So I am a third party, not a service provider. What to do?

Richard Eisert, Partner, Davis + Gilbert

Zachary Klein, Partner, Davis+Gilbert

“Data Driven Thinking” is written by members of the media community and contains fresh thoughts on the digital revolution in media.

Today’s column is written by Richard Eisert, Partner and Co-Chair, Advertising + Marketing and Privacy + Data Security Practice Groups, and Zachary Klein, Partner, Privacy + Data Security and Advertising + Marketing Practice Groups, both at Davis + Gilbert.

Companies across the ad tech ecosystem are considering the fact that they may no longer qualify as a “Service Provider” under the California Privacy Act. Instead, they may be considered “third parties” — and possibly even “businesses.” As such, their compliance obligations may be more challenging.

The CPRA states that while businesses may still disclose personal information to “service providers” for “commercial purposes,” these “commercial purposes” do not include “Cross-Context Behavioral Advertising.” Any disclosure of such advertising activities will disqualify any recipient of that information from being considered a “Service Provider.”

In addition to these limitations, Service Providers will face significant limitations in their ability to combine Personal Information received from the Business with Personal Information collected from other sources. This will significantly impact ad tech vendors that perform measurement or analysis services.

If these changes apply to your organization – such that you lose your “Safe Harbor” or your “Service Provider” designation – this is what to expect.

Contractual obligations

First, “service providers” that are soon to be “third parties” need to rethink the contracts under which they receive data from “businesses.” The CPRA requires a “business” and a “third party” to enter into a written agreement whose terms, while not as restrictive as those governing a “service provider,” subject the “third party” to contractual restrictions and oversight by the disclosing “business.”

This essentially imposes a “data processing agreement” or “DPA” requirement on the third party. In addition, it puts the “third party” in a somewhat disadvantageous position: it cannot enjoy the immunity from certain statutory obligations and responsibilities that a “service provider” has, and it does not provide the “enterprise” with all the options.

Specific obligations as a third party

While most CCPA/CPRA requirements generally apply to “businesses,” there are provisions that are specific to “third parties.”

Some of these provisions specify when and how “third parties” should provide privacy disclosures to consumers. For example, the CPRA explains that businesses that control the collection of consumers’ personal information “as third parties” can comply with those obligations “by prominently and conspicuously making the required information available on the home page of their Internet sites.”

Additionally, the CPRA prohibits third parties from selling or sharing personal information disclosed to them by businesses unless consumers “received clear notice” and were given an “opportunity to exercise their right to opt-out.” Not only does this language indicate that “third parties” are responsible for providing the required privacy notice, but they may also be held liable for failure to do so.

Finally, the wording of the statute suggests that a “third party” may be directly liable under the CCPA/CPRA for not having an appropriate contract or even failing to perform the terms of such a contract.

Requirements for enterprises

A company that becomes a “third party” under the CCPA/CPRA because it no longer meets the criteria for a “service provider” may be considered a “business” in many cases. However, the CCPA/CPRA has threshold criteria for determining whether a company is a “business.” That is, a “business” must meet one of the following criteria:

  • Gross annual revenue for the preceding calendar year exceeds $25 million;
  • Buys, sells or shares personal information of 100,000 or more consumers or households each year; or
  • 50% or more of its annual revenue comes from selling or sharing consumers’ personal information.

Therefore, if a company that receives personal information as a “third party” does not meet one of these three factors, it will not be considered a “business.” Furthermore, in some cases, despite meeting the above criteria, a “third party” is not a “business” because its contract with the disclosing entity prohibits it from determining the “purpose and means of processing.”

Takeaway

Changing the status from “Service Provider” to “Third Party” does not automatically subject the company to full CCPA/CPRA “business” obligations.

However, if an entity receiving personal information meets the “business” criteria, it must be prepared to provide notice at the time of collection, facilitate consumer enforcement requests, and meet other statutory requirements as a “business.”

According to Davis+Gilbert (@dglaw) and AdExchanger (@adexchanger) on Twitter.


