Kaufman Dolowich Voluck’s Katherine Catlos and Katherine Alphonso analyze the privacy roles of various organizations and their obligations under the California Consumer Privacy Act (CCPA) and GDPR.
with co-author Katherine Alphonso
Allow us to paint a picture: Your Company (“YC”), as part of its employment package, offers health care benefits to all full-time employees. For the most part, the employees engage the health insurance company directly, providing the necessary personal data needed to obtain its services. The only part of this process that YC even involves itself in is footing the bill.
To be invoiced, however, YC transfers its employees’ contact information and date of birth, which were all collected at hire, to the health insurance company for employee verification. It’s not uncommon to see a situation such as this. Employers are more and more willing to provide fringe benefits on top of a competitive salary as an incentive for their employees to stay (or take the job). Understandably, many companies are now unsure of their responsibilities regarding data privacy protection given the current landscape.
Obligations Under the CCPA
Under the CCPA, which became effective on January 1, 2020, YC must first determine if its business is governed by the law. The CCPA applies to entities that collect personal information, do business in California and satisfy one or more of the following thresholds:
- has annual gross revenues in excess of $25 million;
- alone or in combination, annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices; or
- derives 50 percent or more of its annual revenues from selling consumers’ personal information.[1]
A recent amendment, AB 25, carved out a one-year moratorium for certain “HR data” that employers collect from applicants, employees, independent contractors and corporate officers and directors in an employment-context.[2] In other words, personal information collected by an employer for employment-related reasons (for example, an applicant’s driver’s license information for the I-9 form) is exempt information.
Here, YC is not collecting information strictly as an incident of employment. It is collecting information it will also provide to an outside organization (the health insurance company) to verify employee enrollment in health care benefits and cover the bill.
Once YC determines it is a company covered under CCPA and the collected information does not fall within the “HR data” exception, it must determine and specify whether the health insurance company is a “third party” or a “service provider.” It is important to distinguish between the two, because YC’s obligations vary depending on the above-established relationship.[3]
The law defines “third parties” in the negative, stating it is not any of the following:
- the business that collects personal information (in this case, YC); and
- a person to whom the business discloses a consumer’s personal information for a business purpose pursuant to a written contract.[4]
Separately, it defines “service providers” as legal entities that “process information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract.”[5] Here, the health insurance company is likely a service provider, because it does not have authority to use the employee’s information (provided by YC) for any other purpose;[6] it may only use the information to verify with YC that the employee did in fact enroll in health care benefits, and to bill for that enrollment. With that said, YC must have a written agreement with the health care insurance provider.
YC’s written agreement must state the health care insurance company will not retain, use or disclose personal information for any purpose other than what’s specifically spelled out in the agreement, including for a commercial purpose other than providing the services to YC.[7] The agreement must further limit the collection, sale or use of the disclosed personal information, except as necessary to perform the “business purpose” for which the service provider was retained.[8] Again, in the case of this hypothetical, the health insurance company is limited to using YC’s information sharing to verify an employee’s enrollment in health care benefits and to invoice for enrollment. Lastly, the service provider must represent it has read and understood its obligations under the CCPA’s requirements.[9]
The GDPR by Contrast
Under the GDPR, YC should first investigate which role each company would play: controller or processor. Once the roles are determined, the legal obligations and liabilities are a little more straightforward. Unfortunately, determining the roles isn’t always easy.
Since a controller “determines the purposes and means of the processing,”[10] and a processor acts “on behalf of the controller,”[11] YC must look at the processing activity actually taking place. Here, YC is collecting the information directly from the data subject (its employee). It determines the purpose of that collection by using it to pay for the employees’ health insurance. It also determines the means of processing by limiting the health insurance company’s use to verification and billing purposes only. It is likely that YC is a controller.
When the health insurance company engages the employee directly, collecting information such as age, weight, social security number and driver’s license information, it is to provide health insurance for that employee. That processing activity is different from the processing activity YC engages in since the latter’s purpose is for using an employee’s contact information and date of birth to verify that employee’s enrollment in health care benefits and to bill for the enrollment. In this scenario, it is more likely that the insurance company is YC’s personal processor.[12]
A controller-processor relationship then triggers Article 28, requiring YC to be under contract with only those processors who are compliant with the legislation.[13]
The above hypothetical barely scratches the surface for understanding and implementing either the California Consumer Privacy Act or the EU’s General Data Protection Regulation. As both laws continue to change and develop, an important first step is to really examine an organization’s data inventory/mapping. Only with this understanding can an organization begin to tackle the issues around compliance, including processes and contracts around vendor management.
[1] Cal. Civ. Code § 1798.140(c)(1).
[2] Cal. Civ. Code § 1798.145(g).
[3] Cal. Civ. Code §1798(d) (if a business sells personal information to a third party, not only must it provide notice of the sale to the consumer, it must also provide an opportunity for the consumer to opt out of that sale).
[4] Cal. Civ. Code § 1798.140(w).
[5] Cal. Civ. Code § 1798.140(v).
[6] Please note that YC may also analyze whether an outside organization is a “third party” or “service provider” by looking at the Act’s definition of “sell, selling, sale or sold.” See Cal. Civ. Code § 1798.140(t).
[7] Cal. Civ. Code § 1798.140(v).
[8] Cal. Civ. Code § 1798.140(w)(2).
[9] Id.
[10] EU General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1, Article 4.
[11] Id.
[12] How to determine whether you are a controller or processor? Information Commissioner’s Office (as of Nov. 7, 2019). It is important to note that a single entity may be both a controller and a processor for different processing activities.
[13] GDPR, at Article 28.
Katherine Catlos Esq., CIPP/US, CIPM is a partner in the San Francisco office of 
