This document provides guidance on negotiating contracts with service providers and third parties under the California Consumer Privacy Act (CCPA). It discusses the key definitions of "business," "service provider," and "third party" under the CCPA and provides examples of business-service provider and business-third party relationships. It also includes sample contract language for defining the parties' roles and compliance obligations in business-service provider and business-third party agreements to help ensure agreements comply with the CCPA. The document aims to help organizations struggling to identify different parties and draft appropriate contractual provisions in the new legal ecosystem created by the CCPA.
Operational impact of gdpr finance industries in the caribbeanEquiGov Institute
A brief outline of the challenges that could be face by financial institutions with the implementation of the GDPR and recommendations to mitigate them
The European Union General Data Protection Regulation (“EU-GDPR”) will come into effect on May, 25th. Your company may think it does not have to worry about this because you are located in the United States, and you may be wrong. If your company processes or holds personal data for a person residing in a European Union country, your company will have to comply.
General Data Protection Regulation & Customer IAMUbisecure
The “General Data Protection & Customer IAM” white paper outlines the legal premise of the GDPR, and then delves into the specific parts where Customer Identity and Access Management solutions can help your organisation.
Legal & General Surveying Services have published an article in their magazine Perspective on The General Data Protection Regulation (GDPR), due April of next year, which will govern how businesses process individuals’ data across all EU member countries, eventually replacing the UK’s Data Protection Act.
QNet Business -QNET Policies & Procedures_Hong Kong - IR ID No HG707037EnglishOnline.edu.vn
Contact: Ngo Anh Vu - 0932571102
http://www.qnetvietnam.info
skype: vu.ngo.zy
yahoo: vinceanhngo
vinceanhngo@gmail.com
http://www.vntvg.com/
http://www.vinceanhngo.com/
Register now:
https://portal.qiportal.net/eStore4/verifyreferrer.aspx?language=en
IR ID No. of my referrer: HG707037
http://www.qnet.net/
Operational impact of gdpr finance industries in the caribbeanEquiGov Institute
A brief outline of the challenges that could be face by financial institutions with the implementation of the GDPR and recommendations to mitigate them
The European Union General Data Protection Regulation (“EU-GDPR”) will come into effect on May, 25th. Your company may think it does not have to worry about this because you are located in the United States, and you may be wrong. If your company processes or holds personal data for a person residing in a European Union country, your company will have to comply.
General Data Protection Regulation & Customer IAMUbisecure
The “General Data Protection & Customer IAM” white paper outlines the legal premise of the GDPR, and then delves into the specific parts where Customer Identity and Access Management solutions can help your organisation.
Legal & General Surveying Services have published an article in their magazine Perspective on The General Data Protection Regulation (GDPR), due April of next year, which will govern how businesses process individuals’ data across all EU member countries, eventually replacing the UK’s Data Protection Act.
QNet Business -QNET Policies & Procedures_Hong Kong - IR ID No HG707037EnglishOnline.edu.vn
Contact: Ngo Anh Vu - 0932571102
http://www.qnetvietnam.info
skype: vu.ngo.zy
yahoo: vinceanhngo
vinceanhngo@gmail.com
http://www.vntvg.com/
http://www.vinceanhngo.com/
Register now:
https://portal.qiportal.net/eStore4/verifyreferrer.aspx?language=en
IR ID No. of my referrer: HG707037
http://www.qnet.net/
Luis Alberto Montezuma provides his insight on the latest sanctions imposed by the Colombian Data Protection Authority (the Superintendence of Industry and Commerce, or SIC) for using personal data to send direct marketing without first obtaining the consent of data subjects.
For small businesses who feel overwhelmed with all the attention and threatening articles, here is a very easy GDPR-compliance checklist you can go through.
The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. This policy directive was adopted in May 2016 to make Europe fit for the digital age. How does it affect small businesses?
The GDPR brings a lot of extra work for organizations that are considered to process Personal Data. For small businesses who feel overwhelmed with all the attention and threatening articles, here is a very easy GDPR-compliance checklist you can go through.
Cognizant business consulting the impacts of gdpraudrey miguel
In May 2018, GDPR (Global Data Protection Regulation) will come into force in Europe. Conventional wisdom is that GDPR will cause significant legal changes for many organizations and result in yet another regulatory-driven upheaval in technology. But is this an accurate assessment of the likely impact?
In this presentation, Gowlings partner Paul Armitage provides an overview of Canada's Anti-Spam Legislation (CASL). Topics covered include:
-What qualifies as a commercial electronic message (CEM)
-Consent - express & implied
-Content & format requirements
-Third party marketing lists
-Penalties
-Transitional period
To learn more, visit Gowlings' CASL Resources page at www.gowlings.com/casl.
"The EU General Data Protection Regulation: GDPR" - workshop held by Beatrice Masserini (Studio Cassinis, Italy) at the TRA Annual Meeting 2018 in Athens
Achieving Data Truthfulness and Privacy Preservation in Data MarketsJAYAPRAKASH JPINFOTECH
Achieving Data Truthfulness and Privacy Preservation in Data Markets
To buy this project in ONLINE, Contact:
Email: jpinfotechprojects@gmail.com,
Website: https://www.jpinfotech.org
California Consumer Protection Act - Insight from Sia Partners Daniel Connor
This Insight article describes the requirements of the new law applicable to California residents as well as comparing it to the new European standards in GDPR.
The main arguments used by La Quadrature du Net in their complaint against Amazon Direct Marketing, fined by the CPDP Luxembourg lead authority in close collaboration with the CNIL.
California Consumer Privacy Act (CCPA): Countdown to ComplianceTinuiti
What is CCPA? The California Consumer Privacy Act increases the transparency of the collection and selling of physical and digital data, while providing California residents with more control over what happens to their personal information that companies collect. CCPA is approaching with a compliance deadline of January 2020. With the countdown to compliance less than 6 months away it’s critical to know how this can potentially impact your business in order to avoid violation fines. Join our webinar as we unpack the key requirements and considerations to keep in mind in order to stay compliant. See how CCPA impacts all advertisers, not just Californians.
Designed to empower all EU citizens to take greater control of their data, the General
Data Protection Regulation (GDPR) will reshape the way organisations worldwide (who
process data from the EU) approach data governance, data protection and privacy.
This paper summarises a seven-step practical approach to achieving GDPR compliance
with your CRM and marketing systems.
CCPA is set to be the most comprehensive privacy law to date in the US and aims to give Californians more control over their personal information.
During my work at Criteo, I'm in charge of CCPA project from initialisation, planification to answer to the clients questions.
Furthermore, I took specific actions including training program, One pager and Q&A edition, as well as cooperation with other departments, such as marketing, law and sales teams.
Future-Proof Your Workplace Privacy Approach for CPRA and BeyondTrustArc
The California Privacy Rights Act (CPRA) is coming fast and even companies currently complying with the California Consumer Privacy Act (CCPA) will face new challenges, including the protection of human resource (HR) data, something previously exempt under the CCPA.
Before the CPRA comes into effect, HR professionals need to be prepared to understand and comply with this new legislation. While employers’ were previously obligated to provide disclosure notices, they will now be required to provide their employees with the right to access, correct, and delete data.
Explore what employers need to consider to be compliant with CPRA.
Key additions and amendments introduced under the CPRAVISTA InfoSec
On November 3rd, 2020, the California Privacy Right Act was passed as the latest version of the California Consumer Privacy Act which recently came into effect on the 1st of July, 2020. CPRA brings significant amendments and additions to the rules of Data Privacy outlined in the CCPA Compliance. Declaring its enforcement in 2023, the CPRA introduced some new concepts to Data Privacy in California. With new additions and amendments, the CPRA bridges certain potential loopholes in the previous version of CCPA, making the law stringent. Further, introducing the amendments and new additions to the provision has taken this Data Privacy law closer to the EU’s GDPR standard. Let us today through this article take a look at the new provisions introduced and understand the amendments in the Data Privacy Standard.
The globalised business environment of today necessitates a strong network of global vendors that play a critical role in the business and can help bring considerable opportunities.
What to expect from the New York Privacy ActVISTA InfoSec
In the recently proposed bill of the New York Privacy Act in the House and Senate, businesses may soon have to gear up for this new data privacy law. If enforced, the law may severely impact businesses, restricting their operations in the way how they collect, use and share consumer’s personal information throughout the State.
Luis Alberto Montezuma provides his insight on the latest sanctions imposed by the Colombian Data Protection Authority (the Superintendence of Industry and Commerce, or SIC) for using personal data to send direct marketing without first obtaining the consent of data subjects.
For small businesses who feel overwhelmed with all the attention and threatening articles, here is a very easy GDPR-compliance checklist you can go through.
The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. This policy directive was adopted in May 2016 to make Europe fit for the digital age. How does it affect small businesses?
The GDPR brings a lot of extra work for organizations that are considered to process Personal Data. For small businesses who feel overwhelmed with all the attention and threatening articles, here is a very easy GDPR-compliance checklist you can go through.
Cognizant business consulting the impacts of gdpraudrey miguel
In May 2018, GDPR (Global Data Protection Regulation) will come into force in Europe. Conventional wisdom is that GDPR will cause significant legal changes for many organizations and result in yet another regulatory-driven upheaval in technology. But is this an accurate assessment of the likely impact?
In this presentation, Gowlings partner Paul Armitage provides an overview of Canada's Anti-Spam Legislation (CASL). Topics covered include:
-What qualifies as a commercial electronic message (CEM)
-Consent - express & implied
-Content & format requirements
-Third party marketing lists
-Penalties
-Transitional period
To learn more, visit Gowlings' CASL Resources page at www.gowlings.com/casl.
"The EU General Data Protection Regulation: GDPR" - workshop held by Beatrice Masserini (Studio Cassinis, Italy) at the TRA Annual Meeting 2018 in Athens
Achieving Data Truthfulness and Privacy Preservation in Data MarketsJAYAPRAKASH JPINFOTECH
Achieving Data Truthfulness and Privacy Preservation in Data Markets
To buy this project in ONLINE, Contact:
Email: jpinfotechprojects@gmail.com,
Website: https://www.jpinfotech.org
California Consumer Protection Act - Insight from Sia Partners Daniel Connor
This Insight article describes the requirements of the new law applicable to California residents as well as comparing it to the new European standards in GDPR.
The main arguments used by La Quadrature du Net in their complaint against Amazon Direct Marketing, fined by the CPDP Luxembourg lead authority in close collaboration with the CNIL.
California Consumer Privacy Act (CCPA): Countdown to ComplianceTinuiti
What is CCPA? The California Consumer Privacy Act increases the transparency of the collection and selling of physical and digital data, while providing California residents with more control over what happens to their personal information that companies collect. CCPA is approaching with a compliance deadline of January 2020. With the countdown to compliance less than 6 months away it’s critical to know how this can potentially impact your business in order to avoid violation fines. Join our webinar as we unpack the key requirements and considerations to keep in mind in order to stay compliant. See how CCPA impacts all advertisers, not just Californians.
Designed to empower all EU citizens to take greater control of their data, the General
Data Protection Regulation (GDPR) will reshape the way organisations worldwide (who
process data from the EU) approach data governance, data protection and privacy.
This paper summarises a seven-step practical approach to achieving GDPR compliance
with your CRM and marketing systems.
CCPA is set to be the most comprehensive privacy law to date in the US and aims to give Californians more control over their personal information.
During my work at Criteo, I'm in charge of CCPA project from initialisation, planification to answer to the clients questions.
Furthermore, I took specific actions including training program, One pager and Q&A edition, as well as cooperation with other departments, such as marketing, law and sales teams.
Future-Proof Your Workplace Privacy Approach for CPRA and BeyondTrustArc
The California Privacy Rights Act (CPRA) is coming fast and even companies currently complying with the California Consumer Privacy Act (CCPA) will face new challenges, including the protection of human resource (HR) data, something previously exempt under the CCPA.
Before the CPRA comes into effect, HR professionals need to be prepared to understand and comply with this new legislation. While employers’ were previously obligated to provide disclosure notices, they will now be required to provide their employees with the right to access, correct, and delete data.
Explore what employers need to consider to be compliant with CPRA.
Key additions and amendments introduced under the CPRAVISTA InfoSec
On November 3rd, 2020, the California Privacy Right Act was passed as the latest version of the California Consumer Privacy Act which recently came into effect on the 1st of July, 2020. CPRA brings significant amendments and additions to the rules of Data Privacy outlined in the CCPA Compliance. Declaring its enforcement in 2023, the CPRA introduced some new concepts to Data Privacy in California. With new additions and amendments, the CPRA bridges certain potential loopholes in the previous version of CCPA, making the law stringent. Further, introducing the amendments and new additions to the provision has taken this Data Privacy law closer to the EU’s GDPR standard. Let us today through this article take a look at the new provisions introduced and understand the amendments in the Data Privacy Standard.
The globalised business environment of today necessitates a strong network of global vendors that play a critical role in the business and can help bring considerable opportunities.
What to expect from the New York Privacy ActVISTA InfoSec
In the recently proposed bill of the New York Privacy Act in the House and Senate, businesses may soon have to gear up for this new data privacy law. If enforced, the law may severely impact businesses, restricting their operations in the way how they collect, use and share consumer’s personal information throughout the State.
Ten Laws Internet Businesses Should Consider Part IRyan K. Hew
This Part 1 of a 2-part presentation surveys several five laws that may be applicable to those who transact or conduct a lot of business online. In Part 1, the Communications Decency Act, Digital Millennium Copyright Act, Children's Online Privacy Protection Act, Federal Trade Commission Act Section 5, and CAN-SPAM Act are reviewed.
Here's a short presentation on the GDPR, first presented at the Morning Advertiser MA500 event in Edinburgh on 14th September. This is an overview regulations.
Brian Miller, solicitor and partner at Stone King LLP and Lauren Mitchum, trainee solicitor, provide a useful guide to ensuring your website is compliant with the law in all aspects, including advice on domain names, website content, disability discrimination, online terms, display of mandatory information, the impact of the Consumer Contracts Regulations, privacy policies and cookies, online advertising and the processing of payments
Guidance on Verification of Individual Customers for Customer Due Diligence
Anti-Money Laundering, Countering Financing of Terrorism and Targeted Financial Sanctions for Financial Institutions
This guide is intended to provide a concise summary of the TCPA statute and related regulations, and explain the new rules and their known impacts on enterprises (the organizations making the outbound contact) and recipients (people on the receiving end of the interactions). A lack of clarity in the regulations has driven organizations with the financial means to hire legal firms to assist them in interpreting the rules. Companies without the financial resources for legal counsel are looking for guidance. No one knows whether their interpretation is correct, and the case law, which is addressed in Section 2.1 of this Guide, further confounds the market, as each case seems to involve a different facet of the regulations and how they are applied.
Common Data Protection Issues in Managing M&A DealsMatheson Law Firm
This article explores the potential application of the GDPR in running a typical Irish merger or acquisition and sets out some practical guidelines on how parties to the transaction can demonstrate compliance with the GDPR requirements.
Similar to Ccpa serviceproviders whitepaper_dec2019 (20)
Guide on the use of Artificial Intelligence-based tools by lawyers and law fi...Massimo Talia
This guide aims to provide information on how lawyers will be able to use the opportunities provided by AI tools and how such tools could help the business processes of small firms. Its objective is to provide lawyers with some background to understand what they can and cannot realistically expect from these products. This guide aims to give a reference point for small law practices in the EU
against which they can evaluate those classes of AI applications that are probably the most relevant for them.
Responsibilities of the office bearers while registering multi-state cooperat...Finlaw Consultancy Pvt Ltd
Introduction-
The process of register multi-state cooperative society in India is governed by the Multi-State Co-operative Societies Act, 2002. This process requires the office bearers to undertake several crucial responsibilities to ensure compliance with legal and regulatory frameworks. The key office bearers typically include the President, Secretary, and Treasurer, along with other elected members of the managing committee. Their responsibilities encompass administrative, legal, and financial duties essential for the successful registration and operation of the society.
Matthew Professional CV experienced Government LiaisonMattGardner52
As an experienced Government Liaison, I have demonstrated expertise in Corporate Governance. My skill set includes senior-level management in Contract Management, Legal Support, and Diplomatic Relations. I have also gained proficiency as a Corporate Liaison, utilizing my strong background in accounting, finance, and legal, with a Bachelor's degree (B.A.) from California State University. My Administrative Skills further strengthen my ability to contribute to the growth and success of any organization.
Synopsis On Annual General Meeting/Extra Ordinary General Meeting With Ordinary And Special Businesses And Ordinary And Special Resolutions with Companies (Postal Ballot) Regulations, 2018
Car Accident Injury Do I Have a Case....Knowyourright
Every year, thousands of Minnesotans are injured in car accidents. These injuries can be severe – even life-changing. Under Minnesota law, you can pursue compensation through a personal injury lawsuit.
Defending Weapons Offence Charges: Role of Mississauga Criminal Defence LawyersHarpreetSaini48
Discover how Mississauga criminal defence lawyers defend clients facing weapon offence charges with expert legal guidance and courtroom representation.
To know more visit: https://www.saini-law.com/
A "File Trademark" is a legal term referring to the registration of a unique symbol, logo, or name used to identify and distinguish products or services. This process provides legal protection, granting exclusive rights to the trademark owner, and helps prevent unauthorized use by competitors.
Visit Now: https://www.tumblr.com/trademark-quick/751620857551634432/ensure-legal-protection-file-your-trademark-with?source=share
1. International Association of Privacy Professsionals
iapp.org
1
Negotiating with Service
Providers and Third Parties
under CCPA
KEY TAKEAWAYS
• Contractual provisions that address GDPR requirements will not necessarily
cover CCPA requirements.
• Third parties are entities that are not envisioned under the GDPR.
• “Service provider” relationships require strict contractual restrictions on what
the vendor can do with the information.
• Any exchange of personal information that is not accompanied by the
contractual restrictions required to meet the definition of “service provider” —
or what is not a “third party” — is at risk of being found to be a “sale” if there is
valuable consideration involved.
• There are emerging industry proposed solutions that may help address some of
the contractual complexities raised by the CCPA.
Introduction
Many of us understand in theory what the California Consumer Privacy Act means for
consumer rights and that it creates a totally new ecosystem of relationships between
and among businesses that are covered by the law and other legal entities with whom
they do business.
Unfortunately, that new ecosystem bears little resemblance to the controller/proces-
sor structure of the EU General Data Protection Regulation and leaves much to be
desired when it comes to facilitating the privacy practitioner’s job of categorizing and
risk-ranking business partners. To make matters worse, the attorney general did not
issue draft regulations until October, and those regulations likely will not be finalized
until July of 2020.
This white paper is designed to provide a little guidance to those who are struggling to
identify different parties in the ecosystem and draft contractual provisions accordingly.
It is also intended to become a chapter in the second edition of the IAPP’s “Data Pro-
cessing Agreements” book in 2020.
Tanya Forsheit, CIPP/US, CIPT
Partner and Chair, Privacy & Data Security Group,
Frankfurt Kurnit Klein & Selz
2. International Association of Privacy Professsionals
iapp.org
2
This white paper is not legal advice. Readers should retain counsel to
advise them on privacy practices and contract negotiations/drafting.
As the CCPA evolves, moreover, please consult more recent versions
of this paper or other updated materials in the IAPP Resource Center.
Definitions of business/service provider/third party under CCPA
The definitions section of the CCPA is primarily found in Civil Code Section 1798.140. The
first key definition is “business.” What is a covered “business” for purposes of the CCPA?
Section 1798.140(c) defines a “business” as:
(1) A sole proprietorship, partnership, limited liability company, corporation,
association or other legal entity that is organized or operated for the profit or
financial benefit of its shareholders or other owners, that collects consumers’
personal information, or on the behalf of which such information is collected
and that alone, or jointly with others, determines the purposes and means of
the processing of consumers’ personal information, that does business in the
State of California, and that satisfies one or more of the following thresholds:
(A) Has annual gross revenues in excess of twenty-five million dol-
lars ($25,000,000), as adjusted pursuant to paragraph (5) of subdi-
vision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, receives for the busi-
ness’s commercial purposes, sells or shares for commercial purpos-
es, alone or in combination, the personal information of 50,000 or
more consumers, households or devices.
(C) Derives 50 percent or more of its annual revenues from selling
consumers’ personal information.
(2) Any entity that controls or is controlled by a business, as defined in para-
graph (1), and that shares common branding with the business. “Control” or
“controlled” means ownership of, or the power to vote, more than 50 per-
cent of the outstanding shares of any class of voting security of a business;
control in any manner over the election of a majority of the directors, or of
individuals exercising similar functions; or the power to exercise a controlling
influence over the management of a company. “Common branding” means a
shared name, servicemark or trademark.
If you meet the definition of a business, the next step is to determine what your busi-
ness partners and vendors are in the CCPA landscape. Even if you are not a “business,”
you may receive inquiries from companies that are “businesses” as to what role you
play. Accordingly, the next most relevant definition is “service provider.”
3. International Association of Privacy Professsionals
iapp.org
3
Section 1798.140 (v) defines a “[s]ervice provider” to mean:
[A] sole proprietorship, partnership, limited liability company, corporation,
association, or other legal entity that is organized or operated for the profit or
financial benefit of its shareholders or other owners, that processes informa-
tion on behalf of a business and to which the business discloses a consumer’s
personal information for a business purpose pursuant to a written contract,
provided that the contract prohibits the entity receiving the information from
retaining, using, or disclosing the personal information for any purpose other
than for the specific purpose of performing the services specified in the con-
tract for the business, or as otherwise permitted by this title, including retain-
ing, using, or disclosing the personal information for a commercial purpose
other than providing the services specified in the contract with the business.
But what if you are neither a business nor a service provider? Or what if you are doing
business with companies that are doing things with the personal information you make
available to them in ways that are not strictly for the purpose of providing services to
you? The next definition we consider is “third party.”
Section 1798.140(w) defines a “[t]hird party” by virtue of what it is not. A “third party”
means a person who is not any of the following:
(1) The business that collects personal information from consumers under
this title.
(2) (A) A person to whom the business discloses a consumer’s personal infor-
mation for a business purpose pursuant to a written contract, provided that
the contract:
(i) Prohibits the person receiving the personal information from:
(I) Selling the personal information.
(II) Retaining, using, or disclosing the personal informa-
tion for any purpose other than for the specific purpose
of performing the services specified in the contract, in-
cluding retaining, using, or disclosing the personal infor-
mation for a commercial purpose other than providing
the services specified in the contract.
(III) Retaining, using, or disclosing the information
outside of the direct business relationship between the
person and the business.
(ii) Includes a certification made by the person receiving the per-
sonal information that the person understands the restrictions in
subparagraph (A) and will comply with them.
4. International Association of Privacy Professsionals
iapp.org
4
(B) A person covered by this paragraph that violates any of the restrictions
set forth in this title shall be liable for the violations. A business that disclos-
es personal information to a person covered by this paragraph in compliance
with this paragraph shall not be liable under this title if the person receiving
the personal information uses it in violation of the restrictions set forth in
this title, provided that, at the time of disclosing the personal information,
the business does not have actual knowledge, or reason to believe, that the
person intends to commit such a violation.
If you feel like the definition of what is not a “third party” seems awfully similar but
slightly different from what is defined as a “service provider,” you are right. It is just
one example of the poor drafting of the CCPA.
Examples of business-service provider relationships
Given the poorly crafted definitions, how can a business know what to look for in de-
termining whether its partners are “service providers”? Let’s consider some examples.
The most straightforward example of a business-service provider relationship is likely
to be something like cloud hosting. If a cloud services provider is doing nothing with
the data other than hosting (e.g., infrastructure as a service), the cloud services pro-
vider is a service provider for CCPA purposes. Another example would be a customer
relationship management service that does not use the data for any purpose of than to
provide the service.
That being said, neither of these kinds of companies (or any other) can be a service
provider unless the contract includes the restrictions set forth in the section above. It
is, therefore, best to use the definition of what a “third party” is not to help design your
contract in a way that demonstrates your business partner is a service provider.
The bottom line: If you do not need your partner to use data in ways beyond providing
you with the services or if you are a vendor that just provides a service (e.g., security
services) and does nothing else with the data, draft a strong “service provider” agree-
ment and be done with it.
Sample contract language
The “service provider” is the easiest language to draft because you can follow the statu-
tory requirements in the definition of what is not a “third party” in Section 1798.140(w).
Here is one way to approach it:
[Company] is a Business and [Vendor] is a Service Provider for purposes of
the CCPA. [Vendor] shall not: (a) sell the Personal Information; (b) retain,
use or disclose the Personal Information for any purpose other than for the
specific purpose of performing the Services; (c) retain, use, or disclose the
Personal Information for a commercial purpose other than providing the
5. International Association of Privacy Professsionals
iapp.org
5
Services; or (d) retain, use, or disclose the Personal Information outside of
the direct business relationship between [Vendor] and [Company]. [Vendor]
certifies that it understands these restrictions and will comply with them.
A word of caution: Don’t try to shoehorn your vendor relationship into this model if it
is not factually accurate. That can only end badly – like with an FTC Section 5 investi-
gation.
Examples of business–third-party relationships
Now that we know what a “service provider” is, it is not difficult to determine what a
“third party” is because (as mentioned above) “third party” is defined by virtue of what
it is not — i.e., not a service provider. Any vendor doing anything with personal infor-
mation other than providing the service (e.g., using the personal information for its
own purposes) could be a “third party.” Stated another way, any entity is a “third party”
when the contractual restrictions described in the model contractual language above
are not employed.
It also likely applies in any situation when a vendor has contractual language that al-
lows it to use personal information to improve its services, engage in benchmarking, or
allow other businesses to use the personal information.
“Third party” has no analog in the GDPR model; you may find many companies taking
the position that they are “third parties” and/or independent “businesses,” similar to
the “independent controller” role under the GDPR, defining themselves as businesses
(controllers) that make decisions about the purposes and means of processing.
Sample contract language
The following sample clauses are premised on the assumption that the “third
party” will also take the position that it is an independent “business,” much
like an independent controller for GDPR purposes.
You will notice right away that the “third-party” model is much more
complicated than the “service provider” model. This is because the law itself
does not necessarily accommodate all the many business models (e.g., fraud
prevention, advertising technology) that require the vendor to build its own
databases and use its own algorithms.
For efficiency, this sample includes GDPR terminology, but users should
remove it if not relevant to the situation.
6. International Association of Privacy Professsionals
iapp.org
6
1. Sample language for parties’ roles/data ownership as to ‘business data’ and
‘vendor data’
Sample language for data license of business data to vendor (this imposes
restrictions similar to the “service provider” language discussed above,
to allow the business to take the position that, as to business data, it is a
business and the vendor is the “service provider”):
The parties acknowledge that, as between Business and Vendor, all Business
Data that is subject to the Agreement is owned by the Business. The Business
retains all right, title and interest in Business Data, and any rights not
expressly granted herein are reserved by the Business. The Business acts as a
Controller and Business of the Business Data. Vendor shall act as a Processor
and Service Provider of the Business Data it processes under the Agreement.
The Business, as a Controller/Business, determines the purposes and means
of the processing of the Business Data.
[Note: How “business data” is defined will depend in large part on the
services involved, but it should incorporate a definition of “personal data/
information.” The business data should include the personal information the
vendor only gets from the business and no one else and only uses for the
business and for no other purpose.]
The Business hereby grants to Vendor a limited, revocable, non-exclusive,
royalty-free right and license during the term of the Agreement to Process
Business Data for the sole purpose of providing the Services and for the
purposes set forth in this Agreement. Vendor does not have any right to
directly or indirectly sell, rent, lease, copy, access, use, combine, reproduce,
modify, disclose or transfer Business Data, other than as set forth in this
Agreement. Vendor shall not collect through the Business Properties any
data from Users of Business Properties or use any such data, except as may
be mutually agreed upon by the parties. Vendor shall not: (a) sell the Business
Data; (b) retain, use, or disclose the Business Data for any purpose other than
for the specific purpose of performing the Services; (c) retain, use, or disclose
the Business Data for a commercial purpose other than providing the
Services; or (d) retain, use, or disclose the Business Data outside of the direct
business relationship between Vendor and the Business. Vendor certifies that
it understands these restrictions and will comply with them.
For vendor data, consider something like the following:
Vendor owns Vendor Data that is subject to the Agreement. The parties agree
that, unless otherwise agreed between the parties, both Vendor and the
Business will be considered Controllers and Businesses of Vendor Data and
all other Personal Information, other than the Business Data, processed in
relation to the Services performed by Vendor pursuant to the Agreement.
7. International Association of Privacy Professsionals
iapp.org
7
[Note: How “vendor data” is defined will also be driven by the nature of
the services and should also incorporate a definition of personal data/
information. Vendor data should include the personal information that
vendor gets from the business that vendor incorporates into its own
database/service in order to provide the services.]
[Add GDPR language as appropriate]: Each Controller is responsible for
Processing Personal Data in accordance with an appropriate lawful basis.
Notwithstanding anything to the contrary herein, in no event will Vendor and
the Business be deemed to be jointly processing Business Data or Vendor Data.
[Note: This should be revised if it is a joint controllership for GDPR purposes.]
Third-Party Data will remain the sole and exclusive property of such third
parties and subject to their applicable license terms. [Note: This is important
if the business or the vendor are also collecting/processing personal
information from third parties.]
2. Sample provision to address consumer requests
Each party shall notify the other party of an individual within its
organization authorized to respond from time to time to inquiries regarding
the Business Data and Vendor Data including but not limited to data subject
and consumer requests for deletion, disclosure and “Do Not Sell,” and shall
deal with such inquiries promptly, without prejudice to the specific deadlines
imposed by Applicable Data Protection Law.
3. Sample language that can be used to address each party’s compliance
obligations
Each party shall only use or otherwise Process Personal Information in
accordance with the permitted purposes set forth in this Agreement and
in accordance with all Applicable Data Protection Law. Each party shall be
individually and separately responsible for complying with the obligations
under Applicable Data Protection Law that applies to it as a Controller or
Processor, as applicable, in respect of certain types of Personal Information
processed under the Agreement. Neither party shall share, transfer, disclose or
otherwise provide or permit access to the Personal Information to any person
or entity without the other party’s prior written consent, except in accordance
with this Agreement, or on the basis of a court order, subpoena, or other
governmental requirement or authority, or in case such party is otherwise
required to disclose such information by law or regulation, provided that such
disclosure is permitted by Applicable Data Protection Law (a “Compulsory
Request”). In such case, the disclosing party shall inform the other party
of that legal requirement to disclose information before processing the
Compulsory Request, unless applicable law prohibits such disclosure.
8. International Association of Privacy Professsionals
iapp.org
8
4. Sample language for security safeguards and breach response
Each party shall implement and maintain (and require its Subprocessors
to maintain) reasonable and appropriate technical, administrative and
organizational measures designed to ensure a level of confidentiality and
security appropriate to the risks represented by the processing and the
nature of the Personal Information and to prevent unauthorized or unlawful
processing of Personal Information, including but not limited to measures
against accidental loss, disclosure or destruction of, or damage to, Personal
Information. Each party agrees to notify the other party within a reasonable
period of time (and in any event within forty-eight (48) hours) where such
party becomes aware of or reasonably suspects that Personal Information
of the other Party has been or may have been lost, damaged or subject to
unauthorized internal or external access or any other unlawful processing
(a “Security Incident”) and to take reasonable steps to mitigate the impact
of any such Security Incident. To the extent a party, as Controller/Business
with respect to Personal Information subject to a Security Incident, seeks the
assistance of the other party, the other party agrees to reasonably cooperate
with such party to: (a) determine the scope and severity of any such Security
Incident; (b) provide timely information and cooperation as such party
may require to fulfill such party’s data breach reporting obligations under
Applicable Laws and contract; and (c) give notice to individuals whose Personal
Information is the subject of such Security Incident. Unless a party is obliged
to give such notice under Applicable Data Protection Law, such party shall not
give notice to individuals in respect of a Security Incident relating to Data of
the other party except with the prior written approval of the other party.
5. Sample language for deidentification. The CCPA also provides certain
exemptions for information that is deidentified, so consider the following
language if that is relevant and you believe you can meet the high bar for
deidentification
If either party receives information of the other party in Deidentified
format, such party shall: (1) implement technical safeguards that prohibit
reidentification of the data subject or consumer to whom the information
may pertain; (2) implement business processes that specifically prohibit
reidentification of the information; (3) implement business processes that
prevent inadvertent release of deidentified information; (4) not attempt to
reverse engineer the information or otherwise reidentify data subjects or
consumers to whom the Deidentified Data relates; and (5) only share the
Deidentified Data, if and to the extent such sharing is permitted by this
Agreement, in the format it received it from the other party. If a Party does
not receive Personal Information in Deidentified format, but the other party
instructs such party to only share Personal Information of the other party
in a Deidentified format, such party shall ensure it is Deidentified before it is
shared.
9. International Association of Privacy Professsionals
iapp.org
9
When might a vendor also be a ‘business’?
As noted above, most situations in which a vendor is a third party will also involve
the vendor being an independent business. This is very much like independent con-
troller relationships under the GDPR. As one potential example, if an adtech provider
refuses to restrict its use of personal information to the purposes set forth in the
definition of a service provider, it will, by definition, be a third party and potentially
also an independent business. This is what happened under the GDPR — most adtech
providers refused to be processors and took the position that they are independent
controllers. Interestingly, as we go to press, some adtech companies that took the po-
sition that they were independent controllers for GDPR purposes are now asserting
that they are merely service providers for CCPA purposes. It will be interesting to see
how they reconcile those legal positions.
A. Issues/potential contract language for the purchasing party/vendor?
The most significant consequence of a vendor refusing to be a service provider is that
the CCPA considers nearly any exchange of information between a business and anoth-
er entity other than a service provider (subject to the appropriate contractual restric-
tions described above) to be a “sale.”
Any exchange of personal information is a “sale” if the business receives “monetary or
other valuable consideration,” unless an exception applies. Section 1798.140 (t)(1) de-
fines “[s]ell,” “selling,” “sale” or “sold,” as “selling, renting, releasing, disclosing, dissem-
inating, making available, transferring, or otherwise communicating orally, in writing,
or by electronic or other means, a consumer’s personal information by the business to
another business or a third party for monetary or other valuable consideration.”
Given how easily what you thought was a “service provider” relationship could become
a “sale,” it becomes extremely important to examine the enumerated exceptions to
“sale.”
Section 1798.140(t)(2) enumerates the exceptions as follows:
For purposes of this title, a business does not sell personal information when:
(A) A consumer uses or directs the business to intentionally disclose personal
information or uses the business to intentionally interact with a third party,
provided the third party does not also sell the personal information, unless
that disclosure would be consistent with the provisions of this title. An in-
tentional interaction occurs when the consumer intends to interact with the
third party, via one or more deliberate interactions. Hovering over, muting,
pausing, or closing a given piece of content does not constitute a consumer’s
intent to interact with a third party.
10. International Association of Privacy Professsionals
iapp.org
10
This first exception appears to indicate that, in the event a consumer explicitly con-
sents (consistent with the GDPR’s consent standard) to use of the personal informa-
tion, that the disclosure at issue is not a sale. This might be a reason for businesses to
consider using a cookie consent mechanism that they use for GDPR purposes for the
CCPA, as well.
(B) The business uses or shares an identifier for a consumer who has opted
out of the sale of the consumer’s personal information for the purposes of
alerting third parties that the consumer has opted out of the sale of the con-
sumer’s personal information.
(C) The business uses or shares with a service provider personal information
of a consumer that is necessary to perform a business purpose if both of the
following conditions are met:
(i) The business has provided notice that information being used or
shared in its terms and conditions consistent with Section 1798.135.
(ii) The service provider does not further collect, sell, or use the
personal information of the consumer except as necessary to per-
form the business purpose.
This exemption in subsection Section 1798.140(t)(2)(C) is simply a reiteration of the ser-
vice provider exception discussed above. But it also requires us to look at the definition
of “business purpose.” Section 17980.140 (d) defines “business purpose” as:
The use of personal information for the business’s or a service provider’s oper-
ational purposes, or other notified purposes, provided that the use of personal
information shall be reasonably necessary and proportionate to achieve the
operational purpose for which the personal information was collected or pro-
cessed or for another operational purpose that is compatible with the context
in which the personal information was collected. Business purposes are:
(1) Auditing related to a current interaction with the consumer and
concurrent transactions, including, but not limited to, counting ad
impressions to unique visitors, verifying positioning and quality
of ad impressions, and auditing compliance with this specification
and other standards.
(2) Detecting security incidents, protecting against malicious,
deceptive, fraudulent or illegal activity, and prosecuting those re-
sponsible for that activity.
(3) Debugging to identify and repair errors that impair existing
intended functionality.
11. International Association of Privacy Professsionals
iapp.org
11
(4) Short-term, transient use, provided the personal information
that is not disclosed to another third party and is not used to build
a profile about a consumer or otherwise alter an individual con-
sumer’s experience outside the current interaction, including, but
not limited to, the contextual customization of ads shown as part
of the same interaction.
(5) Performing services on behalf of the business or service provid-
er, including maintaining or servicing accounts, providing custom-
er service, processing or fulfilling orders and transactions, verifying
customer information, processing payments, providing financing,
providing advertising or marketing services, providing analytic
services, or providing similar services on behalf of the business or
service provider.
(6) Undertaking internal research for technological development
and demonstration.
(7) Undertaking activities to verify or maintain the quality or
safety of a service or device that is owned, manufactured, manufac-
tured for, or controlled by the business, and to improve, upgrade or
enhance the service or device that is owned, manufactured, manu-
factured for, or controlled by the business.
Another important exemption from “sale” is in the event of a merger, acquisition, or
other corporate reorganization.
Section 1798.140(t)(2)(D) exempts from the definition of sale situations where:
The business transfers to a third party the personal information of a consumer
as an asset that is part of a merger, acquisition, bankruptcy, or other trans-
action in which the third party assumes control of all or part of the business,
provided that information is used or shared consistently with Sections 1798.110
and 1798.115. If a third party materially alters how it uses or shares the personal
information of a consumer in a manner that is materially inconsistent with
the promises made at the time of collection, it shall provide prior notice of
the new or changed practice to the consumer. The notice shall be sufficiently
prominent and robust to ensure that existing consumers can easily exercise
their choices consistently with Section 1798.120. This subparagraph does not
authorize a business to make material, retroactive privacy policy changes or
make other changes in their privacy policy in a manner that would violate
the Unfair and Deceptive Practices Act (Chapter 5 (commencing with Section
17200) of Part 2 of Division 7 of the Business and Professions Code).
The most important takeaway is that any relationship that does not qualify as a “ser-
vice provider” relationship because it lacks the contractual restrictions described above
could be found to be a “sale” if there is valuable consideration involved.
12. International Association of Privacy Professsionals
iapp.org
12
Potential IAB Industry Solution
On Sept. 17, 2019, the Interactive Advertising Bureau rolled out a proposed CCPA Indus-
try Framework to provide companies with a way to communicate through the digital
advertising ecosystem certain information, including when a consumer exercises his or
her right to opt-out of sale under the CCPA. The proposed IAB Framework includes an
industry-wide contract to implement the rights and obligations triggered by the opt-
out signal. This agreement would impose on the downstream participants the statutory
limitations of a service provider in connection with the transactions in which they are
involved that include the opt-out signal. These participants become “limited service
providers,” prohibited from selling personal information but still permitted to use the
personal information to, for example, supplement a bid request and engage in bid deci-
sioning to complete the transaction. The limited service provider would not, however,
be able to use the personal information to build a new behavioral profile or augment a
previously existing profile. Just prior to this paper going to press, on Nov. 18, 2019, the
IAB issued a draft Limited Service Provider Contract.
The proposed Limited Service Provider Contract would eliminate the need for individu-
al agreements among participants and solve for the issue of privity among participants
who would not otherwise contract with each other (e.g., publishers and buy-side ad
servers). An industrywide agreement also solves for the “onward sale” issue because it
designates all downstream participants as service providers of the publisher, even with-
out a direct relationship.
Organizations in the adtech ecosystem (including publishers, advertisers, agencies and
adtech companies) will need to decide, working with their own legal counsel, whether
it makes sense for them to sign on to the IAB Limited Service Provider Contract to
address personal information exchanges for interest-based advertising (and the related
consequences in the event of a “Do Not Sell” command) or, alternatively, to develop
and enter into individual contracts with each of the other relevant players in the eco-
system.
Conclusion
Characterizing business partners and vendors as “service providers” or “third parties” is
crucial to CCPA compliance. Existing contracts may need to be modified with a CCPA
addendum addressing the parties’ CCPA status and obligations. New contracts will
also need to include CCPA-related language, and vendors should begin updating their
standard forms now to capture concerns their business-to-business customers will un-
doubtedly raise and define themselves as a business provider (or third party) as appro-
priate.
Of course, the factual reality of the business relationship will ultimately determine
whether an entity is a “service provider” or “third party” under the CCPA; that being
said, the parties can assist in allocating risk and responsibility — if not determining le-
gal status — by how they characterize themselves and their duties in their agreements.