The CCPA broadly defines the term “sale” as including the act of “disclosing” or “making available” personal information “for monetary or other valuable consideration” from one business to another. This arguably could include disclosures of personal information by a business to third parties who provide services to the business. The CCPA offers two exceptions for sharing between businesses and third parties:
- The third party is considered a “service provider” under the CCPA. To qualify as a “service provider,” the contract with the third party must prohibit the third party from:
- Retaining the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,”
- Using the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,” or
- Disclosing the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title.”
2. The consumer “uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party.” The consumer’s action must be “deliberate” and “intentional.” Affirmative consent (i.e., opt-in consent) qualifies as intentionally directing the business to disclose personal information to a third party.
If information is being shared between a business and a third party, and neither of the above exceptions applies, the disclosure of information to the third party might be a “sale” of information.
For more information and resources about the CCPA visit http://www.CCPA-info.com.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
[View source.]