Third Party

Under GDPR Article 4(10), a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons authorized to process under the controller or processor's direct authority. Under CCPA Section 1798.140(ai), a person or entity not covered by the business-consumer relationship, to whom the business discloses personal information for business purposes. Third parties are distinct from processors/service providers—they process data for their own purposes rather than solely on behalf of the disclosing business. Common third party scenarios include: advertising networks receiving browsing data, data brokers purchasing consumer lists, analytics providers aggregating cross-client insights, and business partners receiving customer data for joint ventures. Organizations should: clearly identify which relationships are third party versus processor arrangements, ensure appropriate disclosure and consent when sharing with third parties, implement contractual protections even for third party relationships, maintain third party lists for transparency reporting, and conduct due diligence on third parties' privacy practices.