Many online businesses utilize “bot” detection services to determine whether actions taken on a website or application have been made by a human or by an automated program (i.e., a “bot”). The provision of bot detection services inherently requires the business to share consumers’ personal information with the bot detection provider (e.g., browsing history, a consumer’s interaction with a website, IP address, etc.).

The CCPA broadly defines the term “sale” as including the act of “disclosing” or “making available” personal information “for monetary or other valuable consideration” from one business to another, and arguably includes personal information that is shared between a business and its vendors. There are two primary ways to avoid characterizing this type of disclosure as a “sale”:

  1. The vendor is considered a “service provider” under the CCPA (i.e., the contract with the vendor has use, disclosure and retention prohibitions).1
  2. The consumer “uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party.” In either case, the consumer’s actions must be “deliberate” and “intentional.”

If the contract between the business and the bot detection provider limits the provider’s use, disclosure, and retention of the personal information as required by the CCPA, the provider would be considered a “service provider” and the disclosure would not be a “sale.” In the event the provider cannot be considered a “service provider,” the disclosure might be a sale depending on whether the consumer intentionally directed the business to disclose personal information.

Bot detection services generally utilize one of two methods for verification. The type of verification used affects whether the consumer can be said to have intentionally and deliberately directed the business to disclose personal information.

“Challenge” bot detection services:

Bot detection services that validate requests with a “challenge” typically require users to click a checkbox or pass a visual test to prove they are not a robot. There is commonly a logo displayed alongside the test indicating the third party that is providing the challenge. An interaction with the challenge, especially where the third party challenge-provider is identified, is arguably an affirmative act by a consumer. In such situations, information disclosures to the bot detection service would not be a “sale” of data.

“Score” bot detection services:

Bot detection services that validate requests with a “score” typically analyze the activity that occurs on a website or application (e.g., mouse movements, IP address, and length of visit) and returns a “score” to the business. The business can then look at the score and respond by requiring additional factors of authentication or eliminating bots that may be scraping content. These bot detection services are often invisible and give no indication that information is being collected or analyzed in the background. As there is no direct interaction by the consumer with the website, this service would not fall under the “user directed” exception to “sale.”