Service providers are an important part of the CCPA. Under the right conditions, businesses can share personal information with service providers in a way that does not count as a "sale."
However, the CCPA provides a very narrow definition of "service provider" and sets strict rules about what service providers may and may not do with the personal information they receive from businesses.
This guidance is suitable for anyone who wants to learn more about CCPA service providers, whether you're a business, a service provider, or you aren't sure which definition you meet.
Purpose of a Service Provider
A service provider is a legal entity (e.g. a company) that performs services on behalf of a business using personal information that the business provides it.
Under certain conditions, the following types of companies might qualify as service providers:
- Email marketing companies
- Customer Relationship Management (CRM) providers
- Payment processors
- Analytics service providers
A "service provider" is one of three main types of entity recognized in the CCPA, with the others being a "business" and "third party."
Working with a service provider as opposed to a "third party" has an important benefit for a business. If done properly, sharing personal information with a service provider does not count as "selling" the personal information.
The CCPA has a broad definition of "selling" personal information. A business that shares personal information with a third party in exchange for some benefit (not necessarily a monetary benefit) might be deemed to be "selling" that personal information.
The CCPA makes many demands on businesses that "sell" personal information. For example, a business that sells personal information must place a link on its homepage reading "Do Not Sell My Personal Information." The business must also allow the consumer to exercise their "right to opt out."
If a business discloses personal information to a service provider in a CCPA-compliant way, this does not qualify as "selling" the personal information. Instead, it qualifies as "disclosing personal information for a business purpose."
This is the practical benefit: when a business discloses personal information to a service provider for a business purpose, it does not have to offer consumers the right to opt out of that disclosure, and unless it also "sells" personal information elsewhere, it does not need a "Do Not Sell My Personal Information" link on its homepage.
Service Providers vs. Businesses
To help you understand the CCPA's concept of a "service provider," let's compare it to a "business."
The CCPA defines a "business" as any legal entity that fits the following description:
The CCPA defines a "service provider" as any legal entity that fulfills the following characteristics:
One key distinction between these two types of companies is that a business "determines the purposes and means of the processing of personal information" whereas a service provider "processes personal information on behalf of a business."
These concepts are lifted directly from the EU General Data Protection Regulation (GDPR).
The comparison below should help you determine whether your company (or a company you work with) is a business or a service provider. This analysis is grounded in EU law, and the California courts may interpret these concepts differently.
| | Business: determines the purposes and means of the processing of personal information | Service provider: processes personal information on behalf of a business |
|---|---|---|
| Decides to process personal information | Yes | No (only collects personal information under instruction) |
| Decides the purpose or outcome of the processing | Yes | No |
| Decides what types of personal information to process | Yes | No |
| Decides how to process personal information | Yes (or approves a method suggested by a service provider) | No (may suggest methods to be approved by a business) |
| Derives a direct financial benefit from processing personal information | Yes | No (receives payment from a business) |
| Has a direct relationship or contract with consumers | Yes | No |
| Follows instructions from another company when collecting personal information | No | Yes |
Note that "processing" personal information means doing something with it, including collecting, using, deleting or sharing it.
Here's an example in context. Say a business wants to engage the services of an email marketing company, such as Mailchimp (which fits the definition of a "service provider" under the CCPA).
The business "calls the shots" in this relationship. For example, the business:
- Decides to collect personal information (the email addresses of its customers and prospective customers)
- Decides the purpose or outcome of the collection (e.g. maintaining customer relationships)
- Decides what types of personal information to collect (email addresses)
- Decides how to collect personal information (e.g. via a web form on its website)
- Derives a direct financial benefit from collecting personal information (increased sales)
- Has a direct relationship or contract with consumers
Service Providers That Act as Businesses
A company that mainly acts as a service provider can also be a business in other contexts if it meets the CCPA's definition of a business.
A company that meets the definition of a business will qualify as a business whenever it is operating in California and "determining the purposes and means of the processing of personal information."
The company will be a service provider whenever it is "processing personal information on behalf of a business."
Consider the example of an analytics services provider that has annual gross revenues of over $25 million.
- When it stores and analyzes California consumers' personal information on behalf of its business clients, the company is acting as a service provider.
- When it collects the personal information of California consumers for its own purposes (e.g. lead generation), the company is acting as a business.
Businesses That Act as Service Providers
A company that normally acts as a business can be a service provider when it processes personal information on behalf of another business.
If a company is processing personal information on behalf of a business, and if it meets the other conditions for service providers set out in the CCPA, it will be considered a service provider.
It is not relevant that the company might also have some of the qualities of a business (e.g. it has annual gross revenues of over $25 million, etc.).
Permitted Service Provider Activities
The CCPA places strict limits on what a service provider can do with the personal information it receives from a business.
The CCPA's definition of a service provider sets out two ways in which a service provider may process personal information:
- To provide services on behalf of a business, under a contract
- As "otherwise permitted" by the CCPA
There's only one other "permissible activity" mentioned in the CCPA itself. This appears at section 1798.105(c), which requires a business that receives a verifiable request under the "right to delete" to direct its service providers to delete the consumer's personal information from their records:
Service Provider Activities Under the Proposed Regulations
The California Attorney General's draft regulations implementing the CCPA, known as the Proposed Regulations, set out several more ways in which a service provider may use personal information it has received from a business, including:
- To employ another CCPA-compliant service provider as a subcontractor
- To build or improve the quality of its services, as long as it doesn't:
  - Build or modify household or consumer profiles, or
  - Clean or augment data it has acquired elsewhere
- To detect security incidents
- To protect against fraudulent or illegal activity
- For the first four purposes set out at section 1798.145(a) of the CCPA, namely:
  - Legal compliance
  - Complying with court inquiries, investigations, and subpoenas
  - Cooperating with law enforcement agencies regarding potentially illegal activity
  - Exercising or defending legal claims
The Proposed Regulations also state that if a service provider receives a request from a consumer under the right to know or the right to delete, it may either:
- Provide or delete the requested personal information on behalf of its business client, or
- Inform the consumer that it cannot fulfill the request because it is a service provider
Note that the Proposed Regulations are not yet official. However, it seems likely that this section will pass into law, given the heavy restrictions on service providers in the original text of the CCPA.
Service Provider Subcontractors
Under the Proposed Regulations, a service provider may hire an additional service provider as a subcontractor, as long as the subcontractor complies with the CCPA and the Proposed Regulations.
It appears that the subcontractor would be the "service provider's service provider" rather than a service provider of the original business. Therefore, there must be a Service Provider Contract in place between the service provider and the subcontractor.
Service Provider CCPA Violations
Under the CCPA, the Attorney General can bring a civil action against a service provider (or business) that has violated the CCPA. The civil penalties are:
- If the business or service provider is notified of an alleged violation and does not cure it within 30 days: up to $2,500 per violation
- If the violation is intentional: up to $7,500 per violation
The CCPA also includes a private right of action, meaning that a consumer can sue directly. Its scope is narrow: it covers only certain data breaches of non-encrypted and non-redacted personal information that result from a business's failure to implement reasonable security procedures, and it appears to be restricted to claims against businesses rather than service providers.
A business is not normally liable for a service provider acting on its behalf. This is stated at section 1798.145(h) of the CCPA:
The above paragraph specifies that a business will not be liable for a service provider's violation of the CCPA if the business does not have "actual knowledge or reason to believe" that the service provider intended to violate the CCPA.
CCPA Service Provider Contract
A service provider may only process personal information under a written contract with the business, which we're calling a "Service Provider Contract."
A CCPA Service Provider Contract can be created by a business or a service provider, but it must be agreed to by both parties before any sharing of personal information takes place.
A Service Provider Contract must contain the following mandatory information:
- A section that states the purposes for which the service provider may process the personal information it receives from the business.
- Clauses that prohibit the service provider from using, disclosing, or retaining the personal information for any purpose outside of the contract, unless otherwise permitted by the CCPA.
You may wish to include the following optional clauses in your Service Provider Contract:
- A clause that obliges the service provider to assist the business in carrying out CCPA consumer rights requests.
- A "hold harmless" clause that requires the service provider to indemnify the business in the event of a CCPA violation.
- A clause setting out the terms under which a service provider may hire subcontractors.
CCPA Service Provider Contract vs. GDPR Data Processing Agreement
A Service Provider Contract is similar to the contract between data controllers and data processors under the GDPR, known as a Data Processing Agreement.
If your company is GDPR-compliant, you may have already created or used a Data Processing Agreement. This could be a good starting point from which to create a Service Provider Contract.
A CCPA Service Provider Contract and a GDPR Data Processing Agreement share the following similarities:
- Both serve the same fundamental purpose: regulating how companies share personal information.
- Both must contain clauses that prohibit the service provider/data processor from using, disclosing, or retaining the personal information for any purpose outside of the contract.
There are some other, less obvious, similarities:
- A Data Processing Agreement must contain a clause that requires the data processor to delete any personal information it has received from the controller after the contract expires. A Service Provider Contract has a similar effect because it prohibits the service provider from retaining personal information for any purposes outside of the contract.
- A Data Processing Agreement must require the data processor to assist the data controller in responding to "data subject rights" requests. A service provider must assist its client business with CCPA rights requests, so it makes sense to include this obligation in a Service Provider Contract.
There are many differences between a CCPA Service Provider Contract and a GDPR Data Processing Agreement. For example, the GDPR requires a Data Processing Agreement to include clauses that set out:
Although the CCPA does not require businesses to include these clauses, you can include them in a Service Provider Contract if you wish. However, you must ensure that you meet the CCPA's requirements and use the appropriate CCPA terminology.
Some service providers have adapted their Data Processing Agreement to make it suitable for use as a Service Provider Contract.
For example, Mailchimp includes a "California" annex as part of its GDPR Data Processing Agreement. First, Mailchimp redefines the term "[data] controller" to include "business," and "processor" to include "service provider":
Mailchimp also makes the following amendment to the "data subject rights" section of its Data Processing Agreement:
Mailchimp also includes the following clause regarding subcontractors:
Both businesses and service providers must be fully aware of their CCPA obligations before beginning work together.
A service provider: