What is a Sale under CCPA?
The CCPA defines “sell” or “sale” broadly to include many information transfers that would not ordinarily be considered a sale. There is no requirement for money to change hands in order to make a sale. Essentially, any information you share with a third party, where that third party does not promise to use the information only as needed to serve your business, is considered a sale.
Am I Selling Personal Information if I use Facebook Ads?
If you share consumer information with Facebook e.g., by adding the Facebook pixel to your site, Facebook will both help you to target relevant ads to your consumers, and they will also use the data they collect about your consumers to enhance their own databases and to help other businesses engage in better ad targeting. Facebook admits this is a sale by you to them, and they offer a setting called Limited Data Usage that you can enable either for all consumers or just those who have clicked your Do Not Sell button.
Does CCPA Require a Cookie Banner and What Should my Cookie Banner Message Say?
Here, the Accept button dismisses the banner and the Customize button leads to information about how to make privacy choices such as rejecting cookies and making other CCPA information requests. If you’re a WordPress publisher, Complianz.io provides a simple but powerful CCPA plugin to help you implement a cookie banner for CCPA. For businesses using other platforms, including Shopify and Squarespace, we recommend the privacy banner tools offered by TrustArc and Secure Privacy.
Businesses that “sell” personal information according to the CCPA’s definition also need a link called, “Do Not Sell My Information” in their homepage footer that enables consumers to opt out of personal information sales. CCPA Toll Free provides a solution for collecting and managing CCPA rights requests, including “Do Not Sell” functionality.
Note you should provide privacy notices in all languages in which you usually do business with or advertise to consumers.
Do I Need a DPA or Service Provider Agreement for My Vendors for CCPA?
Unlike GDPR, the CCPA does not require a data processing agreement with vendors. However, to be certain that working with a particular vendor will not be deemed an information “sale” to that vendor, check to the vendor’s MSA, TOS or other contract to see if it says the vendor is acting as your “service provider” for CCPA purposes. Service provider is a special CCPA status for vendors that agree to limit their data usage to serving your interests only, ensuring that the transfer is not a sale. If the vendor does not have service provider terms in their contract, ask them to sign a standalone agreement such as this model CCPA Short-Form Addendum.
Remember, if you work with a vendor that does not promise to be your service provider, then you may be selling personal information to the vendor, triggering the requirement for you to include a Do Not Sell My Personal Information link in your homepage footer.