09 March 2020
Service providers are an important part of the CCPA. Under the right conditions, businesses can share personal information with service providers in a way that does not count as a "sale."
However, the CCPA provides a very narrow definition of "service provider" and sets strict rules about what service providers may and may not do with the personal information they receive from businesses.
This guidance is suitable for anyone who wants to learn more about CCPA service providers, whether you're a business, a service provider, or you aren't sure which definition you meet.
A service provider is a legal entity (e.g. a company) that performs services on behalf of a business using personal information that the business provides it.
Under certain conditions, the following types of companies might qualify as service providers:
A "service provider" is one of three main types of entity recognized in the CCPA, with the others being a "business" and "third party."
Working with a service provider as opposed to a "third party" has an important benefit for a business. If done properly, sharing personal information with a service provider does not count as "selling" the personal information.
The CCPA has a broad definition of "selling" personal information. A business that shares personal information with a third party in exchange for some benefit (not necessarily a monetary benefit) might be deemed to be "selling" that personal information.
The CCPA makes many demands on businesses that "sell" personal information. For example, a business that sells personal information must place a link on its homepage reading "Do Not Sell My Personal Information." The business must also allow the consumer to exercise their "right to opt out."
If a business discloses personal information to a service provider in a CCPA-compliant way, this does not qualify as "selling" the personal information. Instead, it qualifies as "disclosing personal information for a business purpose."
However, when sharing personal information for business purposes, a business does not have to offer consumers the right to opt out. Unless it also "sells" personal information, it doesn't have to create a "Do Not Sell My Personal Information" page.
To help you understand the CCPA's concept of a "service provider," let's compare it to a "business."
The CCPA defines a "business" as any legal entity that fits the following description:
It fulfills one or more of the following characteristics:
The CCPA defines a "service provider" as any legal entity that fulfills the following characteristics:
It processes that personal information under a contract that prohibits the retention, use, or disclosure of the personal information for any purpose other than:
One key distinction between these two types of companies is that a business "determines the purposes and means of the processing of personal information" whereas a service provider "processes personal information on behalf of a business."
These concepts are lifted directly from the EU General Data Protection Regulation (GDPR).
The comparison below should help you determine whether your company (or a company you work with) is a business or a service provider. This analysis is grounded in EU law, and the California courts may interpret these concepts differently.
|Business: Determining the purposes and means of the processing of personal information||Service provider: Processing personal information on behalf of a business|
|Decides to process personal information||Yes||No (only collects personal information under instruction)|
|Decides the purpose or outcome of the processing||Yes||No|
|Decides what types of personal information to process||Yes||No|
|Decides how to process personal information||Yes (or approves a method suggested by a service provider)||No (may suggest methods to be approved by a business)|
|Derives a direct financial benefit from processing personal information||Yes||No (receives payment from a business)|
|Has a direct relationship or contract with consumers||Yes||No|
|Follows instructions from another company when collecting personal information||No||Yes|
Note that "processing" personal information means doing something with it, including collecting, using, deleting or sharing it.
Here's an example in context. Say a business wants to engage the service of an email marketing company, such as Mailchimp (which fits the definition of a "service provider" under the CCPA).
The business "calls the shots" in this relationship. For example, the business:
A company that mainly acts as a service provider can also be a business in other contexts if it meets the CCPA's definition of a business.
A company that meets the definition of a business will qualify as a business whenever it is operating in California and "determining the purposes and means of the processing of personal information."
The company will be a service provider whenever it is "processing personal information on behalf of a business."
Consider the example of an analytics services provider that has annual gross revenues of over $25 million.
A company that normally acts as a business can be a service provider when it processes personal information on behalf of another business.
If a company is processing personal information on behalf of a business, and if it meets the other conditions for service providers set out in the CCPA, it will be considered a service provider.
It is not relevant that the company might also have some of the qualities of a business (e.g. it has annual gross revenues of over $25 million, etc.).
The CCPA places strict limits on what a service provider can do with the personal information it receives from a business.
As we've seen, the CCPA sets out two main ways in which a service provider may process personal information:
There's only one other "permissible activity" mentioned in the CCPA itself. This appears at section 1798.105 (c), and allows a service provider to delete personal information following a request under the "right to delete":
The California Attorney-General's draft amendments to the CCPA, known as the Proposed Regulations, set out several more ways in which a service provider may use personal information it has received from a business, including:
To build or improve the quality of its services, as long as it doesn't:
For the first four purposes set out at section 1798.145 (a) of the CCPA, namely:
The Proposed Regulations also state that if a service provider receives a request from a consumer under the right to know or the right to delete, it may either:
Note that the Proposed Regulations are not yet official. However, it seems likely that this section will pass into law, given the heavy restrictions on service providers in the original text of the CCPA.
Under the Proposed Regulations, a service provider may hire an additional service provider as a subcontractor, as long as the subcontractor complies with the CCPA and the Proposed Regulations.
It appears that the subcontractor would be the "service provider's service provider" rather than a service provider of the original business. Therefore, there must be a Service Provider Contract in place between the service provider and the subcontractor.
Under the CCPA, the Attorney General can bring a civil legal claim against a service provider (or business) that has violated the CCPA.
The CCPA also includes a private right of action, meaning that a consumer can bring a civil claim against a business that violates their privacy in violation of the CCPA. However, the private right of action seems to be restricted to claims against businesses.
A business is not normally responsible for a service provider acting on its behalf. This is stated at Section 1798.145 (3) (h) of the CCPA:
The above paragraph specifies that a business will not be liable for a service provider's violation of the CCPA if the business does not have "actual knowledge or reason to believe" that the service provider intended to violate the CCPA.
Service providers must only operate under a contract, which we're calling a "Service Provider Contract."
A CCPA Service Provider Contract can be created by a business or a service provider, but it must be agreed to by both parties before any sharing of personal information takes place.
A Service Provider Contract must contain the following mandatory information:
You may wish to include the following optional clauses in your Service Provider Contract:
A Service Provider Contract is similar to the contract between data controllers and data processors under the GDPR, known as a Data Processing Agreement.
If your company is GDPR-compliant, you may have already created or used a Data Processing Agreement. This could be a good starting point from which to create a Service Provider Contract.
A CCPA Service Provider Contract and a GDPR Data Processing Agreement share the following similarities:
There are some other, less obvious, similarities:
A Data Processing Agreement must contain a clause that requires the data processor to delete any personal information it has received from the controller after the contract expires.
A Data Processing Agreement must require the data processor to assist the data controller in responding to "data subject rights" requests.
There are many differences between a CCPA Service Provider Contract and a GDPR Data Processing Agreement. For example, the GDPR requires a Data Processing Agreement to include clauses that set out:
The data processors obligations, including:
Although the CCPA does not require businesses to include these clauses, you can include them in a Service Provider Contract if you wish. However, you must ensure that you meet the CCPA's requirements and use the appropriate CCPA terminology.
Some service providers have adapted their Data Processing Agreement to make it suitable for use as a Service Provider Contract.
For example, Mailchimp includes a "California" annex as part of its GDPR Data Processing Agreement. First, Mailchimp redefines the term "[data] controller" to include "business," and "processor" to include "service provider":
Mailchimp also makes the following amendment to the "data subject rights" section of its Data Processing Agreement:
Mailchimp also includes the following clause regarding subcontractors:
Both businesses and service providers must be fully aware of their CCPA obligations before beginning work together.
A service provider:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.