Part 5: A Game of “Who’s Who” Under the CCPA

This is our fifth blog post in a multi-part series addressing what insurers need to know about the California Consumer Privacy Act (CCPA). This post focuses on the differences between data collectors, service providers, and third parties. We also discuss data brokers and their specific obligations under the CCPA. While this post does not require any background on the CCPA, if you would like the benefit of our preliminary discussions before diving into this post, we invite you to start with Part 1: The California Consumer Privacy Act – What Insurers Need to Know.

The CCPA provides for different obligations depending on a business’s status as either a data collector, a service provider, a third party, or a data broker. Here is an easy guide to determine which classification applies:

  • Data collectors are for-profit entities that collect personal information directly from California consumers. They also determine how that information is processed and for what purpose. Businesses that fall under the classification of a data collector have the most obligations to consumers under the CCPA. If a business meets a criterion requiring compliance with the CCPA, it must accept and respond to consumer requests to know, delete, opt out, etc., and similarly comply with the obligations set forth in the CCPA, unless an exemption applies.
  • Service providers are for-profit entities that process California consumers’ personal information on behalf of a business pursuant to a written contract and for a business purpose. Examples of business purposes under the CCPA include auditing, detecting security incidents, debugging, performing services on behalf of the business, internal research, and quality or safety verification. Businesses that use service providers may share personal information with those service providers without that exchange qualifying as a sale under the CCPA so long as the following conditions are met:
    • The sharing is necessary for the service provider to perform a business purpose
    • The business has provided notice that the information is being used or shared
    • The service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose

When a business enters into a contract with a service provider, the contract should explicitly state that the service provider may only use, share, and/or disclose the consumer information to fulfill the service requested of them and may not otherwise use the consumer information for personal gain. Additionally, upon a verifiable consumer request for deletion, a business may direct the service provider to delete personal information of the consumer making the request.

  • Third parties are essentially entities that obtain the personal information of a consumer from a business and do not otherwise qualify as either a data collector or a service provider. Some examples of third parties are advertising networks, internet service providers, and data analytics providers. The CCPA obligations prescribed to third parties seemingly only apply to those third parties who resell the information they obtain directly from a business. The CCPA requires that third parties give consumers explicit notice of the sale of their information and provide them with the ability to opt out of that sale. Notably, businesses are not obligated to direct third parties to delete consumer personal information upon receipt of a verifiable request, as they are required to do with service providers.
  • Data brokers are businesses that knowingly collect and sell the personal information of California consumers with whom they do not have a direct relationship. This definition does not come from the CCPA, but rather comes from another California law commonly referred to as California’s data broker law, codified at Cal. Civ. Code section 1798.99. Under the data broker law, entities that qualify as data brokers must register with the California Attorney General on or before January 31 of each year, providing names and contact information as well as any additional information they wish to provide regarding their data collection. A list of registered data brokers is available on the California Attorney General’s website. The proposed Attorney General Guidelines reference the data broker law in their discussion regarding “notice at collection,” providing that, if a business is registered with the Attorney General as a data broker pursuant to the data broker law, it does not need to provide a notice at collection to the consumer if it has included in its registration submission a link to its online privacy policy that includes instructions on how a consumer can submit a request to opt out. The failure of an entity to register as a data broker can subject the entity to a fine of $100 per day.

The CCPA became effective January 1, 2020. However, enforcement of the CCPA by the Attorney General will not begin until July 2020. It is important to analyze all of your business relationships to determine which classification your business falls under in your business arrangements to ensure that all of your CCPA obligations are met. Most notably, a business may qualify as a service provider in one instance, but a third party or data collector in another.