The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff’s friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.

Q. Do companies have to affirmatively state within their privacy policy that they “do not sell” personal information?

Most United States federal data privacy laws apply to specific sectors (e.g., financial institutions, health care providers, or educational institutions), and most state data privacy laws are triggered by the collection of specific types of personal information (e.g., Social Security Numbers), or by the collection of personal information through specific mediums (e.g., online collections of personal information). In situations in which a data privacy law does apply, and mandates that a privacy notice be provided, the majority of federal and state statutes do not require that the privacy policy affirmatively state whether an organization sells or does not sell a consumer’s personal information.

The exception is California. Within California two laws sometimes require that companies affirmatively disclose when information is sold.

The California Shine the Light Law applies to companies that have a business relationship with a consumer that is “primarily for personal, family, or household purposes.”1 As a result, the statute does not apply to collections of personal information in other contexts (e.g., business-to-business relationships, or situations in which no consumer-business relationship has formed). If the statute applies, it requires that a company either notify all of its agents and managers how to convey to a consumer that they can obtain information about the type of information that the business allows third parties to use for the third parties’ direct marketing purposes, or provide a description on its website or within its privacy policy of that consumer right.2 It is important to note, however, that if a business does not sell personal information (or allow other third parties to use personal information for their direct marketing), the business is not required to make an affirmative statement to that effect. In other words, the statute requires that a company state if it provides information to third parties for their own direct marketing; it does not require that a company state if it does not provide information to third parties for their own direct marketing.

The California CCPA also requires that a business that sells personal information disclose within its privacy policy a “list of the categories of personal information it has sold about consumer in the preceding 12 months.”3 When compared to the Shine the Light Law, the CCPA has both a broader and more narrow reach. It is broader in the sense that the CCPA applies to businesses regardless of whether they have a relationship with a consumer, or whether they collect information for consumer or business purposes. It is narrower in the sense that the CCPA only applies if a business has gross revenue in excess of $25 million, transacts personal information of at least 50,000 consumers or devices, or derives 50% of its revenue from selling consumer personal information.4 Unlike the Shine the Light Law, if a business does not sell personal information it may be required to make an affirmative statement to that effect. The language of the CCPA appears circular on this point. The Act states that “[a] business that sells consumers’ personal information . . . shall disclose . . . [t]he category or categories of consumers’’ personal information it has sold, or if the business has not sold consumers’ personal information, it shall disclose that fact.”5 A literal reading of the clause seems contradictory – companies that sell personal information must, if they do not sell information, disclose that fact. It is possible that a California court may interpret this provision as creating an affirmative obligation for companies that do not sell personal information to make an affirmative statement in that regard.