CPRA countdown: The new concept of "sharing"

This is the seventh installment in our series on the California Privacy Rights Act, which takes effect January 1, 2023.

The California Privacy Rights Act (CPRA) introduces a new concept, “sharing,” that provides California residents with the right to opt-out of certain disclosures of personal information for behavioral advertising. In this post, we describe the difference between CPRA “sharing” and the California Consumer Privacy Act’s different, but somewhat related, concept of “sales”, the consequences of engaging in disclosures that constitute “sharing” under the CPRA, including the potential need to display a “Do Not Share My Personal Information” link on digital properties, and the CPRA exceptions applicable to sharing.

 

What is the difference between “sharing” and “selling”?

Many organizations are familiar with the CCPA concept of a “sale,” which refers to the disclosure, making available or otherwise communicating of personal information to a business or third party for monetary or other valuable consideration.  Businesses assessing whether they are “selling” personal information must therefore focus on whether they receive consideration for disclosing personal information to businesses or other third parties. 

The CPRA concept of “sharing,” on the other hand, focuses on whether personal information is used by third parties for cross-context behavioral advertising, rather than on whether there is monetary or other valuable consideration for the disclosure.

“Sharing” means “communicating orally, in writing, or by electronic or other means, a consumer’s personal information . . . to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration”

A key difference between the concepts of “sale” and “sharing” is that “sales” of personal information under the CPRA require consideration; “sharing” does not. 

To understand what constitutes “sharing,” therefore, one must understand what cross-context behavioral advertising is and what entities are third parties.  The CPRA defines the term as:

“the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.”

CPRA sharing therefore involves the disclosure, transfer, or other communication of personal information to third parties for purposes of advertising that is targeted based on a consumer’s activities on third-party and distinctly branded digital platforms.  

Under the CPRA, third parties are entities that are not:

  • The business that a consumer intentionally interacts with;

  • Service providers or contractors to such businesses that provide services to the business for specified purposes.

Therefore, if businesses engage online advertisers, cookie providers, or other adtech providers to support cross-context behavioral advertising in the roles of service providers or contractors, the disclosure of personal information will not be considered “sharing.”  

The key questions for assessing whether information is “shared” are, therefore:

  1. Is the personal information of California residents disclosed to an entity for cross-context behavioral advertising (e.g., interest-based advertising targeted based on activities across the digital properties of other businesses or distinctly branded digital properties)?

  2. Is the recipient a third party, rather than a contractor or service provider?

If the answer to both questions is, “yes,” the practice likely constitutes sharing, subject to the exceptions discussed below.

What is the impact? 

Under the CPRA, businesses must offer California residents the opportunity to opt-out of sharing and must provide notice of the right in their privacy notices.  In addition, CPRA requires businesses to:

  • Obtain opt-in consent before sharing personal information from California residents under sixteen years of age (individual consent for those aged thirteen to sixteen, parental consent for those under thirteen);

  • Wait twelve months after receiving a sharing opt out request before asking the consumer to consent to sharing; and

  • Include a “Do Not Sell or Share My Personal Information” link on all digital locations (e.g., web pages) where personal information is collected (or alternatively comply with a global opt-out signal—specifics of this approach are expected to be published in the forthcoming regulations)

For some organizations, implementing the opt out may not require much effort. Many of the advertising disclosures that will be considered “sharing” may also constitute “sales”, as the recipients of the information provide consideration (monetary or otherwise) for providing the advertising services.  If all of the “sharing” disclosures constitute “sales” disclosures, then the Do Not Sell My Personal Information link can simply be updated to “Do Not Sell or Share My Personal Information.” 

However, for those organizations that “share” information in ways that do not constitute “sales” (such as where the recipients of personal information provide no consideration for receiving the personal information), opt out mechanisms will need to be updated.   

[To learn more about the CPRA’s opt-out rights, see our post here].

Exceptions to the opt-out right

Disclosures of personal information do not constitute “sharing” in the following circumstances:

  • A consumer intentionally discloses personal information to the recipient or intends to interact with the recipients. 

    • For example, if a consumer directs a business to share personal information with a social media platform, the business’ disclosure of personal information to the social media platform for cross-context behavioral advertising may not be considered “sharing.” 

  • Disclosing information for purposes of honoring opt out requests.

  • The disclosure occurs as part of a merger, acquisition, bankruptcy, or similar transaction in which the recipient assumes some control of the disclosing party’s business. 

Next steps for CPRA-covered entities

In light of the CPRA’s increased focus on transactions involving the transmission of personal information, businesses and other entities covered by the CPRA should take steps to integrate the concept of data sharing into their compliance roadmaps:

  • Analyze whether the business shares personal information.  Consider whether your organization’s practices constitute sharing and whether any exceptions, such as directed disclosures, may or could apply.

  • Review agreements with contractors and service providers.  Businesses that engage contractors and service providers (as those terms are defined) under the CPRA must have a written agreement prohibiting those parties from sharing personal information.

 

Authored by James Denvil and Sophie Baum.

 

This website is operated by Hogan Lovells Solutions Limited, whose registered office is at 21 Holborn Viaduct, London, United Kingdom, EC1A 2DY. Hogan Lovells Solutions Limited is a wholly-owned subsidiary of Hogan Lovells International LLP but is not itself a law firm. For further details of Hogan Lovells Solutions Limited and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2022 Hogan Lovells.

Attorney advertising. Prior results do not guarantee a similar outcome.