Vendor Contracting: Preparing for CCPA Changes in Effect January 1, 2023 and Other Related Issues

Masters of Advertising Law Conference attendees: Scroll down for CLE materials

Starting in January of 2023, updates to the California Consumer Privacy Act (CCPA) will go into effect, expanding the scope of the law. A panel of counselors from multiple brands and firms and a privacy expert shared information on these looming changes and discussed some of the ways that brands and their advertising lawyers can prepare.

Key Takeaways

Previously, the CCPA defined only two parties to whom a business could transfer a consumer's personal information: service providers and third parties. In 2023, the law will expand to include contractors, which are similar to service providers. The key difference between the two is that service providers process data provided by a brand to perform a service on the brand's behalf, whereas a contractor receives access to data to provide services to the brand but doesn't necessarily act on behalf of the brand. An example of a contractor would be FedEx, which is not considered a third-party brand partner but an independent business that provides a service for brands.

The difference between a contractor and a service provider is esoteric. California did provide an example of how it views service providers versus contractors. In its example, California stated, "an email marketing service provider can send emails on a business's behalf using the business's customer email list. The service provider could analyze those customers' interactions with the marketing emails to improve its service and offer improved services to everyone. But the service provider cannot use the original email list to send marketing emails on behalf of another business." A contractor, on the other hand, is not permitted to analyze customer interactions on behalf of the business.

This change in the law effectively allows brands to share data with more entities involved with their business, but it will also make templated contracts riskier for brands. Going forward, internal counsel should consider using customized contracts based on the type of relationship the brand has with the third party. In preparation for this change, the panel recommended reviewing all your brand's third-party relationships and categorizing them as service providers, contractors, or something else.

A second change taking place with the CCPA is an update that states all businesses that collect user data and sell or share that data with a third party for a business purpose must enter into an agreement with said third party. Though this change can seem burdensome, the panel agreed it is a best practice that should have already been in place for many brands. However, this requirement can become complicated when, for example, a brand hires a vendor to conduct programmatic advertising and that vendor has a relationship with another vendor that manages some aspect of the programmatic ad buy. Whether the vendor of the vendor would need a contract with the original brand in this scenario is currently a legal gray area. Brands should ensure that service providers or contractors disclose their relationships with other vendors in signed agreements — and expressly state in these agreements that the brand partner can share data with other listed vendors — to provide legal cover.

Action Steps

  • Look at internal processes: Privacy legislation like the CCPA has been around long enough now that many brands should already have safeguards in place. Having done so will ensure that brands and their legal teams won't have to start from scratch to adjust to new additions to the law. Instead, look at what your brand is already doing and simply make the appropriate updates.
  • Avoid sweeping solutions: Don't just look at California and apply its standards to everything. Look at every state where you conduct business and respond accordingly. Sometimes these states' privacy laws contradict one another, and there is no one-size-fits-all solution.

Q&A with Gary Kibel, technology and privacy at Davis+Gilbert LLP; Jesssica Lee, co-chair, privacy, security, and data innovations at Loeb & Loeb LLP

Q. What are the advantages and disadvantages of being a service provider versus a contractor and would something like a data clean room service be considered a contractor if there is no processing layer above it?

Gary Kibel: A clean room environment is not simply one activity, so it's hard to classify them as one or the other. I would look at what your clean room partner is doing and determine which they are from there.

Jessica Lee: On the service provider-contractor comparison, I don't think there's any meaningful distinction, except for instances in which I've seen companies say, "We're not a service provider. We can't fit into this very narrow definition." There has been a lot of going back and forth and trying to classify these companies that don't fit into the strict definition of service provider, but that also weren't third parties because they weren't selling. I view "contractor" as the catch-all bucket for these types of companies.

CLE Materials


"Vendor Contracting: Preparing for CCPA Changes in Effect January 1, 2023 and Other Related Issues." Wayne Matus, co-founder of and general counsel at Safeguard Privacy; Jesssica Lee, co-chair, privacy, security, and data innovations at Loeb & Loeb LLP; Gary Kibel, technology and privacy at Davis+Gilbert LLP; Sal Tripi, VP of digital operations and commerce at Publishers Clearing House. 2022 ANA Masters of Advertising Law Conference, 11/8/22.

You must be logged in to submit a comment.