
California Consumer Privacy Act (CCPA)

California, United States of America

Issue

What constitutes a sale of personal information under the California Consumer Privacy Act?

Conclusion

"Personal information" refers to a broad range of information that "identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a consumer." Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement is specifically included in the definition. However, such information is not considered "personal" if it is publicly available (lawfully made available from federal, state, or local government records) or if it is de-identified or aggregate consumer information. (Cal. Civ. Code § 1798.140)

A transfer of personal information is only considered a "sale" if the party that transfers personal information receives monetary or other valuable consideration. (Cal. Civ. Code § 1798.140)

It is not a "sale" for a business to share personal information with a "service provider" for a purpose necessary to the business. A "service provider" is a business that processes information on behalf of other businesses and to which those businesses disclose a consumer's personal information for a business purpose pursuant to a written contract, as long as the written contract prohibits the service provider from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose set out in the contract. (Cal. Civ. Code § 1798.140)

The definition of "sale" also contains an exception for situations in which a consumer "directs" the business to disclose personal information to a third party. (Cal. Civ. Code § 1798.140)

No California state court decisions were identified that discussed the meaning of "sale," "sold," "sell," or "selling" under the California Consumer Privacy Act of 2018 ("CCPA").

Federal courts and state administrative agencies have emphasized that the CCPA seeks to address the sale of personal information and the disclosure of personal information for business purposes, or in other words, for monetary or other valuable consideration. (Order Instituting Rulemaking on Regulations Relating to Passenger Carriers, Ridesharing, and New Online-Enabled Transportation Services; Will Kaupelis v. Harbor Freight Tools USA, Inc.)

Law

The California Consumer Privacy Act of 2018 ("CCPA") is codified at Cal. Civ. Code § 1798.100, et seq.

Under the current subdivision (o) of Cal. Civ. Code § 1798.140, "personal information" refers to a broad range of information that "identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a consumer." Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement is specifically included in the definition in subdivision (o)(1)(F). However, such information is not considered "personal" if it is publicly available (lawfully made available from federal, state, or local government records) or if it is de-identified or aggregate consumer information:

(o)

(1) "Personal information" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:

(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers.

(B) Any categories of personal information described in subdivision (e) of Section 1798.80.

(C) Characteristics of protected classifications under California or federal law.

(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

(E) Biometric information.

(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an internet website, application, or advertisement.

(G) Geolocation data.

(H) Audio, electronic, visual, thermal, olfactory, or similar information.

(I) Professional or employment-related information.

(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).

(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

(2) "Personal information" does not include publicly available information. For purposes of this paragraph, "publicly available" means information that is lawfully made available from federal, state, or local government records. "Publicly available" does not mean biometric information collected by a business about a consumer without the consumer's knowledge.

(3) "Personal information" does not include consumer information that is deidentified or aggregate consumer information.

Under the current subdivision (t) of Cal. Civ. Code § 1798.140, a transfer of personal information is only considered a "sale" if the party that transfers personal information receives monetary or other valuable consideration:

(t)

(1) "Sell," "selling," "sale," or "sold," means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration.

Under the current subdivision (t)(2), it is not a "sale" for a business to share personal information with a "service provider" for a purpose necessary to the business:

(2) For purposes of this title, a business does not sell personal information when:

[...]

(C) The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose if both of the following conditions are met:

(i) The business has provided notice of that information being used or shared in its terms and conditions consistent with Section 1798.135.

(ii) The service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose.

A "service provider" is a business that processes information on behalf of other businesses and to which those businesses disclose a consumer's personal information for a business purpose pursuant to a written contract, as long as the written contract prohibits the service provider from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose set out in the contract:

(v) "Service provider" means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer's personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.

The definition of "sale" in subdivision (t) also contains an exception for situations in which a consumer "directs" the business to disclose personal information to a third party:

(2) For purposes of this title, a business does not sell personal information when:

(A) A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this title. An intentional interaction occurs when the consumer intends to interact with the third party, via one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer's intent to interact with a third party.

(B) The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer's personal information for the purposes of alerting third parties that the consumer has opted out of the sale of the consumer's personal information.

An amended version of Cal. Civ. Code § 1798.140, coming into effect on January 1, 2023, contains the same definition of "sale," "selling," "sell," or "sold" at subdivision (ad)(1):

(ad)

(1) "Sell," "selling," "sale," or "sold," means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for monetary or other valuable consideration.

[...]

No California state court decisions were identified that discussed the meaning of "sale," "sold," "sell," or "selling" under the CCPA.

In Will Kaupelis v. Harbor Freight Tools USA, Inc., 2020 U.S. Dist. LEXIS 246379 (C.D. Cal. September 28, 2020), the United States District Court for the Central District of California explained that the CCPA seeks to address the sale of personal information and the disclosure of personal information for business purposes. The Court held that under the plain language of the CCPA, the disclosure of personal information as part of a civil discovery request was not a sale of personal information or a disclosure of personal information for business purposes as covered by the statute (at 6-8):

The Court does not believe that the CCPA should be so interpreted. The CCPA does state that it is "intended to further the constitutional right of privacy." California Civil Code § 1798.175. But the CCPA is a statute that is focused on particular practices; namely, it seeks to address the sale of PI and the disclosure of PI for business purposes. This intent is [*7] evidenced throughout the CCPA. See, e.g., California Civil Code §§ 1798.115(a) ("A consumer shall have the right to request that a business that sells the consumer's personal information, or that discloses it for a business purpose, disclose to that consumer . . . ." (emphasis added)); 1798.115(b) ("A business that sells personal information about a consumer, or that discloses a consumer's personal information for a business purpose, shall disclose . . . ." (emphasis added)); 1798.120(a) ("A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer's personal information." (emphasis added)); 1798.120(b) ("A business that sells consumers' personal information to third parties shall provide notice to consumers . . . that this information may be sold and that consumers have the 'right to opt-out' of the sale of their personal information." (emphasis added)).

The terms "sale" and "business purpose" are not defined in a way that encompasses civil discovery requests. A "sale" is the "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic [*8] or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration." California Civil Code § 1798.10(t)(1) (emphasis added). "'Business purpose' means the use of personal information for the business's or a service provider's operational purposes, or other notified purposes . . . ." California Civil Code § 1798.140(d). The plain language of the CCPA shows that neither of these terms is intended to include disclosure of PI as part of a civil discovery request. Indeed, the CCPA's irrelevance to civil discovery requests is further shown by how the CCPA expressly "shall not restrict a business' ability to . . . comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities." California Civil Code § 1798.145(a)(2). The CCPA therefore does not require the expanded use of notice and consent by parties responding to discovery requests.

In Order Instituting Rulemaking on Regulations Relating to Passenger Carriers, Ridesharing, and New Online-Enabled Transportation Services, 2020 CAL. PUC LEXIS 1072 (Cal. P.U.C. November 19, 2020), the California Public Utilities Commission also emphasized that the purpose of the CCPA is to regulate the sale and distribution of consumer information to third parties for business purposes, or in other words, for monetary or other valuable consideration (at 66-67):

Effective January 1, 2020, the purpose of the CCPA is to regulate the sale and distribution of consumer information to third parties for business purposes. It notifies consumers of their right to request that businesses disclose the information that has been collected about them, to request the deletion of that information, to direct a business not to sell their personal information, and to request disclosure of the types of information sold to third parties, and to whom it was sold.

But CCPA does not apply to the Commission's efforts to obtain either geolocational data or personal information. First, CCPA is designed to regulate business efforts at consumer data collection. Business is defined as:

A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that collects consumers' personal information or on the behalf of which that information is collected and that alone, or jointly with others, determines the purposes and means of [*67] the processing of consumers' personal information, that does business in the State of California.

The Commission, as a state regulatory agency, does not fit within CCPA's definition of a business.

Second, CCPA places restrictions on the selling of consumer information. The statute defines "sell, selling, sale, and sold" as releasing, disclosing or otherwise communicating a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration (emphasis added). The Commission is not gathering and selling consumer personal information for monetary or other valuable consideration.

In Brooks v. Thomson Reuters Corp., 21-cv-01418-EMC (N.D. Cal. 2021), the United States District Court for the Northern District of California found that the defendant's provision of an opt-out mechanism pursuant to the CCPA did not necessarily mean that the defendant's unauthorized sale of the plaintiffs' personal information was fair under California's Unfair Competition Law (UCL) as a matter of law. The Court explained that the UCL fairness prong may provide broader protection than specific statutes such as the CCPA. Furthermore, there was a serious question of material fact as to whether the opt-out mechanism provided by the defendant complied with the CCPA as the complaint alleged that the opt-out provision was not reasonably accessible to consumers or clear and conspicuous:

According to Thomson Reuters, its conduct is not “unfair” under the UCL because it is (1) expressly permitted by the California Consumer Privacy Act (CCPA), Cal Civ. Code §§ 1798.100-1798.199.95, and (2) does not meet any of the tests used by California courts for unfair conduct. This Court disagrees.

a. CCPA Defense

Under the CCPA, “[a] consumer[4] shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer's personal information. This right may be referred to as the right to opt-out.” Cal Civ. Code § 1798.20. Relying on this statutory language, Thomson Reuters argues its conduct cannot be unfair because the CCPA expressly allows it to sell Plaintiffs' personal information if it provides Plaintiffs a mechanism to opt out of such sale. Mot. at 15-16 (citing Compl. ⁋⁋ 46-47, 57).

This is a meritless argument for multiple reasons. As an initial matter, Thomson Reuters does not cite a single case where the court dismissed a plaintiff's claim that the dissemination of their personal information is unfair under the UCL simply because the defendant provided an adequate opt-out mechanism under the CCPA.

Moreover, several provisions of the CCPA clearly state that the law is not meant to curtail other privacy statutes. For example, the CCPA explains that the private right of action it creates under section 17980.50 for the “unauthorized access and exfiltration, theft, or disclosure [of consumer's personal information] . . . shall not be construed to relieve any party from any duties or obligations imposed under other law or the United States or California Constitutions.” Cal. Civ. Code § 1798.50(a)(1), (c). More broadly, section 1798.175 explains that the CCPA “is intended to further the constitutional right of privacy and to supplement existing laws relating to consumers' personal information,” and that, “[w]herever possible, law relating to consumers' personal information should be construed to harmonize with the provisions of this title.” Id. § 1798.175 (emphasis added). The statute goes further: “in the event of a conflict between other laws and the provisions of [the CCPA] the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.” Id.

Here, the Court can easily harmonize the CCPA's right to opt-out with Plaintiffs' claim under the unfair prong of the UCL by concluding that CLEAR's opt-out mechanism does not necessarily mean Thomson Reuters's unauthorized sale of Plaintiffs' personal information is fair under the UCL as a matter of law. The UCL fairness prong may provide broader protection than specific statutes such as the CCPA. This interpretation of both statutes controls because it “afford[s] the greatest protection for the right of privacy for consumers.” Id.

Even if providing an opt-out mechanism under the CCPA was a defense, there is a question of fact as to whether CLEAR's opt-out mechanism complies with the CCPA. To actualize the “right to opt-out” in section 1798.120,

[a] business . . . shall, in a form that is reasonably accessible to consumers:

(1) Provide a clear and conspicuous link on the business's Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer's personal information.

Cal Civ. Code §§ 1798.135(a)(1) (emphases added). Similarly, the regulations that implement the CCPA's opt-out mandate also specify that

A business's methods for submitting request to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out. A business shall not use a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer's choice to opt-out.

Cal. Code Regs. tit. 11, § 999.315(h) (emphasis added). The regulations also prohibit an opt-out mechanism that “require[]s the consumer to provide personal information that is not necessary to implement the request.” Id. § 999.315(h)(4).

The complaint here alleges that Thomson Reuters places a “tiny link” at the bottom of its CLEAR homepage and “provides no notice to consumers that the link exists. Nor does the company enable consumers who happen to find out about the link to easily make use of it.” Compl. ⁋⁋ 46-48. It also alleges that when both named Plaintiffs attempted to opt out by clicking on the small link at the bottom of the CLEAR website, “Thomson Reuters required that [they] provide a photograph of [their] government-issued identification card as well as a separate picture of [their] face.” Compl. ⁋⁋ 49, 57. Taking these allegations as true and drawing every inference in Plaintiffs' favor, the Court cannot determine as a matter of law that CLEAR's opt-out mechanism complies with the CCPA and its implementing regulations. In the words of the statute, CLEAR's opt-out mechanism-as alleged in the complaint-is not “reasonably accessible to consumers” or “clear and conspicuous.” Cal Civ. Code §§ 1798.135(a)(1). Nor is it “easy for consumers” to opt-out using “minimal steps.” Cal. Code Regs. tit. 11, § 999.315(h). In fact, plaintiff alleges that CLEAR required Plaintiffs' photo identifications and faces to opt out. If true, those allegations could easily lead a reasonable trier of fact to conclude that CLEAR's opt-out mechanism, itself, is unfair under the UCL.

Accordingly, compliance with the CCPA is not a defense to Plaintiffs' claims that the sale of their personal information is an unfair business practice under the UCL. At the very least, there is a serious question of material fact as to whether Thomson Reuters's opt-out mechanism even complies with the CCPA.

Alexsei publishing date: 2022-03-25 16:17:38.400661