Arguably not.

Some privacy advocates and plaintiffs’ attorneys have argued that the CCPA’s broad definition of the term “sell” might encompass the transmission of user information from an App to an AdTech partner.  Specifically, they claim that the CCPA considers any “disclos[ure]” of personal information to be a “sale” when a company receives “monetary or other valuable consideration.”  As the definition of “personal information” includes “unique identifiers” – a term which includes “mobile ad identifiers, or similar technology” – the act of transmitting information about a user’s device to an AdTech partner that then leads to ad revenue should be considered a “sale” for the purposes of the Act.

While the definition of “sale” under the CCPA contains an exception for situations in which information is shared with a service provider, that exception may not apply to all AdTech partners.¹  Specifically, to invoke the service provider exception the contract between an App publisher and an AdTech partner must “prohibit” the partner “from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract with the business.”²  Behavioral advertising networks that retain the information that they obtain from Apps and use that information for the benefit of themselves (or the benefit of other members of a behavioral advertising network) may not satisfy the definition of a “service provider.”

The definition of “sale” under the CCPA contains a second exception for situations in which a “consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party.”³  In order to mitigate the risk that sending user information to AdTech partners might be interpreted as a “sale” of information, some App publishers disclose that they transmit information to AdTech partners in their privacy notices, and then ask users to consent to those notices (and, hence, consent to the sharing of their information).  If the App publisher obtains consent to its privacy notice, it could argue that the consumer has “direct[ed] the business to intentionally disclose” information and, therefore, the transfer of information is not a sale.  The strength of such an argument may depend, in part, on the prevalence of the privacy notice, and the manner in which consent is solicited and obtained.

For more information and resources about the CCPA visit http://www.CCPA-info.com. 

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. CCPA, Section 1798.140(t)(2)(C).

2. CCPA, Section 1798.140(t)(2)(C)(ii), (v).

3. CCPA, Section 1798.140(t)(2)(A).

[View source.]