A vexing issue under the California Consumer Privacy Act is how to interpret the definition of "sale" and how to know if exceptions — like that for a "service provider" — apply.
When asked, most companies state honestly they do not "sell" customer data, but the CCPA defines the term in a surprisingly broad way that sweeps in any arrangement involving an exchange of value ("consideration") between the business and a third party or another business for the personal information. The definition of sale may expansively apply to disclosures to vendors that process data for their own analytics or other secondary purposes.
In general, the CCPA imposes strict requirements on the "sale" of personal information (e.g., "Do Not Sell My Personal Information" button on homepages, rights to opt out, and the like). Businesses should, therefore, conduct due diligence on a case-by-case basis as to whether to seek shelter from the definition of "sale" under the CCPA for disclosures to a "service provider." The due diligence should involve a review under the existing contractual terms and may require modifications to the underlying agreement and obligations of the parties.
What qualifies as a 'service provider'?
The CCPA distinguishes between service providers and third parties by describing a third party in the negative and the requirements for a written contract that governs a data transfer between parties. Under the law’s construction, a "service provider" is:
(1) A legal entity organized for profit.
(2) That processes personal information on behalf of a business.
(3) To which the business discloses a consumer's personal information for a business purpose.
(4) Pursuant to a written contract that prohibits the legal entity from retaining, using, or disclosing the personal information for any purpose (including a commercial purpose) other than performing the services specified in the contract.
Businesses must also:
(5) Provide proper notice to consumers about personal information sharing practices.
(6) Obligate the service provider from further collecting, selling or using the personal information except as necessary to perform the business purpose.
In addition, if the service provider agrees to additional contractual terms to assure that it does not qualify as a "third party," the business will benefit from certain liability protection. In particular, the business would need to include a provision in the written contract that
(7) Prohibits the recipient from:
- (a) Selling the personal information.
- (b) Retaining, using or disclosing the personal information for any purpose other than performing the services.
- (c) Retaining, using or disclosing the personal information outside of the direct business relationship between the recipient and the business.
The business would also need to:
(8) Obtain a certification that the recipient understands these restrictions and will comply with them.
In practice, the provisions required under elements (7) and (8) largely overlap with those of elements (1) through (6), but they are treated separately here to help understand how they may be applied to actual scenarios.
How does the service-provider exception play out in practice?
Website-hosting provider
A website-hosting provider would be a logical vendor to consider as a service provider, depending on the specifics of the arrangement. For example, does the provider assert broad rights to use personal information collected on the site for its own purposes? Does the provider exchange any consideration with third-party advertising agencies with respect to cookies and other tags placed on users of the site?
These factors would suggest that the vendor might not meet element (6) and might be reluctant to enter into a written contract that significantly cuts back on these rights. Also, what about element (3), which suggests that the business must physically disclose the data to the vendor and the vendor cannot directly collect the data from the consumer? It seems unlikely that a vendor should be disqualified from the service-provider exception on this basis alone, as there is no strong public policy reason why an agent cannot be hired to collect data on behalf of a business, but because there is no official guidance on this point, it will be important to track this issue carefully.
Customer relationship management provider
A CRM provider would also seem to be a good candidate for the service-provider exception, again depending on the specifics. For example, what if the CRM provider uses personal information of multiple customers to perform broad market analysis and forecasting of trends and provide that data back to each of its business customers as a service?
Although the data is not shared in identifiable form across the different business customers, the underlying analysis would use the personal information and would benefit multiple customers. This appears to raise an issue under element (6) and a potential concern for the contractual obligations under elements (4), (7) and (8). The extent of the concern, however, could potentially be reduced by further contractual terms. For example, if the "business purpose" as defined in the services contract included an obligation for the provider to deidentify data and to use the data for analytics in order to provide the market and trending analysis back to the business customer, this could bring these activities closer to a use on behalf of the business and the definition of "service provider."
Independent auditor
Unlike the prior two examples, an independent auditor is an example that might be at odds with the core definition of a service provider and omitted from the exception. The federal securities laws generally require publicly held companies to engage an independent auditor to report on the accuracy of financial reports that the company files with the U.S. Securities and Exchange Commission. By definition, the auditor is not collecting and analyzing information "on behalf of" the company when it analyses data, including personal information, as an independent assessor of the company's financial statements. As such, an independent auditor likely does not meet element (2) where it does not act "on behalf of" the business.
What are the other options?
If the vendor is not a "service provider," does that mean the disclosure is always a "sale"? No.
The business should examine whether there are other grounds to show that the disclosure is not a sale. For example, regarding the independent auditor, the business could say that there is no valuable consideration exchanged for the personal information obtained in the audit given that an auditor does not in any meaningful sense pay for the data. The business could also assert the independent auditor is not a "third party" that triggers the "sale" provision if the business imposes a written contract that includes elements (7) and (8). Note that these elements do not include the "on behalf of" requirement that applies to service providers, so it might fit for an independent auditor.
Ultimately, in preparation for the CCPA, each business should conduct a due diligence process across its personal information sharing arrangements to determine whether disclosures that do not appear to meet the exceptions described above are subject to other exceptions to sale, such as sharing at the direction of the consumer. A thoughtful assessment is needed given the newness of the rules and the complexity of arrangements in the digital age.