Third Parties and the California Consumer Privacy Act (CCPA)

In the ever-changing data environment, companies around the world rely on partnerships with third parties to support their commercial efforts. Our data-driven economy allows organizations to increase customer engagement, raise awareness and grow revenue, but with the new restrictions the CCPA imposes on organizations, is the use of third-party data a thing of the past? Fortunately, for many organizations, meeting this part of the CCPA will simply mean identifying your third-party vendors, defining those relationships in contracts, and implementing processes to comply with the new opt-out rules.

To begin, organizations will need to understand how the CCPA defines third parties. According to Section 1798.140(w), "third party" means a person who is not one of the following:

The business that collects personal information from consumers under this title.
A person to whom the business discloses a consumer's personal information for a business purpose under a written contract, provided that the contract:
Prohibits the person receiving the personal information from:
Selling the personal information.
Retaining, using or disclosing the personal information for any purpose other than performing the services specified in the contract, including retaining, using or disclosing the personal information for a commercial purpose other than providing the services specified in the contract.
Retaining, using or disclosing the information outside the direct business relationship between the person and the business.

Includes a certification made by the person receiving the personal information that the person understands and will comply with the restrictions set out in subparagraph (A).

Not to be confused with a "service provider", which the CCPA defines as a legal entity that "processes information on behalf of a business and to which the business discloses a consumer's personal information for a business purpose under a written contract". This means that the business itself and the service providers who use the data only according to its instructions are not considered third parties. However, many other organizations that exchange data with a business would fall into the category of third parties.

For organizations to determine how to manage these vendor relationships, they should start by creating a list of all vendors and third parties who receive data from the organization. As mentioned in our previous blog post on CCPA vs. GDPR, having an existing data map prepared for GDPR should be helpful in this process. The data map should include every organization with which your company shares data, as well as the purpose of sharing it. You will also need to consider all the functional areas of your organization, from engineering to human resources to finance. It is likely that your company shares data outside of product development in order to conduct day-to-day activities, and that sharing needs to be accounted for too.

Once you understand where your data is sent outside the organization, you will want to review the contracts with these organizations to assess the partner's or vendor's rights over the data and determine whether privacy impact assessments will be needed. Can the third party use the data solely for the purpose of providing your organization with the designated services, or can they act as a controller and decide for themselves what is done with the data? (It is also worth noting that although the CCPA does not use controller/processor language, unlike GDPR, it can be helpful to identify the controllers and processors in your contracts so that you know who the decision maker is when data is shared between organizations.) If the latter is the case, your organization will probably have to disclose this relationship to your consumers and offer them an option to "opt out" of the sale of their data.

Here is where things could become difficult and disrupt many data-driven business relationships. Because of the broad definition of "selling" data in the CCPA, organizations will need to review their vendor and partner relationships carefully to determine to whom they "sell" data and whether they will need to add an "opt out" feature to their website. As a reminder, according to Section 1798.140(t), "sell", "selling", "sale" or "sold" means:

selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration.
For the purposes of this title, a business does not sell personal information when:
A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided that the third party does not also sell the personal information, unless that disclosure is consistent with the provisions of this title. An intentional interaction occurs when the consumer intends to interact with the third party, via one or more deliberate interactions. Hovering over, muting, pausing or closing a given piece of content does not constitute the consumer's intent to interact with a third party.
The business uses or shares an identifier for a consumer who has opted out of the sale of their personal information for the purpose of alerting third parties that the consumer has opted out of the sale of their personal information.
The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose, provided that the service provider does not sell the personal information and both of the following conditions are met:
The business has provided notice, in its terms and conditions, that the information is being used or shared, consistent with Section 1798.135.
The service provider does not further collect, sell or use the consumer's personal information except as necessary to perform the business purpose.

The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the business, provided that the information is used or shared consistently with Sections 1798.110 and 1798.115. If a third party materially alters how it uses or shares a consumer's personal information in a manner that is materially inconsistent with the promises made at the time of collection, it must provide prior notice to the consumer. The notice must be sufficiently prominent and robust so that existing consumers can easily exercise their choices in accordance with Section 1798.120. This paragraph does not authorize a business to make material, retroactive changes to its privacy policy, or any other changes to its privacy policy, in a manner that would violate the unfair and deceptive practices law (Chapter 5, commencing with Section 17200, of Part 2 of Division 7 of the Business and Professions Code).

This is a very long way of saying that an organization does not necessarily have to receive payment in exchange for personal information for the exchange to be considered a "sale" of data. For example, in the context of email, a sender may make the information collected about its subscribers (via tracking or online collection) available to a third-party analytics organization in exchange for detailed demographic information. No money changes hands, because the third party simply adds the data provided by the email sender to its larger database. Since the third party now obtains the data for its own use or for that of its other clients, that organization would fall under the CCPA's definition of a third party, despite the absence of any exchange of money. This means that the email sender must provide its subscribers with a simple means of opting out of having their data transmitted to that third party. Adding another layer of complexity, organizations will have to communicate with all of their third parties whenever a consumer exercises their rights, which generally requires implementing technical measures to make that process run smoothly.

So, where does this leave your organization? Although the process may seem tedious, it is imperative to make every effort to ensure the compliance of your organization and the companies you work with once the CCPA comes into effect. Fines may be up to $7,500 per intentional violation, which could add up to fines of several million dollars for non-compliant organizations. Nobody wants to be fined millions of dollars for failing to ensure that their relationships with third parties are locked down.

The CCPA continues to evolve, but it is important for your organization to start organizing its vendor management process now so that it is ready as soon as the law comes into effect. Although this is the last planned post in our CCPA series, we will continue to publish ad hoc posts as the law is finalized, so stay tuned!
