Collection Purposes: How You and Your Vendors Work Together

Businesses are collecting more data than ever and using it in increasingly complicated ways, and a great deal of this data processing is performed by outside vendors. This is especially true in the world of eCommerce. A simple online purchase may result in the customer’s personal data being sent to a payment processor, a shipping service, a CRM, an email marketing service, an ad network, and more.

Many consumers just think about disclosing their data to the business they have a direct relationship with, and they are unaware of this expansive ecosystem. Making people more aware of how their personal information is actually used and disclosed is one of the primary aims of modern privacy laws. 

When so much data is processed externally, however, it presents a challenge for businesses to understand where their responsibility begins and ends. 

As a general rule, your business is responsible for any personal data that is collected and/or processed on its behalf. We’ll explain why that is and what it means in practice.

Controlling Data

While the California Consumer Privacy Act (CCPA) uses the generic term “business” to describe the entity that is primarily responsible for how personal information is collected and used, the EU’s General Data Protection Regulation (GDPR) uses a more descriptive and helpful term for the same entity: data controller.

A data controller is the party that “determines the purposes and means” of the processing. That means it chooses the how, what, and why; the processing wouldn’t be happening if it weren’t for the controller’s decisions. For this reason, a data controller is responsible for all of its data processing even when that processing is done by outside vendors.

To understand how that concept plays out in real life, consider the very common example of an eCommerce business that processes credit card payments through a third-party vendor. The business has no ability to process the payments on its own; all it did was add the vendor’s code to its website, and the vendor takes care of the rest. 

So, in its privacy notice, does the business have to say that it collects and uses personal data for the purpose of processing payments? Yes!

It doesn’t matter that the business is not doing the actual processing. What matters is that the business wanted to accept credit card payments, and then hired an outside vendor to do that processing on its behalf. The business is in control of the situation, and the consumer would rightly expect to find information about it on the business’s website.