Is CCPA compliance required for service providers?

If you own a business, you likely work with a variety of entities pursuant to delivering products and services to your customers. These partnerships may take place in a variety of contexts. For example, perhaps you employ an outside company to help create and manage your website. For customer relations and marketing, your business may agree to a contract with an outside firm with a reputation for effective consumer outreach. 

In order for your business to thrive in a competitive marketplace, collaboration with other companies may be a necessity. Pursuant to those ends, your business may have to exchange significant amounts of customer data with outside vendors. These exchanges of information may be governed by written agreements outlining the parameters of how the vendor may use the information, how the information must be protected, and when the information must be destroyed. Depending on the size of your business, you may have a variety of contractual relationships with outside vendors. The odds are high that these vendors require significant amounts of data to perform the services agreed upon, whether in the context of advertising, website development, or customer outreach. 

The CCPA: California Consumer Privacy Act imposes a number of requirements on certain businesses. These requirements include providing consumers with a “Do Not Sell My Personal Information” link and installing a “Do Not Sell My Personal Information” page. These requirements allow consumers to effectively halt the “sale” of their personally identifiable information (“PII”) to third parties as defined by the CCPA.  

But what if the business in question is not a “third party” under the CCPA but is instead a “service provider?” Provided that certain requirements under the law are met, businesses otherwise prohibited from transferring PII to third parties due to an opt-out request may be permitted to do so if the outside entity is defined as a service provider. This distinction may also impact what disclosures you must make within your online Privacy Policy. As such, distinguishing between third parties and service providers is critical to understanding your obligations under the CCPA.

The following two topics will be discussed: 

  • The definition of a service provider under the CCPA 
  • Compliance requirements for service providers under the CCPA 

The definition of a service provider under the CCPA 

In order for an entity to be classified as a service provider, it must be: 

  • A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity;
  • That processes information on behalf of a business and receives a consumer’s personal information for a business purpose pursuant to a written contract; and 
  • The contract must prohibit the service provider from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business. 

The CCPA draft regulations have provided some additional clarifications regarding the definition of a service provider. Those regulations state that entities that provide services to those that are not “businesses” under the CCPA, such as non-profits or government entities, but otherwise meet the definition of a service provider under the law, are deemed service providers for purposes of the CCPA and the regulations. This means that, at least with respect to the draft regulations, determining who is a service provider is not predicated on whether the service provider is dealing with a covered business under the law. If the above requirements are met, the entity is classified by the State Attorney General as a service provider. 

Compliance requirements for service providers under the CCPA 

In the context of sales of PII between businesses and third parties, consumers have the ability to opt-out of those exchanges. Moreover, businesses must make specific disclosures in their Privacy Policies pertaining to the categories of PII sold as well as categories of third parties that have received the PII. 

In the context of exchanges of PII between businesses and service providers, the presence of a service provider means that the CCPA’s requirements pertaining to sales may not apply to those transactions (but as discussed below, the regulations make clear that service providers may not engage in sales of PII themselves once a consumer exercises the right to opt-out). This additionally means that a business’s Privacy Policy will need to accurately distinguish between third parties and service providers when making required disclosures. 

Assuming that a service provider is identified in the transaction, the CCPA provides that three requirements must be met for a transaction to fall outside the definition of a “sale” under the law:

  • The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose; 
  • The business has provided notice of the transfer of PII, including within its Privacy Policy; and 
  • The service provider does not collect, sell, or use the PII except as necessary to perform the business purpose. 

Focusing on the obligations of service providers in this context, these entities generally must limit their handling of PII as necessary to perform the “business purpose” of the transaction. A “business purpose” is defined by the CCPA as the “use of personal information for the business’ or a service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected . . . .” Examples of business purposes include the following: 

  • Monitoring for security incidents 
  • Counting ad impressions to unique website visitors 
  • Identifying and repairing errors related to functionality 
  • Use of the data for internal research for technological purposes 
  • Activities to maintain the quality or safety of a device or service owned or controlled by the business or activities to upgrade those devices or services 

The draft regulations provide additional requirements for service providers to follow: 

  • A service provider is prohibited from retaining, using, or disclosing PII obtained while providing services except:
    • To process or maintain PII on behalf of the business that provided the PII or directed the service provider to directly collect the PII, provided the contract between the two entities is CCPA compliant;
    • To retain and employ another service provider as a subcontractor, provided that this entity meets the definition of a service provider under the CCPA;
    • For the service provider to improve the quality of its own service, provided that this does not entail changing household or consumer profiles pursuant to providing services to another business, or correcting or augmenting data acquired from another source; or 
    • To detect security incidents or protect against fraud or illegal activity. 
  • A service provider must not sell the PII on behalf of the business when a consumer has opted-out of sales of PII
  • When receiving a request for disclosures or deletion, the service provider must either inform the consumer they are a service provider and cannot perform the request or act on behalf of the business in responding to the request 

Ultimately, determining what entities constitute service providers under the CCPA requires extensive review. This article has provided a general overview of how to first identify an entity as a service provider and subsequently assess how interactions with service providers may impact the compliance obligations of a particular entity. Pursuant to those ends, it is critical for businesses to create data inventories to categorize the PII that has been collected and where it has been transferred and stored. This methodology will ultimately aid in accurately identifying what outside entities have access to the PII, including distinguishing between third parties and  service providers. The end result is a clearer picture of the compliance obligations of everyone involved in the lifecycle of the data. 

Moreover, contractual relationships will need to be reviewed in order to identify if any service providers are involved. If your business is subject to contractual relationships that limit the use and disclosure of PII, there is a good chance that your business may be a service provider under the CCPA, subject to all applicable requirements and obligations. 

For your website’s Privacy Policy, it is critical that accurate disclosures are made pertaining to the third parties and service providers that you do business with. To that end, consider Termageddon’s Privacy Policy Generator, which provides up-to-date Privacy Policies that help ensure your business remains compliant with the CCPA and other privacy laws.