Who is responsible for CCPA compliance?
The CCPA applies to three types of entities: (1) “businesses,” (2) “service providers,” and (3) “third parties.” Each term is defined within the CCPA and discussed below.
1. Businesses
Businesses have the vast majority of obligations under the CCPA. In short, a “business” is a for-profit entity doing business in California that collects consumers’ personal information and meets at least one of the following thresholds:
- Has annual gross revenues of over twenty-five million dollars ($25,000,000).
- Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices.
- Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
You may think you don’t “sell” any personal information.
However, “sell,” “selling,” “sale,” or “sold” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
So, it’s very broadly worded! For example, if your website uses retargeting or other advertising cookies or pixel tags on California consumers, this is likely considered a “sale” under the CCPA.
Finally, if you satisfy the above definition of “business,” the entities that you control (or that control you) are also considered businesses, provided that they share common branding with you (i.e., a shared name, service mark, or trademark).
2. Service providers
The CCPA also applies to “service providers.” Put another way, even if you don’t fit the definition of “business,” the CCPA applies to you if you are a vendor that provides services to businesses.
A “service provider” is any entity, wherever located, that processes personal information on behalf of a business for a “business purpose.”
As with the GDPR, a written contract must be entered into between businesses and service providers. This contract must expressly state that the service provider:
- Processes the personal information for a “business purpose”;
- Will not retain, use, or disclose the personal information for any purpose other than the specific purpose of performing the services specified in the contract;
- Will only use the personal information within the “direct business relationship” with the business;
- Will not “sell” the personal information; and
- “Certifies” that it understands its contractual restrictions and will comply with them.
So, whether you’re considered a “business” or a “service provider” under the CCPA, you should make sure the data processing addenda you created for the GDPR are updated accordingly. If you weren’t subject to the GDPR, you should put together appropriate amendments to your Master Services Agreement or Terms of Service that account for the CCPA.
3. Third party
A “third party” is any entity, wherever located, that is not:
- A business that collects personal information from consumers;
- A service provider; or
- Any other recipient of personal information that has contractual restrictions similar to those between businesses and service providers.
The definition of “third party” is unclear in practice and adds more complexity to an already demanding statute.
However, a “third party” has a special restriction: it cannot “sell” personal information that was sold to it by a business unless the consumer has received an explicit notice and a chance to opt out of a sale (more on this below).