The California Consumer Privacy Act (CCPA), which went into effect January 1, 2020, took a different approach to how it defines a third party. The privacy law doesn’t indicate what a third party is but rather explains what it is not.
What Third Parties Are Not
Under the privacy law, third parties are people or organizations that are not the following:
- The business that collects consumers’ personal information from consumers under the CCPA.
- A person to whom the business discloses a consumer’s personal information for a business purpose pursuant to a written contract that lays out certain, very specific stipulations.
Under the second option, the contract that governs the third party’s use of a consumer’s personal information must prohibit that third party from:
- Selling the consumer’s personal information.
- Retaining, using, or disclosing the consumer’s personal information for anything other than performing the services specified in the contract. These vendors are typically called “service providers.”
- Retaining, using, or disclosing the consumer’s personal information outside of the direct business relationship between the individual and the business.
In addition, the third party that receives the consumer’s personal information under the CCPA is required to certify that it understands the requirements of the privacy law and will comply with the requirements of the privacy law.
The Goal of the CCPA
The privacy law aims to improve the data privacy and protection rights for California residents by imposing rules on how businesses handle and use consumers’ personal information.
The CCPA, the most extensive consumer privacy law to pass in the United States, has been compared to the European Union’s General Data Protection Regulation (GDPR), other data privacy laws, and data privacy regulations.
However, when it comes to CCPA vs. GDPR, the GDPR focuses on creating a “privacy by default” legal framework for the entire European Union, while the CCPA is about creating transparency by giving California residents certain rights pertaining to their personal data.
The privacy law requires companies to tell California residents what personal data they are collecting. Under the CCPA, California residents have the right to tell businesses not to sell their personal information and request that those companies delete their personal information.
How the CCPA Defines a ‘Business’
Under the California privacy law, a “business” is defined as a “sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners.” Under the CCPA, the business must also collect the personal data of California residents, operate in California, and meet at least one of the following criteria:
- Has annual gross revenues of at least $25 million
- Annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, the personal information of at least 50,000 California residents or households
- Earns more than 50 percent of its annual revenue from selling consumers’ personal information
The privacy law requires that businesses that collect consumers’ personal information tell consumers, at the time they collect the personal data of California residents or before they collect that personal data, about the categories of personal information that they will be collecting. Under the privacy law, the organization must also tell California residents how it will use the categories of personal information it collects.
How the CCPA Defines a Sale
The California Consumer Privacy Act defines “sale” very broadly. Sale basically includes any method of transferring consumers’ personal information. However, under the privacy law, such transfers have to be made in exchange for money or other “valuable consideration.”
Although the CCPA doesn’t define valuable consideration, the privacy law does allow the California attorney general to provide guidelines to further the CCPA’s purpose. And that could mean offering a more specific definition of valuable consideration. However, until that happens, there is nothing definite as to what would constitute valuable consideration under the privacy law.
The California Consumer Privacy Act also limits the ability of third parties to resell consumers’ personal information that they obtain from businesses as defined under the privacy law.
The California Consumer Privacy Act requires that third parties give consumers explicit notice of the sale of their personal information and provide them with the ability to opt-out of the sale of their personal data.
When third parties receive verified consumer requests for access to their personal data, they must give those California residents the following information:
- The categories and specific pieces of personal information the business has collected about the California residents.
- The categories of personal information the business sold about the California residents.
- The categories of third parties to whom they sold consumers’ personal information (identified by the category of personal information for each third party)
- The categories of personal information that the businesses disclosed about the consumers for business purposes.
Under the CCPA, Service Providers Treated Differently than Third Parties
It’s also important to note that third parties are defined and treated differently than service providers, which the California Consumer Privacy Act defines as entities that only “process” information on behalf of businesses and to which those businesses disclose consumers’ personal information for a business purpose specified in their written contracts (as noted above).
This means that businesses and their service providers that use data as specified in their contracts aren’t necessarily considered third parties under the California Consumer Privacy Act.
However, how a business defines its vendors matters because under the privacy law, the business has to disclose to California residents the information about their personal data as noted above as it pertains to third parties. But a business is not required to disclose this information to California residents as it pertains to service providers.
On the other hand, a business must require that its service providers delete consumers; personal information when those California residents request it. But those businesses don’t have that same requirement when it comes to third parties.
Under the California Consumer Privacy Act, if organizations don’t have the proper contracts in place with their service providers, those service providers may be treated as third parties under the privacy law.
If businesses don’t want their service providers to become third parties under the privacy law, those contracts must contain a certification that the party receiving the personal data of California residents understands the requirements of the CCPA and will comply with them.
Not including that certification means that the personal data of California residents that businesses share with service providers would be treated as sales, requiring those businesses to allow California residents to opt-out of having their personal data shared with those third parties.