The requirements of the California Consumer Privacy Act enter into force 1 January 2020, and impose an array of requirements on companies that are subject to the law. Among them are obligations related to the sharing of "personal information" [Section 1798.140(o)] that obligate businesses to push down contractual limitations on service providers and other recipients of personal information and to offer California "consumers" [Section 1798.140(g)] the right to opt out of disclosures that qualify as a "sale" as that term is broadly defined under the CCPA.
As with many aspects of the CCPA, companies are struggling to approach these requirements in a manner that reduces risk under the CCPA but is also practical and manageable from a business standpoint.
What does the CCPA require?
Before launching efforts to address disclosure and sales rules under the CCPA, it is important to understand them. Among other requirements (e.g., consumer rights of notice, access, deletion), the CCPA imposes multiple obligations on disclosures of personal information with a central focus on disclosures that constitute a "sale" under the CCPA.
Relevant requirements tied to the "sale" of personal information in the CCPA can be summarized as follows:
- Disclosures in relevant privacy statements and in response to a specific consumer request that include a 12-month look-back period.
- A "Do Not Sell My Personal Information" button if the organization engages in the "sale" of personal information.
- Note that the definition of "sale" in the CCPA goes well beyond traditional concepts of selling, but certain exceptions apply, including disclosures to service providers and other recipients if contractual restrictions on further use are included in applicable agreements.
- Any situation that constitutes a sale obligates a company to make required disclosures and allow consumers to opt out of further disclosures of personal information.
Complying with these obligations will be among the most difficult tasks under the CCPA. Companies will need to carefully consider how to minimize disclosures that could inadvertently constitute a sale under the CCPA and/or make sure service provider agreements meet the CCPA content requirements and otherwise are structured to fall outside the scope of the definition of "sale." For those disclosures that will qualify as a sale despite such steps, companies will also need to begin as soon as possible the process of establishing technical and administrative solutions for honoring "do-not-sell" requests.
Tackling the disclosure and sale rules
As with all CCPA compliance, the most important step in this process is to take the time to develop a strategy for involving key stakeholders and approaching the situation in an organized manner. The recommendations included in this section are intended to help companies organize their efforts in a way that is streamlined and as efficient as possible. A flowchart to further understand how to categorize disclosures of personal information is also included at the end of this article.
(1) Understand outgoing personal information flows
To effectively address the CCPA rules regarding disclosure of personal information, an organization must take the time to understand how and why personal information is moving out of the organization. This effort requires input from multiple stakeholders in the company to understand from a technical standpoint where personal information might be housed (e.g., identifying external systems and third parties that maintain company information) and understand from a business standpoint why the information is disclosed (e.g., hosting of a website or customer relationship management system or provision of marketing services).
Because the CCPA does not specifically exempt data flows between affiliated companies, disclosures by and among different legal entities of the same company must be factored in. The information gathered during this effort to understand the flow of personal information will be the foundation for the compliance steps that follow, but with 1 January 2020 fast approaching, organizations should not wait until the completion of the information gathering stage to develop a strategy for addressing disclosures, as well as to develop technical solutions and template service provider and other contractual language.
(2) Categorize recipients of personal information and update agreements
Organizations should carefully consider which categories particular recipients of personal information should fall into and then examine the underlying relationship and related agreements to determine if any adjustments are needed to meet the CCPA requirements. It will be particularly important to make sure that disclosures to service providers do not inadvertently qualify as a sale and trigger opt-out rights that might be practically impossible or infeasible for companies to apply. This process will involve a careful review and/or update of the underlying agreement to make sure that it includes the mandatory CCPA content, as well as potential negotiation with the service provider regarding its rights to use personal information, particularly if the original agreement with the service provider allowed independent rights in personal information subject to the agreement (e.g., rights to aggregate personal information and/or perform analytics).
Regarding contractual terms for service providers, the CCPA requires the disclosing business to implement strict contractual controls on the further use and disclosure of personal information and a related certification that the signatory to the terms understands the terms and agrees to comply with them. This certification requirement is particularly important under the CCPA because the law takes the unusual step of providing a safe harbor from liability for organizations that impose such obligations on recipients of personal information that violate the CCPA so long as the disclosing organization does not have actual knowledge or reason to believe that the recipient intends to commit such a violation [Section 1798.140(w)(2)(B)].
In certain instances, however, there may be sharing of personal information that will qualify as a sale even if the disclosure does not appear to be a "sale" in the traditional sense. Affiliated companies may, for example, share customer information to build more robust customer profiles across different but affiliated brands. While such sharing may not involve the exchange of monetary compensation, it will be difficult for companies to establish that there is no exchange of valuable consideration, considering that the exchange is meant to benefit the companies sharing the information. In these circumstances, it may be necessary to treat such disclosures as sales and provide the related right of opt-out, unless another exception can be relied upon (e.g., the disclosure is made at the direction of the consumer).
(3) Develop a strategy for addressing the requirements for "sales" of personal information
As noted above, businesses that "sell" personal information are required to include a "Do Not Sell My Personal Information" button on their homepage, as well as any webpage where personal information is collected, and generally allow consumers to opt out of the sale of their personal information. This means that companies not only have to undertake careful review of disclosures to identify those that meet the definition of "sale," but they will also have to coordinate across technical and business teams to make sure that once a consumer exercises this right, the organization can shut down all flows of that consumer's data that fall into the category of sale. In addition, companies that have entered into data-sharing agreements or similar situations where the sharing of personal information is the true purpose of the arrangement may need to revisit contracts to understand whether pulling out data of individuals impacts the value or underlying obligations of the contract.
(4) Equip key stakeholders with the tools for implementing
Implementing an effective CCPA compliance program can only be achieved with broad buy-in and support across the organization. This is particularly important when addressing the CCPA rules for disclosures and sales because the approach will necessarily involve engagement across legal/privacy, business and technical teams, as well as with service providers and other vendors. It likely will also involve the negotiation of large numbers of agreements and the implementation of complicated, new internal processes and controls.
Like much of the CCPA, tackling the rules regarding the disclosure and sale of personal information is a daunting task, but approaching this process in an organized, efficient manner will smooth the process and allow organizations to maximize their compliance efforts in the lead-up to 1 January 2020.
What is "selling" under the California Consumer Privacy Act? View this illustration.
* Special thanks to Harry Valetk for his contributions to the accompanying flowchart.
* Originally published with the IAPP.