September 24, 2019

No matter what your business deals with at its core, it is likely that you rely on third parties to help with everyday operations. They can be a great option when it comes to almost any aspect of business operations, giving you more time to manage the most important elements while outsourcing those that do not necessarily require internal review. However, relying on third parties also means that you need to pay attention to new requirements under the California Consumer Privacy Act (“CCPA”), which goes into effect on January 1, 2020. As it currently stands, the CCPA promises to immediately impact your negotiated agreements with third parties, especially if you currently sell data to them. In this article, we will lay out (1) how the CCPA defines third parties; (2) what requirements it imposes on businesses that use third-party vendors; and (3) how you can ensure your business is in compliance with these requirements. If you aren’t sure whether your business is required to comply with the CCPA, be sure to take our free CCPA Applicability Quiz before continuing on below.

How the CCPA Defines Third Parties

Section 1798.140(w) of the CCPA defines third parties in the negative, which is to say, the law tells us what a third party is not. Specifically, third parties are people or organizations that are not the following:

1. The business that collects personal information from consumers under the CCPA (so third parties are not your organization if your organization is the one collecting the information);


2. A person to whom the business discloses a consumer’s personal information for a business purpose pursuant to a written contract with certain, very specific stipulations laid out.

Under option (2), the contract governing the party’s use of personal information must prohibit that person from:

1. Selling the personal information;
2. Retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract; and
3. Retaining, using, or disclosing the information outside of the direct business relationship between the person and the business.

Additionally, the third party receiving the personal information must certify that it understands the above limitations and will comply with them. Vendors that fall under option (2) are generally referred to as Service Providers.

Understanding the CCPA’s Requirements for Third Parties

Right out of the gate, Section 1798.115(d) of the CCPA limits third parties’ ability to resell personal information they obtain from your business. It requires that they give consumers explicit notice of the sale of their information and provide them with the ability to opt out of that sale. (Curious about who counts as a consumer under the CCPA? We cover that here.) Sections 1798.120(a-b) offer more detail regarding the consumer’s right to notice and to opt out of the sale of personal information. When your business receives a verified information access request from a consumer, you must provide the following individualized information:

1. the categories and specific pieces of personal information the business has collected about the consumer;
2. the categories of personal information the business sold about the consumer;
3. the categories of third parties to whom the consumer’s personal information was sold (identified by category of personal information for each third party); and
4. the categories of personal information that the business disclosed about the consumer for a business purpose.
CCPA 1798.110(c).

Importantly, third parties are defined and treated differently from service providers, which the CCPA notes are entities that only “process[] information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract.” This means that both your business and its service providers that use data as instructed are not necessarily considered third parties under the CCPA. However, how these vendors are defined really matters because your business is required to make the disclosures noted above with regard to third parties, but the same requirement does not apply to service providers. Conversely, businesses must require service providers to delete personal information when a consumer requests the business to do so, but they do not have the same requirement with regard to third parties.

If you do not have the proper contracts with your service providers, they may be treated as third parties under the CCPA. In order to avoid becoming a third party under the law, the contract must contain the certification that the party receiving the personal information understands the requirements and will comply with them. Failure to include the certification means that information you share with service providers would be treated as a sale and come under the requirement that you allow consumers to opt out of your sharing of information with those vendors.

Furthermore, under Title 1.81 of California law, a limited group of customers are already able to bring a civil suit for actual and statutory damages if you are found to have violated their notice and choice rights with regard to the sharing of personal information with third parties for the business’s own direct marketing purposes (the Shine the Light Act). Thus, it is in your company’s best interest to ensure that your contracts with third parties and service providers not only use the appropriate language under the CCPA’s definitions, but also that you develop risk management strategies with regard to third-party use of your consumers’ personal information. Below, we share some more thoughts on how to begin developing such a plan.

Third-Party Compliance Under the CCPA

Once you understand which vendors qualify as third parties and the new requirements for them under the CCPA, you can start to take steps towards compliance. First, you will need to determine which third parties you are currently providing with personal information in order to review any related contracts and make any required changes. Second, you will want to ensure that your company has appropriate risk management policies and procedures in place for dealing with these same vendors. Opening channels of communication with those third parties can also ensure that if a breach or unauthorized sale does occur, the matter can be addressed quickly and efficiently. In order to help you identify third parties with whom you share consumer information, you will first want to create a list, or data map, that covers all of the data or personal information your organization collects and shares.

A thorough data map is vital to help identify your third-party vendors and differentiate them from service providers. This will help you identify which contracts need to implement the new CCPA-required contract terms that limit your need to disclose information and limit your business’s liability. If your business has not already done so, now is the best time to start the process of creating new contracts and renegotiating where necessary. Similarly, your organization should plan to include the CCPA-required terms in any new contracts that involve the sharing, transfer, or sale of personal information on a go-forward basis. SixFifty Privacy can provide you with automation tools for the creation of these contract terms along with timely updates should the California rules change. To learn more about how SixFifty can help your company expedite CCPA compliance, visit, or schedule a demo with SixFifty here.

***DISCLAIMER: This publication has been prepared by SixFifty, LLC to provide information of interest to our readers regarding the California Consumer Privacy Act. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. SixFifty, LLC does not provide legal advice.***