- 1798.100 – Consumers right to receive information on privacy practices and access information
- 1798.105 – Consumers right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
If an App asks users to consent to a privacy notice, and the privacy notice discloses that the App shares user information with AdTech partners, would that sharing be considered a “sale?”
Some privacy advocates and plaintiffs’ attorneys have argued that the CCPA’s broad definition of the term “sell” might encompass the transmission of user information from an App to an AdTech partner. Specifically, they claim that the CCPA considers any “disclos[ure]” of personal information to be a “sale” when a company receives “monetary or other valuable consideration.” As the definition of “personal information” includes “unique identifiers” – a term which includes “mobile ad identifiers, or similar technology” – the act of transmitting information about a user’s device to an AdTech partner that then leads to ad revenue should be considered a “sale” for the purposes of the Act.
While the definition of “sale” under the CCPA contains an exception for situations in which information is shared with a service provider, that exception may not apply to all AdTech partners.1 Specifically, to invoke the service provider exception the contract between an App publisher and an AdTech partner must “prohibit” the partner “from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract with the business.”2 Behavioral advertising networks that retain the information that they obtain from Apps and use that information for the benefit of themselves (or the benefit of other members of a behavioral advertising network) may not satisfy the definition of a “service provider.”
The definition of “sale” under the CCPA contains a second exception for situations in which a “consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party.”3 In order to mitigate the risk that sending user information to AdTech partners might be interpreted as a “sale” of information, some App publishers disclose that they transmit information to AdTech partners in their privacy notices, and then ask users to consent to those notices (and, hence, consent to the sharing of their information). If the App publisher obtains consent to its privacy notice, it could argue that the consumer has “direct[ed] the business to intentionally disclose” information and, therefore, the transfer of information is not a sale. The strength of such an argument may depend, in part, on the prevalence of the privacy notice, and the manner in which consent is solicited and obtained.