In today’s ever-changing data environment, businesses everywhere rely on partnerships with third parties to help drive their business efforts. Our data-driven economy allows organizations to build customer engagement, increase consumer insight and grow revenue, but with the new restrictions the CCPA is putting on organizations, is the use of third-party data a thing of the past? Luckily, for many organizations, complying with this restriction in the CCPA will simply be a matter of identifying your third-party vendors, defining those relationships within contracts, and implementing processes to comply with the new opt-out-of-sale rules.
To start, organizations will need to understand how the CCPA defines third parties. According to Section 1798.140(w), a “Third party” means a person who is not any of the following:
This is not to be confused with a “service provider”, which the CCPA defines as a legal entity that “processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract”. This means the business organization itself and its service providers, which use data only as instructed, are not considered third parties. However, many other organizations exchanging data with a business would fall into the third-party category.
In order for organizations to determine how to handle these vendor relationships, they will need to start by creating a list of all vendors and third parties that are receiving data from the organization. As mentioned in our previous blog on the CCPA vs. GDPR, having an existing data map from GDPR preparations should be helpful in this process. The data map should include all of the organizations that your business is sharing data with, as well as the purpose of sharing the data. It will require you to consider all functional areas of your organization as well, from engineering to HR to finance. It’s likely your company shares data outside of product development in order to conduct everyday business, and that sharing needs to be accounted for too.
Once you have an understanding of where your data is being sent outside of the organization, you will want to review the contracts with those organizations to assess the rights the partner/vendor has to the data and determine if additional Privacy Impact Assessments will be required. Can the third party use the data only for the purposes of providing your organization with designated services, or are they able to act as a controller and determine what can be done with the data? (Although the CCPA doesn’t use the controller/processor language that GDPR does, it may help to identify controllers and processors in contracts so you know who the decision maker is when data is shared among organizations.) If it’s the latter, your organization will likely need to disclose this relationship to your consumers, as well as offer them an option to “opt out” of the sale of their data.
Here is where things could get tricky and disrupt a lot of data-driven business relationships. Because of the broad definition of “selling” data under the CCPA, organizations will really have to review their vendor/partner relationships to determine who they may be “selling” data to and if they will need to add the “Opt Out” feature to their website. As a reminder, according to Section 1798.140(t) “Sell,” “selling,” “sale,” or “sold,” means:
That’s a really long way of saying that an organization may not necessarily receive payment in exchange for personal information, yet the exchange could still be considered a “sale” of data. As an example in the email context, a sender may make information collected about its subscribers (through tracking or online collection) available to a third-party analytics organization to provide detailed demographic insight. No money is exchanged; instead, the third party adds the data provided by the email sender to its larger database. Because the third party is now obtaining the data for its own use or for the use of its other customers, it falls under the third-party umbrella as defined by the CCPA, despite no money changing hands. This means the email sender would need to provide its subscribers an easy way to opt out of their data being passed to this third party. Adding another layer of complexity, organizations will have to notify all of their third parties when a consumer exercises their rights, which typically requires implementing technical measures to ensure a smooth process.
So where does that leave your organization? Although it may seem like a really tedious process, everything mentioned is imperative to ensuring your organization and the companies you work with are compliant once the CCPA comes into enforcement. Fines could be up to $7,500 per intentional violation, potentially adding up to millions for organizations that are caught out of compliance. Nobody wants to be faced with a multi-million dollar fine for neglecting to ensure their third-party relationships are buttoned up.
The CCPA continues to evolve, but it’s important for your organization to start getting your vendor management process organized in order to be prepared when it comes into effect. Although this is the last scheduled post in our CCPA series, we will continue to publish ad hoc posts as the law is finalized, so stay tuned!