Since the implementation of the California Consumer Privacy Act (CCPA), many companies have become comfortable with its requirements regarding sharing data with third parties. However, those requirements are about to become more onerous. The California Privacy Rights Act (CPRA), which amends the CCPA and went into effect in January 2023, added new definitions as well as new third-party requirements that will change how companies pass data to third parties–be they service providers, contractors, purchasers of the data, or partners.

Important Definitions

In order to understand the new requirements, an organization first needs to know how the CPRA defines certain terms.

First, is your organization a covered business?

Under the CCPA, covered businesses are for-profit* organizations that do business in California and either:

(1) have an annual gross (worldwide) revenue of over $25 million;
(2) buy, sell, or receive the personal information of 50,000 or more California consumers, households, or devices; or
(3) derive 50% or more of their revenue from selling California residents’ personal information.

The applicability thresholds have been slightly amended by the CPRA, so in 2023, the California privacy laws will apply to for-profit businesses that do business in California and either:

(1) have an annual gross (worldwide) revenue of over $25 million,
(2) buy, sell, share, or receive the personal information of 100,000 or more California consumers or households, or
(3) derive 50% or more of their revenue from selling California residents’ personal information.

Second, is your organization a service provider, a contractor, or a third party?

Under the CPRA, a service provider and a contractor are treated virtually the same in terms of the requirements that apply, but they are defined differently.

Service Provider

A service provider is a party “that processes personal information on behalf of a [covered] business and that receives from or on behalf of [that] business [a] consumer’s personal information for a business purpose pursuant to a written contract.” Essentially, they are data processors who receive a consumer’s personal information either directly from or on behalf of the covered business. 

Contractor

A contractor is a party “to whom the business makes available a consumer’s personal information for a business purpose, pursuant to a written contract.” This definition of a contractor seems to be broader than that of a service provider, since a contractor is “anyone” to whom a business makes consumers’ personal information available, while a service provider “must process” the personal information for the business. It is likely that many organizations you previously treated as service providers under the CCPA may now be classified as contractors under the CPRA. There is a limiting factor on contractors—they may only receive personal information directly from the covered business, i.e., they cannot collect the information on behalf of the business.

Third Party

While in ordinary language you might say that both contractors and service providers are “third parties,” the CPRA defines “third parties” differently. A third party is essentially defined by what it is not: it is not a covered business, a service provider, or a contractor. Under the CPRA, covered businesses are required to put in place certain contractual requirements when they share personal information with, or sell it to, a third party. While these requirements are less extensive than those for service providers or contractors, it is the first time we have seen a US jurisdiction require certain contractual obligations for third parties who are not somehow providing a service to the covered business.

So, as a covered business, how can you determine whether a party you are sharing data with is a contractor or service provider? One easy rule of thumb is that, if the party is collecting the information on your behalf, they are a service provider. If you are providing the personal information to them, you would have to analyze the situation more closely to determine whether they are a service provider or a contractor. Are you disclosing the personal data to them for a business purpose that is not the processing of the data? If yes, then they are a contractor. If no, they are processing it for you and they are a service provider. You might say that the difference between a contractor and a service provider appears to be that the sharing of personal data is incidental to the relationship between the parties, not the purpose of the relationship.

What Does this Mean for You?

Disclosing Information to Any Party

Under the CPRA, if your business collects California consumer personal information and then discloses the information to another party–whether by sale, sharing, or other disclosure–you are now required to enter into a contract with that party that does the following:

(1) specifies that the personal information (PI) is sold or disclosed by the business only for limited and specified purposes;
(2) obligates the recipient party to comply with applicable obligations under the CCPA and CPRA and to provide the same level of privacy protection to the data as California’s privacy law requires;
(3) grants the business the right to take reasonable and appropriate steps to ensure that the other party uses the PI in a manner consistent with the business’s obligations under the law;
(4) requires the other party to notify the business if it determines that it can no longer meet its obligations under California privacy law; and
(5) grants the business the right to take reasonable and appropriate steps (in compliance with the CCPA) to stop and remediate any unauthorized use of the personal information.

In regard to service providers and contractors specifically

For both service providers and contractors, businesses are required to enter into contracts that protect the personal information in some additional ways that are not required for third parties. Service provider and contractor data agreements must, in addition to the above requirements, prohibit: (1) selling or sharing the personal information, (2) retaining, using, or disclosing the PI for any purpose other than for the business purposes laid out in the contract, (3) retaining, using, or otherwise disclosing the PI outside of the direct relationship between the parties, and (4) combining the PI with PI received/collected in other contexts.

In addition to these contractual limitations for service providers and contractors, contractors must have data contracts with a few additional requirements. Under the CPRA, a contractor is required to certify that it understands its responsibilities (i.e., the prohibitions listed above) and permit the covered business to monitor its contractual compliance. Monitoring can be accomplished through various measures that, according to statute, might include manual review, automated scans, regular assessments, audits, or other technical measures and testing. Contractually, these could be conducted by the business at least once a year. The CPRA states that in regard to service providers, contracts may require such monitoring, but it is not required.

In Summary

Covered businesses in California need to be prepared to implement new data processing agreements starting in 2023 in order to disclose personal information for any reason, including, for the first time, for the purpose of selling data. No matter the type of data disclosure or recipient, these data processing agreements will have some common elements that enable the covered business to exercise some control over personal information throughout its lifecycle as it moves through the stream of commerce. It will become more important for covered businesses to be able to differentiate between a contractor, a service provider, and a third party in order to ensure that they put the right contractual protections in place for the personal data being disclosed to the other party. Overall, all parties involved in the exchange of data will have higher duties placed on them than in the past. The covered business will have one benefit–if it can show it fulfilled its legal obligations under the CPRA, it may be able to transfer some of its legal liability to the parties to whom it disclosed the data if the compliance failures happen downstream.

Need help complying with the CPRA?

SixFifty’s California Privacy toolset helps businesses navigate these complex and dynamic privacy laws. With SixFifty, your privacy documents will never be out of date, even as the laws change. Schedule a demo today.

*Be aware that there are some limited situations in which the CCPA and CPRA are applicable to non-profit organizations. See Cal. Civ. Code § 1798.140.