CCPA Disclosure of Consumer Information Sold or Disclosed to Third Parties (115.c)
Overview:
A business that sells consumers' personal information, or that discloses consumers' personal information for a business purpose, shall disclose, pursuant to subparagraph (C) of paragraph (5) of subdivision (a) of Section 1798.130:
(1) The category or categories of consumers' personal information it has sold, or if the business has not sold consumers' personal information, it shall disclose that fact.
(2) The category or categories of consumers' personal information it has disclosed for a business purpose, or if the business has not disclosed the consumers' personal information for a business purpose, it shall disclose that fact.
Action Items:
1) Review existing privacy notices and verify that they meet each of the new requirements of the CCPA.
2) Identify instances in which you may be collecting information about Californians and do not currently have a privacy notice. In such situations, draft a privacy notice that conforms with both the CCPA and with other privacy laws that may apply (e.g. the GDPR).
3) Review existing methods for submitting access requests to your organization to verify they comply with the CCPA.
4) Train employees on the handling of access requests.
5) Verify that the policy in place facilitates the fulfillment of access requests within the time period permitted by the statute.
6) Establish a means to determine whether a request is a proper Verifiable Consumer Request (VCR). A "Verifiable Consumer Request" means a request where a Business can verify that the Consumer making the request is the Consumer about whom the business has collected Personal Information, or is a person authorized by the Consumer to act on the Consumer's behalf. The attorney general is expected to promulgate guidance on what constitutes a VCR, although the Act suggests that a Business can treat a request from a Consumer who is already logged into a service as verified.
7) Create a process to readily access the specific Personal Information the Business has about each Consumer. This includes knowing what Personal Information is held and what "category" it falls into; where it is stored; and having the ability to extract it.
8) Create a tracking system to ensure that each request is answered within the Response Time and that the information provided covers the Applicable Time Period. A Business must respond to a VCR by mail or electronically within 45 days of receipt (which can be extended for an additional 45 days upon notice to the consumer). The Business must inform the Consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay. Note: in a different section, the CCPA states that the response to a VCR can be extended for up to an additional 90 days. It is unclear whether this is in addition to the two 45-day periods noted here. There is no obligation to provide this information to a Consumer more than twice in a 12-month period, and the information provided need only cover the 12-month period preceding the VCR.
9) Create a means to provide requested Personal Information in a portable and readily usable format. The Personal Information, if provided electronically, should be in a portable and readily usable format that allows the consumer to transmit it from one entity to another "without hindrance." If the Consumer has an account with the Business, the Personal Information should be delivered through that account. If the Consumer does not have such an account, it may be delivered by mail or electronically, at the Consumer's option. Note that a Business cannot require a consumer to create an account in order to submit a VCR.
10) Create a tracking system that records each access request and how it was handled, so that compliance can be demonstrated.
Related Documents:
1) Privacy Notice
2) Evidence that consumers can submit a Verifiable Consumer Request (VCR), pursuant to request submission requirements
3) Sample of a VCR submitted by a consumer to ensure it captures all relevant data
4) List of the categories of personal information that the business collected about consumers
5) List of categories of personal information that the business sold about the consumer
6) List of the categories of personal information that the business disclosed about the consumer for a business purpose.
Additional Guidance:
Whether information has been "collected" determines whether a number of CCPA requirements apply, and the CCPA adopts a broad definition of collection.
Collection of Personal Information
Collection is defined as "buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a Consumer by any means." Collecting also includes receiving information from a Consumer "either actively or passively, or by observing the consumer's behavior."
Sale of Personal Information
A "sale" of Personal Information under the CCPA is defined broadly to include the "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means" the Personal Information of a Consumer to another business or third party "for monetary or other valuable consideration."
This broad definition suggests that if Personal Information is provided as part of a larger business relationship, a "sale" may have occurred even if no amounts are paid directly for the data itself. In addition, a website may be "selling" Personal Information by passing such information to third-party ad networks through cookies.
Exceptions
The CCPA outlines certain exceptions to what would be deemed a sale, including when:
1) A Consumer uses or directs the Business to intentionally disclose Personal Information to a third party. An "intentional" interaction occurs when the Consumer intends to interact with the third party via one or more deliberate actions. Hovering over a piece of content or closing it does not qualify as a "deliberate action".
2) A Business shares a Consumer identifier to alert a third party of a Consumer's opt-out decision.
3) Personal Information is shared with a third party to perform a "business purpose" (explained below) and: the Business has provided notice of this sharing and the opt-out right; and the third party does not further collect, sell or use the Personal Information except as necessary to perform the business purpose.
4) The Personal Information is an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the Business, provided the Business complies with the CCPA disclosure requirements relating to the disclosure of information collected or sold (discussed below). If the acquirer plans to alter how it will use or share the Personal Information in a manner materially inconsistent with the promises made at the time of collection, it must provide prior notice of the new practices to the Consumer and include a "prominent and robust" notice so the Consumer can opt out. Note that the CCPA also warns Businesses that material, retroactive privacy policy changes must not violate California's Unfair Competition Law — a statement apparently designed to address Businesses that want to make significant changes to a privacy policy in light of an impending deal.