Article originally published January 3rd, 2020 on Loyalty360.com: view it here.
CCPA went into effect on January 1st and if your IT, technology, and data security teams set up a process and flow to comply before the start of this year, you’re off to a great start. But while you may be confident that you’re prepared as a company to deal with the CCPA, some nagging questions may still remain…
What about your agencies who have collected data from consumers on your behalf?
And what about all those vendors who have had access to your customers’ personal information?
To help answer these concerns, here are three questions to ask:
1 – HOW IS YOUR PARTNER ASSISTING YOUR COMPLIANCE WITH CCPA?
Under the CCPA, California consumers have several rights with regard to the “personal information” you have collected from or regarding them, including the right to have that data deleted and the right to access all data you have about them. These requests must be responded to within 45-days of receipt. Most likely, your company has set up an internal process to handle these requests for data that your company stores. But have you established a process with your agencies and vendors about how they will assist you in fulfilling this obligation, in cases where consumer data was collected by them on your behalf? It may not be such a big task if you only have a few agencies or vendors on retainer, but this can be a daunting undertaking if your company uses multiple agencies for ad hoc projects, or individual/multiple brands within your organization use separate agencies.
Start with a thorough review of all your marketing activities and the vendors or agencies involved (who was that agency that did those customer surveys for us?). To that end, you should reach out to all of your brand partners and find out what they have done to comply with the CCPA and how they will assist you in your CCPA compliance obligations. Even better, have a direct conversation with each on these questions, or, if your roster is too big to make that practical, circulate a survey with pertinent questions. In addition, ensure that your agency and vendor agreements are all updated to include a contractual obligation stipulating that they will assist you in any consumer requests – in a timely fashion – that you forward to them. Without such language in your agreements, your agencies are under no obligation to assist you in facilitating consumer requests under the CCPA.
2 – IS YOUR AGENCY A “SERVICE PROVIDER” OR A “THIRD PARTY”?
Under the CPPA, your agencies will most likely be considered either “third parties” or “service providers”. Why is this important? If your agency is a deemed to be a third party and is processing personal information on your behalf, its services may be considered a “sale” under the CCPA, thus requiring your company to add a “Do Not Sell My Information” link on your homepage. However, if a service provider is processing personal information on your behalf, you are not required to add such a link to your homepage. Additionally, there is limited liability afforded to your company for personal information processed by service providers versus that which is processed by third parties.
In order for your agency to be considered a service provider under the CCPA, your company must have a written agreement with them that sets forth that the agency or vendor will use, retain and share all personal information only as part of the services set forth in the agreement. In other words, the agreement must set forth how the agency will – and will not – use, retain and share the personal information. Ideally, none of your agencies or vendors will be considered third parties under the CCPA. If you have not already amended your agreements to include language to make your agencies or vendors “service providers” instead of “third parties”, make that a top priority.
3- HOW WILL YOUR PARTNERS PROCESS CONSUMER REQUESTS ON YOUR BEHALF?
Once you have established that your agencies or vendors are aware of their obligations under the CCPA and have agreed to assist your company with consumer requests for personal information that the agency has processed on your behalf, ask them to provide details as to how they will handle such consumer requests. Make sure that they, too, have mapped out the data flow of personal information that they are processing or storing on your behalf. Does the agency or vendor have a singular identifiable view of each individual consumer across programs (and the personal information collected therefrom)? Or is such consumer data isolated in separate silos for each program? In other words, when a consumer makes a request under the CCPA concerning their personal information to your company, and you forward that request to your agency or vendor, can each of them do a single query to find all the personal information processed or stored by the agency on that consumer? Or will they need to query each individual program? Obviously, if they do the latter it could affect your ability to comply within the 45-day period in which you must respond to consumer inquiries. A best-case scenario would be if they have developed some sort of platform enabling it to search by the individual consumer in question and immediately provide holistic data on that consumer in response to his or her request.
The CCPA is creating new challenges for brands, agencies, and vendors alike. However, the more you can ensure that you and your partners are on the same page and understand your respective responsibilities, the easier it will be to comply.