So I’m A Third Party, Not A Service Provider. Now What?

Zachary Klein, associate in the privacy, technology + data security and advertising + marketing practice groups, Davis+Gilbert

“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Richard Eisert, partner and co-chair of the advertising + marketing and privacy + data security practice groups, and Zachary Klein, associate in the privacy + data security and advertising + marketing practice groups, both at Davis+Gilbert.

Companies throughout the ad tech ecosystem are reckoning with the fact that, due to the revised definition of “business purpose” in the California Privacy Rights Act (CPRA), which amends the California Consumer Privacy Act (CCPA), they may no longer qualify as “service providers” under California privacy law. Instead, they might be treated as “third parties” – and possibly even as “businesses.” As a result, their compliance obligations are likely to be more challenging.

The CPRA provides that, while businesses can still disclose personal information to “service providers” for “business purposes,” those “business purposes” do not include “cross-context behavioral advertising.” Any disclosure for such advertising activities will disqualify any recipient of that information from being considered a “service provider.” 

On top of these restrictions, “service providers” will face significant limits on their ability to combine personal information received from a “business” with personal information collected from other sources. This will significantly impact ad tech vendors that conduct measurement or analytics services.

If these changes apply to your organization – such that you lose the “safe harbor” of your “service provider” designation – here is what to expect.

Contractual obligations

As an initial matter, “service providers” that are about to become third parties will need to rethink the contracts under which they receive data from a “business.” The CPRA obligates “businesses” and “third parties” to enter into written agreements with terms that, while not as restrictive as those governing “service providers,” subject “third parties” to contractual limitations and oversight by the disclosing “business.”

This essentially imposes a “Data Processing Agreement” or “DPA” requirement on third parties. Plus, it places “third parties” in the somewhat disadvantageous position of being unable to enjoy exemption from certain statutory obligations and liabilities as a “service provider,” while also not having the full range of options afforded to a “business.”

Specific obligations as a third party

Although most CCPA/CPRA requirements apply to “businesses” generally, there are a few provisions that specifically refer to “third parties.”

Some of these provisions clarify when and how “third parties” should provide consumers with privacy disclosures. For example, the CPRA explains that a business “acting as a third party” that controls the collection of consumers’ personal information may satisfy these obligations “by providing the required information prominently and conspicuously on the homepage of its internet website.”

Additionally, unless consumers have “received explicit notice” and are given “an opportunity to exercise the right to opt out,” the CPRA prohibits a third party from selling or sharing personal information that a business has disclosed to it. This language suggests not only that “third parties” share a responsibility to provide the necessary privacy notices, but that they also may be liable for failing to do so.

Finally, the wording of the regulations suggests that “third parties” may be directly liable under the CCPA/CPRA for not having an appropriate contract in place or even for failing to honor the terms of such a contract.

Requirements for businesses

Companies that are “third parties” under the CCPA/CPRA by virtue of no longer meeting the criteria of a “service provider” may be treated as “businesses” in many cases. However, the CCPA/CPRA has threshold standards for determining whether a company is a “business.” Namely, a “business” must meet one of the following criteria:

  • Have had annual gross revenues in excess of $25 million in the preceding calendar year;
  • Annually buy, sell or share the personal information of 100,000 or more consumers or households; or
  • Derive 50% or more of its annual revenues from selling or sharing consumers’ personal information.

Accordingly, if a company receiving personal information as a “third party” does not meet one of these three factors, it will not be treated as a “business.” Moreover, there may be circumstances where, despite meeting the above criteria, the “third party” is not a “business” because its contract with the disclosing entity prohibits it from determining “the purposes and means of the processing.”

The takeaway

Changing status from “service provider” to “third party” does not automatically subject a company to the full range of CCPA/CPRA “business” obligations. 

However, if an entity receiving personal information meets the “business” standard, it must be prepared to provide a notice at collection, facilitate consumer rights requests and satisfy other statutory requirements as a “business.”
