The following document is meant to explain our reasoning for certain service defaults categorized as a sale within the generator and serve as a basic guide in cases where you’re unsure if our defaults apply to you. In practice, we can’t confirm whether or not your individual use of a service can be considered a sale – this is something that you must decide based on your individual processes. In cases where you’re still unsure whether or not your use of a service constitutes a sale, we suggest that you consult with your lawyer.
To get started, we’ll explain in detail what constitutes a sale under the CCPA and what qualifies as an exception to a sale, then examine iubenda’s “sale” defaults for services within the generator.
Under the CCPA, a sale is defined as:
“selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”
In other words, any arrangement between a business and a third party or other business that allows the business to receive some value (monetary or not) in exchange for the personal information of consumers* is virtually included in the “sale” definition.
*See CCPA definition of “consumer” here.
Under the CCPA, consumers have “the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information.” This is the right to opt out.
If the exchange of personal information between a business and another business is not defined as a “sale,” then the business is not prohibited from disclosing personal information to the other business without the opt-out option, provided some conditions and thresholds are met. In other words, exchanging information that does not constitute a “sale” under the CCPA does not trigger additional obligations about the opt-out process.
The CCPA does provide exceptions to its definition of a “sale” of a consumer’s personal information.
(A) A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this title. An intentional interaction occurs when the consumer intends to interact with the third party, via one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer’s intent to interact with a third party.
(B) The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer’s personal information for the purposes of alerting third parties that the consumer has opted out of the sale of the consumer’s personal information.
(C) The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose if both of the following conditions are met:
(i) The business has provided notice that information being used or shared in its terms and conditions consistent with Section 1798.135.
(ii) The service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose.
(D) The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided that information is used or shared consistently with Sections 1798.110 and 1798.115. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with Section 1798.120. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Unfair and Deceptive Practices Act (Chapter 5 (commencing with Section 17200) of Part 2 of Division 7 of the Business and Professions Code).
In other words, a “sale” does not occur when:
Let’s focus on the “service provider” exception under (C) above (more information about the definitions of “service provider” and “business purpose” is given below).
If a business discloses personal information to a service provider, then the business is obligated to:
It is important to note that disclosures of personal information from businesses to service providers are permitted, even where a consumer has opted out. This is because, as stated above, this does not qualify as a “sale” of personal information.
The “service provider” exception to a sale of personal information may be the most popular exception and allows a business to seek shelter under this exception where it applies. Under the CCPA, a “service provider” is defined as:
a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.
In other words, under the CCPA, a “service provider” meets these conditions:
A business will not be deemed to be a seller of consumer personal information when this information is exchanged with a “service provider” where:
First, let’s go over the written contract requirement. The written contract can take the form of a CCPA Service Provider Addendum attached to other existing terms and contracts. The CCPA specifies that this written contract include provisions that “prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business[.]”
(A) Prohibits the person receiving the personal information from:
(i) Selling the personal information.
(ii) Retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract.
(iii) Retaining, using, or disclosing the information outside of the direct business relationship between the person and the business.
(B) Includes a certification made by the person receiving the personal information that the person understands the restrictions in subparagraph (A) and will comply with them.
A person covered by paragraph (2) that violates any of the restrictions set forth in this title shall be liable for the violations. A business that discloses personal information to a person covered by paragraph (2) in compliance with paragraph (2) shall not be liable under this title if the person receiving the personal information uses it in violation of the restrictions set forth in this title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the person intends to commit such a violation.
In review, the written contract must include:
Now, let’s go over the “business purpose” requirement. The CCPA defines “business purpose” broadly.
“Business purpose” means the use of personal information for the business’ or a service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected. Business purposes are:
(1) Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
(2) Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
(3) Debugging to identify and repair errors that impair existing intended functionality.
(4) Short-term, transient use, provided the personal information that is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.
(5) Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.
(6) Undertaking internal research for technological development and demonstration.
(7) Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
In other words, a business purpose is:
Listed below are a few examples of service providers that collect, access, maintain, use, process and transfer the personal information of the customers of a business for the business’ purpose of performing the service provider’s obligations.
Here are just a few examples of potential service providers:
As stated above, a written contract and conditions must be in place with any and all third-party businesses that act as “service providers” to qualify for the exception to “sale” of personal information.
It is important to note that while using personal information for a “business purpose” does exempt that information from opt-out requirements, it does not exempt that personal information from CCPA disclosure requirements.
The services categorized inside the following purposes would most likely be a “sale” of personal information because they likely involve a transfer of personal information outside the scope of a business purpose or any other exception to a “sale”:
iubenda categories/purposes | how we categorize by default |
Access to third-party accounts | (likely) sale |
Advertising | (likely) sale |
Advertising serving infrastructure | (likely) sale |
Analytics | (likely) sale |
Beta Testing | (likely) sale |
Commercial affiliation | (likely) sale |
Contacting the User | (likely) sale |
Content commenting | (likely) sale |
Content performing and features testing (A/B testing) | (likely) sale |
Data transfer outside the EU | (likely) sale |
Displaying content from external platforms | (likely) sale |
Heat mapping and session recording | (likely) sale |
Interaction with data collection platforms and other third parties | (likely) sale |
Interaction with external social networks and platforms | (likely) sale |
Interaction with live chat platforms | (likely) sale |
Interaction with online survey platforms | (likely) sale |
Managing data collection and online surveys | (likely) sale |
Managing landing and invitation pages | (likely) sale |
Managing web conferencing and online telephony | (likely) sale |
Platform services and hosting | (likely) sale |
Registration and authentication | (likely) sale |
Remarketing and behavioral targeting | (likely) sale |
RSS feed management | (likely) sale |
Social features | (likely) sale |
Tag Management | (likely) sale |
User database management | (likely) sale |
The following services would most likely provide a necessary “business purpose” (the personal information is used for a business’ or service provider’s operational purposes) and, therefore, fall under the “business purpose” exception to a “sale” of personal data. Remember, as discussed in the CCPA, the business is required to enter into a written contract with the service provider that “prohibits the [service provider] receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business[.]”
iubenda categories/purposes | how we categorize by default |
Device permissions for Personal Data access | (possibly) no sale |
Handling activity data | (possibly) no sale |
Handling payments | (possibly) no sale |
Registration and authentication provided directly by {insert application} | (possibly) no sale |
Selling goods and services online | (possibly) no sale |
SPAM protection | (possibly) no sale |