By now, we all know an organization can be a “business,” “service provider” or “third party” under the California Consumer Privacy Act. However, the questions of what a “third party” is and whether it is a mutually exclusive classification from “business” (or, to a lesser extent, “service provider”) still elicit widely divergent responses. And even if the California Privacy Rights Act passes Nov. 3, these questions will remain relevant.
We seek to demystify this classification conundrum by explaining that your organization is a “third party” whenever it receives personal information from another organization (unless your organization is receiving it in a “service provider” or similar capacity, as discussed below).
Plus, after receiving this PI as a “third party,” your organization must also protect the information as a “business” if it otherwise meets the “business” definition (i.e., more than $25 million in revenue, etcetera). In this case, your organization would be a “third-party business.”
Breaking down the 'third party' definition
The CCPA provides that an organization is a “third party” unless (1) it is the “business” that collects PI from consumers, or (2) it enters into a contract with a “business” that requires such organization to follow “service provider”–type restrictions.
The latter carve-out is relatively straightforward in the context of the law; if your organization receives PI as a “service provider” or with similar contractual restrictions as contemplated above, you cannot also be a “third party” in the context of that transaction. In the CPRA, this latter carve-out was moved to the defined term “contractor” and slightly clarified therein.
The former carve-out is often misinterpreted to mean the “business” classification is mutually exclusive from “third party.” However, as discussed further below, this carve-out stands only for the notion that a “business” that collects PI directly from the consumer cannot be a “third party” in the context of that collection only. Even so, the business can still be a “third party” when receiving PI from another organization.
Any other interpretation would have the unintended result of undermining the very protections the CCPA seeks to provide.
Yes, the definition of 'sale' has a drafting error
The definition of “sale” is often cited to support the proposition that a “business” and “third party” are mutually exclusive classifications. A “sale” is defined as “selling, renting, releasing, disclosing, disseminating, making available […] a consumer’s (PI) by the business to another business or a third party for monetary or other valuable consideration.”
Indeed, the reference to a “business or a third party” seems to suggest they are mutually exclusive classifications, such that an organization can never be a “third-party business.” However, this is a drafting error or, at best, duplicative. If it is true that a “business” can “sell” to another “business” or separately to a “third party,” then the “sale” exceptions are impractically narrow (putting aside the “service provider” exception). Namely, they would only apply to disclosures to “third parties” but not to any “businesses” (e.g., the merger exception, sharing of identifiers for opt-out purposes).
Further, the “right to opt-out of sales” obligation only mentions sales to “third parties” — specifically, that “[a] consumer shall have the right, at any time, to direct a business that sells (PI) about the consumer to third parties not to sell the consumer’s (PI).”
Is the CCPA suggesting a “business” that “sells” to another “business” need not provide an opt-out? If so, for a law that seems to be born out of a concern for sales, it has carved out the need to provide a “Do Not Sell My Personal Information” link when “selling” to the biggest companies around, rendering the obligation nearly meaningless.
A hypothetical but realistic example in the context of the advertising technology ecosystem illustrates this point:
An adtech company, Alpha, takes the position that it is (1) a “business” for all PI that it collects from consumers directly and (2) a “third party” for all PI that it receives from other organizations. Alpha concludes it does not need to fulfill any “business” obligations (e.g., access/deletion rights, “Do Not Sell My Personal Information” link) whenever it receives PI as a “third party” because it believes that these are mutually exclusive categories and, thus, have entirely separate obligations.
This conclusion is flawed and does not comport with the natural reading or structure of the law:
- First, a “business” can “collect” PI from other organizations (the definition of “collect” includes “… obtaining, receiving, or accessing … (PI) … by any means”) so it is arbitrary to state that “business” obligations cannot apply to PI received from other organizations.
- Second, if we assume Alpha’s conclusion is correct, the adverse outcomes are clear: Even the largest adtech companies would only need to satisfy “business” obligations for PI that they collect directly from the consumer even though, in many cases, these companies do not collect information in this way; rather, they typically receive information from other organizations (e.g., by receiving PI made available by publishers through a pixel or mobile software development kit integration on those publishers’ digital properties). As a result, these adtech companies would never need to provide consumer rights or register as a “data broker” with respect to any of the information they receive from other organizations since these are all “business” obligations.
The Calif. attorney general reveals the 'third-party business' classification
Section 1798.115(d) of the CCPA and its corresponding explanation in the California attorney general’s Final Statement of Reasons drive home the point that a “business” can also be a “third party” and vice versa.
Section 1798.115(d) states “[a] third party shall not sell (PI) about a consumer that has been sold to the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt-out …”
To clarify this section, the FSOR states “… Civil Code Section 1798.115, Subdivision (d), prohibits third-party businesses from selling consumers’ (PI) unless the consumers were given explicit notice and an opportunity to opt-out of the sale of their information.”
Here, the FSOR expressly substitutes the reference to “third party” in Section 1798.115(d) with “third-party business.” In other words, it is stating a “third party” and “business” can be one and the same organization.
The FSOR goes on to say that, as a way to satisfy its 1798.115(d) obligations, “… the business can comply with Subsection (e) [of the CCPA regulations],” which states that “a data broker registered with the attorney general … does not need to provide a notice at collection ...”
Why would the FSOR state a “business” can comply with 1798.115(d) when that very section only references “third parties”? And if an organization is a “third party,” why would it need to provide the “opt-out of sale” right if this is only a “business” obligation? Because, again, the FSOR is reinforcing the fact that the “business” and “third party” classifications overlap.
That is, the term “third party” is a transactional designation assigned to an organization that receives PI from another organization (unless received as a “service provider” or similar capacity, as discussed above). This organization may also be a “business” with respect to the information it received as a “third party,” provided it otherwise meets the “business” definition; hence, a “third-party business” as stated by the FSOR.
Such interpretation is consistent with the California attorney general’s apparent goal of ensuring that key CCPA protections, such as the provision of consumer rights and “data broker” registration, still apply to organizations that typically do not have direct relationships with consumers, such as adtech companies. Furthermore, this interpretation would continue to apply under the CPRA, as the same analysis would apply to the analogous provisions therein.
If an organization receives PI as a “third party,” it may also be a “business” with respect to such information, provided it otherwise meets the definition. As such, this organization would be a “third-party business,” as stated by the California attorney general’s guidelines.
This “third-party business” concept applies to both the CCPA and, if passed, the CPRA, and seeks to ensure organizations that lack direct relationships with consumers still provide the laws’ fundamental privacy protections (e.g., consumer rights, “data broker” registration).