What is a Sale under CCPA?

The CCPA defines “sell” or “sale” broadly to include many information transfers that would not ordinarily be considered a sale. There is no requirement for money to change hands in order to make a sale. Essentially, any information you share with a third party, where that third party does not promise to use the information only as needed to serve your business, is considered a sale. 

Am I Selling Personal Information if I use Facebook Ads?

If you share consumer information with Facebook, e.g., by adding the Facebook pixel to your site, Facebook will help you target relevant ads to your consumers, and it will also use the data it collects about your consumers to enhance its own databases and to help other businesses engage in better ad targeting. Facebook admits this is a sale by you to them, and they offer a setting called Limited Data Usage that you can enable either for all consumers or just for those who have clicked your Do Not Sell button.

Does CCPA Require a Cookie Banner and What Should my Cookie Banner Message Say?

While CCPA does not require a cookie banner, it does require businesses to notify consumers about privacy practices “at or before the point of collection.” Since websites collect personal information as soon as they load, having to scroll to the bottom of a page to find a privacy policy link is technically non-compliant. While you could place your privacy policy link at the top of your homepage rather than the bottom, at this point cookie banners are so ubiquitous that they have become a convenient way for businesses to give the type of “in-the-moment” disclosure that CCPA requires.

If you’re going to use a banner, what should it say? Of course you can look at examples of what others are doing in your industry, but in general the banner notice should refer to information collection, use and disclosure and should provide a link to your full privacy policy. For example: 

We use cookies and collect information to enhance your site experience, to understand our site visitors, and to provide relevant ads. See our privacy policy for details. [Accept] [Customize]

Here, the Accept button dismisses the banner and the Customize button leads to information about how to make privacy choices such as rejecting cookies and making other CCPA information requests. If you’re a WordPress publisher, Complianz.io provides a simple but powerful CCPA plugin to help you implement a cookie banner for CCPA. For businesses using other platforms, including Shopify and Squarespace, we recommend the privacy banner tools offered by TrustArc and Secure Privacy.

Businesses that “sell” personal information according to the CCPA’s definition also need a link called “Do Not Sell My Information” in their homepage footer that enables consumers to opt out of personal information sales. CCPA Toll Free provides a solution for collecting and managing CCPA rights requests, including “Do Not Sell” functionality.

Note that you should provide privacy notices in all languages in which you usually do business with or advertise to consumers.

Do I Need a DPA or Service Provider Agreement for My Vendors for CCPA?

Unlike GDPR, the CCPA does not require a data processing agreement with vendors. However, to be certain that working with a particular vendor will not be deemed an information “sale” to that vendor, check the vendor’s MSA, TOS or other contract to see if it says the vendor is acting as your “service provider” for CCPA purposes. Service provider is a special CCPA status for vendors that agree to limit their data usage to serving your interests only, ensuring that the transfer is not a sale. If the vendor does not have service provider terms in their contract, ask them to sign a standalone agreement such as this model CCPA Short-Form Addendum.

Remember, if you work with a vendor that does not promise to be your service provider, then you may be selling personal information to the vendor, triggering the requirement for you to include a Do Not Sell My Personal Information link in your homepage footer.
