SUMMARY OF CAN-SPAM AND CCPA SELECT ISSUES RELATING TO EMAIL MARKETING

Chanley Howell
Foley & Lardner, LLP
Updated: March 18, 2021

Disclaimer.  This summary is intended solely for informational purposes and is not intended to constitute legal advice or to create an attorney-client relationship between Foley & Lardner and any recipient or reader of this summary. This is not intended to be an exhaustive summary of all issues and requirements relating to the topics discussed. If you have any questions about any of these issues you should contact your legal counsel.

Introduction.  Using existing technology (referred to herein as a “Technology”), companies are able to obtain email addresses of visitors to websites who have not and do not disclose their email address to the website owner. This Summary discusses some of the legal issues relating to use of this technology.

CAN-SPAM

  • Email Harvesting. CAN-SPAM prohibits email harvesting which is generally defined as obtaining email addresses from a website using an automated means when the website as a notice stating that the operator of the website will not give, sell or otherwise transfer email addresses maintained by the website for the purposes of allowing others to send emails to the address.
    • Thus, the Technology should not collect or provide email addresses to users of the Technology if those email addresses were acquired from a website that prohibits email address harvesting.
  • Opt-Out – Not Opt-In. While some jurisdictions outside of the United States (e.g. the European Union and Canada) require an affirmative opt-in in order to send marketing or commercial emails, the US has been, since the passage of CAN-SPAM, an opt-out jurisdiction. This means marketing emails can be sent to recipients unless and until they have opted out of receiving marketing emails from the sender.
    • Accordingly, a user of the Technology can send emails to email addresses acquired through the Technology provided that the recipient has not previously opted-out to receiving marketing emails from the Technology user / sender.
    • The sender of marketing emails acquired using the Technology should include an unsubscribe link or other opt-out mechanism in all marketing emails and promptly honor all opt-outs.
  • Other CAN-SPAM compliance tips include:
  • Don’t use false or misleading header information. Your “From,” “To,” “Reply-To,” and routing information – including the originating domain name and email address – must be accurate and identify the person or business who initiated the message.
  • Don’t use deceptive subject lines. The subject line must accurately reflect the content of the message.
  • Identify the message as an ad. The law gives you a lot of leeway in how to do this, but you must disclose clearly and conspicuously that your message is an advertisement.
  • Tell recipients where you are located. Your message must include your valid physical postal address. This can be your current street address, a post office box you’ve registered with the U.S. Postal Service, or a private mailbox you’ve registered with a commercial mail receiving agency established under Postal Service regulations.
  • Monitor what others are doing on your behalf. The law makes clear that even if you hire another company to handle your email marketing, you can’t contract away your legal responsibility to comply with the law. Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible.

California Privacy Rights Act (CPRA) amending the California Consumer Privacy Act (CCPA)

The CPRA, a ballot initiative passed by voters in November 2020, amends the CCPA and renames the CCPA to the CPRA. The CPRA includes additional privacy protections for consumers as discussed below.

  • Opt-Out of Sharing for Targeted Advertising. The CPRA extends a consumers right to opt-out of sales to include a right to opt-out of the sharing of the consumer’s personal information for targeted advertising (defined as “cross-contextual behavioral advertising”), whether such sharing is made with or without consideration. The CPRA contains an opt-out requirement for the sharing or sales of personal information, with the exception of the sharing or sales of personal information relating to children under the age of 16. (Children aged 13 to 16 must provide opt-in consent for the sale of their personal information. Website owners collecting, using, selling, or sharing personal information relating to children under the age of 13 must obtain verifiable parental opt-in consent to do so.).
    • The CPRA does not outright prohibit the sharing of personal information. Rather, if a company shares personal information for targeted advertising the company must provide notice of this to the consumer and give the consumer at least 2 methods for opting-out of the sharing of personal information for targeted advertising, one of which must be an interactive webform to opt-out requests. Use of the Technology to acquire email addresses and send emails to those addresses is sharing under the CPRA, which would require notice and the ability to opt-out of such sharing.
    • There are few exclusions from a “sharing” of personal information triggering the opt-out requirements, including when a Technology user directs the Technology provider to intentionally disclose personal information with one or more third parties.
    • If the Technology user desires to permit the Technology provider or any other third party to use the personal information for their own purposes outside of providing services to the Technology user, the Technology user should comply with the notice and opt-out requirements under the CPRA relating to the sharing of personal information for targeted advertising.
  • CPRA Notice. One of the primary requirements of the CPRA is the obligation to provide a “Do Not Sell or Share My Personal Information” and a privacy notice or privacy policy to website visitors complying with the requirements of the CPRA. All of the various notice requirements required under the CPRA are outside the scope of this summary. With respect to the Technology, generally speaking the CPRA requires notice to website visitors if personal information that identifies or can be reasonably used to identify them is collected by the website owner, the purposes for collecting, selling, or sharing the personal information, and the categories of third parties to whom the personal information is disclosed.
    • On its website homepage, a user of the Technology should provide a clear and conspicuous link titled “Do Not Sell or Share My Personal Information” that enables a user to opt-out of the sharing of a visitor’s personal information.
    • In its CPRA privacy notice, a user of the Technology should disclose and describe that, among other things, the website owner uses tracking technology to collect identifiable information about visitors (e.g., an email address or hashed email address), how it uses the information and that it shares the information with third parties (e.g., with the Technology provider to identify email addresses of visitors). Details will vary depending on the nature of the website and particular Technology used.
  • Vendor Agreements. Under the CPRA, specific language is required in business agreements depending on the nature of the business arrangement between the parties.
  • Sale of Personal Information. While the CPRA does not outright prohibit the sale of personal information, the newly defined term “sharing” broadly encompasses targeted advertising. The implication of the separate definition of sharing, suggests that such activities be may no longer considered sales under the CPRA.
  • Opt-out of Profiling and Automated Decision Making. While not detailed in the CPRA, the CPRA vests the Attorney General or a soon to be formed governing body, the California Privacy Protection Agency, with the authority to further establish rules governing access and opt-out rights with respect to automated decision-making technology, including profiling.

OPT-OUT AND COMPLYING WITH THE CAN-SPAM ACT

Chanley Howell
Foley & Lardner, LLP

Disclaimer.  This summary is intended solely for informational purposes and is not intended to constitute legal advice or to create an attorney-client relationship between Foley & Lardner and any recipient or reader of this summary. If you have questions about complying with the CAN-SPAM Act you should contact your legal counsel.

  1. Introduction. The CAN-SPAM Act of 2003 establishes requirements for companies that send commercial emails. The law covers email whose primary purpose is advertising or promoting a commercial product or service. This includes content on a Website. A “transactional or relationship message” – an email that facilitates an agreed-upon transaction or updates a customer in an existing business relationship – may not contain false or misleading routing information, but otherwise is exempt from most provisions of the Act. Violations of the Act can result in civil fines and criminal liability. The Act applies to consumer and business recipients and makes no exceptions for business-to-business emails.
  2. Commercial Emails v. Transactional or Relationship Emails. The requirements of the CAN-SPAM Act differ based on whether the email is (1) a “commercial” email or (2) a “transactional or relationship email.”  An email is “commercial” if the primary purpose of the email is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose). A “transactional or relationship” email facilitates a commercial transaction (e.g., purchase of products or services) that the recipient has previously entered into, or to provide information relating to a product or service already purchased by the recipient from the sender, such as warranty or recall information or account balances. Most requirements and prohibitions of the Act apply only to commercial messages, but the Act does prohibit both commercial and transactional / relationship messages from containing false or misleading routing information (e.g., the source, destination, originating email address, “from” line, etc.).
  3. Prior Consent / Opt-In Not Required. Opt-Out Mechanisms and Procedures. Prior express consent or opt-in consent is not required in order to send commercial emails. Commercial emails may not, however, be sent to recipients who have opted-out or unsubscribed from receiving commercial emails from the sender.
    1. Opt-Out Rather than Opt-In. While some jurisdictions outside of the United States (e.g. the European Union and Canada) require opt-in an order to send marketing or commercial emails, the US has been an opt-out jurisdiction since the passage of CAN- This means marketing emails can be sent to recipients unless and until they have opted out of receiving marketing emails from the sender.

Section 7704(a)(3)[1] of the Act requires that marketing messages contain an opt-out or unsubscribe mechanism:

* * *

(3)  Inclusion of return address or comparable mechanism in commercial electronic mail

  • (A)  In general, it is unlawful for any person to initiate the transmission to a protected computer of a commercial electronic mail message that does not contain a functioning return electronic mail address or other Internet-based mechanism, clearly and conspicuously displayed, that—
    • (i)  a recipient may use to submit, in a manner specified in the message, a reply electronic mail message or other form of Internet-based communication requesting not to receive future commercial electronic mail messages from that sender at the electronic mail address where the message was received; and
    • (ii)  remains capable of receiving such messages or communications for no less than 30 days after the transmission of the original message.
    • * * *

Section 7704(a)(4) of the Act states the opt out requirements:

* * *

(4)  Prohibition of transmission of commercial electronic mail after objection

  • (A) IN GENERAL, if a recipient makes a request using a mechanism provided pursuant to paragraph (3) not to receive some or any commercial electronic mail messages from such sender, then it is unlawful:
    • (i) for the sender to initiate the transmission to the recipient, more than 10 business days after the receipt of such request, of a commercial electronic mail message that falls within the scope of the request;
    • (ii) for any person acting on behalf of the sender to initiate the transmission to the recipient, more than 10 business days after the receipt of such request, of a commercial electronic mail message with actual knowledge, or knowledge fairly implied on the basis of objective circumstances, that such message falls within the scope of the request;
    • (iii) for any person acting on behalf of the sender to assist in initiating the transmission to the recipient, through the provision or selection of addresses to which the message will be sent, of a commercial electronic mail message with actual knowledge, or knowledge fairly implied on the basis of objective circumstances, that such message would violate clause (i) or (ii); or
    • (iv) for the sender, or any other person who knows that the recipient, has made such a request, to sell, lease, exchange, or otherwise transfer or release the electronic mail address of the recipient (including through any transaction or other transfer involving mailing lists bearing the electronic mail address of the recipient) for any purpose other than compliance with this Act or other provision of law.
    • * * *
    • Thus, the Act does not contain any requirements or reference to opting-in to receive marketing email messages.  As the Federal Trade Commission has stated in public guidance[2],
    • * * *
  • Here’s a rundown of CAN-SPAM’s main requirements:
  1. Don’t use false or misleading header information. Your “From,” “To,” “Reply-To,” and routing information – including the originating domain name and email address – must be accurate and identify the person or business who initiated the message.
  2. Don’t use deceptive subject lines. The subject line must accurately reflect the content of the message.
  3. Identify the message as an ad. The law gives you a lot of leeway in how to do this, but you must disclose clearly and conspicuously that your message is an advertisement.
  4. Tell recipients where you’re located. Your message must include your valid physical postal address. This can be your current street address, a post office box you’ve registered with the U.S. Postal Service, or a private mailbox you’ve registered with a commercial mail receiving agency established under Postal Service regulations.
  5. Tell recipients how to opt out of receiving future email from you. Your message must include a clear and conspicuous explanation of how the recipient can opt out of getting email from you in the future. Craft the notice in a way that’s easy for an ordinary person to recognize, read, and understand. Creative use of type size, color, and location can improve clarity. Give a return email address or another easy Internet-based way to allow people to communicate their choice to you. You may create a menu to allow a recipient to opt out of certain types of messages, but you must include the option to stop all commercial messages from you. Make sure your spam filter doesn’t block these opt-out requests.
  6. Honor opt-out requests promptly. Any opt-out mechanism you offer must be able to process opt-out requests for at least 30 days after you send your message. You must honor a recipient’s opt-out request within 10 business days. You can’t charge a fee, require the recipient to give you any personally identifying information beyond an email address, or make the recipient take any step other than sending a reply email or visiting a single page on an Internet website as a condition for honoring an opt-out request. Once people have told you they don’t want to receive more messages from you, you can’t sell or transfer their email addresses, even in the form of a mailing list. The only exception is that you may transfer the addresses to a company you’ve hired to help you comply with the CAN-SPAM Act.
  7. Monitor what others are doing on your behalf. The law makes clear that even if you hire another company to handle your email marketing, you can’t contract away your legal responsibility to comply with the law. Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible.

* * *

  • As required by the Act, the FTC recently reviewed the law and accepted public comments in order to determine whether the law was still appropriate as written. On February 12, 2019, the FTC confirmed:
  • (B) The Act does not require that recipients affirmatively consent or opt-in to receiving commercial emails. Rather, each email must contain a clear and conspicuous notice the recipient can opt-out of receiving more commercial email from the sender.
  • (C) Commercial emails must contain a return email address or another Internet-based response mechanism that allows the recipient to indicate it does not want future email messages to that email address. It is permissible to create a “menu” of choices to allow a recipient to opt-out of certain types of messages, but the email must include the option to end any and all commercial messages from the sender.
  • (D) The return email address / opt-out mechanism must be able to process opt-out requests for at least thirty (30) days after the commercial email is sent. When a sender receives an opt-out request, the sender must honor and stop sending email to the requestor’s email address no later than ten (10) business days after receipt of the request. A sender cannot help another entity send email to that address, or have another entity send email on the sender’s behalf to that address. It is also a violation of the Act to sell or transfer the email addresses of people who choose not to receive commercial email, even in the form of a mailing list, unless the sender transfers the addresses so another entity can comply with the law.
  • (E) The sender cannot require a recipient to pay a fee, provide information other than the person’s email address and opt-out preferences, or take steps other than sending a reply email or visiting a single Web page, as a condition of receiving or honoring opt-out requests.

4.     Identification of Commercial Email as an Advertisement. Commercial emails must be clearly and conspicuously identified as an advertisement or solicitation. The email should state at the beginning of the message (there does not have to be ADV or similar identification in the subject line) that it is an advertisement from the sender, and generally describe the products or services being advertised. If the recipient previously provided consent to receive commercial emails from the sender (e.g., through an opt-in process), then the email does not have to be conspicuously identified as an advertisement.

5.      Message Routing / Header Information Cannot Contain False or Misleading Information. The “From,” “To,” and routing information on a commercial email – including the originating domain name and email address – must be accurate and identify the person who initiated the email.  As noted above, this applies to commercial as well as transactional / relationship emails.

6.      Subject Lines May Not Be Deceptive. The subject line should be clear, truthful and accurate, and cannot be misleading to the recipient about the content or subject matter of the message.

7.      Identification of Postal Address. A commercial email must include the sender’s valid physical postal address, which can be a post office box or private mailbox.

8.      Multiple Senders / Advertisers. In the event two or more advertisers desire to send an email including content on behalf of each advertiser (e.g., a joint-marketing arrangement), the advertisers must designate one of them as the sender that must honor opt-out requests and satisfy the other statutory obligations. Then sender must be the only person identified in the “from” line of the email and must comply with all requirements under the Act. Even though there is one sender, all other advertisers are still responsible for compliance under the Act. Accordingly, each advertiser should carefully review and assess the compliance of the joint email, investigate the reputation of the sender, and take appropriate steps to ensure the sender’s compliance with the Act, including the all opt-out requests.

9.      No Sexually-Explicit Material. The email should not include sexually-explicit material. The Act provides additional requirements for labeling, disclaimers and presentation of emails with sexually-explicit content.

10.    No Harvesting or Automatic Email Generation. Senders should not use automated means to gather or “harvest” email addresses from third party web sites with terms that or randomly generating possible email addresses.

[1] 15 USC § 7704(a)(3)

[2] https://www.ftc.gov/tips-advice/business-center/guidance/can-spam-act-compliance-guide-business

FREQUENTLY ASKED QUESTIONS REGARDING THE CALIFORNIA CONSUMER PRIVACY ACT

Chanley Howell

Foley & Lardner, LLP

Updated: March 18, 2021

Disclaimer.  These FAQs regarding the California Privacy Rights Act (CPRA), amending and renaming the California Consumer Privacy Act (CCPA) are intended solely for informational purposes and is not intended to constitute legal advice or to create an attorney-client relationship between Foley & Lardner and any recipient or reader of this summary. This is not intended to be an exhaustive summary of all requirements of the CPRA. If you have questions about complying with the CPRA, you should contact your legal counsel.

The CPRA, a ballot initiative passed by voters in November 2020, amends the CCPA and renames the law. Frequently asked questions relating to the CPRA are discussed below.

  1. Who does the CPRA apply to?

The CPRA applies to any business— a for-profit legal entity — that collects and sells consumer “personal information”, with a few exemptions discussed below. The law sets a floor in terms of revenue and the number of consumer records being processed for the CPRA to kick in. A company has to meet one or more of the following for the CPRA to apply:

  • Have $25 million or more in annual revenue (not limited to revenue generated in or from California); or
  • Annually buys, sells or shares personal information of 100,000 or more California consumers or households; or
  • Earn more than half of its annual revenue selling or sharing consumers’ personal data.

There are few entity exemptions under the CPRA, limited only to:

  • Non-profit entities and
  • Health providers and insurers already under HIPAA
  • There are more limited exemptions for the following types of information, for the following businesses: Banks and financial companies covered by Gramm-Leach-Bliley and
  • Credit reporting agencies  (Equifax, TransUnion, etc.) that are under the Fair Credit Reporting Act
  1. What if we are not located and have no facilities in California?

If you collect personal information from residents of the State of California while they are in California you are likely doing business in California. Thus the law would apply to you if your company satisfies any of the applicability triggers discussed above.

  1. What qualifies as “personal information” under the CPRA?

The CPRA defines personal information broadly to include information that can identify, relate to, describe, be associated with, or be reasonably capable of being associated with, or could reasonably be linked, directly or indirectly with a particular consumer or household. The CPRA’s private right of action provision relating to data breaches incorporates a narrower definition of personal information (discussed below).

The law identifies a non-exhaustive list of categories of personal information, including:

  • Identifiers including real name, alias, postal address, unique personal identifier, online identifier, internet protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
  • Personal information defined in other California laws, such as a signature, physical characteristics or description, telephone number, state identification card number, education, employment, employment history;
  • Characteristics of protected classifications under California or federal law;
  • Commercial information, including records of personal property, products, or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
  • Biometric information;
  • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement;
  • Geolocation data;
  • Audio, electronic, visual, thermal, olfactory, or similar information;
  • Professional or employment-related information; and
  • Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (FERPA).

The definition also pulls in inferences from personal information used to create a profile about a consumer that would reflect the person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. Thus, for example, businesses that leverage artificial intelligence (AI) to help determine consumer preferences or identify preferred job candidates must look more carefully at what personal information they may maintain about their consumers (including employees) for purposes of CPRA.

Personal information does not include de-identified or aggregate consumer information.

 

  1. Does the CPRA apply to protected health information governed by HIPAA and other medical or health information?

Personal information does not include protected health information (PHI) governed by HIPAA or medical information under California’s Medical Information Act (CMIA). Additionally, the CPRA exempts an organization that “maintains patient information in the same manner” as PHI under HIPAA. Thus, to the extent the data involved includes were arguably could include any PHI or medical information under the CMIA.

  1. Does the CPRA apply to employee (or independent contractor personnel) information?

Employee (including independent contractor) related data is excluded from most provisions of the CPRA until January 1, 2023. Employers do, however, need to provide a brief privacy notice to employees regarding the nature of personal information collected, for what purposes, and a general description of who it is disclosed to (e.g. service providers).

  1. What rights do consumers have under the CPRA?

The new rights under the CPRA are similar to many contained in the EU’s General Data Protection Regulation. The CPRA gives California residents the right to request that a business:

  • Disclose the categories and specific pieces of personal information it has collected.
  • Disclose the categories of sources from which the personal information is collected.
  • Disclose the business or commercial purpose for collecting, selling or sharing the personal information.
  • Disclose the categories of third parties with which the business discloses the personal information.
  • Request access to, transportation of, correction of and deletion of any personal information about the consumer that the business has collected from a consumer, subject to certain exceptions.
  • Not use automated decision-making and profiling to Profiling uses automated processing to evaluate a consumer’s personal aspects and make predictions concerning the consumer’s performance at work, economic situation, health, preferences, interests, reliability, behavior, location, or movements.
  • Not “sell” (broadly defined) or “share” the consumer’s personal information if the consumer opts-out (the “do not sell or share my personal information” opt-out).
  • Limit the use of sensitive personal information, which includes personal information that reveals a consumer’s social security number or other government-issued ID number, a consumer’s account log-in or financial information with any required security credentials, a consumer’s “precise” geolocation (within 1850 feet), a consumer’s health, sex life, or sexual orientation, racial or ethnic origin, religious or philosophical beliefs, or union membership, a consumer’s genetic data, and the contents of a consumer’s mail, email, text message (unless the business is the intended recipient of that communications).
  1. Do we need to revise our privacy policies; and if so, what should it cover?

Probably; if the law applies to you. The CPRA has added several new substantive elements to the required disclosures that must be included in a privacy notice or policy. In addition to the information that must be included under the existing California laws or provided pursuant to California’s “Shine the Light” law, online privacy policies must include:

  • A description of consumers’ rights under the CPRA.
  • A description of the categories of personal information collected by the business in the preceding 12 months.
  • The commercial and business purposes for which the personal information is collected.
  • The categories of personal information sold or disclosed for a business purpose in the preceding 12 months.
  • The categories of third parties with which personal information is shared.
  • If the Company sells or shares personal information, a link to a “Do Not Sell or Share My Personal Information” web-based opt-out link.
  • A description of any financial incentives for providing data or not exercising rights (e.g., if the company offers a 15% discount to individuals who provide their email address for marketing purposes, this incentive must be disclosed in the privacy policy).
  1. For the “do not sell” opt-out, what constitutes the “sale” of personal information?

A “sale” of personal information under the CPRA is defined broadly to include the “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means” the personal information of a Consumer to another business or third party “for monetary or other valuable consideration.”

This broad definition suggests that if personal information is provided as part of a larger business relationship, a “sale” may have occurred even if no amounts are paid directly for the data itself. In addition, a website may be “selling” personal information by passing such information to third-party ad networks through cookies.

  1. What would NOT be considered a “sale” of personal information?

The law provides a non-exhaustive list of examples which would not be considered a sale of personal information:

  • A Consumer uses or directs the Business to intentionally disclose personal information to a third party. An “intentional” interaction occurs when the Consumer intends to interact with the third party via one or more deliberate actions. Hovering over a piece of content or closing it does not qualify as a “deliberate action”.
  • A Business shares a Consumer identifier to alert a third party of a Consumer’s opt-out decision.
  • Personal information is shared with a third party to perform a “business purpose” (explained below); the Business has provided notice of this sharing and the opt-out right (as described below); and the third party does not further collect, sell or use the personal information except as necessary to perform the business purpose.
  • The personal information is an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the Business, provided the Business complies with the CPRA disclosure requirements relating to the disclosure of information collected or sold (discussed above). If the acquirer plans to alter how it will use or disclose the personal information in a manner materially inconsistent with the promises made at the time of collection, it must provide prior notice of the new practices to the Consumer and include a “prominent and robust” notice so the Consumer can opt out. Note that the CPRA also warns Businesses that material, retroactive privacy policy changes must not violate California’s Unfair Competition Law — a statement apparently designed to address Businesses that want to make significant changes to a privacy policy in light of an impending deal.
  1. For the “do not share” opt-out, what constitutes the “sharing” of personal information for “cross-context behavioral information”?

“Sharing” of personal information under the CPRA is defined broadly to include the “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, In writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business In which no money is exchanged.”

“Cross-context behavioral advertising” means the targeting of advertising to a consumer based on the consumer’s personal Information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally Interacts.

The new definition of “sharing” makes it clear that the disclosure of personal information (including unique identifiers in cookies) for targeted advertising with or without consideration will be subject to the rights of a consumer to opt-out of such a disclosure.

  1. What would NOT be considered “sharing” personal information?

The law provides limited exclusions from “sharing” under the CPRA, including:

  • A Consumer uses or directs the Business to intentionally disclose personal information to a third party or intentionally interact with one or more third parties. An “intentional” interaction occurs when the Consumer intends to interact with the third party via one or more deliberate actions. Hovering over a piece of content or closing it does not qualify as a “deliberate action”.
  • A Business shares a Consumer identifier to alert a third party of a Consumer’s opt-out decision.
  • The personal information is an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the Business, provided the Business complies with the CPRA disclosure requirements relating to the disclosure of information collected or shared (discussed above). If the acquirer plans to alter how it will use or share the personal information in a manner materially inconsistent with the promises made at the time of collection, it must provide prior notice of the new practices to the Consumer and include a “prominent and robust” notice so the Consumer can opt out. Note that the CPRA also warns Businesses that material, retroactive privacy policy changes must not violate California’s Unfair Competition Law — a statement apparently designed to address Businesses that want to make significant changes to a privacy policy in light of an impending deal.