Is Your Business Unintentionally Selling Personal Information under the CCPA?
The CCPA has redefined what it means to be a Business, Third Party, and Service Provider, and it is important to get these terms right in order to understand how to comply with the California Consumer Privacy Act (CCPA). We conducted an empirical analysis of whether, and how, organizations in traditional vendor roles identify themselves under the CCPA.
Author’s Note: We use the terms “organization” and “vendor” throughout the analysis to avoid confusion with the terms “business,” “third party,” and “service provider,” which are defined in the CCPA and are also common nomenclature within an organization’s everyday activities.
When viewed through a privacy lens, the terms “sale,” “third party,” and “service provider” take on different meanings under the CCPA from those traditionally understood in the business world. Organizations must understand how these terms are defined under the CCPA in order to comply with it adequately, because these definitions largely determine whether the business is selling personal information.
Our findings show that most vendors have not publicly stated their roles under the CCPA. We discovered that certain services or fields are clear about their role and have readily available contract addendums so that their clients can easily review and execute them. Other industries are inconsistent or silent on the matter. Detailed findings can be found below. But first, a quick refresher on the CCPA and these definitions.
An Overview of the CCPA
The CCPA was signed into law in June 2018, went into effect on January 1, 2020, and AG enforcement started on July 1, 2020. The intent of the CCPA is to provide consumers with more transparency and control over the uses of their personal information. The CCPA embodies these principles by protecting the personal information of California consumers (i.e., California residents). As such, organizations processing the personal information of California consumers have new obligations, including providing specific notice disclosures, honoring consumer privacy rights, and facing the CCPA’s private right of action for certain data breaches. Which of these obligations apply depends on how the organization is defined under the CCPA.
Are Businesses Unintentionally Selling Personal Information under the CCPA?
It becomes painfully obvious very early when reading the CCPA that organizations need to determine not only whether they are a business, third party, service provider, or some combination of the three, but also how the organizations they share personal information with are defined under the CCPA. This determines whether the organization is selling data, what disclosures are required, which consumer rights apply, and what the organization’s breach-related obligations are.
Below we provide our empirical findings on whether organizations in a vendor role define themselves as a third party, a service provider, or both, or remain silent under the CCPA. This study was conducted by reviewing each organization’s web-facing properties, including privacy policies, terms and conditions, and any other information we found available on the web. The organizations analyzed are the most common across our clients, and you may recognize many of them. If you have in-depth questions or need assistance with operationalizing your privacy program to comply with the CCPA, check out our CCPA Playbook.
Key Definitions under the CCPA
- “Business” means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information…and that…determines the purposes and means of the processing…that does business in the State of California, and meets one of the following:
- Has annual gross revenues in excess of $25 million;
- Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or
- Derives 50% or more of its annual revenues from selling consumers’ personal information.
- “Service provider” means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.
- “Third party” means a person who is not any of the following:
  - The business that collects personal information from consumers under this title.
  - A person to whom the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract:
    - Prohibits the person receiving the personal information from:
      - Selling the personal information.
      - Retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract.
      - Retaining, using, or disclosing the information outside of the direct business relationship between the person and the business.
    - Includes a certification made by the person receiving the personal information that the person understands the restrictions in subparagraph (A) and will comply with them.
- “Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
It is therefore clear why organizations have an incentive to qualify as service providers, and why a business under the CCPA wants to limit its sharing of personal information to service providers only. A business’s obligations are substantially reduced if it shares personal information only with service providers rather than selling it to third parties. Sharing personal information with a service provider is not considered a sale of personal information, so it is imperative that organizations first determine what their vendors are under the CCPA.
Why We Did This Research
As we work with our clients to assess and implement privacy programs surrounding the CCPA, we receive the following two questions most often:
- “Are vendors and other organizations we are sharing personal information with a business, third party, service provider, or some combination of the three?”
- “Are we selling personal information?”
To answer these questions, we review whether the organization has publicly released information about its role (and the context in which it falls under that definition) under the CCPA when acting in a vendor role, as well as any available contractual terms that our clients rely upon.
We found that organizations may act as just a service provider, just a third party, or just a business. However, some act as a combination of the three depending on the context of the sharing and processing activities involving the personal information. Note that we do not rely solely on an organization’s self-designation under the CCPA; we perform a thorough review of the processing and sharing activities to confirm that we agree with how a client’s vendors are defined under the CCPA. We recommend your organization conduct a similar review of any available addendums prior to execution.
Overview of Findings
We analyzed the most common vendors we see among our clients, and you will likely recognize some of the organizations analyzed as part of this empirical study. Below is a sample of the organizations analyzed.
Key Insight: Our research indicates that organizations are hesitant to publicly define themselves as Third Parties under the CCPA. This is not surprising given that the role is a relatively new concept and that being a third party carries the consequences of selling personal information under the CCPA.
Vendors per Department
Through client engagements, CompliancePoint typically finds certain departments using the most vendors, including Marketing (20%), Website (18%), IT (18%) and Human Resources (17%). Below is a breakdown of the vendors analyzed as part of this study.
Further, CompliancePoint found that the majority of vendors utilized by departments that typically process consumer (non-employee context) information, such as Marketing, Customer Support, Finance, and Website, have publicly stated they act as a service provider.
Key Insight: Marketing typically utilizes the most vendors (20% of the organizations analyzed as part of this empirical study). Customer Relationship Management (CRM), Email Service Providers (ESPs), social media management platforms, and SMS platforms all typically process a lot of personal information on behalf of businesses, so it is no surprise that over half (52%) of the marketing vendors analyzed have determined they act as service providers.
Percent of Organization Type as Service Providers
The chart below outlines the most common organization types we see and the percentage of those that have determined they act as a service provider.
Key Insight: The CCPA currently exempts personal information collected within the employment context from the consumer privacy rights requirements (including the right to opt out of the sale of personal information), which is likely why none of the HRIS organizations analyzed have publicly identified themselves as service providers under the CCPA.
Service Providers with Publicly Available Addendums
Our research indicates organizations are hesitant to put a stake in the ground when it comes to defining themselves in writing as a business, third party, and/or service provider under the CCPA. We believe this is due in part to the relative novelty of these definitions, as well as to ambiguity in the regulation and the lack of guidance from enforcement actions and court decisions. Organizations that have not already done so should compile a list of the organizations they share personal information with and begin determining how each is defined under the CCPA. This can be accomplished through a data mapping engagement and through interviews with the business departments.
Download our comprehensive findings here. Please note that this is a point-in-time study, and results are subject to change. We did not include links to the publicly available addendums within the comprehensive findings because the location of these frequently changes. We will update this list regularly, so continue to check in with us.
If you have any questions about this study or anything related to the CCPA or data privacy, please contact us at firstname.lastname@example.org.
Let us help you identify any information security risks or compliance gaps that may be threatening your business or its valued data assets. Businesses in every industry face scrutiny for how they handle sensitive data including customer and prospect information.