Many online businesses utilize map services to provide location, distance, and direction information to consumers. The provision of map services inherently requires the business to share consumers’ personal information with the map provider (e.g., location information, IP address, etc.).
The CCPA broadly defines the term “sale” as including the act of “disclosing” or “making available” personal information “for monetary or other valuable consideration” from one business to another, and in some cases might include personal information that is shared between a business and its vendors. There are two primary ways to avoid characterizing this type of disclosure as a “sale”:
- The vendor is considered a “service provider” under the CCPA (i.e., the contract with the vendor has use, disclosure and retention prohibitions).1
- The consumer “uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party.” In either case the consumer’s actions must be “deliberate” and “intentional.”
If the contract between the business and the map provider limits the provider’s use, disclosure, and retention of the personal information as required by the CCPA, the provider would be considered a “service provider” and the disclosure would not be a “sale.” In the event the provider cannot be considered a “service provider,” the disclosure might be a sale depending, in part, on whether the consumer intentionally directed the business to disclose personal information.
Businesses generally utilize maps within a website or application in one of two ways: 1) the consumer must choose to interact with the map or 2) the website or application is inherently interconnected with the map (the consumer has no choice as to whether or not they interact with the map). The type of utilization affects whether the consumer can be said to have intentionally and deliberately directed the business to disclose personal information.
Chosen interaction with the map
A consumer who, for example, scrolls to the bottom of a web page and interacts with an embedded map is arguably making an affirmative act. Information disclosed to the map provider in this scenario would likely not be a “sale” of data.
Application or website is interconnected with the map
A consumer who, for example, opens an app on their phone and is immediately sent to a map page has not necessarily intentionally or deliberately interacted with the map provider. Instead, the consumer has intentionally interacted with the business; the map is a secondary interaction. As such, an argument could be made that the disclosure of information to the map provider might be a “sale” under the CCPA.