Historically, organizations haven’t had to publicly disclose the third parties they’ve hired to help them deliver a service, make money, etc. Under California’s new privacy law (CCPA), this changes. When CCPA goes into effect 1 Jan 2020, organizations must disclose to which third parties they’ve sold or transferred the personal data of California residents and more. In this article, we discuss that and other obligations organizations have in regards to their third parties under CCPA. 


Note that the concepts covered in the rest of this article apply solely to the personal information of California residents. For more information on CCPA in general, see our CCPA: Foundations article.


Definitions

In order to fully understand CCPA’s third party requirements, it’s important to understand the following terms:

  • Personal information (PII)
      1. Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
  • Entity
      1. An individual, proprietorship, firm, partnership, joint venture, syndicate, business trust, company, corporation, limited liability company, association, committee, and any other organization or group of persons acting in concert.
  • Third Party
    1. A third party is any entity that is not any of the following:
      1. The business that collects personal information from consumers (i.e., your organization)
      2. An entity to whom your organization discloses a consumer’s personal information for a business purpose pursuant to a written contract, so long as the contract:
        1. Prohibits the entity that’s receiving the personal information from:
          1. Selling the personal information
          2. Retaining, using, or disclosing the personal information for any purpose, including retaining, using or disclosing the personal information for a commercial purpose, other than what’s been explicitly stated in the contract
          3. Retaining, using, or disclosing the information outside of the direct business relationship between the entity and the business.
        2. Includes a certification made by the entity receiving the personal information that the entity understands the restrictions listed above and will comply with them.

Requirements Under CCPA

CCPA imposes several requirements on organizations with regard to the third parties to which they sell or transfer the personal data of California residents. We’ll now cover each of these requirements.

When Selling PII

If your organization sells PII, it must disclose both:

  1. The categories of third parties to whom the organization has sold the individual’s PII
  2. The specific third parties that have received the PII

Obfuscating the Sale of PII

If your organization takes a series of steps or transactions that are intended to avoid complying with CCPA (including transferring information to a third party in order to avoid selling information), California courts disregard these steps/transactions. In short, if your organization’s intent is to sell the information, regardless of whether your organization takes steps to obfuscate the sale, your organization and the third parties will still have to comply with CCPA, and your organization may be found to have violated CCPA.

When Transferring PII

If your organization is transferring PII to a third party, it must state the categories of third parties to whom your organization has transferred the individual’s PII.

When an Individual Opts Out of Having Their Data Sold

At any time, an individual can direct your organization or your third parties not to sell their PII. When an individual opts out of having their PII sold, the organization or third party the individual has contacted must:

  1. Respect the individual’s decision going forward
  2. Wait at least 12 months before asking the individual whether the organization may sell their PII again
  3. Not use the PII collected in the course of fulfilling the opt-out request for any other purpose

Note that if an individual contacts only one of your third parties and opts out, neither your organization nor your other third parties need to stop selling the individual’s data.

When an Individual Requests Their PII be Deleted

When your organization receives a verifiable request (i.e., your organization has confirmed that the request is legitimate and comes from the person it claims to come from) from an individual to have their PII deleted, your organization must:

  1. Delete the individual’s PII from its records
  2. Direct any and all of your third parties that had the individual’s PII to delete the individual’s PII from their records

Third Parties’ Obligations

  1. Your third parties must enter into a contract with you stating that they will comply with CCPA
  2. Your third parties must comply with CCPA
    1. This includes the requirement to implement and maintain a security program that appropriately protects the types of PII the third party processes
  3. Selling PII Received from Your Organization
    1. Third parties to whom your organization sells or transfers PII may not sell the PII they (the third party) have received from your organization.
    2. Third parties may sell the PII they’ve received only if the affected individuals have:
      1. Received explicit notice of the intent to sell their PII
      2. Been given an opportunity to opt out

Receiving Guidance from the Attorney General

Any organization or third party can receive guidance from California’s Attorney General on how to comply with CCPA.

Liability for the Actions of Third Parties

  1. An entity covered by item 2 of the Third Party definition above (an entity that receives PII under a written contract) that violates any of CCPA’s provisions shall be liable for the violations.
  2. Your organization is not liable under CCPA if one of your third parties violates CCPA, so long as all of the following conditions are met:
    1. The third party to which your organization discloses personal information has entered into a contract, as specified in item 2 of the Third Party definition
      1. This contract includes all of the requirements specified in item 2 of the Third Party definition
    2. Your organization has never had any knowledge or reason to believe that the third party intended to violate CCPA

What this Means for Your Organization

When it comes to third parties and CCPA, your organization will need to be selective about which third parties it engages to process the PII of California residents. Specifically, your organization should:

  1. Enter into contracts with all third parties to whom your organization has sold or transferred PII
    1. Ensure these contracts fulfill the obligations specified in this article
  2. Conduct thorough due diligence on all third parties your organization engages, particularly:
    1. Ensure the third parties you’re engaging aren’t currently violating, and don’t intend to violate, CCPA
    2. Third parties that are found to be at too high a risk of violating CCPA should not be engaged
  3. Maintain an up-to-date list, and the categories, of the third parties to whom your organization has sold or transferred PII
    1. This list and the categories of third parties will need to be added to your organization’s privacy policy statement.
  4. If your organization or one of your third parties receives guidance from the Attorney General of California, be sure to follow that guidance

For more detail on CCPA’s requirements and what that means for your organization, see our CCPA: Foundations article.

1 CCPA’s official language uses a different term here than “entity,” but because the official term would create more confusion than is helpful for this article, we are using the term “entity.” For those interested in reading the original text, the original term is “person.”

2 Note: These requirements apply solely to third parties. There are other requirements your organization must comply with in addition to these. We cover all of the requirements in our CCPA: Foundations article.