Study Guide: Certified Information Privacy Professional (CIPP): US - Data Brokers and Third-Party Data Sharing
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-us-data-brokers-and-thirdparty-data-sharing

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

What This Is

Data brokers are entities that collect, aggregate, and sell personal information about individuals—often without a direct relationship to the data subjects. Third-party data sharing is any transfer of personal data from a data controller (or processor) to another organization that will use the data for its own purposes. Both concepts sit at the heart of privacy compliance because regulators (GDPR, CCPA/CPRA, HIPAA, etc.) increasingly require transparency, consent, and safeguards whenever personal data moves outside the original collecting entity.

Real-world scenario: A U.S.-based marketing firm purchases a consumer-profile database from a data broker that includes email addresses, purchase history, and inferred interests. The firm then uses that data to run targeted ads on a European-focused website. The firm must determine whether the data transfer complies with GDPR (e.g., lawful basis, adequacy, or Standard Contractual Clauses) and whether the original broker’s collection practices satisfy the CCPA’s “sale” definition and consumer right-to-opt-out requirements.


Key Terms & Provisions

  • Data Broker: A business that obtains personal data from multiple sources, enriches it, and sells or licenses it to third parties. (U.S. – no single federal definition; many states have specific statutes.)
  • Sale (CCPA/CPRA): Any transfer of personal information for monetary consideration. The seller must provide a “Do Not Sell My Personal Information” link.
  • Sharing (CCPA/CPRA): Transfer of personal information to a service provider for a business purpose, not considered a sale if the recipient is contractually bound to use the data only as instructed.
  • Targeted Advertising (GDPR Art. 4(11)): Direct marketing that uses personal data to tailor messages to identified individuals; requires a lawful basis (usually consent).
  • Standard Contractual Clauses (SCCs): EU-approved model contracts that provide adequate safeguards for personal data transferred outside the EEA.
  • Data Protection Impact Assessment (DPIA): Mandatory under GDPR Art. 35 when processing is likely to result in high risk (e.g., large-scale profiling by a data broker).
  • Business Associate Agreement (BAA): HIPAA contract obligating a third party to protect PHI and limiting its use to permitted functions.
  • Reasonable Expectation Test (U.S. state privacy laws): Determines whether a data broker’s collection aligns with what an average consumer would anticipate.
  • FIPPs (Fair Information Practice Principles): Core U.S. privacy concepts (notice, choice, access, security, accountability) that underpin many state statutes.
  • Data Minimization (GDPR Art. 5(1)(c)): Collect only the data necessary for the specified purpose; data brokers often violate this principle by hoarding excess data.
  • Right to Opt-Out (CCPA/CPRA): Consumers may direct a business not to sell their personal information; must be honored within 15 days of receipt.
  • Cross-Border Transfer Mechanism (US-EU Privacy Shield – invalidated 2020): Former framework for EU-US data flows; now replaced by SCCs, BCRs, or other adequacy decisions.

Step-by-Step / Process Flow

  1. Identify the Data Flow – Map where personal data originates, who the data broker is, and which third parties will receive the data.
  2. Determine Legal Basis – For GDPR: assess consent, legitimate interest, or other Art. 6 bases; for CCPA: decide if the transfer is a “sale” or “sharing.”
  3. Conduct a DPIA (if required) – If the broker’s profiling or volume of data creates high risk, complete a DPIA and document mitigation measures.
  4. Implement Transfer Safeguards – Use SCCs, Binding Corporate Rules, or a BAA (for PHI) to ensure adequate protection when moving data across borders.
  5. Update Notices & Consumer Rights Mechanisms – Revise privacy notices to disclose broker relationships, and provide opt-out links or request portals as required.
  6. Monitor & Audit – Periodically review broker contracts, data accuracy, and compliance with deletion or correction requests; retain evidence for regulators.

Common Mistakes

  • Mistake: Assuming “sharing” under CCPA automatically exempts a data broker from the “sale” definition.
    Correction: Review the contract; if the broker receives monetary consideration and the recipient can use the data for its own business purposes, it is a sale and must trigger opt-out rights.

  • Mistake: Relying on the invalidated EU-US Privacy Shield as a safe harbor for EU-to-US transfers.
    Correction: Switch to SCCs or other approved mechanisms; document the post-Schrems II assessment of U.S. surveillance laws.

  • Mistake: Treating a data broker as a mere “processor” and therefore not requiring a BAA under HIPAA.
    Correction: If the broker handles PHI on behalf of a Covered Entity, a BAA is mandatory regardless of the broker’s internal classification.

  • Mistake: Over-collecting data to satisfy a future marketing need, violating GDPR’s data minimization principle.
    Correction: Collect only the fields needed for the current purpose; obtain separate consent for any future uses.

  • Mistake: Ignoring the “reasonable expectation” test and assuming any publicly available data can be sold.
    Correction: Conduct a privacy impact assessment to confirm that the data subjects would reasonably expect their data to be aggregated and sold.


CIPP Exam Insights

  1. Opt-Out vs. Opt-In: The exam loves to ask whether a CCPA “sale” requires opt-in consent. Remember: CCPA is opt-out for sales; opt-in only applies to “sensitive personal information” under the CPRA.
  2. Controller vs. Processor Obligations: A data broker that determines the purpose of data use is a controller, not merely a processor. Controllers must meet GDPR Art. 24-32 duties (accountability, security, breach notification).
  3. HIPAA vs. State Laws: When a data broker handles health data, the stricter of HIPAA or state privacy law applies. The exam may present a scenario where a broker is outside the U.S.; HIPAA still applies if the data is PHI of a Covered Entity.
  4. Territorial Scope Traps: GDPR Art. 3(2) extends to non-EU entities that target EU data subjects (e.g., by offering goods in a European language). The exam often tests whether “mere accessibility” is enough—answer: no, there must be an intent to engage EU residents.

Quick Check Questions

  1. Question: A U.S. data broker sells a list that includes email addresses of California residents to a fintech startup. A consumer exercises their right to opt-out. What must the broker do?
    Answer: The broker must honor the opt-out within 15 days, cease selling that consumer’s data, and update its internal records.
    Explanation: CCPA/CPRA requires a “Do Not Sell My Personal Information” link and a 15-day compliance window.

  2. Question: An EU-based health-tech company receives patient data from a U.S. data broker. The broker has a BAA but no SCCs. Can the transfer proceed?
    Answer: No, because GDPR still requires a valid transfer mechanism (SCCs, BCRs, or adequacy) for personal data leaving the EEA.
    Explanation: A BAA satisfies HIPAA, not GDPR’s cross?border requirements.

  3. Question: A data broker aggregates publicly available social-media posts and sells the dataset to a marketing agency. Is this a “sale” under CCPA?
    Answer: Yes, if the broker receives monetary consideration for the data, it is a sale regardless of the source.
    Explanation: CCPA defines “sale” by the transfer of personal information for monetary consideration, not by how the data was obtained.


Last-Minute Cram Sheet (10 One-Liners)

  1. GDPR Art. 3(2) – “Targeting” EU data subjects triggers extraterritorial scope; mere website accessibility is insufficient.
  2. CCPA “sale” = any transfer of personal info for monetary consideration; “sharing” = non-sale transfer to a service provider.
  3. SCCs are the primary post-Schrems-II mechanism for EU-US data flows; each clause must be signed by both parties.
  4. HIPAA BAA is required whenever a third party handles PHI on behalf of a Covered Entity, regardless of state law.
  5. DPIA trigger threshold – profiling > 300,000 EU residents or systematic monitoring of a public area.
  6. FIPPs = Notice, Choice, Access, Security, Accountability – the backbone of most U.S. state privacy statutes.
  7. CCPA/CPRA opt-out deadline = 15 days from receipt of the consumer request; failure = statutory penalty up to $2,500 per violation.
  8. GDPR Art. 5(1)(c) – Data minimization: collect only what is necessary for the declared purpose.
  9. California’s “Right to Delete” (CCPA) does not apply if the data is needed to comply with a legal obligation (e.g., tax records).
  10. U.S. data-broker statutes (e.g., Virginia CDPA, Colorado CPA) often require a “reasonable expectation” analysis and a public register of data-broker activities.