So I’m A Third Party, Not A Service Provider. Now What?

Zachary Klein, associate at Davis+Gilbert

“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Richard Eisert, partner and co-chair of the advertising + marketing and privacy + data security practice groups, and Zachary Klein, associate in the privacy + data security and advertising + marketing practice groups, both at Davis+Gilbert.

Companies throughout the ad tech ecosystem are reckoning with the fact that, due to the revised definition of “business purpose” in the California Privacy Rights Act (CPRA), which amends the California Consumer Privacy Act (CCPA), they may no longer qualify as “service providers” under California privacy law. Instead, they might be treated as “third parties” – and possibly even as “businesses.” As a result, their compliance obligations are likely to be more challenging.

The CPRA provides that, while businesses can still disclose personal information to “service providers” for “business purposes,” those “business purposes” do not include “cross-context behavioral advertising.” Any disclosure for such advertising activities will disqualify any recipient of that information from being considered a “service provider.” 

On top of these restrictions, “service providers” will face significant limits on their ability to combine personal information received from a “business” with personal information collected from other sources. This will significantly impact ad tech vendors that conduct measurement or analytics services.

If these changes apply to your organization – such that you lose the “safe harbor” of your “service provider” designation – here is what to expect.

Contractual obligations

As an initial matter, “service providers” that are about to become third parties will need to rethink the contracts under which they receive data from a “business.” The CPRA obligates “businesses” and “third parties” to enter into written agreements with terms that, while not as restrictive as those governing “service providers,” subject “third parties” to contractual limitations and oversight by the disclosing “business.”

This essentially imposes a “Data Processing Agreement” or “DPA” requirement on third parties. Plus, it places “third parties” in the somewhat disadvantageous position of being unable to enjoy exemption from certain statutory obligations and liabilities as a “service provider,” while also not having the full range of options afforded to a “business.”

Specific obligations as a third party

Although most CCPA/CPRA requirements apply to “businesses” generally, there are a few provisions that specifically refer to “third parties.”


Some of these provisions clarify when and how “third parties” should provide consumers with privacy disclosures. For example, the CPRA explains that a business “acting as a third party” that controls the collection of consumers’ personal information may satisfy these obligations “by providing the required information prominently and conspicuously on the homepage of its internet website.”

Additionally, unless consumers have “received explicit notice” and are given “an opportunity to exercise the right to opt out,” the CPRA prohibits a third party from selling or sharing personal information that a business has disclosed to it. This language suggests not only that “third parties” share a responsibility to provide the necessary privacy notices, but that they also may be liable for failing to do so.

Finally, the wording of the regulations suggests that “third parties” may be directly liable under the CCPA/CPRA for not having an appropriate contract in place or even for failing to honor the terms of such a contract.

Requirements for businesses

Companies that are “third parties” under the CCPA/CPRA by virtue of no longer meeting the criteria of a “service provider” may be treated as “businesses” in many cases. However, the CCPA/CPRA has threshold standards for determining whether a company is a “business.” Namely, a “business” must meet one of the following criteria:

  • Have had annual gross revenues in excess of $25 million in the preceding calendar year;
  • Annually buy, sell or share the personal information of 100,000 or more consumers or households; or
  • Derive 50% or more of its annual revenues from selling or sharing consumers’ personal information.

Accordingly, if a company receiving personal information as a “third party” does not meet one of these three factors, it will not be treated as a “business.” Moreover, there may be circumstances where, despite meeting the above criteria, the “third party” is not a “business” because its contract with the disclosing entity prohibits it from determining “the purposes and means of the processing.”

The takeaway

Changing status from “service provider” to “third party” does not automatically subject a company to the full range of CCPA/CPRA “business” obligations. 

However, if an entity receiving personal information meets the “business” standard, it must be prepared to provide a notice at collection, facilitate consumer rights requests and satisfy other statutory requirements as a “business.”

Follow Davis+Gilbert (@dglaw) and AdExchanger (@adexchanger) on Twitter.
