In this finale to our series comparing the Virginia Consumer Data Protection Act to the GDPR and CCPA/CPRA, we finally cover perhaps the most vexing of concepts in the emerging US law of data protection: sales.
To put this topic in context, recall that the GDPR regulates any sort of “processing” of personal data, and the definition of “processing” encompasses pretty much anything that you could imagine doing with data. Although both the California and Virginia laws share this breadth of scope, they share a particular preoccupation with a sub-category of processing: “sales.” Companies that are deemed to “sell” data need to provide extra disclosures in their privacy notices and policies. Companies must give those people an opportunity to opt-out. In the case of children, companies must get parental consent. If a person asks, companies need to account for prior “sales” of the person’s data, too. And perhaps most critically, companies deemed to be “selling” data need to publicly state that they sell personal data—which poses significant reputational risks.
That’s why it’s critical to understand what constitutes a “sale” of personal data.
The CCPA’s definition of “sale” didn’t win any awards for clarity. The CCPA defined “sale” to include any disclosures or transfers of personal data by a business “to another business or a third party” and “for monetary or other valuable consideration.” But then, the CCPA went on to state four activities that weren’t sales: user-directed disclosures, disclosures to service providers, disclosures made to effectuate a data subject’s request to have data deleted, and transfers in the context of a corporate transaction.
This definitional structure led to a number of problems, but three in particular warrant mention:
- What about intra-group transfers? The general view is that such transfers didn’t constitute “sales” because the disclosure was not “to another business or third party.” Because the predominant and better interpretation of “business” was that it could span multiple legal entities under common control and sharing common branding (discussed earlier in this series), it meant that intra-group transfers often weren’t “to another business or third party.” But that interpretation of “business,” though generally accepted, was still less clear than it could have been.
- What did the “monetary or other valuable consideration” requirement mean? “Monetary” was clear enough. But try as they might, most commentators couldn’t find a clear, universally accepted definition for “valuable consideration” in California law. And if “valuable consideration” were read broadly, then the definition of “sale” could bring in all sorts of disclosures that wouldn’t be a “sale” under any ordinary meaning.
- What about disclosures to (and from) service providers? The main problem here is that “service provider” is defined to mean someone who processes data on someone else’s behalf and who has entered into a particular form of contract. So if you disclose data to a processor, but your contract with the processor was somehow defective, then the processor wouldn’t be deemed a “service provider”... with the result that your disclosure wouldn’t fall within the service provider exception... and with the further result that the disclosure may be deemed a “sale.” iven that there was at least some uncertainty about what these agreements were meant to include, this draconian result was unfair to say the least.
Although the CPRA’s amendments to the CCPA made some structural changes to this definition, the changes don’t actually clarify anything. The phrase “to another business” has been removed and the definition of “third party” has received corresponding changes so that it’s now clearer that a transfer to the same business isn’t a “sale”—but the ambiguities in the definition of “business” remain, so this is cold comfort. The “for monetary or other valuable consideration” language hasn’t changed at all. And the service provider exception has merely been folded into the definition of “third party” (i.e., a service provider isn’t a third party), which doesn’t change the exception's substance.
The bottom line remains that the CCPA’s definition of “sale” continues to confound. As noted earlier in this series, the definition is so counterintuitive that many companies still enclose “sale” in quotation marks in their privacy policies, and at least one major company's policy distinguishes between the CCPA’s definition and “the conventional sense” of the word.
That's a lot of words devoted to California law. What about "sales" under the Virginia law? Virginia's definition is, at least, much clearer.
First, the CDPA doesn’t mess around with the CCPA’s “highly unusual” definition of “business” that spans legal entities. Instead, the CDPA’s definition of sale states outright that transfers to an affiliate aren’t sales. Simple, definitive, and intuitive.
Second, the CDPA’s definition only includes disclosures “for monetary consideration,” leaving aside the vague and uncertain phrase “other valuable consideration.” This definition not only provides more clarity, but it brings the definition of “sale” closer to what an ordinary person means they use the word “sale.”
Third, the service provider exception (or, in Virginia's nomenclature, the "processor" exception) applies to any disclosure to a processor. And processor is defined very simply to mean someone who processes data on someone else’s behalf. There’s no definitional requirement that the processor be party to a particular form of contract. If that contract is missing or defective, it doesn’t mean that the processor ceases to be a processor, with the result that the processor exception is unavailable, with the further result that the disclosure may constitute a “sale.” Instead, the result is simply that the controller has breached the separate, substantive provision that requires controllers and processors to have a prescribed form of contract—which is a far more reasonable result.
None of this is to say that the Virginia law provides substantively less protection that the California law. The Virginia law still imposes similar transparency obligations, affords the same basic data subject rights, and includes the same minimization and retention requirements as found under the CCPA/CRPA. But unlike the CCPA, which tried to regulate widely disparate categories of personal data processing by shoehorning them all into a convoluted definition of “sale,” the Virginia CDPA simply defines activities like targeted advertising or automated decision making and then regulates them.
In this series:
"Sale of personal data" means the exchange of personal data for monetary consideration by the controller to a third party. "Sale of personal data" does not include: 1. The disclosure of personal data to a processor that processes the personal data on behalf of the controller; 2. The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer; 3. The disclosure or transfer of personal data to an affiliate of the controller; 4. The disclosure of information that the consumer (i) intentionally made available to the general public via a channel of mass media and (ii) did not restrict to a specific audience; or 5. The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets.