Back to Blog

Selling vs Sharing : The CPRA Introduces Complexity For Software Vendors

Third-party software libraries, also known as software development kits (SDKs), have become an integral part of modern software development. These pre-built libraries and modules offer a wide range of functionality from basic everyday utility to advanced machine learning algorithms and can be quickly integrated into a software project. The use of third-party software has grown in popularity as it allows developers to quickly and easily add functionality to their applications and, hence, to move from concept to finished software product in record time. Using pre-built functionality from open-source libraries and frameworks can save significant amounts of time compared to developing that functionality from scratch. Popular package managers like npm for JavaScript, pip for Python, and Maven for Java make it easy for developers to discover and use these libraries which can save time and improve the quality of the software being built.

A study published in 2018 found that the average number of third-party libraries included in mobile apps on the Google Play Store was around 9 per app. Another study published in 2017 looked at the use of third-party libraries in Python projects on the popular code-sharing platform GitHub and found that the median number of third-party libraries per project was around 3, but that some projects included as many as 77 different libraries. A 2016 study of Java projects on GitHub found that the average number of third-party libraries per project was around 12, and that the most commonly used libraries were for tasks such as logging, unit testing, and handling JSON data. The use of third-party code also comes with risks. Third-party software may collect and transmit personal information, such as browsing history, search queries, and location data. Many individuals and software vendors that offer software libraries are not transparent about the types of data they are collecting, how they use that data, or for how long it is retained.

The California Consumer Privacy Act (CCPA) is a law passed in California in 2018 that gives California residents more control over their personal information. One key aspect of the law is the requirement for businesses to disclose when they “sell” personal information. The CCPA defined “selling” personal information as the exchange of personal information for monetary or other valuable consideration. This includes renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration. The CCPA’s definition of selling data is quite broad, and it can include many common business practices such as sharing data with third-party service providers or partners for marketing or advertising purposes. For example, if a business collects personal information from its customers and then shares that information with a data broker who uses it to create targeted advertising campaigns, the business would be considered to be “selling” personal information under the CCPA.

Although the CCPA’s definition of selling personal information is quite broad and it requires businesses to disclose when they share personal information with third parties for monetary or other valuable consideration, it’s important to note that it did not include sharing personal information for the specific purpose of fulfilling a transaction, providing a requested service, or carrying out a requested business function. More importantly, it did not include the sharing of information without any specific financial benefit.

The California Privacy Rights Act (CPRA) is an amendment to the California Consumer Privacy Act (CCPA) that was passed in 2020. It strengthens the privacy rights of California residents and expands the scope of the CCPA. One aspect of the CPRA is the requirement for businesses to obtain explicit consent before sharing personal information with third parties. The CPRA has expanded the CCPA-granted right for consumers to opt-out of the sale of their personal data to also include the sharing of personal information. The CPRA definition of sharing has been purposefully and widely defined as “disclosing, disseminating, making available, and transferring” and, notably, does not have to be “for profit”. This means that software producers must comprehensively understand all of the third parties that have access to their codebases and where, exactly, the PII and SPI that they collect or otherwise govern may be exposed.

To understand this information, including the inventory of third-party software libraries that are utilized across our collection of applications, we conduct regular software architect and developer interviews. Conducting privacy-focused developer interviews can require a significant amount of effort as they involve assessing the privacy practices and data handling of the application being developed on a regular basis. It’s key for organizations to allocate the necessary resources and effort to identify and address any privacy-related issues and ensure that the application is developed in compliance with relevant laws, regulations, and internal standards, but this becomes a heavyweight and challenging process across disparate application infrastructure and hundreds and thousands of software repositories that evolve quickly over time.

Privya is a software code scanner that scans source code and identifies and maps PII, SPI, and related risks focused on data storage, retention, third parties, and more. Privya deploys where your code lives and scans each code-level change when it happens rather than waiting months to identify them in interviews, if ever. Privya identifies the specific information shared with third parties that your developers utilize in the building of your applications as it happens in real time. As a privacy analyst you’ll gain the objective and continuous visibility you require to make key decisions around your privacy position and communicate those specifics to stakeholders in flexible ways. Privya provides all of the information you require to understand, map, and document PII and privacy related risks like data protection and retention, data sovereignty, model bias, and much more. We’d love to show you how!

Uzy Hadad
Uzy Hadad


Scroll to Top