Modern data privacy statutes create special rules for activities that involve “selling.” Among other things, most modern U.S. data privacy statutes require companies to allow data subjects to opt out of having their personal information sold. As the following chart indicates, the term “sale” is defined slightly different between and among state statutes, with some statutes defining the term as including exchanges of personal information in return for valuable consideration, others only exchanges of personal information in return for monetary consideration, and some defining it as both valuable and monetary consideration.
Definition explicitly includes |
Europe GDPR |
California 2022 CCPA |
California 2023 CPRA |
Virginia 2023 VCDPA |
Colorado 2023 CPA |
Utah 2023 UCPA |
Exchange of personal data for monetary consideration | N/A[1] | ✓[2] | ✓[3] | ✓[4] | ✓[5] | ✓[6] |
Exchange of personal data for other valuable consideration | N/A | ✓[7] | ✓[8] | X[9] | ✓[10] | X[11] |
[1] The GDPR does not expressly define the term “sale,” nor does it ascribe particular obligations to companies that sell personal information. Selling, however, is implicitly governed by the GDPR as any transfer of personal information from one controller to a second controller would be considered a processing activity for which a lawful purpose would be required pursuant to GDPR Article 6.
[2] Cal. Civ. Code 1798.140(t) (West 2020).
[3] Cal. Civ. Code 1798.140(ad) (West 2021).
[4] Va. Code 59.1-571 (2022).
[5] C.R.S. 6-1-1303(22)(a) (2022).
[6] Utah Code Ann. 13-61-101(31)(a) (2022).
[7] Cal. Civ. Code 1798.140(t) (West 2020).
[8] Cal. Civ. Code 1798.140(ad) (West 2021).
[9] Va. Code 59.1-571 (2022).
[10] C.R.S. 6-1-1303(22)(a) (2022).
[11] Utah Code Ann. 13-61-101(31)(a) (2022).