CCPA Right to Disclose the Purpose for Collection or Sale of Information (110.a.3)
Overview:
A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following: The business or commercial purpose for collecting or selling personal information.
Action Items:
1) Review existing privacy notices and verify that they meet each of the new requirements of the CCPA.
2) Identify instances in which you may be collecting information about Californians and do not currently have a privacy notice. In such situations, draft a privacy notice that conforms with both the CCPA and with other privacy laws that may apply (e.g. the GDPR).
3) Review existing methods for submitting access requests to your organization to verify they comply with the CCPA.
4) Draft a "play book" that provides standard communications that can be sent to individuals who make access requests, and standard formats for reporting personal information.
5) Train employees on the handling of access requests.
6) Verify that the policy in place facilitates the fulfillment of access requests within the time period permitted by the statute.
7) Create a process to readily access the specific Personal Information the Business has about each Consumer. This includes knowing what Personal Information is held and what "category" it falls into; where it is stored; and having the ability to extract it.
8) Create a tracking system to record each access request and how it was handled, to be able to demonstrate compliance.
Related Documents:
1) Privacy Notice
2) Evidence that consumers can submit a Verifiable Consumer Request (VCR), pursuant to request submission requirements
3) Sample of a VCR submitted by a consumer to ensure it captures all relevant data
Additional Guidance:
Whether or not information has been "collected" triggers a number of CCPA requirements. Here the CCPA adopts a broad definition.
Collection of Personal Information
Collection is defined as "buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a Consumer by any means." Collecting also includes receiving information from a Consumer "either actively or passively, or by observing the consumer's behavior."
Sale of Personal Information
A "sale" of Personal Information under the CCPA is defined broadly to include the "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means" the Personal Information of a Consumer to another business or third party "for monetary or other valuable consideration."
This broad definition suggests that if Personal Information is provided as part of a larger business relationship, a "sale" may have occurred even if no amounts are paid directly for the data itself. In addition, a website may be "selling" Personal Information by passing such information to third-party ad networks through cookies.
Exceptions
The CCPA outlines certain exceptions to what would be deemed a sale, including when:
1) A Consumer uses or directs the Business to intentionally disclose Personal Information to a third party. An "intentional" interaction occurs when the Consumer intends to interact with the third party via one or more deliberate actions. Hovering over a piece of content or closing it does not qualify as a "deliberate action".
2) A Business shares a Consumer identifier to alert a third party of a Consumer's opt-out decision.
3) Personal Information is shared with a third party to perform a "business purpose" (explained below) and: the Business has provided notice of this sharing and the opt-out right; and the third party does not further collect, sell or use the Personal Information except as necessary to perform the business purpose.
4) The Personal Information is an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the Business, provided the Business complies with the CCPA disclosure requirements relating to the disclosure of information collected or sold (discussed below). If the acquirer plans to alter how it will use or share the Personal Information in a manner materially inconsistent with the promises made at the time of collection, it must provide prior notice of the new practices to the Consumer and include a "prominent and robust" notice so the Consumer can opt out. Note that the CCPA also warns Businesses that material, retroactive privacy policy changes must not violate California's Unfair Competition Law — a statement apparently designed to address Businesses that want to make significant changes to a privacy policy in light of an impending deal.