We take the privacy and security of personal information very seriously, so it took us a while to answer this question. Apologies for the wait, but we needed the time.
To get right into it: no, Stack does not sell your personal data. And under the current text of the Privacy Policy, couldn't engage in a practice that would be the equivalent of a CCPA sale under GDPR without your opt-in consent. We currently apply an opt-in regime across the board, mirroring GDPR requirements. In a general context, a sale typically refers to the exchange of goods, services, or property for money. A sale in the context of privacy law refers to a concept under the California Consumer Privacy Act (CCPA), which defines sale as the “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” As stated in our privacy notice, Stack does not sell your personal data.
The CCPA has a few exceptions that make a practice that would otherwise be considered a sale not a sale:
- When a consumer intentionally directs a business to disclose
their personal information;
- When a business shares personal information with a service provider for a “business purpose”; and
- When a business transfers a consumer’s personal information as part of a merger, acquisition, bankruptcy, or other transaction.
Specifically, for (2), a business purpose isn’t just “making money”. There are more details right below (see the bulleted list).
As for under the GDPR, there are no general restrictions on the sale of personal data. However, data controllers (like Stack) must comply with the principles of the GDPR, including fairness and having a lawful basis for the processing. In other words, if we did sell personal data, we could not and would not sell yours without, for example, first obtaining your consent.
I believe that there are some things being conflated on the initial question that are generating some confusion, so hopefully, the following brings clarity.
For example, the quote that was classified as “contrasting claims”
We may engage with third parties in business transactions, including the buying and selling of assets, the auditing of our business practices and financials, and to engage in business development opportunities. This may involve the processing and/or disclosure of some limited personal information, which may be necessary and within our legitimate interests to develop the Stack Overflow brand and business. If we transfer any personal information in pursuing such a business transaction we will always ensure that strict confidentiality measures are in place to protect your privacy interests.
Under the CCPA, a business may disclose personal information where it is reasonably necessary and proportionate for operational purposes, which include:
- Auditing;
- Security;
- Debugging;
- Short-term, transient use;
- Performing services on behalf of a business or service provider;
- Undertaking internal research; and
- Quality assurance and improvement.
The quoted statement refers to a scenario where Stack uses a third party to support some aspect of a business transaction, where personal data is processed/disclosed as part of the transaction (not sold). For example, hosting our sites’ databases includes personal information about our users, and they process your personal information. This would not occur unless processing is done when it’s necessary and within Stack’s legitimate interests, which is a legally defined term under the GDPR and not a broad “any interest the company has” and that we take steps to protect privacy, such as for example having contractual clauses about the data.
As for the other quote about parts of the business:
If we choose to sell, transfer, or merge parts of our business or our assets, your personal data would be shared with such third parties as part of such a transaction. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
I do understand your concerns about business transactions and whether that would be considered a sale. The CCPA’s definition of sale explicitly excludes this scenario.
For purposes of this title, a business does not sell personal information when:
(C) The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business…
Therefore, in the event of a business transaction (sell, transfer, or merge parts of the business), we would inform you about the transfer of your personal information and provide you with all other required information. Again, while sale isn’t a concept under the GDPR, we would still be required to inform data subjects in the event of a business transaction, particularly if it involves the transfer of personal data. This does not cover the sale of personal data, but rather the sale of part (or the entirety) of the business that results in the transfer of personal data. So it doesn’t mean the reading you mention of “if we sell your data to someone then they get your data.”
Stack Overflow does not sell (as the term is defined in the CCPA) the personal information we collect (and will not sell it without providing a right to opt out). Please note that we do use third-party cookies for our advertising purposes, as described in our cookie policy.
This is standard language about the sale of data. It reinforces that we do not sell personal data (as defined in the CCPA). And if we were to engage in such practice, we wouldn’t do it without providing a right to opt-out (also as per the CCPA).
I hope this helps clarify things some. Our Privacy Team remains available at [email protected] for individual questions.
