“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is written by Richard Eisert, partner and co-chair of the advertising + marketing and privacy + data security practice groups, and Zachary Klein, associate in the privacy + data security and advertising + marketing practice groups, both at Davis+Gilbert.
Companies throughout the ad tech ecosystem are reckoning with the fact that, due to the revised definition of “business purpose” in the California Privacy Rights Act (CPRA), which amends the California Consumer Privacy Act (CCPA), they may no longer qualify as “service providers” under California privacy law. Instead, they might be treated as “third parties” – and possibly even as “businesses.” As a result, their compliance obligations are likely to be more challenging.
The CPRA provides that, while businesses can still disclose personal information to “service providers” for “business purposes,” those “business purposes” do not include “cross-context behavioral advertising.” Any disclosure for such advertising activities will disqualify any recipient of that information from being considered a “service provider.”
On top of these restrictions, “service providers” will face significant limits on their ability to combine personal information received from a “business” with personal information collected from other sources. This will significantly impact ad tech vendors that conduct measurement or analytics services.
If these changes apply to your organization – such that you lose the “safe harbor” of your “service provider” designation – here is what to expect.
Contractual obligations
As an initial matter, “service providers” that are about to become third parties will need to rethink the contracts under which they receive data from a “business.” The CPRA obligates “businesses” and “third parties” to enter into written agreements with terms that, while not as restrictive as those governing “service providers,” subject “third parties” to contractual limitations and oversight by the disclosing “business.”
This essentially imposes a “Data Processing Agreement” or “DPA” requirement on third parties. Plus, it places “third parties” in the somewhat disadvantageous position of being unable to enjoy exemption from certain statutory obligations and liabilities as a “service provider,” while also not having the full range of options afforded to a “business.”
Specific obligations as a third party
Although most CCPA/CPRA requirements apply to “businesses” generally, there are a few provisions that specifically refer to “third parties.”
Some of these provisions clarify when and how “third parties” should provide consumers with privacy disclosures. For example, the CPRA explains that a business “acting as a third party” that controls the collection of consumers’ personal information may satisfy these obligations “by providing the required information prominently and conspicuously on the homepage of its internet website.”
Additionally, unless consumers have “received explicit notice” and are given “an opportunity to exercise the right to opt out,” the CPRA prohibits a third party from selling or sharing personal information that a business has disclosed to it. This language suggests not only that “third parties” share a responsibility to provide the necessary privacy notices, but that they also may be liable for failing to do so.
Finally, the wording of the regulations suggests that “third parties” may be directly liable under the CCPA/CPRA for not having an appropriate contract in place or even for failing to honor the terms of such a contract.
Requirements for businesses
Companies that are “third parties” under the CCPA/CPRA by virtue of no longer meeting the criteria of a “service provider” may be treated as “businesses” in many cases. However, the CCPA/CPRA has threshold standards for determining whether a company is a “business.” Namely, a “business” must meet one of the following criteria:
- Have had annual gross revenues in excess of $25 million in the preceding calendar year;
- Annually buy, sell or share the personal information of 100,000 or more consumers or households; or
- Derive 50% or more of its annual revenues from selling or sharing consumers’ personal information.
Accordingly, if a company receiving personal information as a “third party” does not meet one of these three factors, it will not be treated as a “business.” Moreover, there may be circumstances where, despite meeting the above criteria, the “third party” is not a “business” because its contract with the disclosing entity prohibits it from determining “the purposes and means of the processing.”
The takeaway
Changing status from “service provider” to “third party” does not automatically subject a company to the full range of CCPA/CPRA “business” obligations.
However, if an entity receiving personal information meets the “business” standard, it must be prepared to provide a notice at collection, facilitate consumer rights requests and satisfy other statutory requirements as a “business.”