CCPA, Customer Interviews, and What Counts as 'Selling' Data
The Compliance Trap in Market Research
Most B2B product managers think CCPA only matters when they’re selling email lists to brokers. They assume that if they’re just "talking to customers" to validate a roadmap, privacy law doesn't touch them.
They are wrong.
Under the California Consumer Privacy Act (CCPA) and its successor, the CPRA, the definition of "selling" and "sharing" is broad. If you exchange personal information (PI) for "valuable consideration"—which can include discounted software, gift cards, or even access to early features—you are entering a regulatory grey area. If that data ends up in your CRM and is used to target ads later, you might be "selling" data without a contract in place to protect you.
For the Director of Product at a Series C fintech, a single sloppy interview thread can trigger an audit trail nightmare. Here is how to navigate the intersection of CCPA and customer interviews without nuking your velocity.
What Actually Counts as 'Selling' or 'Sharing'
The biggest misconception is that "selling" requires a bank transfer. In the eyes of California regulators, value is the metric.
- The Incentive Swap: If you give a VP of Engineering a $200 Amazon card for a 30-minute transcript, you have purchased their PI (name, title, face, voice, opinions). If you then upload that transcript to an AI synthesis tool that uses that data to train models or shares it with third parties, you may have "sold" that data under current interpretations.
- The Retargeting Loop: You interview a prospect. Your marketing team sees the record in Salesforce and adds them to a "Custom Audience" on LinkedIn. Because you transferred PI to a third-party platform for advertising purposes, this is officially "sharing." Under CCPA, the user must have the right to opt out of this specifically.
- The 'Service Provider' Defense: To avoid these labels, everyone you work with—from transcription tools to recruitment platforms—must be a "Service Provider" or "Contractor" with specific language in their DPA (Data Processing Addendum) that forbids them from using the data for any purpose other than the specific project.
The 'Incentive' Audit Trail
If you pay for an interview, you need a paper trail that matches your privacy policy. You cannot simply Venmo a participant and call it a day.
An auditor will look for three things in your interview workflow:
- Notice at Collection: Did the participant see a link to your privacy policy at the exact moment they provided their email to book the call?
- Purpose Limitation: Did you state the data would only be used for research, then use it to train a sales rep? That’s a violation.
- Right to Delete: If that participant emails you six months later asking to be forgotten, can you actually find the video file, the transcript, and the synthesis notes in your Notion board?
Most teams fail on the third point. They have snippets of interviews scattered across Slack and various AI summarizers with no central index. BuyerSignal solves this by providing a compliance-first environment where the exchange of value and the professional identity are handled within a structured framework, ensuring you aren't accidentally "selling" data through improper third-party handoffs.
Why 'Anonymization' is Usually a Lie
A common "hack" among RevOps leads is to strip names from transcripts and assume the data is no longer PI.
CCPA identifies PI as information that "identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
If your transcript says, "As the Head of Infrastructure at a 500-person cloud security firm based in Oakland," you haven't anonymized anything. There is likely only one person with that description. In a B2B context, professional attributes are often unique identifiers. True de-identification is a high bar that simple "find and replace" tools don't meet.
The One Permission Most People Forget
The "grab-bag" consent form is dead. You cannot have one checkbox that covers "recording the call, using my likeness in marketing, and sending me newsletters."
Under CCPA/CPRA, consent must be specific and informed. If you want to use a quote from a research call in a slide deck for your Board, that's one permission. If you want to use it in a public-facing case study, that is a separate, higher-level permission.
Keep your research data in a silo. Do not let it bleed into your general marketing automation platform unless the participant explicitly opted into your marketing list during the research onboarding. Mixing these two data streams is the fastest way to get a "Request to Opt-Out" that you physically cannot fulfill because your data architecture is a bowl of spaghetti.
Five Requirements for a Compliant Interview Program
- Verified DPA: Ensure your recording tool (Zoom/Gong/Otter) has a signed DPA that explicitly limits its use of "Member Content."
- Granular Opt-In: Separate the "record this call" consent from the "contact me for future sales" consent.
- Data Inventory: Maintain a spreadsheet or database of every research participant, the date of the interview, and where their recording is stored.
- The 30-Day Rule: Have a cadence for deleting raw recordings. You need the insights, not the 2GB video file of a guy sitting in his kitchen.
- Vendor Vetting: If you use a marketplace to find participants, ensure they are the ones handling the financial nexus/W-9s. If you pay participants directly, you are collecting even more sensitive PI (tax IDs) which puts you in a much higher risk bracket.
Building a research loop shouldn't require a law degree, but it does require a system. Avoid the "grey market" of unverified outreach and stick to platforms that treat professional identity with the weight the law requires.
BuyerSignal handles the compliance, verification, and structured delivery of professional insights so you can focus on the roadmap. Run your next category discovery loop on BuyerSignal to ensure every conversation is audit-ready and CCPA-compliant.