The CCPA for the Land Title Industry: Service Providers and Sale of Data Under the CCPA

Cybersecurity and Privacy   |   Technology   |   January 22, 2020

The CCPA makes several key distinctions in how it defines service providers, covered businesses, and third parties. This podcast discusses some critical definitions in the CCPA as they apply to the land title industry, including how the CCPA applies to service providers or third parties and the definition of “sale” under the CCPA.

Part 1: Who Does the CCPA Apply To?
Part 2: Service Providers and Sale of Data Under CCPA
Part 3: CCPA Resources and Compliance Tips
Part 4: Practical Compliance With CCPA and New Privacy Laws

Originally published in American Land Title Association's Data Privacy CCPA Resources.

Transcript:

Jack Clabby: Welcome! It's Jack Clabby from Carlton Fields in Tampa, Florida and we are back with part two of our series with the American Land Title Association about the California Consumer Privacy Act for the land title industry. Thank you to ALTA for the opportunity to get this great team together to answer some real questions from real ALTA members.

As usual, we have with us Liz Riley, compliance and regulatory counsel with Fidelity National Financial out of Jacksonville, Florida. Got Joe Swanson here in Tampa with me. He's the practice group leader for Cyber Security and Privacy at Carlton Fields. Welcome, Joe. We've also got Steve Blickensderfer out of the Miami office of Carlton Fields. Steve is a CIPP as well as a privacy attorney representing clients of all types all across the country. And finally me, Jack Clabby. I'm a Cyber and Privacy attorney in the Tampa office of Carlton Fields, a former federal cyber prosecutor.

At the outset, I just want to give a brief disclaimer. This podcast is not legal advice. It's for educational purposes only. We don't have an attorney/client relationship with our listeners and there's a lot of things that we're probably missing even with these thoughtful and written out questions that would be important to really answering them fully. Liz Riley, while she does work for Fidelity National Financial, is here on her own and speaks for herself and not for Fidelity.

Alright, so again, we have some great mailbag questions from real ALTA members. Looking forward to getting into it. First, just to review, in the first part of the podcast series we gave an overview of the CCPA for the land title industry. We also talked about an important definition of what is a "business" to which the CCPA in full applies. We also talked about some different scenarios in the land title industry about where and whether the CCPA might apply.

Here in part two, we're going to again talk about some definitions that are critical. If you're not a business you're either a service provider or a third party if you get and touch California resident personal information. We're going to talk about the difference between those two and how they're different from being a business. We are also going to talk about another important definition, which is a sale under the CCPA. It doesn't quite have the meaning that we usually think of when we think of the term sale. A little bit different. So, looking forward to getting this today, and again, I'll start out with question four, real questions from real ALTA members about how the CCPA may apply to them.

So, let's move on a little bit to talking about the distinction. We have businesses now as a defined term. Let's move on and talk a little bit about if you're not a business what you are. So our fourth question: If the CCPA doesn't apply to me directly are there CCPA duties passed along to me by lenders or others that I need to comply with?

Alright, so there's a lot of ways we don't know from this when this question comes in who it would be but the answer really is the same. You know, if you get that data, that personal information of a California resident through a contract, look at that contract and just do what it says. Alright? You do what it says because that's safe under whatever you might actually be. It allows you to be defensive. Service providers, alright, is a defined term essentially in the CCPA. It's not a business. Alright? They don't determine the use or they do anything other than what they're directed to do with that data. They get the data from a business and they do just what they told the business and promise the business that they would do. There's actually certain statutory triggering language to be a service provider. Essentially the magic words are that the contract would prohibit the entity who gets the information and wants to be a service provider from "retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services rendered in the contract."

Steve, if you're not a service provider, what are you?

Steve Blickensderfer: Well, there's only one other entity that I could think of and that would be a third party, and the CCPA's very - it's interesting in how it defines what a third party is. The CCPA defines a third party in the inverse by saying what it is not. It excludes a business, which we've already gone over, and it excludes a service provider which you just went over and is separately defined. So if you're a third party you have separate obligations placed upon you by the CCPA, regardless of if you meet those criteria for a business that you and Joe discussed a moment ago. For example, you cannot - and we'll get to what the meaning of this means in a second but - sell personal information of a California consumer unless the right to opt out is given to that California consumer. And so the obligations kind of pass along with the data depending on where the data came from and who the data is about.

Jack Clabby: Thanks. And, I think, too, a quick reminder, too, for folks who are listening who are following these issues who are in the title industry. You know, there is an exemption in the CCPA for information that's covered by Gramm-Leach-Bliley's privacy rule. The force of that exemption has yet to be really tested or determined. But, Gramm-Leach, you know, it applies for individuals who are purchasing insurance or other financial products for personal uses. And so, it's not going to cover, you know, a closing that has to do or a mortgage loan that has to do with a commercial property but it would cover a closing or commercial loan that has to do with a residential property. So, there's a lot of data that ALTA's members are going to be touching here that is going to be exempt from the CCPA. The companies themselves, though, are not exempt from the CCPA. Most of this sort of what GLBA exempts is going to be relevant for businesses, the defined term businesses under the CCPA rather than for third parties or service providers. I mean, if you're a service provider, the GLBA concerns you, but again you have a contract that says what you can and can't do. If you're not obeying the contract you've got potential breach of contract issues which are going to keep you sharp on these issues. So in any event, that's the sort of the beginning of that sorting out. Are you a service provider, are you a third party, or are you a covered business?

So, our fifth question is: Is it necessary or advisable for title agents to have a service provider agreement which includes that special language required by the CCPA when they're engaging a technology platform vendor to facilitate a remote online notary closing, especially one in which the tech platform vendor provides the RON notary?

So, for this question what we're talking about is, right, OK, let's say that the title agent is a business under the CCPA. They're using a technology platform vendor to help them and the technology platform vendor will be touching consumer data of California residents. Steve, what do you think about that question?

Steve Blickensderfer: Yeah, so the technology vendor in that situation is in the classic sense a service provider. Nobody would really dispute that. But, what we're trying to maintain is that that entity remains a service provider as it's anticipated under the CCPA and that does require a written contract with certain provisions. So, if it's a service provider that's either, you're giving that service provider personal information of a California resident so that they can do their services on your behalf, or they're collecting personal information from California residents on your behalf and you are a covered business, you certainly would need a written contract in order for that entity to remain a service provider.

With that comes a host of things that you get the benefit of. I'll give you one example: the right to delete. The right to delete has large exceptions to it. So if you are a business or a service provider, you could take advantage of those exceptions that those exceptions don't necessarily apply to a third party. So, if you have a service provider relationship, you don't have that written contract in place, you might not be able to take advantage of the right to delete exceptions as it applies to that particular entity.

Jack Clabby: Thanks, Steve. It's probably worth noting, too, that if you are a business and you do sell - right? - so if you're a business and you sell, you know, there are certain things you need to do that you don't need to do if you are a business that does not sell. So, we've got businesses that sell and we've got businesses that don't sell. If you're a business that sells, you need to disclose the sale. You need to also offer the right to opt out of sales as part of that disclosure of your California privacy rights. You additionally need to install on your business's homepage a Do Not Sell button, a literal Do Not Sell button. So, part of why nobody wants to be selling is because these are pretty onerous technical requirements for companies to track.

Alright. So our sixth question is: Am I responsible for buyer or seller data - this is at a closing. Am I responsible for buyer or seller data shared to me that I did not collect? So, am I responsible for buyer or seller data shared to me that I did not collect in connection with a home closing? Joe?

Joe Swanson: You would be in the general sense, but it does not mean that the CCPA applies to the entity in that situation. The entity could be (1) a service provider or a third party. And it really depends on how the contract involving you is written. If you are a service provider, just as we talked about a few minutes ago, you have to be careful not to transfer it or use it other than for the business purposes for which it was collected, and that would be spelled out - at least it should be - in the contract between the business and the service provider. If there's not a written contract, if the business purpose is not spelled out, or the service provider does something with it beyond that for which it's permitted to do, it could be in breach of contract. It also could be selling as the CCPA contemplates it. So that is a big thing to keep your eye on.

I talked about business purpose there. Steve, what exactly is a business purpose under the CCPA?

Steve Blickensderfer: The definition is a use of PI for operational purposes or otherwise notified purposes where the use of the personal information is reasonably necessary and proportionate to achieve those operational purposes. And the CCPA again gives us some examples. That would be auditing; detecting security incidents; debugging; short-term transient use for purposes of providing the services; performing services, which is a big one, on behalf of the business. So, think of what a service provider typically provides, undertaking internal research. Stuff like that.

Jack Clabby: So, to some degree, being a service provider for these business purposes is like being a butler. You can hold the suit of the person you work for, or their tuxedo, but you can't really wear it and play it off as your own. Right? You've got to have this idea that you're performing a service for the person who's given you for the reasons that they gave it to you. Right? You're there to steam, press, and return the suit. It's not your suit.

Back to this question, though - right? - which is, am I responsible for this buyer/seller's data at a closing shared to me that I did not collect? I mean, if you're not a service provider - right? - you're not a business and you're not a service provider in this scenario, you're this third party. Right? You very much need to be cautious about any transfers of data. You're not in the clear here. You're probably OK to use it, you know, for your own internal purposes. And I think there's some debate about the degree of use, but it's not really stopped in the statute or the regulations. What is clear is that you cannot resell it. You cannot go on and sell this as a third party without a little more work under the CCPA. You've got to (1) contact the consumer and give him or her the direct right to opt out. Alright? Or, alternatively, you can contact the source of the information, the business from which you got the California resident's personal information and ask them for some assurance that they gave the correct resale or selling disclosures and right to opt out at the point of collection. That's pretty onerous. If you go the second route, if you go the route where you're asking the business to assure you that it's been gone on correctly, under the proposed regs you have to get a signed attestation from the business that they provided the right to opt out. We haven't seen one of these. I don't think there's been a flurry of drafting of what signed attestations need to look like or I think one of the four of us probably would have heard about it. So again, those are draft regulations, but if they're accepted in that form it's going to be pretty hard for third parties to resell the information.

Steve Blickensderfer: So the bottom line is, look at the contract through which you received the information and do what it says. And if there's not a contract that means you're probably a third party. And if you're a third party and plan on using the information, then as Jack says, you need to investigate the point of collection promises, specifically what was disclosed there vis-à-vis the use and any type of opt out or objection to any sale.

Jack Clabby: Alright, which brings us to our seventh question: Will my business affiliates or my partners need to be CCPA accountable for the data that I shared to them? OK, so that's asking this question six, but in the converse way. Will my business or affiliates or partners need to be CCPA accountable for the data that I shared to them? Steve, what do you think about that one?

Steve Blickensderfer: Well, first you definitely have to make sure that you do the things that you're required to do as a covered business. So, that would require disclosing the categories of third parties with whom you share information. You have to put in a California privacy notice where in your online privacy notice the required terms under the CCPA that you would need to disclose about, the personal information that you collect, use, and share about consumers generally for the past 12 months. Then what you should do is consider whether you should make those affiliates or partners service providers because, Jack, as you mentioned before, if it's possible to do that then you could avoid having to place a Do Not Sell My Personal Information button or link on your homepage or on your mobile application's download page and on every page thereafter. So that would prevent the transfer of data to those affiliates from being considered selling, which comes with it a whole host of obligations. And also, it's important to - and we didn't really talk about data mapping - but to record the inflows, outflows of data that come into and leave the business. Because when you get a request for someone to ask you for specific pieces of information that you, the business, have about them it would be a great idea and it would be great to have a tool where you can go back and you can say, "OK. We generally have this about consumers and with respect to Joe Smith, I know that we have this because of the mapping we did." So, those are the things I'd think about.

Jack Clabby: Yeah, I think you mentioned too that definition of sale, which is what we have some questions upcoming now. They're going to really help us narrow down on that. Question eight: I process real property transactions. I like that. It sounds like a confession. I process real property transactions. It's OK. You're going to be OK under the CCPA. I process real property transactions in which I deal with a large variety of software service vendors to complete my transactions. Are those dealings sale of data under the CCPA if their only purpose is to fulfill the customer's transaction? I don't ever sell my customer's data to third party advertisers or data brokers or anything like that.

Yeah, that's a great question. And that gets to the heart of what I think a lot of even CCPA covered businesses are dealing with right now. They just want to keep doing what they're normally doing without getting in trouble. And they are already looking out and protecting their California residents' data. They just want to make sure now that they're checking the boxes.

So, yeah. It could be a sale. Data is being exchanged for valuable consideration. Right? You're hiring a vendor and paying the money. As part of the work they're doing, you have to give them the data. So, yes, it would be a sale. But, as we've discussed, if you have the service provider language in their contract, it ceases to be a sale and now it's something else. It's a transfer of personal information to a service provider. That's the best way to stop this from becoming a sale and that seems to be how the statute's set itself up. So, the person who's given us this question should go back and look at some of their contract language and try to make those software and other vendors service providers.

Notably - right? - the vendor has to use the personal information just for the purposes of processing the transaction. There needs to be, you probably should check up as a practical matter to make sure that's actually happening and that you're working with good vendors and reputable vendors that you trust. Some bigger vendors, routine vendors like Google - and I know a lot of folks probably listening use Google Analytics - you know, those vendors have actually published and changed their terms of service, published on their website information in step-by-step guides for how to change them from whatever they are now to service providers. Again, this concept of, you know, hiring vendors and making them service providers is only important if the business at the outset has decided that they are in fact a "business" under the CCPA.

Alright, now here we get into different territory. Question nine: If after a transaction, I market my own company's services to a title customer to get future business, is that a sale within the meaning of the CCPA? Alright, so, if after a transaction, I market my own company's services to a title customer to get future business, is that a sale within the meaning of the CCPA? Steve, what do you think?

Steve Blickensderfer: So, to keep it simple if for your internal use of information for marketing purposes, that wouldn't be a sale, if you're not relying on anyone else. Because a sale, if you recall, requires a transfer of that information to another entity. But it could be. It could make the original transfer a sale, kind of looking retroactively from the business to the company. So, if you are relying on the service provider definition and didn't allow your company to use the information for marketing purposes, that could be considered a sale. So, if you're a CCPA business for collection purposes and you collected that information about the consumer that was later used for marketing purposes, you would need to disclose that at the point of collection and the use in the privacy notices. At that point then you could use the data for marketing purposes. And if you're a service provider to a lender, for example, or the real estate agent you would need to look first and foremost at the contract that you have in place with the business to determine any restrictions on the use of personal data as it flows from the relationship. What were you contracted for, to just only provide title services or any joint marketing partnership? All that would be important and contextual. So, unless it's clear from the contract that you can market, it might make the original transfer a sale.

Jack Clabby: Yeah, and it's possible that the business that gave you the information gave it to you and then disclosed to their customer that, yeah, I'm going to disclose this to third parties and I'm going to let them sell it, unless you have a problem with that. I mean, so the original disclosure in this situation is good. If these are repeated businesses that you're getting this information from, go to them and ask them, how are we going to handle this? Right? If you used to resell it or use it for marketing purposes and you can't any more, that might change the pricing that you're comfortable with in your agreements.

So, question ten: Am I responsible if I maintain a Facebook or Instagram page for my business and Facebook sells the data of any of my customers who visit the site? So this is, you have a title agent or title insurance agent who is maintaining their own Facebook or Instagram page to kind of help drive marketing needs and Facebook then sells the data, makes a CCPA sale of that data to any of the customers who visit that site. What are the sort of consequences of that? Steve, what do you think about this one?

Steve Blickensderfer: So, we talked a lot about this one internally kind of pitching back and forth what this could be. One view is that you would be the business, covered business in this circumstance and that Facebook could be the service provider. In that instance for that to work, you'd need the service provider language and perhaps the terms of service or other contract with Facebook and have to look to see. Maybe Facebook is going to come out with addendums, California privacy addendums for its terms of services. We'll have to see about that. One example of - and the reason why this could work is because one of the business purposes is for digital marketing, targeted digital ads in particular is one of the examples listed in the statutes. So, if Facebook is not using the data for other reasons other than for purposes of the digital marketing, then this could not be selling and you just need to disclose this transfer to social network service providers or digital advertising service providers and you should be fine. But, if Facebook is using the data for other purposes, which is entirely possible, then this could be selling, which is why it's very, very important to check out these transfers to these analytics companies. So, recently we saw circulated emails and traffic from Google Analytics. Because of a setting that is on by default, it could be a sale. And if you go to your account settings and you turn it off and you're only using Google Analytics for the business purpose of analytics, you turn that setting off, then there's no selling going on. So, I suspect we might see some more of that with Facebook.

Jack Clabby: Yeah. Liz, I have a question for you about, you know, what industry trends are. I mean, for some smaller title agents, are they using the Facebook or Instagram pages as their exclusive sort of landing page for the business, or is this something that an individual sort of title agent might do to just sort of boost sales? Where are they on that? How are these sort of third party social media sites being used?

Elizabeth Riley: I'd say it's really the latter. Most have a separate website and then are using social media to boost sales. I mean, obviously it's a, you know, a mechanism that they can use. And, you know, it's beneficial if they're actively posting. They have their followers. They can kind of really sort of feature their business in different ways that may not be, you know, if they're capable of doing via a website. So, I would say it's most likely they have both and most likely, yeah, your smaller agents, your larger agents folks have social media presences in our industry.

Jack Clabby: Yeah. And that seems to make sense. And I think that's right. If they have another webpage that they go to, it might change it a little bit. There's a different theory. You think about users of, like, Etsy or users of eBay - right? - who are vendors who they themselves sell consumer products. Their only presence is on sort of these marketplace websites. That might make it more likely that's the homepage for them, even if they don't control everything that appears on it.

But, you know, back to this Facebook or Instagram page, particularly assuming it's a secondary use for a lot of these companies, I think there's a minority view at least within the lawyers on this call - I'm not going to say who holds it, although I am the one who's now talking - but I think if you're using Facebook and you have another homepage, you know, look, Facebook - the users who are visiting Facebook are agreeing to the terms of use to some degree of visiting the Facebook webpage. Right? And so Facebook is directly collecting information, to the extent it does, directly from those visitors alongside you who are also collecting information. So, I think to the degree that the title agent here is a covered business, Facebook could be a covered business and the two of you are jointly or even separately collecting information. And, you know, I think in that case what you need to disclose as the title agent is that you collect personal information on California residents from their use of third party social networking sites including their Facebook page that they may have visited. But again, we don't know how that's going to shake out and I think both interpretations are supported. Either way, just look at your privacy notice as you're putting it together. Just see if it's revealed that at least, at minimum, you are using social networking sites to collect that sort of information, Facebook and Instagram.


©2020 Carlton Fields, P.A.