With the EU General Data Protection Regulation being in force for quite a while and its "controller" and "processor" concepts for yet much longer, there seems to be a well-established practice for identifying third parties and where they fit into that picture. However, there are still situations in which this remains a significant challenge, both to organizations concerned and to the data protection authorities.
The California Consumer Privacy Act, on the other hand, is a completely new legal act without such history, and in neither the U.S. broadly nor in California itself are concepts of personal data controllers and processors formally recognized (albeit, some attempts have been made in various drafts to use such terms).
Despite that, a lot has been said about similarities between the GDPR and CCPA and still more about significant differences. Understanding third parties and related requirements is where practical input will be much needed and helpful. For global companies operating under both the GDPR and CCPA, it will contribute to more clarity when drafting notices and related communication when data subject and consumer rights are at play, as well as for contractual obligations and how they would be enforced.
Who are third parties under GDPR and CCPA?
As per the GDPR, "third party" means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data. Other important points include that the third party would be considered a recipient once personal data is disclosed to it, and legitimate interests of third parties can also be used as a legal basis and to justify processing of personal data by the controller where relevant.
What is very important to keep in mind, contrary to how business people might use such terms on a daily basis, is that processors and third parties are different animals altogether. This distinction has a very significant meaning but remains oftentimes blurred in various privacy notices. The other thing to remember is that there would be also persons who act under the direct responsibility of controller or processor, which includes — but is not limited to — employees. Such persons, even though considered still recipients of personal data (which is also the case for processors) would be neither processors nor third parties.
With some different wording it will also be important, under the CCPA, to wisely navigate across different roles both when drafting notices, policies and contracts, as well as when applying those in practice.
Under the CCPA, "third party" is similarly defined by what it isn't rather than what it is. First of all, third party is not the business that collects personal information from consumers itself under the CCPA, which seems quite obvious but will have some less obvious consequences — like when some of the data is transferred to a third party and some of the data it collects directly for related business purposes (multiple roles for the same entity should be possible, similarly as with the GDPR).
Secondly, it would not be the person (this term includes companies, entities, organizations, etcetera) to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract meets some minimum requirements. Such requirements include an explicit prohibition to sell the personal information, as well as to retain, use or disclose the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using or disclosing the personal information for a commercial purpose other than providing the services specified in the contract. Retaining, using or disclosing the information outside of the direct business relationship between the person and business would also be forbidden. The recipient of data, under such contract, would have to certify that it understands these restrictions and will comply with them.
Looking at these requirements and the GDPR requirements under Article 28 of the GDPR, there seems to be both similarities and differences. The same is also true for how service providers are defined by the CCPA and what would be the contractual role of the GDPR processors. In addition to that, business purposes, which provide justification for sharing data with such entities under the CCPA, have their own definition within the CCPA. However, it is sufficiently broad to cover almost anything that is relevant to business, as long as it is reasonably necessary and proportionate (which has some resemblance to the GDPR principles of purpose limitation and data minimization).
The main difference lies with the GDPR requirement for processors to act only on documented instructions from the controller, whereas under the CCPA, there is no such obligation. Instead, the focus is on using the data only for the purpose of delivering services defined by the contract. It is not fully clear whether and under what circumstances a service provider might still meet the definition of a third party under the CCPA, and these are separate definitions to be analyzed and applied. Until now, however, most would say that service providers, as defined by the CCPA, would not be third parties under the CCPA.
Considering the above, it can be cautiously concluded that while the GDPR processor would most certainly not fall under the definition of a third party under the CCPA, there could be situations in which a person or organization, and especially service provider, who is not a third party under the CCPA would still be a third party under the GDPR, depending on what would be its level of independence and discretion when processing personal data to deliver services subject to the contract. One important example would be with payment gateway providers that are commonly considered to be independent controllers and third parties under the GDPR but could be defined as service providers and not be third parties under the CCPA, provided that the necessary contractual provisions are in place.
What are the practical consequences?
Simplicity and standardization are important for each business, and building bridges between CCPA and GDPR terms and requirements will save money, efforts and prevent business opportunities from being lost, not to mention more clarity and support for data subjects and consumers. This is why we might expect privacy notices, terms of service and agreements to accommodate gradually both GDPR and CCPA wording and merge them into more or less reader-friendly communication. In practice, many GDPR data-processing agreements already define controller instructions in such a way that is similar to the CCPA wording around using the data as needed for specific services only.
Even though there are still some disclosure requirements and other important duties and rights when processors or service providers are involved, there is a common understanding that sharing consumer data with third parties has much more significant — and sometimes unexpected — consequences, which results in higher privacy risk.
Having that in mind: Both privacy notices and terms of service need to be very clear on whether the data are shared with service providers or with other types of recipients, what the types of services involved are and how these services are relevant for consumers.
Next, there should be an explanation on whether these are independent providers — and thus third parties and independent controllers under the GDPR — or providers subject to specific instructions from the controllers and therefore processors. The same distinction would need to be applied when drafting contracts governing sharing of personal data, whether these are master service agreements or data-processing and data-transfer-specific agreements.
Finally, people acting under the direct responsibility of controllers, processors and service providers would need to be subject to employment and non-employment contractual provisions, as relevant. They would also need to be subject to internal policies and procedures specifying that they must follow the decisions and instructions of the business management when personal data is involved to make sure they would not be third-party recipients and that the data is sufficiently protected.
With many questions still unanswered, there is room and a growing business demand for standardization and unified, simplified wording for privacy notices, consumer rights, contractual requirements and even for internal procedures in handling the data, which are necessary for practical implementation. Regarding the language around third parties under the GDPR and CCPA, it is possible to build on those similarities, but it requires some effort.
Photo by mauro mora on Unsplash