FTC Defense Attorney on “Sale” and “Service Provider” Under the CCPA
Sunday, November 17, 2019
CCPA on sale of personal information
Print Mail Download i

The interpretation of “sale” and “service provider” under the California Consumer Privacy Act, including applicable exceptions, are both of critical important when assessing compliance obligations. 

The CCPA imposes onerous requirements on the “sale” of “personal information.”  “Personal information” is defined expansively to include information that can identify, relate to, describe, be associated with, or be reasonably capable of being associated with a particular consumer or household.  The statute provides a non-exhaustive list of categories of “personal information.”  “Personal information” does not include de-identified or aggregate consumer information.

Generally, if your entity sells, rents, releases, transfers, discloses, disseminates, makes available or otherwise communicates “personal information” about a California consumer to a third party in exchange for monetary or other valuable consideration, there is a qualifying “sale” under the CCPA. 

Digital marketers must take note and should consult with an experienced FTC defense attorney to ensure CCPA compliance.  For example, the transmission of information to third party advertising networks via cookies probably constitutes the “sale” of “personal information.”

Note that “personal information” that is disclosed at a consumer’s direction, to alert a third party that consumer has submitted an opt-out request for sale of their “personal information,” in conjunction with a merger/acquisition or other transaction which third party assumes control of all or part of the business, or to comply with a legal obligation do not constitute a “sale” of “personal information” under the CCPA. 

Similarly, there is no “sale” of “personal information” under the CCPA for “personal information” that is disclosed to a “service provider” subject to contractual restrictions that prohibit “retaining, using, or disclosing” “personal information” for any purpose other than “for the specific purpose of performing the services specified in the contract,” a certification made by a “service provider” that it understands its contractual restrictions, and the disclosing entity has provided reasonable notice to consumers about such sharing with the “service provider.”  Otherwise, disclosure is not covered by the “service provider” exception set forth above, including third party vendors.

Valuable consideration must be interpreted broadly and can potentially include, without limitation, the development of technologies and services beyond the contracted business service.

Under the California Consumers Privacy Act certain entities that collect information on behalf of businesses are considered “service providers.”  Knowing what constitutes as a “service provider” under the CCPA is a critical component of compliance with the new law because if “personal information” is collected on behalf of a business through a third party “service provider,” the business might be covered by the CCPA.

Also consumers have the right to request various pieces of information regarding the collection and use of “personal information,” including the categories of “service providers” to whom “personal information” was sold or disclosed.  Additionally, the CCPA permits consumers to requests covered entities and their “service providers,” to delete “personal information.”

A “service provider” means a for-profit legal entity that processes information on behalf of a business and to which the business discloses a consumer’s “personal information” for a business purpose, pursuant to a written contract.  Contracts must include various prohibitions, including, but not limited to, the retention, use or disclosure of “personal information” for any purpose other than the purpose specified in the contract or under the law.  “Service provider” contracts should also specifically address responses to consumer requests, data security safeguards, data breach response obligations, and data use and retention limitations.

The development and implementation of a robust CCPA compliance program must be made part of any data-driven business operation.  CCPA compliance protocols must necessarily entail such things as contract reviews, privacy notice updates, and data mapping and sharing analyses in order to determine whether applicable processes and arrangements meet various definitions, including, but not limited to, “personal information,” “sale” and “service provider.” 

© 2024 Hinch Newman LLP

Current Legal Analysis

More from Hinch Newman LLP

FTC Issues Report to Congress Highlighting Collaboration with State Attorneys General
by: Richard B. Newman
The FTC, CIDs and Tolling Agreements
by: Richard B. Newman
FCC Publishes Final Single Seller Lead Generation Consent Rule in Federal Register
by: Richard B. Newman
FCC Adopts New Rule to Close the Lead Generator Robocall and Robotexts Loophole
by: Richard B. Newman
Lead Generation Industry to be Turned on Head: Proposed FCC Rule Requires Consent Must be Secured From a Single Seller at a Time
by: Richard B. Newman
Google Announces New Requirements for Bulk Email Senders to Gmail
by: Richard B. Newman
NY AG and FTC Secure $1.6m from Online Apartment Finder for Allegedly Defrauding Renters
by: Richard B. Newman
FTC Explores Environmental Claims and Pending Civil Penalty Implementing Rulemakings
by: Richard B. Newman
FCC Notice of Proposed Rulemaking Could be Existential Threat to Lead Generation Industry
by: Richard B. Newman
TCPA Established Business Relationship Defense Defeats Class Allegations
by: Richard B. Newman

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins