CCPA: What if I don't sell data?
Last week, we discussed the kinds of businesses that must comply with the California Consumer Privacy Act of 2018. Now we will turn to some of the activities that need to be disclosed under the law.
Some businesses may be under the impression that they do not need to worry about compliance because they do not sell data. That is not true.
Under the CCPA, a business also needs to give consumers various notices if the business "discloses it [consumer data] for a business purpose."
"'Business purpose' means the use of personal information for the business’ or a service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected. Business purposes are:
"(1) Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
"(2) Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
"(3) Debugging to identify and repair errors that impair existing intended functionality.
"(4) Short-term, transient use, provided the personal information that is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.
"(5) Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.
"(6) Undertaking internal research for technological development and demonstration."
The notice must include the following:
1. "The category or categories of consumers’ personal information it has sold, or if the business has not sold consumers’ personal information, it shall disclose that fact."
2. "The category or categories of consumers’ personal information it has disclosed for a business purpose, or if the business has not disclosed the consumers’ personal information for a business purpose, it shall disclose that fact."
These notices must be updated every 12 months, and the notices must accurately reflect the categories the business has disclosed and sold over the preceding 12 months.
A business that does not sell data, but does disclose it must also be prepared to respond to consumer requests for the following information:
"Identify by category or categories the personal information of the consumer that the business disclosed for a business purpose in the preceding 12 months . . . and provide the categories of third parties to whom the consumer’s personal information was disclosed for a business purpose in the preceding 12 months . . . ."
Thus, even businesses that do not sell consumer data need to take a hard look at the CCPA to see if how it discloses any consumer data requires it to comply with these notice and response requirements.
This article is for informational purposes only and does not constitute legal advice. This article does not create any attorney-client relationship between Gundersen & Gundersen LLP and the recipient. Any testimonial or endorsement in this document does not constitute a guarantee, warranty, or prediction regarding the outcome of your legal matter. Previous results do not guarantee a similar outcome.