Service providers are an important part of the CCPA, as amended by the CPRA. Under the right conditions, businesses can share personal information with service providers in a way that does not count as a "sale."
However, the CCPA (CPRA) provides a very narrow definition of "service provider" and sets strict rules about what service providers may and may not do with the personal information they receive from businesses.
This guidance is suitable for anyone who wants to learn more about CCPA (CPRA) service providers, whether you're a business, a service provider, or you aren't sure which definition you meet.
- 1. Purpose of a Service Provider
- 2. Service Providers vs. Businesses
- 2.1. Service Providers That Act as Businesses
- 2.2. Businesses That Act as Service Providers
- 3. Permitted Service Provider Activities
- 3.1. Service Provider Subcontractors
- 4. Service Provider CCPA (CPRA) Violations
- 5. CCPA (CPRA) Service Provider Contract
- 5.1. CCPA (CPRA) Service Provider Contract vs. GDPR Data Processing Agreement
- 6. Summary
Purpose of a Service Provider
A service provider is a legal entity (e.g. a company) that performs services on behalf of a business using personal information that the business provides it.
Under certain conditions, the following types of companies might qualify as service providers:
- Email marketing companies
- Customer Relationship Management (CRM) providers
- Payment processors
- Analytics service providers
A "service provider" is one of three main types of entity recognized in the CCPA (CPRA), with the others being a "business" and "third party."
Working with a service provider as opposed to a "third party" has an important benefit for a business. If done properly, sharing personal information with a service provider does not count as "selling" the personal information.
The CCPA (CPRA) has a broad definition of "selling" personal information. A business that shares personal information with a third party in exchange for some benefit (not necessarily a monetary benefit) might be deemed to be "selling" that personal information.
The CCPA (CPRA) makes many demands on businesses that "sell" personal information. For example, a business that sells personal information must place a link on its homepage reading "Do Not Sell My Personal Information." The business must also allow the consumer to exercise their "right to opt out."
If a business discloses personal information to a service provider in a CCPA/CPRA-compliant way, this does not qualify as "selling" the personal information. Instead, it qualifies as "disclosing personal information for a business purpose."
However, when sharing personal information for business purposes, a business does not have to offer consumers the right to opt out. Unless it also "sells" personal information, it doesn't have to create a "Do Not Sell My Personal Information" page.
Service Providers vs. Businesses
To help you understand the CCPA/CPRA's concept of a "service provider," let's compare it to a "business."
The CCPA defines a "business" as any legal entity that fits the following description:
- It operates for profit,
- It operates in California,
- It determines the purposes and means of the processing of personal information, AND
It fulfills one or more of the following characteristics:
- It has annual gross revenues in excess of $25 million,
- It annually buys, receives for the commercial purposes, sells, and/or shares for commercial purposes, the personal information of at least 100,000 consumers and/or households, OR
- It derives more than 50 percent of its annual gross revenues from processing selling or sharing consumers' personal information.
The CCPA (CPRA) defines a "service provider" as any legal entity that fulfills the following characteristics:
- It operates for profit,
- It processes personal information on behalf of a business, AND
- It receives personal information from a business
It processes that personal information under a contract that prohibits the retention, use, or disclosure of the personal information for any purpose other than:
- The purposes specified in the contract, or
- Any other purposes permitted under the CCPA (CPRA)
One key distinction between these two types of companies is that a business "determines the purposes and means of the processing of personal information" whereas a service provider "processes personal information on behalf of a business."
These concepts are lifted directly from the EU General Data Protection Regulation (GDPR).
The comparison below should help you determine whether your company (or a company you work with) is a business or a service provider. This analysis is grounded in EU law, and the California courts may interpret these concepts differently.
|Business: Determining the purposes and means of the processing of personal information||Service provider: Processing personal information on behalf of a business|
|Decides to process personal information||Yes||No (only collects personal information under instruction)|
|Decides the purpose or outcome of the processing||Yes||No|
|Decides what types of personal information to process||Yes||No|
|Decides how to process personal information||Yes (or approves a method suggested by a service provider)||No (may suggest methods to be approved by a business)|
|Derives a direct financial benefit from processing personal information||Yes||No (receives payment from a business)|
|Has a direct relationship or contract with consumers||Yes||No|
|Follows instructions from another company when collecting personal information||No||Yes|
Note that "processing" personal information means doing something with it, including collecting, using, deleting or sharing it.
Here's an example in context. Say a business wants to engage the service of an email marketing company, such as Mailchimp (which fits the definition of a "service provider" under the CCPA (CPRA)).
The business "calls the shots" in this relationship. For example, the business:
- Decides to collect personal information (the email addresses of its customers and prospective customers)
- Decides the purpose or outcome of the collection (e.g. maintaining customer relationships)
- Decides what types of personal information to collect (email addresses)
- Decides how to collect personal information (e.g. via a web form on its website)
- Derives a direct financial benefit from collecting personal information (increased sales)
- Has a direct relationship or contract with consumers
Service Providers That Act as Businesses
A company that mainly acts as a service provider can also be a business in other contexts if it meets the CCPA/CPRA's definition of a business.
A company that meets the definition of a business will qualify as a business whenever it is operating in California and "determining the purposes and means of the processing of personal information."
The company will be a service provider whenever it is "processing personal information on behalf of a business."
Consider the example of an analytics services provider that has annual gross revenues of over $25 million.
- When it stores and analyzes California consumers' personal information on behalf of its business clients, the company is acting as a service provider.
- When it collects the personal information of California consumers for its own purposes (e.g. lead generation), the company is acting as a business.
Businesses That Act as Service Providers
A company that normally acts as a business can be a service provider when it processes personal information on behalf of another business.
If a company is processing personal information on behalf of a business, and if it meets the other conditions for service providers set out in the CCPA (CPRA), it will be considered a service provider.
It is not relevant that the company might also have some of the qualities of a business (e.g. it has annual gross revenues of over $25 million, etc.).
Permitted Service Provider Activities
The CCPA (CPRA) places strict limits on what a service provider can do with the personal information it receives from a business.
As we've seen, the CCPA (CPRA) sets out two main ways in which a service provider may process personal information:
- To provide services on behalf of a business, under a contract
- As "otherwise permitted" by the CCPA (CPRA)
Section 1798.105 (c) of the CCPA (CPRA) allows a service provider to delete personal information following a request under the "right to delete":
A service provider may also se personal information it has received from a business to:
- Employ another CCPA/CPRA-compliant service provider as a subcontractor
Build or improve the quality of its services, as long as it doesn't:
- Build or modify household or consumer profiles, or
- Clean or augment data it has acquired elsewhere
- Detect security incidents
- Protect against fraudulent or illegal activity
For the first four purposes set out at section 1798.145 (a) of the CCPA, namely:
- Legal compliance
- Complying with court inquires, investigations, and subpoenas
- Cooperating with law enforcement agencies regarding potentially illegal activity
- Exercising or defending legal claims
If a service provider receives a request from a consumer under the right to know or the right to delete, it may either:
- Provide or delete the requested personal information on behalf of its business client, or
- Inform the consumer that it cannot fulfill the request because it is a service provider
Service Provider Subcontractors
A service provider may hire an additional service provider as a subcontractor, as long as the subcontractor complies with the CCPA (CPRA).
It appears that the subcontractor would be the "service provider's service provider" rather than a service provider of the original business. Therefore, there must be a Service Provider Contract in place between the service provider and the subcontractor.
Service Provider CCPA (CPRA) Violations
Under the CCPA (CPRA), the Attorney General can bring a civil legal claim against a service provider (or business) that has violated the CCPA (CPRA).
- If the business is alleged to have violated the CCPA (CPRA) and does not correct the violation within 30 days: up to $2,500 per violation
- If the violation is intentional: an additional penalty of up to $7,500 per violation
The CCPA (CPRA) also includes a private right of action, meaning that a consumer can bring a civil claim against a business that violates their privacy in violation of the CCPA (CPRA). However, the private right of action seems to be restricted to claims against businesses.
A business is not normally responsible for a service provider acting on its behalf. This is stated at Section 1798.145 (3) (h) of the CCPA (CPRA):
The above paragraph specifies that a business will not be liable for a service provider's violation of the CCPA if the business does not have "actual knowledge or reason to believe" that the service provider intended to violate the CCPA (CPRA).
CCPA (CPRA) Service Provider Contract
Service providers must only operate under a contract, which we're calling a "Service Provider Contract."
A CCPA (CPRA) Service Provider Contract can be created by a business or a service provider, but it must be agreed to by both parties before any sharing of personal information takes place.
A Service Provider Contract must contain the following mandatory information:
- A section that states the purposes for which the service provider may process the personal information it receives from the business.
- Clauses that prohibit the service provider from using, disclosing, or retaining the personal information for any purpose outside of the contract, unless otherwise permitted by the CCPA (CPRA).
You may wish to include the following optional clauses in your Service Provider Contract:
- A clause that obliges the service provider to assist the business in carrying out CCPA (CPRA) consumer rights requests.
- A "hold harmless" clause that requires the service provider to indemnify the business in the event of a CCPA (CPRA) violation.
- A clause setting out the terms under which a service provider may hire subcontractors.
CCPA (CPRA) Service Provider Contract vs. GDPR Data Processing Agreement
A Service Provider Contract is similar to the contract between data controllers and data processors under the GDPR, known as a Data Processing Agreement.
If your company is GDPR-compliant, you may have already created or used a Data Processing Agreement. This could be a good starting point from which to create a Service Provider Contract.
A CCPA (CPRA) Service Provider Contract and a GDPR Data Processing Agreement share the following similarities:
- Both serve the same fundamental purpose: regulating how companies share personal information.
- Both must contain clauses that prohibit the service provider/data processor from using, disclosing, or retaining the personal information for any purpose outside of the contract.
There are some other, less obvious, similarities:
A Data Processing Agreement must contain a clause that requires the data processor to delete any personal information it has received from the controller after the contract expires.
- A Service Provider Contract has the same effect because it prohibits the service provider from retaining personal information for any purposes outside of the contract.
A Data Processing Agreement must require the data processor to assist the data controller in responding to "data subject rights" requests.
- A service provider must assist its client business with CCPA (CPRA) rights requests, so it makes sense to include this obligation in a Service Provider Contract.
There are many differences between a CCPA (CPRA) Service Provider Contract and a GDPR Data Processing Agreement. For example, the GDPR requires a Data Processing Agreement to include clauses that set out:
- The data controller's obligations
- The nature, purpose, and scope of the processing
- The categories of personal information and data subjects (consumers) covered by the agreement
- The conditions under which a data processor may use "subprocessors"
The data processors obligations, including:
- Only acting on the written instructions of the data controller
- Keeping personal information confidential and secure
- Allowing the data controller to conduct audits
Although the CCPA (CPRA) does not require businesses to include these clauses, you can include them in a Service Provider Contract if you wish. However, you must ensure that you meet the CCPA/CPRA's requirements and use the appropriate CCPA (CPRA) terminology.
Some service providers have adapted their Data Processing Agreement to make it suitable for use as a Service Provider Contract.
For example, Mailchimp includes a "California" annex as part of its GDPR Data Processing Agreement. First, Mailchimp redefines the term "[data] controller" to include "business," and "processor" to include "service provider":
Mailchimp also makes the following amendment to the "data subject rights" section of its Data Processing Agreement:
Mailchimp also includes the following clause regarding subcontractors:
Both businesses and service providers must be fully aware of their CCPA (CPRA) obligations before beginning work together.
A service provider: