Written by: Sean Cox, Esq.

The California Consumer Privacy Act of 2018 (“CCPA”) officially went into effect on January 1, 2020. According to the California Attorney General, enforcement will begin on July 1, 2020. One of the most important provisions of the CCPA allows consumers to opt-out of the sale of their personal information.

Among other provisions, the CCPA requires that websites must include a page called Do Not Sell My Personal Information that allows consumers to opt-out of the sale of personal information. Businesses must also include a link on their homepage that directs to that page. Once a consumer opts-out, a business must accept the consumer’s decision for at least 12 months.

Many companies may think this prohibition does not apply to them because they do not sell data in the traditional sense. However, a “sale” under CCPA may be much broader than many assume. CCPA defines “sale” broadly as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” That last part of the definition may gather in many more transactions than expected.

Anytime a company is sharing personal information with a third-party, there is likely a reason and some type of benefit to the company. Maybe it is so the third-party can provide another service in exchange. Perhaps it is so the company can get access to other useful information. Under either of these examples, a company my in fact be “selling” personal information. This is yet another reason it is critical for all companies to determine exactly what information they are obtaining and exactly how they are using it. Otherwise, companies may unwittingly be in serious violation of the CCPA.