October 17, 2021

Volume XI, Number 290


October 15, 2021

Subscribe to Latest Legal News and Analysis

CCPA Creates Possible Dilemmas for Companies Sending Text Messages. Is Your Business Ready?

Don’t wait to implement your California Consumer Privacy Act (CCPA) compliance as it could require changes to your operations. CCPA can apply to businesses even if they do not have offices or employees in California. It can also reach activities conducted outside of California.

With the impending implementation of the CCPA, brands and platforms that use text messages to contact consumers (could be customers, employees, others) must be sure their texting programs comply with the CCPA.

Two areas of particular interest for businesses sending texts are: (1) determining whether they are “selling” personal information under the CCPA and managing the requirements for a data seller under the CCPA, and (2) how to simultaneously comply with a request to delete personal information under the CCPA with the need to maintain records of obtaining prior express written consent for purposes of the Telephone Consumer Protection Act (“TCPA”).

What does the CCPA definition of “selling” personal information mean for brands that send text messages?

The term “sell” under the CCPA is defined broadly to mean “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

What this means is that even if a business is not receiving monetary payment in exchange for the consumers’ data, it could still be considered to be “selling” under the CCPA in certain circumstances when the data is shared with third parties.

For example, consider a scenario where a business is collecting personal information for purposes of sending text messages and it makes the information available to a vendor to conduct research and provide additional insight on each consumer. If the vendor is authorized to “mine” the data for its own purposes, that is likely sufficient consideration to make the disclosure to the vendor a sale under the CCPA. If on the other hand, the contract with the vendor includes appropriate language to exclude the disclosure from being such a sale (language largely directed to using the data solely to service the business providing the data), the disclosure can be excluded from being considered a sale under the CCPA. Where two brands share personal information of California consumers for co-marketing or some other mutual benefit, even if no money changes hands, the fact each benefits from the exchange could be sufficient consideration to support a sale having occurred under the CCPA. Whether there is a “sale” for CCPA purposes can be a potential trap for the unwary. The distinction matters, as the CCPA imposes additional obligations on sellers of personal information.

If a business is considered to be “selling” personal information, then the CCPA mandates that the business must implement an opt-out procedure to such selling for California residents, must seek their opt-in to such selling if they are between 13-16 years old, and must obtain parental consent to such selling if they are children under 13.

Additionally, the CCPA provides that a business cannot discriminate against a person opting-out from selling of their personal information. This means that the text messaging business must determine a way to provide the same services to their text users whether they are “selling” the users’ information or not (or come under a CCPA exception that allows for permissible different treatment of different users). 

For businesses that work with vendors to send text messages, complying with the CCPA likely includes to:

1. Identify third party vendors involved in collecting or processing such information;

2. Review the contracts with such vendors and update them, as needed;

3. Implement policies and procedures to comply with the new opt-out sales rules in the contracts with your vendors, or alternatively, if feasible, seek to have the vendor contracts exempted from what is considered selling data by including CCPA-compliant terms to do so; and

4. Determine how to address requests for deletion of personal information (more on this topic below).

How to balance the obligation to comply with a request to delete personal information under the CCPA with the need to maintain consent records under the TCPA?

In order to comply with the TCPA, text messaging businesses must be able to prove that they obtained “prior express written consent” of the consumers they are contacting with an “automatic telephone dialing system” for “telemarketing purposes.” Is this in conflict with the consumers’ right to request deletion of their personal information under the CCPA?

The analysis of this question may be different for individuals contacted by the text messaging business that have opted-out from receiving text messages and individuals who have not opted out, but still request their personal information to be deleted under the CCPA.

For individuals who consented to receive text messages and then subsequently submitted opt-out requests, the text messaging businesses can refuse the request to delete relying on the “comply with legal obligations” exception under the CCPA. The justification would be that they have the legal TCPA obligation to maintain an internal do not call list.

For individuals who consented to receive text messages and have not opted out, but still request all their personal information to be deleted under the CCPA, several other exceptions to deletion under the CCPA could apply. The request for deletion could be declined on the basis that the personal information must be retained to complete the transaction or service requested by the consumer (e.g., text updates for shipping status of a product, texted account alerts, texted appointment reminders, texted service progress alerts, etc.). Other possible exceptions involve retaining the personal information solely for internal use by the business for purposes that a consumer would reasonably expect or compatible with the purposes for which the information was collected. Whether a particular exception applies is a factual analysis unique to each business and the analysis the business performed to arrive at the applicability of the exception should be documented by the business.

Although the scope of enforcement and litigation under the CCPA are still to be tried, challenges under the CCPA are expected to commence shortly after the CCPA becomes effective on January 1, 2020. Businesses sending texts should know, understand and be prepared to comply with their CCPA obligations sooner rather than later as it can take some time to implement CCPA-compliant policies, procedures and contractual updates.


Copyright © 2021 Womble Bond Dickinson (US) LLP All Rights Reserved.National Law Review, Volume IX, Number 199

About this Author

Nicole Su, Womble Dickinson, Business litigation lawyer

Nicole focuses her business litigation practice on commercial and financial services cases, with a particular emphasis on Telephone Consumer Protection Act (TCPA). She is part of a nationally-recognized team that is at the forefront of the TCPA space.  Along with the team, Nicole brings the experience and capability to vigorously defend financial institutions in TCPA actions nationwide. 

Nicole is dedicated to achieving cutting-edge results for her clients.  She uses her in-depth knowledge of the TCPA to come up with creative solutions for difficult problems.

Ernesto Mendieta Telecom Attorney

Ernesto Mendieta is an experienced bilingual attorney with a history of helping international clients resolve complex matters.  

Ernesto began his career in Mexico as an associate at one of the world’s largest law firms, before specializing in telecommunications law at Mexico’s preeminent telecommunication boutique firm. In that capacity, Ernesto worked with competitive carriers entering the Mexican telecommunications market on all aspects of regulatory compliance and corporate formation. He helped several U.S. companies start operations in Mexico as ISPs, MVNOs, resellers and e-...

Nadia Aram, Womble Carlyle, Intellectual Property Attorney, technology licensing lawyer, commercial agreements legal counsel, private securities law

Nadia advises clients in a variety of business transactions involving the use and commercialization of intellectual property and technology. She has experience drafting and negotiating a broad variety of contracts, including technology licenses, services, consulting and other complex commercial agreements to help clients realize the value of their assets day-to-day, and as part of strategic product and technology acquisitions and divestitures. Nadia also practices in the areas of franchise law, and advertising, sweepstakes & promotions law, including advising clients...


Companies rely on David Carter to guide them in Telephone Consumer Protection Act (TCPA) compliance matters and to defend them against allegations of TCPA violations. He has represented both closely held and publicly traded companies facing TCPA claims with potential liability in excess of $500 million. David runs the TCPA Defense Force whose mission is to reduce TCPA risk, allowing companies to communicate with consumers responsibly and without fear of legal consequences.