Some privacy laws require businesses to create data retention policies, but figuring out the maximum amount of time you can hold on to data can be complicated.
Businesses are collecting more data than ever and using it in increasingly complicated ways, and a great deal of this data processing is performed by outside vendors. This is especially true in the world of eCommerce. A simple online purchase may result in the customer’s personal data being sent to a payment processor, a shipping service, a CRM, an email marketing service, an ad network, and more.
Many consumers just think about disclosing their data to the business they have a direct relationship with, and they are unaware of this expansive ecosystem. Making people more aware of how their personal information is actually used and disclosed is one of the primary aims of modern privacy laws.
When so much data is processed externally, however, businesses face a real challenge in understanding where their responsibility begins and ends.
As a general rule, your business is responsible for any personal data that is collected and/or processed on its behalf. We’ll explain why that is and what it means in practice.
While the California Consumer Privacy Act (CCPA) uses the generic term “business” to describe the entity that is primarily responsible for how personal information is collected and used, the EU’s General Data Protection Regulation (GDPR) uses a more descriptive and helpful term to describe the same entity: data controller.
A data controller is the party that “determines the purposes and means” of the processing. That means it chooses the how, what, and why; the processing wouldn’t be happening if it weren’t for the controller’s decisions. For this reason, a data controller is responsible for all of its data processing even when that processing is done by outside vendors.
To understand how that concept plays out in real life, consider the very common example of an eCommerce business that processes credit card payments through a third-party vendor. The business has no ability to process the payments on its own; all it did was add the vendor’s code to its website, and the vendor takes care of the rest.
So, in its privacy notice, does the business have to say that it collects and uses personal data for the purpose of processing payments? Yes!
It doesn’t matter that the business is not doing the actual processing. What matters is that the business wanted to accept credit card payments, and then hired an outside vendor to do that processing on its behalf. The business is in control of the situation, and the consumer would rightly expect to find information about it on the business’s website.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.