Third Parties and the California Consumer Privacy Act (CCPA)

Posted by Elizabeth Schweyen 

In today’s ever-changing data environment, businesses everywhere rely on partnerships with third parties to help drive their business efforts. Our data-driven economy allows organizations to build customer engagement, increase consumer insight and grow revenue, but with the new restrictions the CCPA is putting on organizations, is the use of third-party data a thing of the past? Luckily, for many organizations, complying with this restriction in the CCPA will simply be a matter of identifying your third-party vendors, defining those relationships within contracts, and implementing processes to comply with the new opt-out of sale rules.

To start, organizations will need to understand how the CCPA defines third parties. According to Section 1798.140(w), a “Third party” means a person who is not any of the following:

  1. The business that collects personal information from consumers under this title.
  2. A person to whom the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract:
    1. Prohibits the person receiving the personal information from:
      1. Selling the personal information.
      2. Retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract.
      3. Retaining, using, or disclosing the information outside of the direct business relationship between the person and the business.
    2. Includes a certification made by the person receiving the personal information that the person understands the restrictions in subparagraph (A) and will comply with them.

This is not to be confused with a “service provider”, which the CCPA defines as a legal entity that “processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract”. This means the business organization itself and its service providers that are using data as instructed are not considered third parties. However, many other organizations exchanging data with a business would fall into the third-party category.

In order for organizations to determine how to handle these vendor relationships, they will need to start by creating a list of all vendors and third parties that are receiving data from the organization. As mentioned in our previous blog on the CCPA vs. GDPR, having an existing data map from GDPR preparations should be helpful in this process. The data map should include all of the organizations that your business is sharing data with, as well as the purpose of sharing the data. It will require you to consider all functional areas of your organization as well, from engineering to HR to finance. It’s likely your company shares data outside of just product development in order to conduct everyday business, which needs to be accounted for.

Once you have an understanding of where your data is being sent outside of the organization, you will want to review the contracts with those organizations to assess the rights the partner/vendor has to the data and determine if additional Privacy Impact Assessments will be required. Can the third party use the data only for the purposes of providing your organization with designated services, or are they able to act as a controller and determine what can be done with the data? (It’s also important to note that although the CCPA doesn’t have the controller/processor language that GDPR does, it may help to identify controllers and processors in contracts so you know who is the decision maker when it comes to the data being shared among organizations.) If it’s the latter, your organization will likely need to disclose this relationship to your consumers, as well as offer them an option to “opt out” of the sale of their data.

Here is where things could get tricky and disrupt a lot of data-driven business relationships. Because of the broad definition of “selling” data under the CCPA, organizations will really have to review their vendor/partner relationships to determine who they may be “selling” data to and if they will need to add the “Opt Out” feature to their website. As a reminder, according to Section 1798.140(t), “Sell,” “selling,” “sale,” or “sold,” means:

  1. selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
  2. For purposes of this title, a business does not sell personal information when:
    1. A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this title. An intentional interaction occurs when the consumer intends to interact with the third party, via one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer’s intent to interact with a third party.
    2. The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer’s personal information for the purposes of alerting third parties that the consumer has opted out of the sale of the consumer’s personal information.
    3. The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose if both of the following conditions are met:
      1. The business has provided notice that information being used or shared in its terms and conditions consistent with Section 1798.135.
      2. The service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose.
    4. The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business provided that information is used or shared consistently with Sections 1798.110 and 1798.115. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with Section 1798.120. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Unfair and Deceptive Practices Act (Chapter 5 (commencing with Section 17200) of Part 2 of Division 7 of the Business and Professions Code).

That’s a really long way of saying that an organization may not necessarily receive payment in exchange for personal information, yet it could still be considered a “sale” of data. As an example in the email context, a sender may make information collected about its subscribers (through tracking or online collection) available to a third-party analytics organization to provide detailed demographic insight. No money is exchanged, as the third party adds the data provided by the email sender to their larger database. Because the third party is now obtaining the data for its own use or the use of other customers, it would fall under the third-party umbrella as defined by the CCPA, despite no money being exchanged. This means the email sender would need to provide their subscribers with an easy way to opt out of their data being passed to this third party. Adding another layer of complexity, organizations will have to communicate to all of their third parties when a consumer exercises their rights, typically requiring organizations to implement technical measures to ensure a smooth process.

So where does that leave your organization? Although it may seem like a really tedious process, everything mentioned is imperative to ensuring your organization and the companies you work with are compliant once CCPA comes into enforcement. Fines could be up to $7500 per intentional violation, potentially resulting in fines in the millions for organizations that are caught out of compliance. Nobody wants to be faced with a multi-million dollar fine for neglecting to ensure their third-party relationships are buttoned up.

CCPA continues to evolve, but it’s important for your organization to start getting your vendor management process organized in order to be prepared when it comes into effect. Although this is the last scheduled post in our CCPA series, we will continue to publish ad hoc posts as the law is finalized, so stay tuned!


About Elizabeth Schweyen

Elizabeth Schweyen is the Privacy Specialist at Return Path. She's involved in helping Return Path prepare for the GDPR and ensuring we stay ahead of industry standards when it comes to Privacy. Elizabeth's previous role on the Return Path Compliance team makes her a stickler for the rules, putting her in an excellent position to help lead the company into GDPR compliance! Outside of work you can find Elizabeth exploring the Rocky Mountains, catching up with friends, or watching Michigan football (Go Blue!).
