July 4, 2022

Volume XII, Number 185

Advertisement
Advertisement

July 01, 2022

Subscribe to Latest Legal News and Analysis

Data Transfers That Are Exempt From the Definition of ‘Sale’

The term “sale” is defined slightly differently between and among modern U.S. data privacy statutes with some statutes defining the term as including exchanges of personal information in return for valuable consideration, and others defining the terms as including only exchanges of personal information in return for monetary consideration. As the following chart indicates, state statutes also contain different exemptions for types of transfers that will not be considered a sale even if they otherwise meet the statutory definition of the term. It should be noted that some of these statutory differences may not lead to a substantive difference in terms of what activities constitute a sale – i.e., a transfer might fall under an express exemption under one statute and a different exemption under another statute. The following chart provides a breakdown of the express exemptions from the definition of sale between and among modern privacy statutes:

Explicit Exemption

Europe

GDPR

California 2022

CCPA

California 2023

CPRA

Virginia 2023

VCDPA

Colorado 2023

CPA

Utah 2023

UCPA

Data subject uses the business to intentionally disclose personal information to a third party

N/A

✔[1]

✔[2]

✔[3]

✔[4]

Data subject directs a business to intentionally disclose personal information to a third party.

 

✔[5]

✔[6]

✔[7]

✔[8]

Data subject requests a product or service from a third party

 

✔[9]

✔[10]

✔[11]

Disclosure to a service provider to perform a business purpose.

 

✔[12]

✔[13]

✔[14]

✔[15]

✔[16]

Disclosure is part of an asset in a M&A transaction where the recipient uses information consistently with transferor.

 

✔[17]

✔[18]

✔[19]

✔[20]

✔[21]

Disclosure is part of an asset in bankruptcy transaction where the recipient uses information consistently with transferor.

 

✔[22]

✔[23]

✔[24]

✔[25]

✔[26]

Disclosure to a corporate affiliate.

 

✔ / ✘[27]

✔ / ✘[28]

✔[29]

✔[30]

✔[31]

Data subject intentionally made information available to the general public via mass media.

 

✔ / ✘[32]

✔[33]

✔[34]

✔[35]

Disclosure is consistent with data subject’s reasonable expectations.

 

✔[36]


 

FOOTNOTES 

  1. Cal. Civ. Code 1798.140(t)(2)(A) (West 2020) (note that the CCPA provides that the recipient must not also sell the personal information unless its actions are consistent with the CCPA).

  2. Cal. Civ. Code 1798.140(ad)(2)(A)(i) (West 2021).

  3. C.R.S. 6-1-1303(22)(b)(V)(A) (2022).

  4. Utah Code Ann. 13-61-101(31)(b)(iv)(b) (2022) (refers to directing a controller to interact with a third party).

  5. Cal. Civ. Code 1798.140(t)(2)(A) (West 2020) (note that the CCPA provides that the recipient must not also sell the personal information unless its actions are consistent with the CCPA).

  6. Cal. Civ. Code 1798.140(ad)(2)(A)(i) (West 2021).

  7. C.R.S. 6-1-1303(22)(b)(V)(A) (2022).

  8. Utah Code Ann. 13-61-101(31)(b)(iv)(a) (2022).

  9. Va. Code 59.1-571 (2022).

  10. C.R.S. 6-1-1303(22)(b)(II) (2022).

  11. Utah Code Ann. 13-61-101(31)(b)(v) (2022).

  12. Cal. Civ. Code 1798.140(t)(2)(C) (West 2020).

  13. Note that the CPRA does not contain an express exemption for transfers to service providers, however, a “sale” is defined as relating only to a transfer to a “third party” and the term “third party” is, itself, defined as not including service providers.  See Cal. Civ. Code 1798.140(ai)(2) (West 2021).

  14. Va. Code 59.1-571 (2022).

  15. C.R.S. 6-1-1303(22)(b)(I) (2022).

  16. Utah Code Ann. 13-61-101(31)(b)(i) (2022).

  17. Cal. Civ. Code 1798.140(t)(2)(D) (West 2020).

  18. Cal. Civ. Code 1798.140(ad)(2)(C) (West 2021).

  19. Va. Code 59.1-571 (2022).

  20. C.R.S. 6-1-1303(22)(b)(IV) (2022).

  21. Utah Code Ann. 13-61-101(31)(b)(vii) (2022).

  22. Cal. Civ. Code 1798.140(t)(2)(D) (West 2020).

  23. Cal. Civ. Code 1798.140(ad)(2)(C) (West 2021).

  24. Va. Code 59.1-571 (2022).

  25. C.R.S. 6-1-1303(22)(b)(IV) (2022).

  26. Utah Code Ann. 13-61-101(31)(b)(vii) (2022).

  27. The CCPA does not contain an express exemption to the definition of “sale” for transfers of personal data between and among corporate affiliates, however, the CCPA considers some corporate affiliates (i.e., those that share common branding) to constitute the same “business” for regulatory compliance purposes.  See Cal. Civ. Code 1798.140(c) (West 2020).

  28. The CPRA does not contain an express exemption to the definition of “sale” for transfers of personal data between and among corporate affiliates, however, the CCPA considers some corporate affiliates (i.e., those that share common branding) to constitute the same “business” for regulatory compliance purposes.  See Cal. Civ. Code 1798.140(d)(2) (West 2021).

  29. Va. Code 59.1-571 (2022).

  30. C.R.S. 6-1-1303(22)(b)(III) (2022).

  31. Utah Code Ann. 13-61-101(31)(b)(ii) (2022).

  32. While the CCPA does not contain an express exemption to the definition of “sale,” the CPRA provides that information made available to the general public by the consumer or widely distributed by media does not constitute “personal information” for the purposes of the statute.  See Cal. Civ. Code 1798.140(v)(2) (West 2021).

  33. Va. Code 59.1-571 (2022).

  34. C.R.S. 6-1-1303(22)(b)(V)(B) (2022).

  35. Utah Code Ann. 13-61-101(31)(b)(vi)(A) (2022).

  36. Utah Code Ann. 13-61-101(31)(b)(iii) (2022).

©2022 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XII, Number 129
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig
Shareholder

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...

303.685.7425
Advertisement
Advertisement
Advertisement