On Tuesday, Congressional Democrats unveiled a new bill to outlaw a wide swath of targeted advertising. The Banning Surveillance Advertising Act would prohibit ad tech companies from using consumers’ personal information to target ads, with limited exceptions. It also would prohibit advertisers from using third party data, or data about a person’s membership in
In guidance released last week, the New York State Office of the Attorney General urged businesses to incorporate safeguards to detect and prevent credential-stuffing attacks in their data security programs. The guidance stemmed from the AG’s finding that 1.1 million customer accounts at “well-known” companies appeared to have been compromised in credential-stuffing attacks.
Last week, California’s Governor Gavin Newsom signed into law AB 694, which makes a few technical changes to the California Privacy Rights Act (CPRA). The relevant changes to the CPRA are summarized below.
- As defined in the CPRA, “personal information” does not include publicly available information or lawfully obtained, truthful information that is a
During last month’s California Privacy Protection Agency Board (CPPA) meeting, the only substantive agenda item, addressed in closed session, was a discussion of two key appointments: the first Executive Director and a Chief Privacy Auditor, as required by CPRA’s 1798.199.30. On October 4, 2021, the five-person CPPA board announced that they appointed…
As of September 27, 2021, the European Commission requires controllers and processors to rely on the recently updated Standard Contractual Clauses (SCCs) for any new contracts governing personal data transfers from the EEA. (Existing contracts can continue to use old SCCs until December 27, 2022.) This post provides an overview of what’s in the new…
On September 22, the California Privacy Protection Agency (CPPA) issued an invitation for public comments as part of its first “preliminary” rulemaking activities. Established by the California Privacy Rights Act (CPRA) ballot initiative last November, the CPPA has the authority to write rules that address some of the most technical and controversial topics addressed in…
The California Office of the Attorney General has published a list of recent CCPA enforcement examples on its website. Each example summarizes the AG’s allegation of noncompliance and the steps that the companies took to cure the alleged noncompliance.
Under CCPA, companies have 30 days to cure noncompliance after which the California AG may initiate a civil action for civil penalties not to exceed $2,500 for each violation or $7,500 for each intentional violation. In each example made public by the California AG, the AG stated that the target of the enforcement action cured the violation and the California AG did not assess penalties. In January 2023, however, the right to cure will sunset when the CPRA takes effect.
Last year’s voter guide to California Proposition 24, the California Privacy Rights Act (CPRA), included a stark argument against enacting the privacy ballot initiative because it did not go far enough to protect employee privacy. “Currently, employers can obtain all kinds of personal information about their workers and even job applicants,” the argument against Proposition…
Just a few months after California officials announced the nominations of the inaugural Board members of the California Privacy Protection Agency (“CalPPA”), the CalPPA released the agenda for its first board meeting on June 14, 2021. The meeting will be held remotely in accordance with California Executive Order N-29-20, but the public may still…
The California Privacy Rights Act (CPRA), effective January 1, 2023, adds “contractors” to the list of entities that a business may entrust with customer data. So what is a “contractor?” And how are “contractors” different from other entities described by California privacy law, such as “service providers” or “third parties?”
As it turns out, the answer is surprising. Contractors are nearly identical to service providers, with just two differences: contractors are not data processors; and contractors must make a contractual certification in CCPA contracts. Moreover, contractors are not even new entities, and were already described in existing California privacy law.
Origins of “Contractors” in CCPA
To help explain the origins of the new contractor classification, we start with the California Consumer Privacy Act (CCPA). Under the CCPA, now in effect, each disclosure of personal information from a covered business to another entity is regulated, either via consumer opt out preferences or via contractual restrictions. Altogether, there are three potential data flows described in the CCPA: business to third party, business to service provider, and business to a person who is not a third party. We describe each in turn:
- Business to Third Party: First, when a business discloses personal information to a third party, this constitutes the “sale” of personal information (unless an exception applies, such as in the context of an intentional disclosure). The CCPA grants consumers the right to opt out of such sales of their personal information to prevent these data flows.
As an example, selling a marketing list to a third party or sharing profile information with an adtech partner in most cases would be considered a sale of personal information to a third party.
- Business to Service Provider: Second, when a business discloses personal information to a service provider, no “sale” occurs and there is no right of consumers to opt out. The requirements for the recipient to be a service provider are that (1) the service provider processes personal information on behalf of the business, and (2) the service provider agrees to retain, use, or disclose the personal information only for business purposes specified in a written contract.
Service providers provide technical, professional, and other business support to the business. For example, a service provider might offer various services such as cloud-based servers or software, consulting, or e-commerce fulfillment services.
- Business to a Person Who Is Not a Third Party: Finally, there is a rarely discussed third option in the CCPA. The CCPA states that any recipient of personal information that agrees to certain enhanced contractual terms is not a third party. This third category requires that the recipient agree to contractual terms that mirror service provider contractual terms, along with three additional terms: (1) to refrain from selling the personal information, (2) to refrain from retaining, using, or disclosing the information outside the direct business relationship between the recipient and the business, and (3) to certify that the recipient understands the above contractual restrictions.
This third option is significant to avoid the “sale” of personal information. If the recipient is not a third party, then a sale can only occur if the recipient is a “business” under CCPA. In many cases, the recipient will not be a business either, typically because the recipient does not determine the purposes and means of processing the personal information.
As an example, if an authorized reseller furnishes a manufacturer with a list of new orders for fulfillment, and the manufacturer agrees to use the list only to fulfill orders, the manufacturer is not a third party. Because the manufacturer does not determine the purposes and means of processing the personal information it receives, the manufacturer is not acting as a “business.” No sale occurs.
Similarly, if an identity verification service sends personal information to a company to assist that company with confirming the identity of an applicant for service, and the company agrees contractually to limit its use and disclosure of the information for business purposes, the recipient is not a third party or business and no sale occurs from the identity verification service to the business.
Here’s a summary of the entities that may receive personal data under the CCPA:…
Continue Reading CPRA Update: What is a “Contractor?”