How CCPA Affects the Sale of Customer Data

The California Consumer Privacy Act (CCPA) allows the sale of customer data, even personally identifiable data, but it does add new restrictions.  In this post we will discuss whether or not the new law applies to your organization, the restrictions on selling data without consent, and the restrictions for selling personally identifiable data.

If you’re short on time, here are the rules in brief:

  • Selling non-personal information from California residents — Data must be de-identified or bundled in aggregate
  • Selling the personal information of California residents obtained while they were in California — They must be given a clear option to opt out of the sale of their information
  • Sale of personal information for users under 16 years of age — This is prohibited unless parental consent is received (0-13 years old) or the person offers affirmative consent (13-16 years old)

Does the CCPA apply to my organization?

If your company does business in California and meets any of these three benchmarks, then the law applies:

  1. Receive, buy, share, or sell the personal information of ≥50,000 consumers, households, and/or devices annually
  2. Obtain ≥50% of annual revenue from the sale of customer/consumer data
  3. Annual gross revenue >$25,000,000

Does my organization need consent to sell consumer data?

Companies can sell consumer data without consent as long as it is either de-identified or sold in aggregate.  De-identification means that all personally identifiable information is removed from the data set. To comply with the de-identification exception, safeguards need to be in place to prevent the re-identification of a user.

Selling consumer information in aggregate means that saleable information for a group of users is gathered together and sold as a collection.  In this way, identities cannot be determined.

For instance, an online marketplace can sell information back to its wholesalers about how often their individual products are viewed in different cities, but cannot give the IP addresses connected to those searches (without the following considerations in mind).

What if personally identifiable data is important to the value of the information?

If your organization relies on the sale of personally identifiable information, then you will need to give consumers a clear way to opt out.  This opt-out option must be clearly visible, such as a link with the header “Do Not Sell My Personal Information.”

The right to opt out of the sale of personal information must also be included in your organization’s privacy policy.

Finally, the personnel working with the data must be explicitly trained in the CCPA, and there must be written standards and practices for in-house CCPA compliance.

What are the CCPA rules for monetizing minors’ data?

In the case of minors, defined in this law as persons under 16 years of age, there are two facets.

For consumers that are less than 13 years old — Organizations need to obtain parental consent to sell a consumer’s data.

Consumers that are 13-16 years of age — Organizations need consumers to explicitly opt in to the sale of personal data. This contrasts with adults, who must “opt out” of the sale of personal data.

Interested in data architecture advising and implementation to support compliance with CCPA?  Contact us today to learn more about how we can help.

Looking for more information on the CCPA?

For more resources on the CCPA check out our other articles on the topic.

Learn about the CCPA and if it affects your organization

How to prevent data breaches in light of the new CCPA imposed minimum damages


DISCLAIMER – The information provided in this post should serve solely as an overview for readers to understand why certain technology optimizations could be helpful for their companies, and it should not serve in any way as or take the place of legal advice. Companies should consult a legal professional and the law directly for more information.


Dattell LLC

Data consulting and implementation services from Dattell provide STRATEGY, ENGINEERING, and PERSPECTIVE to support your organization’s data projects. Our services include custom Data Architecture, Business Analytics, Operational Intelligence, Centralized Reporting, Automation, and Machine Learning. Dattell specializes in Apache Kafka and the Elastic Stack for reliable data collection, storage, and real-time display.
