Can I share personal information about my customers with third parties in California? What are the requirements?
Yes, you can share personal information about your customers with third parties in California, but there are certain requirements that must be met.
Requirements for Sharing Personal Information with Third Parties in California
- Prior Written Authorization: For nonpublic personal medical record information, you must obtain the customer’s prior written authorization [1.4].
- Contract Requirements: A business that sells or shares a consumer’s personal information with a third party shall enter into an agreement with the third party that identifies the limited and specified purpose(s) for which the personal information is made available to the third party, specifies that the business is making the personal information available to the third party only for the limited and specified purpose(s) set forth within the contract, and requires the third party to use it only for that limited and specified purpose(s). The contract also requires the third party to comply with all applicable sections of the CCPA and these regulations, including providing the same level of privacy protection as required of businesses by the CCPA and these regulations [2.1].
- Restrictions on Collection and Use of Personal Information: A business’s collection, use, retention, and/or sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purpose(s) for which the personal information was collected or processed. The purpose(s) for which the personal information was collected or processed shall be consistent with the reasonable expectations of the consumer(s) whose personal information is collected or processed [3.1].
- Disclosure of Information: Nonpublic personal information shall not be disclosed in a manner not permitted by California law or these regulations [1.2].
- Privacy Notices: The initial, annual and revised privacy notices that a licensee provides shall, at a minimum, include each of the following that applies to the licensee and to the consumers to whom the licensee sends its privacy notice:
  - (1) The categories of nonpublic personal information that the licensee collects;
  - (2) The categories of nonpublic personal information that the licensee discloses;
  - (3) The categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal information, and the general types of businesses in which the third parties engage if the information is disclosed pursuant to California Insurance Code Section 791.13(k);
  - (4) The categories of nonpublic personal information about the licensee’s former customers that the licensee discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal information about the licensee’s former customers, if the information is disclosed pursuant to California Insurance Code Section 791.13(k);
  - (5) If a licensee wishes to disclose or reserve the right to disclose nonpublic personal financial information to an affiliate for marketing purposes without affirmative authorization or the right to opt out of that disclosure, a statement explaining that the licensee may disclose nonpublic personal financial information to affiliates for marketing purposes without obtaining prior authorization and the law does not allow customers to restrict that disclosure.
  - (6) An explanation of the consumer’s right to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties, including the methods by which the consumer may exercise that right at that time;
  - (7) Any disclosures that the licensee makes under Section 603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) regarding the ability to opt out of disclosures of information among affiliates;
  - (8) The licensee’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information, including a general description as to who is authorized to have access to the information;
  - (9) If applicable, a statement that the consumer has the right to access and request correction of recorded nonpublic personal information and a brief description of the manner in which those rights may be exercised; and
  - (10) The categories of disclosures that the licensee makes under California Insurance Code Section 791.13.
  - (11) If applicable, the statement required by California Insurance Code Section 791.04(b)(5).
  - (12) A licensee does not adequately categorize the information that it discloses if the licensee uses only general terms, such as transaction information about the consumer [1.3].
- Conditions of Disclosure: An agency shall not disclose any personal information in a manner that would link the information disclosed to the individual to whom it pertains unless the information is disclosed in certain ways, such as to the individual to whom the information pertains, with the prior written voluntary consent of the individual to whom the information pertains, or to those officers, employees, attorneys, agents, or volunteers of the agency that have custody of the information if the disclosure is relevant and necessary in the ordinary course of the performance of their official duties and is related to the purpose for which the information was acquired [4.1].
Conclusion
In summary, you can share personal information about your customers with third parties in California, but you must obtain the customer’s prior written authorization for nonpublic personal medical record information. Additionally, you must enter into a contract with the third party that identifies the limited and specified purpose(s) for which the personal information is made available, specifies that the third party must use it only for that purpose, and requires the third party to comply with all applicable sections of the CCPA and these regulations. Finally, your collection, use, retention, and/or sharing of a consumer’s personal information must be reasonably necessary and proportionate to achieve the purpose(s) for which the personal information was collected or processed, and consistent with the reasonable expectations of the consumer(s) whose personal information is collected or processed.
Source(s):
- [1.2] Disclosure of Information.
- [1.3] Information to be Included in Privacy Notices.
- [1.4] Disclosure of Medical Record Information.
- [2.1] Contract Requirements for Third Parties.
- [3.1] Restrictions on the Collection and Use of Personal Information.
- [4.1] Section 1798.24 - Conditions of Disclosure
Jurisdiction
California