GDPR requirements to selling of personal data. CCPA vs. GDPR on insurance and trade

Sale of personal information is a hard topic within the privacy field. Most companies do not sell the personal information of its customers or contractors however it may happen that company will be necessitates to undertake some actions which fall under the scope of selling of the personal data. Hence, let’s take a look at what the selling of personal information is and when the company is entitled to sell its customers’ personal data.

What the selling of personal data is?

Let’s clarify from the start: the GDPR is very limited on provisions regarding the selling and trade of personal data. On the contrary, the CCPA is quite focused on this topic. Thus, it is necessary to analyze the CCPA in this regard.

According to the CCPA, selling of personal data means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a customer’s personal data by the company to another company or a third party for monetary or other valuable consideration.

Many actions fall under the concept of selling of personal data. Usually, the most frequent example when the company sells the personal data of its customers is an M&A transaction. Customers’ database may be a valuable asset during such transaction. Another example is when the insurance companies purchase customers’ databases for the purposes of data profiling and then offering its services to the people from acquired databases.

What are the GDPR requirements to selling of personal data?

GDPR is literally silent on the selling of personal data. Therefore, it is necessary to analyze the principles of personal data processing to understand whether it is possible to sell the personal data of the customers under the GDPR or not.

Firstly, you need to have a legal basis to process the personal data of a customer. Consent is the most frequently used legal grounds. Other legal grounds are the necessity for the performance of a contract, compliance with the law, or a legitimate interest.

Secondly, personal data could be used only for the purposes for which the personal data were collected. You have to inform in the customers about the purposes of collection in advance. Therefore, you need to include such purpose as selling of personal data among other purposes in your privacy statement. If you have read this article and decided to amend your privacy policy and privacy statement – do not forget to inform the customers regarding these amendments or you will violate the GDPR.

Thirdly, customer has to have the right to withdrawn its consent for selling its personal data at any moment. Nobody canceled the right to object and right to be forgotten.

It is allowed to sell personal data under the GDPR subject to receipt of consent for it from data subject and compliance with the rights of data subject even if it decided to exercise the right to object or the right to be forgotten.

What are the CCPA requirements to selling of personal data?

One of the rights of the data subject provided under the CCPA is the right to opt out, namely to direct a company that sells personal data of such data subject not to sell this personal data. At the same time, a company that sells personal data of the data subjects is obliged to:

  • provide a clear and conspicuous link on the company’s website homepage, titled “Do Not Sell My Personal Information” to a webpage that enables a person to exercise the opt out right;
  • include a description of a data subjects’ rights along with a separate link to the “Do Not Sell My Personal Information” webpage in its privacy policy;
  • ensure that all individuals responsible for handling data subjects requests regarding the processing and security of personal data are informed of all requirements of CCPA.

If data subject decides to exercise its right to opt out, it has to send a verifiable consumer request to the company in this regard. After company receives such request it is prohibited to sell the data subject’s personal data unless the data subject provides its authorization in this regard. On the contrary, if company was not able to verify the request received from data subject it is not required to comply with such request. Verification of data subject’s requests may vary depending on the verification methods used by the certain company: password-protected accounts, two-factor authentication etc.

Company is prohibited to ask the data subject who has opted-out of the sale of its personal information to authorize the sale of its personal data again.

CCPA also provides restriction regarding selling of personal data of children. Under the CCPA, company shall not sell the personal information of data subjects if company knows that the data subjects is under 16 years of age. Selling of such personal data is allowed only subject to compliance with opt in right, namely company has to receive a consent for selling of personal data from:

  • data subject, if data subject is between 13 and 16; or
  • data subject’s parent or guardian, if data subject is under 13.
It is allowed to sell personal data of the data subject under the CCPA subject to compliance with opt out rules and limitations regarding the selling of personal data of minors.

Special rules applied to insurance companies

Insurance companies often sell or buy personal data for the purposes of advertising and offering its services and expanding the clients’ database. However, many personal data processed by the insurance companies could be a personal data of a special category, so-called “sensitive data” to which a higher threshold of protection of personal data is applied.

Under the GDPR, sensitive data are the personal data of data subject regarding:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic data, biometric data processed for the purpose of uniquely identifying a natural person;
  • data concerning health or data concerning a natural person’s sex life or sexual orientation.

Under the general rule, processing of sensitive data is prohibited except if one of the circumstances provided under the GDPR is presented. The main circumstance allowing the processing of sensitive data is the explicit consent of data subject to the processing of its sensitive data for one or more specified purposes taking into account limitation imposed by member state law in this regard.

Also, processing and selling of sensitive data requires the company to undertake several other measures, i.e. to keep records of your data processing activities, conduct data processing impact assessment, exclude profiling of sensitive data except if person provided direct consent to it, assign data protection officer etc.

If insurance companies sell personal data that consist of or include sensitive data they are obliged to comply with all the data processing principles and data subjects’ rights under the GDPR and additionally apply more serious and complex organizational and technical measures regarding the processing and security of personal data they sell.

On the contrary, CCPA does not divide personal data into general and sensitive and provide single rules for all categories of personal data. Therefore, insurance companies which sell personal data under the CCPA have to comply with general CCPA rules regarding the selling of personal data specified above.


Selling of personal data is a complicated and serious matter. It is not welcomed to sell personal data unless the company is ready and able to provide the appropriately high level of security of personal data during its selling.

Obviously, CCPA provides less strict requirements regarding the selling of personal data than GDPR hence it is easier to sell personal data if you operate under the CCPA. However, most companies target its services worldwide and EU is a zone with one of the highest customer flow therefore many companies in any case receive personal data of Europeans. Taking this fact into account, we highly recommend you to use the best practices available and comply with GDPR requirements regarding the selling of personal data.

Do well to be well – this is the Way.

    Your question to IT lawyers