract” that prohibits the service provider from “selling, retaining, using, or disclosing the personal information”; (3.) the business has provided compliant notice to consumers of the fact that it intends to share with service providers; and (4.) the service provider does not further “collect, sell, or use” the personal information of the consumer except as necessary to perform the “business purpose.” It is important to note that, because the CCPA defines “service provider” to exclude nonprofits, sharing consumer personal information with public interest research organizations can be considered a sale, subject to consumer opt-out under the CCPA, even if all of the above conditions are met, provided that there is an exchange of consideration (for example, an acknowledgment of sponsorship of a research project).
- Under the code, a sale does not occur where a business transfers personal information to a third party as an asset that is part of a “transaction in which the third party assumes control of all or part of the business” (e.g., merger, acquisition, or bankruptcy situations) provided that “information is used or shared consistent with the rights to be informed under CCPA.” Any material alteration of the purposes for which the data will be used will require prior notice of the changes in the practices to be provided to the consumer in a way that enables consumers to easily exercise their choices under the CCPA. Retroactive changes to practices that violate the California Unfair and Deceptive Practices Act are prohibited by the CCPA.
Ultimately, the scope of the CCPA’s definition of “sale” will remain unresolved until the California attorney general establishes enforcement rules. Discussing the possible interpretations of ambiguous provisions may lead to amendments that clarify the CCPA’s scope.
photo credit: Makaristos from Wikimedia Commons