- 1798.100 – Consumer's right to receive information on privacy practices and to access information
- 1798.105 – Consumer's right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumer's right to receive information about onward disclosures
- 1798.120 – Consumer's right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of CCPA rights (including the opt-out right)
Are consumers in Europe more likely than consumers in the United States to “opt-in” to cookies?
Yes.
Most cookie banners can be classified into one of three general categories: (1) notice only banners, (2) notice + opt-out banners, and (3) notice + opt-in banners. If a company chooses to adopt a cookie banner that provides notice and solicits the opt-in consent (e.g., “I agree”) of website users, the company would have a strong argument that it does not need to disclose that it has sold information, does not need to forward deletion requests to the providers of its third party cookies, and does not need to include an “opt out of sale” link on its website.1
Companies often struggle with anticipating the percentage of users that are likely to accept the deployment of cookies when prompted. There is relatively little empirical data publicly available concerning website visitors’ interactions with cookie banners. The little data that exists, however, indicates that acceptance rates differ depending upon the location of the website visitor. Specifically, users in some European countries (e.g., Sweden and the Netherlands) appear to “accept” cookies when presented with a cookie notice that solicits opt-in at rates that may be more than double the acceptance rate in the United States.2
Under the CCPA, can a conference organizer transfer personal information of attendees to sponsors?
Yes.
Conference and event organizers often provide lists of conference attendees to third parties that sponsor (or exhibit at) the conference. While nothing within the CCPA prohibits such information from being shared, the transfer of information may, or may not, be considered a “sale” depending upon the following factors:
- Did the sponsor or exhibitor provide consideration for the data? The CCPA defines “sale” to include the disclosure of personal information by one business to another “for monetary or other valuable consideration.”1 To the extent that a business’s motivation for sponsoring a conference is unrelated to the receipt of personal information (e.g., brand recognition, speaking opportunities, etc.), the sponsor may be able to argue that the receipt of personal information was ancillary to its sponsorship and, because the information was not the object of the consideration provided, no consideration was tendered for it.
- Did the sponsor or exhibitor obtain the consent of the attendees to have their information shared? The CCPA exempts from the definition of “sale” situations in which a consumer “directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party . . . .”2 As a result, if a conference organizer asks for, and obtains the consent or authorization of conference attendees to share their information with sponsors or exhibitors there would be a strong argument that the information was not sold.
Is the disclosure of personal information for purposes of creating a look-alike audience a “sale” under the CCPA?
Sometimes.
Many companies today use “look-alike audiences” (a.k.a. “mirror audiences” or “similar audiences”) to reach potential consumers through online advertising. A look-alike audience is created when a business sends information, typically in hashed form, about a group of its current customers (the “seed audience”) to an advertising platform, which matches the seed audience against its own user base and then identifies an entirely new audience (the “look-alike audience”). The matching process uses the aggregated seed audience information to identify new individuals who have similar purchase habits, preferences, search histories, or other relevant traits. After the match is complete and the look-alike audience created, the advertising platform serves the business’s ads directly to the look-alike audience.1 While the use of a look-alike audience can offer significant advantages to a company, it can also raise concerns that the company is “selling” personal information as defined by the CCPA: the hashing does not remove the data from the definition of personal information, because the platform can only match the seed audience if it can recompute the same hashes from identifiers it already holds.
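As an added example (not code from the original page or from any advertising platform), the following Python models the hashed seed-audience exchange described above. The customer and platform user lists are constructed sample data; the normalization and SHA-256 step are assumptions that stand in for whatever a particular platform specifies. It shows two things the paragraph does not: both sides must normalize identically or nothing matches, and the matching works precisely because the hashes are deterministic, so the upload is pseudonymous rather than anonymous.

```python
import hashlib
import unicodedata

# Constructed sample data (hypothetical): the business's customer list as
# exported, and the ad platform's own user records.
BUSINESS_CUSTOMERS = [
    "Alice@Example.com",
    " bob@example.com ",
    "Carol@Example.COM",
    "dave@example.org",
]
PLATFORM_USERS = [
    "alice@example.com",
    "bob@example.com",
    "erin@example.net",
    "dave@example.org",
]


def normalize_email(email: str) -> str:
    """Trim, Unicode-normalize (NFKC) and lowercase the address.

    Both parties must apply the same rule before hashing; otherwise the
    hashes differ and the platform silently matches nothing.
    """
    return unicodedata.normalize("NFKC", email).strip().lower()


def raw_hash(value: str) -> str:
    """Unsalted SHA-256 of the bytes as given (no normalization)."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def hash_identifier(value: str) -> str:
    """Hash the normalized identifier.

    Deliberately unsalted and deterministic: a per-business salt would defeat
    the match. That determinism is also why the output is pseudonymous, not
    anonymous: anyone holding a candidate list can recompute and test it.
    """
    return raw_hash(normalize_email(value))


def build_seed_audience(customers):
    """What the business uploads: a set of hashes, no plaintext."""
    return {hash_identifier(c) for c in customers}


def platform_match(seed_hashes, platform_users):
    """What the platform does: hash its own users the same way and intersect.

    Returns the plaintext identities the platform resolved the hashes to.
    The same operation reverses the hashes for any party with a guess list.
    """
    index = {hash_identifier(u): normalize_email(u) for u in platform_users}
    return sorted(index[h] for h in seed_hashes if h in index)


def match_rate(seed_hashes, platform_users) -> float:
    """Fraction of the uploaded seed audience the platform could identify."""
    if not seed_hashes:
        return 0.0
    return len(platform_match(seed_hashes, platform_users)) / len(seed_hashes)


if __name__ == "__main__":
    seed = build_seed_audience(BUSINESS_CUSTOMERS)
    print("uploaded hashes:", sorted(seed))
    print("resolved by platform:", platform_match(seed, PLATFORM_USERS))
    print("match rate:", match_rate(seed, PLATFORM_USERS))
```

Three of the four customers resolve to named platform accounts; Carol is unknown to the platform and stays unresolved, but her hash is still present in the upload and would resolve the moment her address appears in any list the platform later acquires.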
Depending on the underlying contractual terms, the business’s initial transfer of customers’ personal data to the advertising platform could be considered a “sale” under the CCPA. The CCPA broadly defines “sale” to include “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating…a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”2 As such, the very act of transferring the data arguably falls within this broad definition, since the business almost certainly receives valuable consideration (the look-alike audience and the ad delivery) in return.
However, a “sale” does not include sharing information with a “service provider.” A “service provider” includes an entity that “process[es] information on behalf of a business and to which a business discloses a consumer’s personal information for a business purpose pursuant to a written contract.”4 Importantly, the contract must prohibit the entity from “retaining, using, or disclosing” the personal information for any purpose other than to perform the services specified in the contract.5 The contractual terms between the business and the advertising company governing the creation of the look-alike audience, such as the advertising platform’s terms of service, may exclude the initial data transfer from the definition of “sale” by qualifying the advertising platform as a “service provider.” Each advertising platform has different contractual terms, so in order to determine whether the creation of a look-alike audience is a “sale” under the CCPA, a business must determine the following:
- Does the contract prohibit the advertising platform from “using” the data for any purpose other than to create the look-alike audience?
- Does the contract prohibit the advertising platform from “disclosing” the data to another third party except for the purposes of creating the look-alike audience?
- Does the contract prohibit the advertising platform from “retaining” the data longer than as necessary to create the look-alike audience?
If the contract fails to do any of those three things, or the contract does not govern all of the personal information subject to the transfer, the transfer of data to the advertising platform is likely a “sale” under the CCPA.
If a company acquires another company, can it transfer the target’s data to its new affiliates for their marketing purpose?
Federal and state privacy laws do not expressly prohibit most acquirers (e.g., acquirers of a retail brand) from internally transferring the target’s data for use by affiliated companies. That said, in 2000, the Federal Trade Commission took the position that a company that had included a broad statement within its privacy notice that it would not share personal information with third parties could not transfer personal information as part of the sale and/or acquisition of the company unless the acquirer met certain threshold qualifications (e.g., hailed from the same industry).1 Forty-six states, the District of Columbia, and two federal territories took an even more restrictive position that the information could never be transferred to an acquirer.2 As a result of the positions taken by the FTC and state regulators, as a best practice, most organizations now include a clause within their privacy notices that affirmatively states that personal information may be shared as part of a merger or acquisition. For example, many companies include a provision along the following lines:
“If another company acquires, or plans to acquire, our company, business, or our assets, we will also share information with that company, including at the negotiation stage.”
If the target has a disclosure similar to the above, the acquirer arguably can take and disseminate to corporate affiliates the personal information collected by the target consistent with federal and (most) state laws.
This result is largely consistent with the approach taken by the California Consumer Privacy Act. The CCPA broadly defines the term “sale” as including the act of “disclosing” or “making available” personal information “for monetary or other valuable consideration” from one business to another.3 The CCPA includes an exception to the definition of “sale,” however, for situations in which information is transferred as part of an acquisition in which the acquirer “assumes control of all or part of” the target.4 In those situations, the Act permits internal transfers to occur without classifying those transfers as “sales” so long as the information is “shared” consistently with the target’s privacy notice.5 On a going-forward basis (i.e., post-acquisition) the CCPA’s rules concerning affiliate sharing likely apply. Under those rules, an entity that is owned by another entity is considered a separate business unless the two companies “share[] common branding.”6 For the purposes of the statute, “common branding” is defined as a “shared name, servicemark, or trademark.”7
The net result is that if a privacy notice states that information can be shared between and among acquirers and affiliates, such sharing is arguably permitted at the time of acquisition. On a go-forward basis, at least in California, the target would need to share common-branding with the acquirer in order to continue the sharing of information without raising the possibility that such continued use constitutes the “sale” of information for which an opt-out right would need to be given. That said, an amendment to the CCPA deferred the full impact of the Act upon employee data until January 1, 2021.8
Do cookie banners receive different acceptance rates on desktops and on smartphones?
Yes.
Companies often struggle with anticipating the percentage of users that are likely to accept the deployment of cookies when prompted. There is relatively little empirical data publicly available concerning website visitors’ interactions with cookie banners. The little data that does exist, however, indicates that user acceptance rates are significantly greater when a user visits a website on a smartphone. For example, in one study researchers placed the same cookie banner at the bottom-left of the page on both desktop and smartphone screens.2 They found that desktop visitors accepted the banner 18.4% of the time, whereas smartphone visitors accepted the same banner 26.4% of the time. When other variables were controlled, the difference increased. So, for example, when the banner was adjusted to present only two options – accept or decline – the acceptance rate increased to 45.6% for smartphone users while it remained around 20% for desktop users.3 The increase was likely caused by presenting options that were, from a user-experience perspective, easy to select on a smartphone.
Does the placement of a cookie banner impact user acceptance rate?
Yes.
Companies often struggle with how to display a cookie banner given the complexities of conveying information to individuals that may lack technical expertise, and “banner fatigue” – i.e., the fact that website visitors are presented with so many pop-ups and banners that they often do not spend the time to read banners that appear before closing them.
There is relatively little empirical data publicly available concerning website visitors’ interactions with cookie banners. The little data that does exist, however, indicates that user acceptance rates are significantly impacted by where a cookie banner is placed on a screen. For example, in one study researchers randomly placed the same cookie banner at the top, the top-left, the top-right, the bottom, the bottom-left, and the bottom-right of a website and then observed how 14,135 website visitors interacted with the banner.2 They found that when the banner was placed in a “bar” at the top of the page approximately 1.8% of visitors accepted cookies. When the same banner was placed at the bottom-left of the screen the acceptance rate jumped to 18.4%. While the researchers did not probe the cause of the difference, they suspected that the bottom-left placement was more likely to cover the main content of a website (in comparison, notices shown at the top often hide only design elements), and that website visitors were accustomed to the left-to-right directionality of Latin script. Both factors may cause viewers to interact with a cookie banner at the bottom-left.
CCPA Privacy FAQs: Are corporate affiliates that use common branding safe under the CCPA?
The CCPA broadly defines the term “sale” as “disclosing” or “making available” personal information “for monetary or other valuable consideration” from one business to another.1 The CCPA implies that two (or more) entities are considered a single “business” if one of the entities “controls or is controlled by” the other, and the two entities “share[] common branding.”2 A threshold question, therefore, asked by corporate affiliates that are part of large corporate structures is whether their relationship with a sister entity satisfies the “control[]” or “controlled by” language.
Confusion surrounding what it means to be “controlled” by another entity stems, in part, because the CCPA’s definition of “control” departs from the definitions used in other privacy statutes. For example, the following compares the definition of “control” found within the CCPA and the definition of “control” found within the Gramm Leach Bliley Act’s (“GLBA”) Privacy Rule (Regulation P) that applies to financial institutions:
| Criteria | CCPA definition of control | GLBA (Regulation P) definition of control |
| --- | --- | --- |
| Ownership, or the power to vote, at least 25% of the outstanding shares of voting security. | Not in and of itself sufficient3 | ✓4 |
| Ownership, or the power to vote, at least 50% of the outstanding shares of voting security. | ✓5 | ✓6 |
| Control in any manner over the election of a majority of the directors, or of individuals exercising similar functions. | ✓7 | ✓8 |
| The power to exercise a controlling influence over the management of a company. | ✓9 | ✓10 |
As indicated above, while the definitions are similar, an entity that owned a substantial, but minority, share of a second entity (e.g., 49%) would be considered to “control” the second entity under the GLBA, but would not be considered to “control” the second entity under the CCPA unless it also exercised some other control element (e.g., a controlling influence over management).
The CCPA adds additional confusion because, unlike many other privacy statutes, it does not define or use the term “affiliate” or “corporate group” to explicitly account for the reality that many modern corporate structures include intermediary ownership. For example, Regulation P defines an “affiliate” to mean “any company that controls, is controlled by, or is under common control with another company.”11 When the definition of “affiliate” is combined with the definition of “control,” it is clear that, under the following corporate structure, if Entity E were to transmit data to Entities A, B, C, D, F, G, H, I or J, they would be sharing with a corporate “affiliate:”
Because the CCPA lacks any definition of “affiliate” or “corporate group,” some companies have wondered whether the CCPA would only treat a transfer between two entities that are in a direct vertical relationship (e.g., Entity B and Entity A) as occurring within the same “business.” Such an interpretation, however, is highly unlikely for two reasons. With regard to vertical transmissions of information up a corporate structure, as indicated above, the CCPA defines “control” as not limited to just the entity that “owns” another entity, but as including an entity that “exercise[s] a controlling influence over the management” of another entity. In the above corporate structure, it is likely that Entity A exercises a “controlling influence” (whether direct or indirect) with regard to all of the other corporate entities. With regard to horizontal transmission of information (e.g., Entity B to Entity C), courts are likely to triangulate ownership such that if Entity B is “controlled by” Entity A it represents a single “business,” and if Entity A “controls” Entity C, then it too represents part of the same single business.
The net result is that while the language of the CCPA is far less artful than the language used in most other privacy statutes, it will likely be interpreted as permitting data to be shared between and among a corporate group, so long as all of the members of the group ultimately trace control or ownership back to a common source.
CCPA Privacy FAQs: If a business shares information through its loyalty program with a third party fulfillment company, is it “selling” information?
Probably not.
The CCPA broadly defines the term “sale” as including the act of “disclosing” or “making available” personal information “for monetary or other valuable consideration” from one business to another.1
The definition of “sale” under the CCPA contains an exception for situations in which information is shared with a service provider. Whether the exception applies to a third party fulfillment company that has been contracted by a loyalty program operator to provide benefits (e.g., free merchandise, goods, or services) depends in part upon the contract in place with the fulfillment company.2 Specifically, the service provider exception requires that the following three conditions be present:
- The transfer of information to the service provider must be “necessary” for the loyalty program’s business purpose.3 There is a strong argument that the use of a vendor to fulfill promised benefits is necessary to the operation of a loyalty program.
- The transfer of information to the service provider must be disclosed to consumers. Many loyalty programs meet this requirement by disclosing their use of service providers in their privacy policies.
- The agreement with a service provider must “prohibit” the service provider “from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract with the business.”4 Whether the contract in place with a fulfillment provider meets these requirements may be a case-by-case inquiry.
CCPA Privacy FAQs: If a business allows consumers to redeem loyalty program benefits for products or services offered by a partner, does that constitute the sale of information?
No.
The CCPA broadly defines the term “sale” as including the act of “disclosing” or “making available” personal information “for monetary or other valuable consideration” from one business to another.1 In the context of loyalty programs, it is not unusual for the operator of a loyalty program to enter into an agreement with a business partner (e.g., another company) to permit a consumer to redeem loyalty points accumulated through the loyalty program of business A in order to receive goods or services provided by business B. For example, a hotel may have an agreement with a car rental service through which a consumer can redeem hotel loyalty points to receive a free car rental.
Such redemption arrangements may require the disclosure of personal information from one business (e.g., business A) to a second business (e.g., business B), and may include the payment of money or other consideration for the ability to receive advertising or promotion as a rewards provider. As a result, and depending upon the structure of the business relationships, it is possible that the arrangement could fit the definition of “sale” under the CCPA.
Assuming that the transfer of information to a redemption partner did satisfy the definition of a “sale,” the CCPA contains an exception for situations in which a “consumer uses or directs the business to intentionally disclose personal information.”2 As a result, if a consumer uses a loyalty program in order to interact with another business, or directs a loyalty program to disclose personal information as part of a points redemption, the loyalty program operator arguably has not “sold” information.
Stop the CCPA Fearmongering: Loyalty Programs Will Survive
Anytime a new statute or regulation comes along, some law firms unfortunately flag issues that may not be of true concern to companies, or highlight problems that may not, in fact, exist. Unfortunately, that continues to happen in connection with the California Consumer Privacy Act (“CCPA”). In the context of retailer loyalty or reward programs, firms have said that the CCPA may spell the “end of loyalty programs,” or implied that the CCPA could lead to “the potential elimination of loyalty programs due to the nondiscrimination requirements.” Some law firms have gone so far as to advise retailers to “address the issue[s]” caused by their loyalty programs by “not offer[ing] preferential pricing through loyalty programs” or by “mak[ing] loyalty program pricing available to all customers” regardless of whether they are, in fact, members of the loyalty program. Such changes would, of course, destroy the business-case for having a loyalty program in the first place.
These concerns are incorrect and demonstrate a lack of understanding of the requirements of the CCPA. While the Act is, without a doubt, flawed, poorly drafted, and prone to misinterpretation, it does not lead to the conclusion that most loyalty programs are inherently problematic, nor should it cause most retailers to drastically change the terms and structure of their program. The hyperbolic treatment of loyalty programs by some law firms may also have contributed to several companies and industry groups echoing these concerns with the California legislature and the California Attorney General and alleging (incorrectly) that “the CCPA may prevent[] marketers from offering loyalty programs,” or that the CCPA, as currently written, prohibits “tiered pricing, discounts or coupons.”
The following dispels five (mis)statements that have been made in connection with the CCPA’s impact on loyalty programs.
1. Myth: The CCPA prohibits “charging different prices or rates for goods or services.”
It does not.
The prohibition against price discrimination in the CCPA only applies to situations in which a consumer exercises a right conferred by the CCPA. Nothing within the CCPA confers a right to join (or not join) a loyalty program. For more information, see FAQ: Is a business prohibited from giving discounts to loyalty program members?
2. Myth: The CCPA states that the benefit provided to the consumer through a loyalty program must be reasonably related to the value provided to the business by the consumer’s data.
It does not.
As indicated above, the CCPA prohibits a business from engaging in price discrimination when a consumer exercises a right under the CCPA. The CCPA provides an exception to that prohibition when the discrimination relates to a “price or difference” that is related to the value provided to a business by the consumer’s data.1
While some lawyers have misinterpreted this as requiring that all loyalty program benefits be related to the value provided to the business by the consumer’s data, as noted above, the operation of the loyalty program itself is not prohibited by the CCPA and, thus, does not require the benefit of this exception.
For more information, see FAQ: Does a loyalty program benefit have to relate to the value provided to a business by consumer data?
3. Myth: Businesses must honor deletion requests for loyalty members.
They generally do not.
One of the rights conferred by the CCPA is the ability of a consumer to request that a business delete personal information “which the business has collected from the consumer.”2 While numerous retailers have expressed confusion regarding whether that right requires the deletion of loyalty program related data, it is important to remember the right to deletion is not an absolute right and may rarely apply in the context of a loyalty program.
As an initial matter, because the right to deletion is limited to information that the business has collected “from” the consumer, if a business receives a deletion request under the CCPA, there is a strong argument that the business is permitted to keep information about the consumer that it developed itself (e.g., its transactions or experiences with the consumer), or information that it received from third parties (e.g., third party businesses that may participate in the loyalty program). As this information was not collected “from” the consumer, it arguably does not fall within the ambit of the deletion right.
In connection with information that is collected directly from a consumer (e.g., name, email address, enrollment details, etc.), there are several exceptions to the CCPA which would allow a business to refuse a deletion request. For more information about each of those exceptions, and a description of how they apply to most loyalty programs, see FAQ: Is a business required to delete loyalty program information if it receives a deletion request from an active member? and FAQ: Is a business required to delete loyalty program information if it receives a deletion request from an inactive member?
4. Myth: Businesses that offer loyalty programs must include a “do not sell my personal information” link.
Not necessarily.
The CCPA requires that a business that sells personal information disclose within its privacy policy a “list of the categories of personal information it has sold about consumers in the preceding 12 months.”3 The business must then include a link on its homepage titled “Do Not Sell My Personal Information” and allow consumers to opt-out of the sale.
The net result is that if a business sells loyalty program information, the business must disclose that fact and then include a “Do Not Sell” link; if a business does not sell loyalty program information, the business is not required to include such a link.
For more information go to FAQ: Is a business required to post a “do not sell” link if it offers a loyalty program?
5. Myth: Businesses that allow consumers to redeem points with third parties are selling information.
They generally are not.
The CCPA broadly defines the term “sale” as including the act of “disclosing” or “making available” personal information “for monetary or other valuable consideration” from one business to another.4 In the context of loyalty programs, it is not unusual for the operator of a loyalty program to enter into an agreement with a business partner (e.g., another company) to permit a consumer to redeem points accumulated through the loyalty program of business A in order to receive goods or services provided by business B. For example, a hotel may have an agreement with a car rental service through which a consumer can redeem hotel loyalty points to receive a free car rental.
Such redemption arrangements may require the disclosure of personal information from one business (e.g., business A) to a second business (e.g., business B), and may include the payment of money or other consideration for the ability to receive advertising or promotion as a rewards provider. As a result, and depending upon the structure of the business relationships, it is possible that, at first glance, the arrangement could fit the definition of “sale” under the CCPA.
Assuming that the transfer of information to a redemption partner did satisfy the definition of a “sale,” the CCPA contains an exception for situations in which a “consumer uses or directs the business to intentionally disclose personal information.”5 As a result, if a consumer uses a loyalty program in order to interact with another business, or directs a loyalty program to disclose personal information as part of a points redemption, the loyalty program operator arguably has not “sold” information.
For more information, go to FAQ: If a business allows consumers to redeem loyalty program benefits for products or services offered by a partner, does that constitute the sale of information?