This is our fifth blog post in a multi-part series addressing what insurers need to know about the California Consumer Privacy Act (CCPA). This post focuses on the differences between data collectors, service providers, and third parties. We also discuss data brokers and their specific obligations under the CCPA. While this post does not require any background on the CCPA, if you would like the benefit of our preliminary discussions before diving into this post, we invite you to start with Part 1: The California Consumer Privacy Act – What Insurers Need to Know.
The CCPA provides for different obligations depending on a business's status as either a data collector, a service provider, a third party, or a data broker. Here is an easy guide to determine which classification applies:
- Data collectors are for-profit entities that collect personal information directly from California consumers. They also determine how that information is processed and for what purpose. Businesses that fall under the classification of a data collector have the most obligations to consumers under the CCPA. If a business meets a criterion requiring compliance with the CCPA, it must accept and respond to consumer requests to know, delete, opt out, etc., and similarly comply with the obligations set forth in the CCPA, unless an exemption applies.
- Service providers are for-profit entities that process California consumers’ personal information on behalf of a business pursuant to a written contract and for a business purpose. Examples of business purposes under the CCPA include auditing, detecting security incidents, debugging, performing services on behalf of the business, internal research, and quality or safety verification. Businesses that use service providers may share personal information with those service providers without that exchange qualifying as a sale under the CCPA so long as:
  - The sharing is necessary for the service provider to perform a business purpose
  - The business has provided notice that the information is being used or shared
  - The service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose
When a business enters into a contract with a service provider, the contract should explicitly state that the service provider may only use, share, and/or disclose the consumer information to fulfill the service requested of them and may not otherwise use the consumer information for personal gain. Additionally, upon a verifiable consumer request for deletion, a business may direct the service provider to delete personal information of the consumer making the request.
- Third parties are essentially entities that obtain the personal information of a consumer from a business and do not otherwise qualify as either a data collector or a service provider. Some examples of third parties are advertising networks, internet service providers, and data analytics providers. The CCPA obligations prescribed to third parties seemingly only apply to those third parties who resell the information they obtain directly from a business. The CCPA requires that third parties give consumers explicit notice of the sale of their information and provide them with the ability to opt out of that sale. Notably, businesses are not obligated to direct third parties to delete consumer personal information upon receipt of a verifiable request, as they are required to do with service providers.
The CCPA became effective January 1, 2020. However, enforcement of the CCPA by the Attorney General will not begin until July 2020. It is important to analyze all of your business relationships to determine which classification your business falls under in each arrangement, so that all of your CCPA obligations are met. Most notably, a business may qualify as a service provider in one instance, but a third party or data collector in another.