It’s time to end magical thinking about sales under CCPA
Organizations can no longer risk trying to parse out the difference between “sharing” and “selling” consumer data under California's privacy legislation, argue IAB's Michael Hahn and Tony Ficarrotta.
/ Sergey Zolkin
For some, the allure of not “selling” personal information under California’s privacy law is strong. Businesses that don't sell personal information have fewer and simpler compliance requirements.
In particular, they do not need to cope with the complex process of segregating data flows that involve sales and implement corresponding mechanisms to limit those flows when consumers opt-out. These businesses also do not need to disclose that they sell personal information – a statement that some advertisers and publishers are reluctant to make out of fear of consumer backlash.
The draw of this position, however, has given rise to some magical thinking among a few publishers, advertisers, and adtech providers – namely that there are certain digital advertising data disclosures that need not be purpose limited by service provider agreements and that consumers do not have the right to opt-out of.
This thinking is based on an interpretation of the CCPA that stretches a possible ambiguity into a significant statutory gap, is contrary to the broader structure of the law and ignores the California Attorney General’s focus on enforcing opt-out rights. Businesses that disregard these facts invite regulatory scrutiny and are more likely to be caught scrambling to comply with CCPA (and privacy laws in other states). With the California Privacy Rights Act (CPRA) just around the corner, now is the time to ditch magical thinking and work toward a more stable and sustainable approach to handling sales and shares.
Third parties, service providers and the ‘third box’ of disclosures
By now, privacy professionals are accustomed to assigning personal information disclosures to one of two categories. If the data recipient processes the personal information on behalf of a business for a “business purpose,” and assuming the corresponding contractual requirements are satisfied, the CCPA recognizes the recipient as a service provider, and there is no sale.
By contrast, if the recipient uses personal information for its own benefit or does not fulfill a business purpose, the disclosure is a sale. Sales and service provider relationships are the exclusive and non-overlapping categories of personal information disclosures under the CCPA with respect to a given data flow.
A few participants in the digital advertising industry, however, claim that there is another ‘box’ under the CCPA, where personal information can be transferred to a third party without a “sale” occurring, but also without being subject to the CCPA’s strictures on service providers. The key to this interpretation lies in the CCPA’s definition of “sales”: “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” (It's worth noting that the CPRA deletes the phrase “another business or” but does not otherwise change this definition).
According to this interpretation, if an advertiser or publisher provides personal information to an adtech vendor or other recipient but receives nothing in return – no “valuable consideration” – the transfer is not a sale. But because the adtech vendor does not process the personal information solely on behalf of the advertiser or publisher that made the personal information available, the adtech vendor is not a service provider, either.
In short, the transfer effectively falls outside of the CCPA: the recipient is not a service provider that is required to limit its processing of the consumer’s personal information and the consumer has no right to opt-out of the disclosure because it is not a “sale.”
Why the CCPA doesn’t support the ‘third box’ theory
We are deeply skeptical that this magical ‘third box’ exists as a matter of statutory interpretation. Regulating sales of personal information is a central purpose of the CCPA, and courts are unlikely to find a significant loophole that is based on a narrow interpretation of “valuable consideration.” Moreover, regulators almost never take a narrow view of the statute they are enforcing, and the “anti-avoidance” principle directs courts and enforcement agencies to “disregard the intermediate steps or transactions for purposes of effectuating the purposes of this title,” including “steps or transactions” that are structured “to avoid the definition of sell or share.”
Additionally, the factual predicate necessary to apply this interpretation – that advertisers and publishers provide gifts of personal information to adtech companies and receive no benefit in return – is fanciful. Advertisers and publishers increasingly recognize that their first-party data is highly valuable. An interpretation that runs contrary to prevailing commercial practices and attitudes is on shaky ground at best. If there is no benefit to the business that provides valuable personal information, why do it?
Whatever limited viability the ‘third box’ interpretation may have had during the early days of CCPA implementation has certainly vanished. In August 2022, the California Attorney General announced the first public settlement of a CCPA enforcement action. The defendant in that case – beauty products retailer Sephora – allegedly sold personal information to adtech and analytics companies without providing the required disclosures and opt-out choice.
Paragraph 12 of the Sephora complaint sets forth the Attorney General’s interpretation of “sale” that should alarm companies that have relied on the third box: “Section 1798.140, subdivision(t), broadly defines the exchange of personal information for anything of value. Sephora’s relationships with advertising networks, business partners, and data analytics providers met that definition, because Sephora gave companies access to consumer personal information in exchange for free or discounted analytics and advertising benefits.” This allegation strongly suggests that the Attorney General’s Office is not out to establish limits to “valuable consideration.” A similar conclusion should be drawn from other anonymous enforcement examples published at the same time Sephora was announced.
CPRA “shares” are not distinct from sales
The CPRA further closes the lid of the ‘third box.’ Providing personal information for the purpose of “cross-context behavioral advertising” is considered a “share” even if there is no consideration involved. Shares are subject to the same disclosure, opt-out and other compliance obligations as sales.
Nonetheless, some stakeholders now postulate that with CPRA there exists a ‘fourth box’ – namely, that certain disclosures are “shares” but not “sales.” This view is based on the supposition that there is a meaningful difference between sales and shares under which digital advertising and analytics can evade classification as sales.
Proponents of this view say that Sephora leaves some wiggle room because the complaint asserts that Sephora received analytics data and the “valuable option” to serve targeted ads to consumers on other websites. These proponents further assert that consideration-free transfers might be shares, but they are not sales, and the CPRA allows businesses to tell consumers that they only share personal information. Finally, they contend that allowing a third party to collect a consumer’s personal information from a page – for example, through a pixel or SDK – where no analytics are provided to the publisher or advertiser is neither a sale (because no analytics are provided as consideration) nor a share (because the information is not made available for purposes of cross-context behavioral advertising).
This interpretation ignores the history of the CPRA and California regulators’ guidance. Take it from Californians for Consumer Privacy, the organization that Alistair Mactaggart – the main backer of the CCPA and CPRA, and current California Privacy Protection Agency board member – founded: the “CPRA simply clarifies and underlines what businesses should already be doing as a result of the CCPA.” The CPRA prescribes specific language – “Do Not Sell or Share My Personal Information” – for opt-out links. The statute does not offer the option to distinguish sales from shares in this link, nor does the alternative – a “Your Privacy Choices” link and icon – support a distinction between sales and shares. The Attorney General Office’s enforcement examples describe several instances in which companies faced scrutiny for providing allegedly confusing opt-out language and choices. Finally, the CPPA’s draft CPRA regulations and “Initial Statement of Reasons” treat sales and shares consistently, without drawing a distinction between them. These sources provide no indication that regulators will accept the legalistic hair-splitting that is the foundation for the fourth box.
The end of magical thinking about CCPA sales
After two years of enforcement history with the CCPA and unambiguous signals in the CPRA and its draft implementing regulations, it’s clear that the time for magical thinking about the scope of “sales” of personal information is over.
The intent of the CCPA – as is further emphasized by the CPRA – is not to create intricate exceptions to consumer opt-out rights based on the kind of consideration given or the specific purpose of a disclosure to a third party. Instead, it is to give consumers a broad, effective right to opt-out of those disclosures and avoid the very hair-splitting exercises that result in the magic third and fourth boxes that limit consumer opt-out rights. Companies that do not come to terms with this new reality will find themselves with a significant regulatory challenge.
Michael Hahn is Executive Vice President, General Counsel, IAB, and IAB Tech Lab. Additional contribution from Tony Ficarrotta, assistant general counsel at IAB.