Probably not.

The CCPA broadly defines the term “sale” as including the act of “disclosing” or “making available” personal information “for monetary or other valuable consideration” from one business to another.¹

The definition of “sale” under the CCPA contains an exception for situations in which information is shared with a service provider.  Whether the exception applies to a third party fulfillment company that has been contracted by a loyalty program operator to provide benefits (e.g. free merchandise, goods, or services) depends in part upon the contract in place with the fulfillment company.²  Specifically, the service provider exception requires that following three conditions be present:

1. The transfer of information to the service provider must be “necessary” for the loyalty program’s business purpose.³ There is a strong argument that the use of a vendor to fulfill promised benefits is necessary to the operation of a loyalty program.
2. The transfer of information to the service provider must be disclosed to consumers.  Many loyalty programs meet this requirement by disclosing their use of service providers in their privacy policies.
3. The agreement with a service provider must “prohibit” the service provider “from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract with the business.”⁴ Whether the contract in place with a fulfillment provider meets these requirements may be a case-by-case inquiry.

For more information and resources about the CCPA visit http://www.CCPA-info.com. 

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. CCPA Section 1798.140(t)(1).

2. CCPA, Section 1798.140(t)(2)(C).

3. CCPA, Section 1798.t)(2)(C).

4. CCPA, Section 1798.140(t)(2)(C)(ii), (v).

[View source.]