Throughout 2020, companies have been negotiating with their business partners the issue of “selling” under CCPA. Is the partner a service provider? A third party? Is there an exchange of consideration? These issues will not likely go away in 2021, especially as we turn to addressing the CCPA modification, CPRA.
The final CCPA regulations passed in August did not provide the type of clarity that companies were hoping to receive, and that confusion may not disappear in 2021. Indeed, how companies can address disclosures about their possible sale of information is back on the regulatory table, with new proposed modifications to the CCPA regulation. As we wrote, the new proposed change (to the regulations, not CCPA itself), brings back the concept of a website “button.”
Companies that have business relationships internationally have needed to think not just about CCPA, but GDPR as well, which requires specific language when sharing personal information with third parties. The EU sought comments this year on standard language for sharing between controllers and processors of information, signaling that new language will be on the horizon in 2021.
Putting It Into Practice: Companies sharing information with third parties will have much on their plates in 2021, as they think about requirements under laws like CCPA and GDPR. This is a good time to evaluate which relationships are priorities for contractual review, such as those entities with whom significant amounts of information, or sensitive information, is being exchanged.