Think your business doesn’t need to worry about the California Consumer Privacy Act (CCPA) because you don’t sell any data for business purposes?
You may want to take a second look.
Under the broad definition of “sale” used in CCPA, you could very possibly be subject to CCPA requirements and unknowingly failing to achieve and maintain compliance. With the financial penalties associated with non-compliance, not to mention the data security risk that results from ignoring CCPA requirements, it’s absolutely vital to make sure that you know whether or not your business activities would be considered to be “selling data” under the CCPA.
What is the CCPA?
At a high level, the CCPA is a comprehensive data privacy law that covers any data and personal information related to California residents, including both individual consumers and households.
Similar to Europe’s General Data Protection Regulation (GDPR), the CCPA is largely about protecting consumer’s right to have control over their personal information and other sensitive data.
The CCPA is a set of regulations that applies to most businesses. Notable exemptions include health providers already regulated under HIPAA, financial companies covered under Gramm-Leach-Bliley, and credit reporting agencies.
You can get a detailed overview of how the CCPA works and how to achieve CCPA compliance here.
What the “sale” of personal information means under CCPA
For most people, the word “sale” means giving something to someone in exchange for money, plain and simple. Intuitively, this would mean that personal information or other data is exchanged for monetary consideration.
When it comes to CCPA, however, the definition isn’t so straightforward. In fact, it’s incredibly broad.
The CCPA defines sale as, “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information to another business or a third party for monetary or other valuable consideration.”
Most people understand monetary consideration when it comes to sales, but what counts as valuable consideration?
The broad definition of ‘valuable consideration’
So, you don’t receive monetary consideration for your users’ data – but what about valuable consideration?
The truth is that your business may actually be engaging in the sale of their personal information under the wide definition under CCPA which essentially includes any transfer of data that benefits another party.
Specifically, in the context of CCPA, a sale is a disclosure of personal data that:
- The consumer did not intentionally trigger. When the customer directs the business to make the disclosure, it cannot be deemed a sale.
- Is not operationally required. In other words, your business can run without the exchange of data.
- Does not constitute non-commercial speech. CCPA provides a carve-out for non-commercial speech, like political speech or journalism.
- Involves consideration being provided in exchange for the user’s personal data.
- While you may not be selling your customers’ personal information outright, you could easily be participating in one of the transactions listed above.
For example, if a business offers a SaaS solution, it may be a service provider, but if the business uses multiple customers’ data to forecast market trends, that could be considered a sale.
What to do if you fall within scope of CCPA requirements
If you find that you are potentially engaging in activities that could be defined as a sale, and you “sell” the data of more than 50,000 households or individuals, your business is going to have to comply with CCPA.
CCPA requirements guide how transparent a business should be when it comes to its Californian users’ personal data and puts control of its data into the hands of consumers. This includes knowing where your data goes through data mapping, revising your privacy notice to meet the law’s requirements, having an option to opt-out of the sale of data on your home page, and responding to consumer requests to exercise their rights – the list goes on.
The CCPA is enforced through fines, and a consumer doesn’t have to prove actual damages. Instead, they only have to prove that the business violated CCPA. A business found in violation of CCPA can expect to pay $100 to $750 in fines or front the actual damage costs - whichever is greater.
For many businesses, the high costs and human resources that need to be dedicated to CCPA compliance can be overwhelming.
Fortunately, companies can work with a data privacy and compliance partner who will streamline their CCPA journey while more effectively securing consumer information.
VGS provides tools to make compliance with CCPA easier, including tools to help you map your data flows. In addition, VGS’ data aliasing technology provides businesses with security to protect their customers’ personal information. Businesses can offload their CCPA compliance concerns onto VGS, allowing them to work with sensitive data as they normally would – with none of the risks.
Learn more about how VGS can fast-track your CCPA compliance here.