03 July 2020
Two of the main players in the California Consumer Privacy Act (CCPA) are the "business" and the "service provider."
The CCPA applies very different definitions to these two types of companies, and they each have very different roles and responsibilities.
Want to understand if your company is a business or a service provider under the CCPA? Let's take a detailed look at the differences between these terms, and why those differences matter.
Businesses are the main subject of the CCPA. The law exists to regulate how businesses treat consumers' (California residents') personal information.
The CCPA defines a "business" as any legal entity that:
Virtually any type of company can be a business: not only social media or big tech companies.
It is not necessary to have any physical presence in California, or even the United States, in order to be considered a business.
To qualify as a business, a company must meet at least ONE of the CCPA's "three thresholds," which are that the company:
There is no clear answer on whether using third-party cookies constitutes the "sale" of personal information.
However, legal commentators make the following observations:
On balance, therefore, it appears that the CCPA does consider using third-party cookies to be a type of "sale."
If correct, this interpretation would bring many, many companies within the CCPA's definition of a "business."
Any for-profit company could be a business if both the following conditions are met:
For more information, see our article CCPA: What Constitutes a "Sale" of Personal Information?
While the CCPA defines "consumer" to mean a California resident, it is understood that the definition of "consumer" is not confined to California residents for the purposes of threshold "C."
This means that if your business derives 50 percent or more of its gross annual revenues from the selling of personal information, it would fall under threshold "C" (and thus fall within the definition of a "business"), regardless of where that personal information originated.
The CCPA defines a "service provider" as any legal entity that operates under a service provider contract (we'll look at this below) and fulfills the following characteristics:
Examples of service providers include email marketing companies, analytics providers, and Customer Relationship Management (CRM) services.
For a comprehensive look at service providers under the CCPA, read our Complete Guide to CCPA Service Providers.
A service provider must operate under a contract with the business from which it receives personal information.
The personal information received by the service provider from the business may not be retained, used, or disclosed except for the purposes of the contract or any other purposes permitted under the CCPA.
Operating under a service provider contract means that a service provider is strictly limited in its functions, and only exists to provide specified services, to specified businesses, with specified sets of personal information.
The service provider contract is a means by which the CCPA ensures consumers can still exercise their rights over the personal information that has been collected by a business, even after it has been disclosed to another company.
A service provider contract is somewhat like the Data Processing Agreement that must exist between data controllers and data processors in EU law, except that the CCPA service provider contract requires far fewer mandatory provisions.
In fact, some service providers have simply adapted their existing Data Processing Agreements to accommodate businesses covered by the CCPA.
Here's an example from Mailchimp's Data Processing Agreement:
Note the specific mention of the CCPA here to inform readers where the definitions of the terms have been taken from.
Anyone who's even remotely familiar with the General Data Protection Regulation (GDPR), the main privacy law in the European Union (EU), will know that the CCPA is significantly influenced by EU law.
The CCPA's "business" and "service provider" concepts are substantially similar to the GDPR's concepts of "data controller" and "data processor."
Just as with the GDPR's controllers and processors, the crucial distinction between a business and a service provider is this:
The CCPA doesn't explain these terms. For an understanding of this distinction, we can turn to EU law, where these concepts originate.
The chart below will help you understand if your company "determines the processes and means of the processing of personal information," or "processes personal information on behalf of a business."
However, remember that California is not the EU. The Californian courts may interpret these concepts differently.
Consider the following questions in relation to processing personal information for a specific project or business activity, for example, an advertising or lead generation campaign.
| | The answers in this column are relevant to determining the purposes and means of the processing of personal information. | The answers in this column are relevant to processing personal information on behalf of a business. |
|---|---|---|
| Did you decide to process personal information? | Yes | No. We were instructed to do so by a business. |
| Did you decide on the reason or goal of the processing? | Yes | No. The processing is for a business's own purposes. |
| Did you decide what types of personal information to process? | Yes | No. The business decided. |
| Did you decide how to carry out the processing? | Yes; or: No, the other company decided, but we approved its decision. | Yes, but the business must approve of these methods. |
| Will you gain direct benefit from the personal information? | Yes | No, except for the payment we receive for it. |
| Do you have a direct relationship with the consumers whose personal information you are processing? | Yes | No, we only communicate with the business about the processing. |
| If the other company told you to stop this project, would you comply? | No. We would find another company to process the personal information of the same consumers. | Yes. We would have to find a new client and process different consumers' personal information. |
"Processing" is another term from EU law, and refers to any operation performed on personal information.
It is perfectly possible to be both a business and a service provider, but for the purposes of the CCPA, you cannot be both types of company at the same time and in respect of the same set of personal information.
For example, an email marketing company that has gross annual revenues in excess of $25 million:
It is important to understand and differentiate between your obligations as a business and as a service provider.
Service providers normally receive personal information directly from a business. However, it is also possible for a service provider to receive personal information from another service provider.
When disclosing personal information to another service provider, a service provider is bound by the same conditions as a business.
This means that, in such a scenario, the first service provider must put in place a service provider contract that prevents the second service provider from using, retaining, or disclosing the personal information for any purposes other than those specified in the contract.
Under the CCPA, the responsibilities of a subcontracting service provider are identical to those of a "regular" service provider.
A business is any legal entity that:
A service provider is any legal entity that:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.