Right to Opt-Out of Sale
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
Already have an account? Sign In »
4 hours 41 minutes
Hello, everyone and welcome to less than 3.5. As we discuss the right to opt out of sale of personal information,
the format for less than 3.5 will be very similar to how we reviewed the concept of a deletion request. Under less than 3.4, we will kick this off first by reviewing what opt out of sale request is,
we will then move on to defining what a sale of information truly is.
I will tell you ahead of time.
All third party data transfers are not necessarily sales of personal information and we will help to market that line.
Then number three, we will review to help really explain this concept further, Some examples of inter vs intra corporate data transfers. I always learn best by reviewing examples. And so, for those of you who always learn that way, we're gonna go through some common riel world scenarios
the same way we started last lesson. We're going to start out with a baseline rule once more.
Under the CCP A. A consumer has the right at any time to direct a business that sells personal information about that consumer to a third party not to sell the consumer's personal information
similar to delusion requests. This right here was one of the main reasons why the CCP a past
privacy advocates were very worried that businesses were able to sell personal information about consumers through third parties, and consumers had no capacity to object or opt out to that behavior at all.
The C C p A. Now provides consumers with the rights to stop and opt out of that transaction
Now. Important to note here,
you might have probably already seen when going through Web sites and surfing the Internet that there are do not sell links already popping up on the Internet.
That's actually a requirement of the C c. P. A.
We will discuss the do not sell link more in depth in module eight. Let's just put a mental note on that.
what is a sale?
A sale is defined again by the CCP A. As making available or transferring a consumer's personal information by one business to another business or third party for some sort of monetary or other valuable consideration.
I remember the first time I read that sentence. I was beyond lost, and I have a lot agreed. So I imagine you are probably equally lost.
So let's take a moment to unpackaged this a little further.
Let's keep in mind
if it's going to be monetary, then it'll be obvious. A third party or a separate businesses giving your employer money in order for you to transfer that information out of the network.
valuable consideration is so much more difficult to review.
We're actually going to give you some concepts. Basically, if the business that is receiving the information is in any way helping to expand your company's bottom line by transferring that information out,
it's likely that the C C P. A. Is going to apply to that scenario. And consumers have the ability to opt out of the transfer.
The California attorney general, funnily enough this summer, was given the opportunity to clarify what this sentence means
and actually refused to.
I think the sentence, they said, was we will follow the plain language meaning of what valuable consideration means,
very difficult to decipher.
So let me give some further context to what this means by identifying what isn't a sale, and then that should hopefully help us identify what is, if there ever is a situation in which a consumer direct your business to disclose or interact in any way with a third party,
that's not a sale.
There are situations where a consumer might approach your business and say, I'd like to buy this item. Please also use this certain shipping company etcetera to ensure that the package comes to my home.
If you are being instructed in any way to interact with the third party, that's not a sale, even if that's, in theory, expanding your revenues by engaging with that third party.
There also could be scenarios where the business might need to disclose personal information to a third party. In orderto stop this selling itself again
that won't apply.
Let's look at the bottom left of your screen for a moment.
Service providers. In the previous lessons, I've actually been specifically calling out companies like Salesforce or Office 3 65 or your cloud networks. All those vendors and service providers don't fall into this category because they're providing some sort of service to your company in order for your company to be able to operate
very important here,
the vendor cannot later in time sell the information on their end,
they have to honor that the information will stay essentially trapped with the third party vendor.
In most cases, vendors understand that if you are looking at your outbound data flows, you can in most instances ignore your vendors because that's not what this section of the law is defined to regulate.
Then the top left. If there's ever a merger or acquisition that your business is going to experience, data is obviously going to be transferred from one parent company to another parent company.
But that doesn't count as a sale of data under the sea CPA.
I was having trouble. I have to tell you, trying to explain what a third party is under the C C p A.
When I was thinking about this and making these slides, I happen to be walking through the mall.
I passed these stores and I thought to myself, Oh, this is a great way to explain this concept.
You may or may not be aware that Gap Incorporated actually owns the four stores that I have on screen now. Old Navy, Banana Republic and Athleta all fall under Gap Incorporated.
If you were to buy a pair of jeans that say Old Navy,
You are likely and especially if you were to sign up for one of their loyalty programs and you were later in time were to enter a Banana Republic store.
They're going to already have your personal information.
Why? Because these four companies all fall under the same corporate umbrella.
They all provide more or less the same goods or service.
They interact with each other consistently.
In situations like these, that's not going to be considered a sale.
The general rule is the more connected a group of companies are, the less likely it is going to be considered a sail under the C C P. A.
Again, I recommend you get further outside. Help to try toe really understand if an exception applies here.
I understand that in the modern business environment, a lot of businesses owned other businesses.
And when there are those types of weird relationships,
those air typically not considered sales of personal information.
Now, an exception would maybe be, for example, if an airline is selling information toe Ah, hotel company.
That is clearly not the same as the scenario you see on screen here because it's providing a different type of good or service.
They are also independently owned by different shareholders.
Keep an eye on that. If you're looking at your opt out data flows, ask yourself, Does my company have any stake in that other company? Or do we usually interact with that other third party? Because we need to in order to complete the transaction?
It's a very hot topic and one that is going to get a lot of attention from regulators in the future.
In summary, we define for you. Hopefully what a sale is
again. It's a transfer of data from one business to another business for some sort of monetary or valuable consideration.
You're going to need my friends to use your best judgment, hopefully by providing for you examples of what is not considered a sale. That helps provide further clarity for scenarios that might be defined as a sale.
Then we've also reviewed typical third party transfers
Again, I tried to use the example of Old Navy and Banana Republic all falling under the corporate umbrella of Gap Incorporated
that would not be considered a third party data transfer, but scenarios where, like I said. If it's an airline transferring information to a cruise line or a hotel company or a rental car company, something like that
that is likely to be considered a sail under the C C p A.
That finishes up module three. We have a quick quiz and I will see you in Module four.