Everything You Need to Know About CPRA Data Sharing Requirements

What is meant by data sharing under the CPRA?

The CPRA is built on the data privacy management principles introduced by the CCPA in 2018. However, one of the major criticisms of the CCPA was that the expression ‘sale of personal data’ was never clear on whether it included sharing personal information between businesses and third parties for non-monetary consideration. The CPRA clarified this by explicitly providing a new term, ‘sharing of personal information.’

The CPRA defines data sharing as any disclosure of personal information (renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means) to third parties for cross-contextual behavioral advertising. Cross-contextual behavioral advertising is when a consumer is profiled and targeted based on personal information gained from his/her activity across various distinctly-branded businesses, websites, applications, or services. The purpose of sharing personal information can be for monetary benefits to the organization or any other enhanced personalization of services for the consumer.

The CPRA defines a “third party” as an entity with which the consumer is not intentionally interacting and to whom the consumer’s personal information is either sold or shared. Third parties are different from service providers and contractors, with whom businesses do not share or sell consumer personal information. They disclose consumer personal information for business or commercial purposes. Service providers and contractors have greater limitations on using, processing, and disclosing personal information than third parties.

It is easy to understand the data sharing concept by breaking it down into two key factors. For data to be “shared” under the CPRA, an organization must have:

1. Shared personal information with any third party entity which is neither a service provider nor a contractor, and
2. Used the information gained from other distinct and independent sources to provide targeted advertising to the consumer.

What is not included in personal information sharing?

The CPRA lists certain actions which are not considered the ‘sharing of a consumer’s personal information by a business with a third party.’ Those actions are:

• When consumers use or direct the business to disclose their personal information to a third party intentionally,
• When a consumer intentionally interacts with a third party,
• When a business shares an identifier with a third party to indicate that the consumer has opted-out of the sharing of their personal information, and
• Finally, when a business transfers the personal information of a consumer to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business. However, it is conditional that the personal information is used or shared according to the purpose informed to the consumer at the time of personal information collection. If the usage or sharing purpose changes, the third party must notify the consumer again.

What is allowed under the data-sharing requirement of CPRA?

Suppose consumers do not opt-out of sharing their personal information with external entities for cross-context behavioral advertising. In that case, the organization can share all the collected personal information with third parties for monetary or non-monetary consideration.

Broadly speaking, consumer personal information includes information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Organizations also track and record consumer activity on their website. This includes tracking web page visits, product pages, time spent on each page, clicks on product links/descriptions, cart additions, checkouts, etc. This data is used to re-target visitors with ads to increase site traffic and conversions. The CPRA (similar to the CCPA) also considers this data as personal information.

Sensitive Personal Information Sharing

The CPRA also introduces the new Sensitive Personal Information (SPI) category and provides that businesses may only use consumers’ SPI for limited business purposes. Consumers retain the power to restrict businesses from any other uses.

Some of the limited business purposes for which businesses can use consumer SPI include short-term use of the SPI, such as for non-personalized advertising to the consumer during the current interaction of the consumer - not utilizing profiling or sharing of the SPI with third parties.

For any further use, the consumer must be notified by the business and given a chance to opt out of the use of their SPI for that purpose.

Under the CPRA, SPI includes the following information:

• Government-issued identifiers — Social Security, driver’s license, state identification card, or passport number.
• Finances — Account log‐in, financial account, debit card, or credit card number combined with any required security or access code, password, or credentials allowing access to an account.
• Geolocation — a consumer’s precise geolocation, including address, ZIP code, and city.
• Race, religion, and union membership — Racial or ethnic origin, religious or philosophical beliefs, or union membership.
• Communications — the contents of a consumer’s private communications, unless the company is the intended recipient of the communication.
• Genetics — a consumer’s genetic data.
• Biometrics — the processing of biometric information to uniquely identify a consumer.
• Health — personal information collected and analyzed concerning a consumer’s health.
• Sexual orientation — personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.

It is important to note that SPI collected or processed without the purpose of inferring characteristics about a consumer is not subject to these restrictions.

What are your organization’s obligations before sharing data with contractors?

Have a written agreement with the third party before sharing personal information

According to the CPRA, businesses must sign agreements with third parties if they share consumer personal information with them. The agreements should explicitly:

1. State the limited and specified purposes explaining why the consumers’ personal information is being shared,
2. Obligate third parties to comply with the applicable obligations of the CPRA and provide a similar level of privacy protection to the disclosed consumers’ personal information as granted by the CPRA,
3. Grant businesses the right to take reasonable and appropriate steps to help ensure the third parties are using the transferred personal information in a manner that is consistent with their obligations under CPRA,
4. Require third parties to inform the business if they are unable to meet their obligations under the CPRA,
5. Provide businesses the right to stop and remediate the unauthorized use of transferred personal information either:
   • After receiving a notice from a third party stating that they cannot meet their obligations under the CPRA.
   • Or when the business has notified the third party to comply with their obligations under the CPRA, but they fail to do so.

Notify consumers at every point of personal information collection

The CPRA imposes additional obligations on the organization, collecting personal information (even if personal information is collected by service providers or contractors on the organization’s behalf) and sharing it with third parties.

Businesses that share consumers’ personal information with third parties are required to notify consumers at or before every collection point. The notification must include the following:

• The categories of both personal information and sensitive personal information being collected,
• The purpose for the collection and use of personal information and sensitive personal information,
• Whether the business will share any of the collected information with external contractors,
• The ‘retention period,’ which is the length of time each category of information is retained or the criteria for determining the retention period.

Organizations can notify consumers via display banners on their websites. These banners must have Opt-out links that are clearly visible and readable. The banners must also be placed in a prominent position on the landing page.

Inform consumers about personal information sharing details

The CPRA mandates that businesses disclose within their privacy notice the following information about their personal information sharing activities:

• Whether or not the business shares consumers’ personal information with third parties,
• The business or commercial purpose for sharing the personal information,
• The categories of consumers’ personal information they have shared with third parties, and
• The categories of third parties with whom they are sharing the personal information.

Update Opt-out links and prominently display them on the homepage

Organizations that engage in sharing personal information must provide consumers with an option to opt out of sharing their personal information. The CPRA clarifies that any personal information that is disclosed for targeted advertising must have an option to opt out.

Additionally, organizations must update the “Do Not Sell My Personal Information” links to read “Do Not Sell or Share My Personal Information” and prominently display it on the website home page.

Businesses must wait at least twelve months before re-asking opted-out consumers for consent to share their personal information with third parties.

Gain Opt-in consent before sharing Children’s personal information

The CPRA mandates that businesses may not knowingly share children’s personal information without first gaining affirmative opt-in consent from the parents/guardians if they are below 13 years of age or directly from the child if they are aged between 13 and 15 years. Any business which ignores a consumer’s age shall be considered to be in actual knowledge.

Do not discriminate against Consumers who Opt-out

Consumers cannot be discriminated against if they choose to opt out of sharing their personal information. Businesses are barred from retaliating against consumers or employees who choose to exercise their rights under the CPRA in any of the following manners:

• Denying goods or services to the consumer,
• Charging different prices or rates for goods or services, including through the use of discounts, other benefits, or imposing penalties. (There are more qualified rules of how a business can offer financial incentives to consumers for allowing the sharing of their personal information),
• Providing a different level or quality of goods or services to the consumer,
• Suggesting that the consumer will receive a different price, different rate for goods and services, or a different level/quality of goods and services,
• Retaliating against an employee, an employment applicant, or independent contractor for exercising their rights under the CPRA,
• Degrading the consumer’s experience on the web page, they intend to visit after exercising the right to opt-out. The webpage must have a similar look, feel, and size relative to other links on the same web page.

Notify Third Parties of any Consumer Deletion Requests

The CPRA mandates that organizations must notify third parties, with whom they share consumer personal information, about any data deletion requests of their personal information.

Restrict re-sharing of personal information by Third Parties without notification

Third parties with whom businesses have shared personal information must not further sell or share consumer personal information unless the concerned consumer has been informed, via an explicit notice, and provided a right to opt-out of the further sharing of their personal information.

Frequently Asked Questions (FAQs)