Organizations that have gone through the grind to comply with the EU General Data Protection Regulation may have advantages over those that have not as preparations for the California Consumer Privacy Act head into the home stretch. For those who are not GDPR veterans, one area that may give them a headache is determining whether a vendor is a service provider or a third party. Mercer Chief Privacy Officer Jo Davaris, CIPP/US, and Perkins Coie Partner Dominique Shelton Leipzig discussed how organizations can discover the distinction at a workshop at the IAPP Privacy. Security. Conference. Here are some hints: They involve privacy tools, contracts and the GDPR itself. IAPP Associate Editor Ryan Chiavetta, CIPP/US, has the details.