Skip to content

Modern data privacy statutes create special rules for activities that involve “selling.” Among other things, most modern U.S. data privacy statutes require companies to allow data subjects to opt out of having their personal information sold. As the following chart indicates, the term “sale” is defined slightly different between and among state statutes, with some statutes defining the term as including exchanges of personal information in return for valuable consideration, others only exchanges of personal information in return for monetary consideration, and some defining it as both valuable and monetary consideration.

Definition explicitly includes

Europe

GDPR

California 2022

CCPA

California 2023

CPRA

Virginia 2023

VCDPA

Colorado 2023

CPA

Utah 2023

UCPA

Exchange of personal data for monetary consideration N/A[1] ✓[2] ✓[3] ✓[4] ✓[5] ✓[6]
Exchange of personal data for other valuable consideration N/A ✓[7] ✓[8] X[9] ✓[10] X[11]

[1] The GDPR does not expressly define the term “sale,” nor does it ascribe particular obligations to companies that sell personal information. Selling, however, is implicitly governed by the GDPR as any transfer of personal information from one controller to a second controller would be considered a processing activity for which a lawful purpose would be required pursuant to GDPR Article 6.

[2] Cal. Civ. Code 1798.140(t) (West 2020).

[3] Cal. Civ. Code 1798.140(ad) (West 2021).

[4] Va. Code 59.1-571 (2022).

[5] C.R.S. 6-1-1303(22)(a) (2022).

[6] Utah Code Ann. 13-61-101(31)(a) (2022).

[7] Cal. Civ. Code 1798.140(t) (West 2020).

[8] Cal. Civ. Code 1798.140(ad) (West 2021).

[9] Va. Code 59.1-571 (2022).

[10] C.R.S. 6-1-1303(22)(a) (2022).

[11] Utah Code Ann. 13-61-101(31)(a) (2022).