"Seller" Beware!!!

August 8, 2019

In my last posting, I discussed the extraordinarily broad coverage of the California Consumer Privacy Act (CCPA). Clearly, the CCPA is the most sweeping privacy legislation ever adopted in the United States.  Of special concern are several CCPA provisions regarding the so-called “sale” of information, which pose very serious challenges for the advertising community. 

Dictionaries contain clear definitions of the term “sale,” yet the drafters of the CCPA apparently decided not to consult them.  As a result, the CCPA’s wide-ranging definition of “sale” could severely restrict data use, because it includes no requirement of a monetary transfer – so lots of things that today aren’t thought of as a “sale” would be swept up by this term.  If you merely add a Software Development Kit (SDK) to an app or IOT device, or insert a pixel into a website, have you made a “sale” under the CCPA? 

The CCPA’s “sale” definition seems strongly to suggest that making any data available for any consideration or thing of value is a sale. If an entity then becomes a seller of data, how does it maintain rights over data that the entity no longer actually controls?

Then there are the provisions regarding loyalty and rewards programs. When it was signed into law, the CCPA contained highly ambiguous language that threatened the continued use and existence of such programs as gas station incentives, grocery store coupons, and the like.  Fortunately, ANA and others were able to secure an amendment clarifying that loyalty and rewards programs will continue to be permitted in California.  But the legislators “gave” with one hand and, at the same time, “took” with the other: a very harmful provision was added prohibiting the “sale” of any personal information gathered under loyalty and rewards programs. This is another example where the selling of information is going to be significantly undermined.

It gets worse. The new law prohibits a third party from “selling” personal information that was sold to it unless the consumer received “explicit notice” of that sale and was offered the opportunity to opt out by the entity selling data to the third party.  This approach doesn’t work in the real-world marketplace.  Third parties are left to rely on data providers to deliver explicit notice and an opt-out mechanism in order to efficiently function. This really matters, because whether one is a data provider or seller, failure to provide this notice may curtail the ability to continue offering services in that marketplace.

There are many other problems with the CCPA beyond these “sale” limitations and uncertainties that are very perilous for the ad community. ANA will continue our strong efforts to obtain both clarifying amendments to the CCPA as well as working with the California AG’s Office on the development of constructive regulations that are mandated to be promulgated under the CCPA.


You must be logged in to submit a comment.