An In-depth Look at the CCPA Concept of Sale

The following document is meant to explain our reasoning for certain service defaults categorized as a sale within the generator and serve as a basic guide in cases where you’re unsure if our defaults apply to you. In practice, we can’t confirm whether or not your individual use of a service can be considered a sale – this is something that you must decide based on your individual processes. In cases where you’re still unsure whether or not your use of a service constitutes a sale, we suggest that you consult with your lawyer.

To get started, we’ll explain in detail what constitutes a sale under the CCPA and what qualifies as an exception to a sale, then examine iubenda’s “sale” defaults for services within the generator.

What is a “sale” under the CCPA?

Under the CCPA, a sale is defined as:

“selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

In other words, any arrangement between a business and a third party or other business that allows the business to receive some value (monetary or not) in exchange for the personal information of consumers* is virtually included in the “sale” definition.

*See CCPA definition of “consumer” here.

Why is the concept of “sale” important?

Under the CCPA, consumers have “the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information.” This is the right to opt out.

If the exchange of personal information between a business and another business is not defined as a “sale,” then the business is not prohibited from disclosing personal information to the other business without the opt-out option, provided some conditions and thresholds are met. In other words, exchanging information that does not constitute a “sale” under the CCPA does not trigger additional obligations about the opt-out process.

What is not considered a “sale” under the CCPA?

The CCPA does provide exceptions to its definition of a “sale” of a consumer’s personal information. Specifically, under the CCPA, a business does not “sell” a consumer’s personal information when:

(A) A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this title. An intentional interaction occurs when the consumer intends to interact with the third party, via one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer’s intent to interact with a third party.

(B) The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer’s personal information for the purposes of alerting third parties that the consumer has opted out of the sale of the consumer’s personal information.

(C) The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose if both of the following conditions are met:
(i) The business has provided notice that information being used or shared in its terms and conditions consistent with Section 1798.135.
(ii) The service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose.

(D) The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided that information is used or shared consistently with Sections 1798.110 and 1798.115. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with Section 1798.120. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Unfair and Deceptive Practices Act (Chapter 5 (commencing with Section 17200) of Part 2 of Division 7 of the Business and Professions Code).

In other words, a “sale” does not occur when:

  • a consumer intentionally directs the business to disclose personal information;
  • the business shares the personal information for a consumer that has opted out of the sale of personal information for the purpose of alerting the third party of this opt-out; or
  • the business shares personal information with a service provider that is necessary to perform a business purpose.

Let’s focus on the “service provider” exception under (C) above (more information about the definitions of “service provider” and “business purpose” is discussed below).

If a business discloses personal information to a service provider, then the business is obligated to:

  • Provide notice in the online privacy policy that personal information is being used or shared with a service provider for a business purpose.
  • Ensure the service provider does not further collect, sell, or use the personal information except as necessary for the business purpose.

It is important to note that disclosures of personal information from businesses to service providers are permitted, even where a consumer has opted out. This is because, as stated above, this does not qualify as a “sale” of personal information.

What is a “service provider” under the CCPA?

The “service provider” exception to a sale of personal information may be the most popular exception and allows a business to seek shelter under this exception where it applies. Under the CCPA, a “service provider” is defined as:

a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.

In other words, under the CCPA, a “service provider” meets these conditions:

  • Is a business entity
  • Is a processor to a business (for example, processes information on behalf of the business)
  • Receives the information from a business for business purposes
  • Receives the information pursuant to a compliant written contract (a compliant written contract must prohibit the service provider that receives the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business).

How does a “service provider” qualify for the exception?

A business will not be deemed to be a seller of consumer personal information when this information is exchanged with a “service provider” where:

  • The exchange of consumer personal information is necessary for a business purpose
  • The exchange of consumer personal information is received by a service provider pursuant to a written contract between the business and the other business that acts as a service provider.

First, let’s go over the written contract requirement. The written contract can take the form of a CCPA Service Provider Addendum attached to other existing terms and contracts. The CCPA specifies that this written contract include provisions that “prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business[.]” Further, the CCPA specifies this about the written contract if the other business agrees that it qualifies as a service provider:

(A) Prohibits the person receiving the personal information from:
(i) Selling the personal information.
(ii) Retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract.
(iii) Retaining, using, or disclosing the information outside of the direct business relationship between the person and the business.

(B) Includes a certification made by the person receiving the personal information that the person understands the restrictions in subparagraph (A) and will comply with them.
A person covered by paragraph (2) that violates any of the restrictions set forth in this title shall be liable for the violations. A business that discloses personal information to a person covered by paragraph (2) in compliance with paragraph (2) shall not be liable under this title if the person receiving the personal information uses it in violation of the restrictions set forth in this title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the person intends to commit such a violation.

In review, the written contract must include:

  • A provision where the service provider agrees not to sell the personal information.
  • A provision that prohibits the service provider from retaining, using, or disclosing the personal information other than for the specific business purpose in the contract.
  • A provision that prohibits the service provider from retaining, using, or disclosing the personal information outside of the direct business relationship between the business and the service provider.

Now, let’s go over the “business purpose” requirement. The CCPA defines “business purpose” broadly, as follows:

“Business purpose” means the use of personal information for the business’ or a service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected. Business purposes are:

(1) Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.

(2) Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.

(3) Debugging to identify and repair errors that impair existing intended functionality.

(4) Short-term, transient use, provided the personal information that is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.

(5) Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.

(6) Undertaking internal research for technological development and demonstration.

(7) Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.

In other words, a business purpose is:

  • auditing;
  • detecting security incidents and protecting against fraud;
  • debugging errors that impair intended functionality;
  • short-term use of personal information provided that the personal information is not disclosed to a third party or used to build a profile about the consumer;
  • performing services such as customer service, order fulfillment, processing payments, and other similar services;
  • internal research for technological development; or
  • undertaking activities for quality control.

What are some examples of service providers?

Listed below are a few examples of potential service providers that collect, access, maintain, use, process and transfer the personal information of the customers of a business for the business’ purpose of performing the service provider’s obligations:

  • Web host. A business most likely uses another business to host a website. It is foreseeable that a web host acts as a “service provider” for a business.
  • CRM cloud software. Businesses may use CRM cloud software to store consumers’ personal information. It is foreseeable that CRM cloud software functions as a “service provider” as defined under the CCPA for a business.

As stated above, a written contract and conditions must be in place with any and all third-party businesses that act as “service providers” to qualify for the exception to “sale” of personal information.

About “sale” defaults for services within the Generator

It is important to note that while using personal information for a “business purpose” does exempt that information from opt-out requirements, it does not exempt that personal information from CCPA disclosure requirements.

The services categorized inside the following purposes would most likely be a “sale” of personal information because they likely involve a transfer of personal information outside the scope of a business purpose or any other exception to a “sale”:

| iubenda categories/purposes | How we categorize by default |
|---|---|
| Access to third-party accounts | (likely) sale |
| Advertising | (likely) sale |
| Advertising serving infrastructure | (likely) sale |
| Analytics | (likely) sale |
| Beta Testing | (likely) sale |
| Commercial affiliation | (likely) sale |
| Contacting the User | (likely) sale |
| Content commenting | (likely) sale |
| Content performing and features testing (A/B testing) | (likely) sale |
| Data transfer outside the EU | (likely) sale |
| Displaying content from external platforms | (likely) sale |
| Heat mapping and session recording | (likely) sale |
| Interaction with data collection platforms and other third parties | (likely) sale |
| Interaction with external social networks and platforms | (likely) sale |
| Interaction with live chat platforms | (likely) sale |
| Interaction with online survey platforms | (likely) sale |
| Managing data collection and online surveys | (likely) sale |
| Managing landing and invitation pages | (likely) sale |
| Managing web conferencing and online telephony | (likely) sale |
| Platform services and hosting | (likely) sale |
| Registration and authentication | (likely) sale |
| Remarketing and behavioral targeting | (likely) sale |
| RSS feed management | (likely) sale |
| Social features | (likely) sale |
| Tag Management | (likely) sale |
| User database management | (likely) sale |

The following services would most likely provide a necessary “business purpose” (the personal information is used for a business’ or service provider’s operational purposes) and, therefore, fall under the “business purpose” exception to a “sale” of personal data. Remember, as discussed in the CCPA, the business is required to enter into a written contract with the service provider that “prohibits the [service provider] receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business[.]”

| iubenda categories/purposes | How we categorize by default |
|---|---|
| Device permissions for Personal Data access | (possibly) no sale |
| Handling activity data | (possibly) no sale |
| Handling payments | (possibly) no sale |
| Registration and authentication provided directly by {insert application} | (possibly) no sale |
| Selling goods and services online | (possibly) no sale |
| SPAM protection | (possibly) no sale |

The following services may be a “sale” of personal information or may be an exception to a “sale” because of their “business purpose”:

  • Interaction with support and feedback platforms – In this case, a third-party service may collect browsing data and usage data from a user. Because browsing data and usage data may or may not fall under the definition of a “sale,” this selection depends on particular use cases. It depends on the business reasons for using a third-party service for support and feedback.
  • Managing contacts and sending messages – Whether or not this falls under a “sale” depends on the use case, because services that collect data concerning messages from a user may collect data outside the scope of a “business purpose” and, therefore, be defined as a “sale.” It depends on the business reasons for using a third-party service to manage contacts and send messages.
  • Managing support and contact requests – A third-party service that manages support and contact requests could be a “sale” or fall under the business purpose exception; it depends on the business reasons for using a third-party service to manage support and contact requests.
  • Traffic optimization and distribution – Traffic optimization and distribution may provide a “business purpose” such as using a cloud storage provider. Traffic optimization and distribution may also constitute a “sale” of personal information by storing user data with a third party. It all depends on the business reasons for the transfer of personal information by a business to a third party for traffic optimization and distribution.
  • Backup saving and management – A backup saving and management service may provide a “business purpose” such as using a cloud storage provider. A backup saving and management service may also constitute a “sale” of personal information by storing user data with a third party. It all depends on the business reasons for the transfer of personal information by a business.
  • Hosting and backend infrastructure – A hosting service may provide a “business purpose” such as using a cloud storage provider. A hosting service may also constitute a “sale” of personal information by storing user data with a third party. It all depends on the business reasons for the transfer of personal information by a business.
  • Infrastructure monitoring – Infrastructure monitoring may provide a “business purpose” such as using a cloud storage provider. Infrastructure monitoring may also constitute a “sale” of personal information by storing user data with a third party. It all depends on the business reasons for the transfer of personal information by a business.
