When Do Vendors Count as Service Providers Under the California Consumer Privacy Act?

With just a few months remaining before the California Consumer Privacy Act comes into effect, companies throughout the Golden State and beyond are scrambling to figure out how to comply with some of the CCPA’s more confusing and demanding requirements. However, another subset of companies is facing a different question: does the law even apply to us?

The question arises because the CCPA draws an important distinction between “service providers” and “third parties.” A service provider, a company that provides analysis or processing services to another company, must agree by contract to uphold certain protections of the CCPA but is left free of the most arduous requirements of the CCPA, such as fielding user requests for disclosure of data. What companies want to avoid are situations where they believe they are signing up to be service providers but unintentionally put themselves in a position where they must comply with the entire CCPA.

What is a Service Provider?

The CCPA defines “service provider” as a for-profit company that “processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract[.]”

The contract between the business and the service provider must obligate the service provider to refrain from “retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business,” including for a “commercial purpose other than providing the services specified in the contract with the business.”

What is a Third Party?

On the other hand, the CCPA defines “third parties” as companies that are not:

(1) The business that collects personal information from consumers under this title.

(2) A person to whom the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract:

(A) Prohibits the person receiving the personal information from:

(i) Selling the personal information.

(ii) Retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract.

(iii) Retaining, using, or disclosing the information outside of the direct business relationship between the person and the business.

(B) Includes a certification made by the person receiving the personal information that the person understands the restrictions in subparagraph (A) and will comply with them.

A person covered by paragraph (2) that violates any of the restrictions set forth in this title shall be liable for the violations. A business that discloses personal information to a person covered by paragraph (2) in compliance with paragraph (2) shall not be liable under this title if the person receiving the personal information uses it in violation of the restrictions set forth in this title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the person intends to commit such a violation.

In other words, a third party is any company that receives information from the initial company but does not meet the standards to be considered a service provider.

How Are Service Providers and Third Parties Treated Differently?

Importantly, the CCPA provides that a transfer of personal information between a company and a service provider is not considered a “sale” (as long as the data being transferred is necessary for the task being performed), and as a result many of the CCPA’s protections don’t kick in. Further, if the business followed all of the steps necessary in contracting with a service provider, the business will not be liable if the service provider subsequently violates the law.

On the other hand, when a company sells personal information to a third party, the company must provide notice to its customers and an opportunity to opt out. A company must also disclose the categories of third parties to which it is selling personal information if a consumer requests that information (which also means that the company must keep this information in such a way that the company can retrieve it and deliver it on command).

What Does This Mean For My Company?

Long story short, service providers serve an important function in the modern economy. Very few companies perform all of their services in-house, and service providers in given areas are much more likely to be specialists who can complete important tasks for a fraction of the money and time.

However, it is important to make sure that companies contracting with vendors take the steps necessary to ensure that they remain service providers and not third parties. This includes making sure that the vendor contracts obligate the vendor to all of the duties required for service providers under the CCPA. It also means making sure that the companies are not sharing personal information beyond what is “necessary to perform a business purpose” (and that the service provider isn’t itself gathering data beyond what is necessary for the “business purpose”).

Companies also need to remember that when they enable the consumer request infrastructure, they need to set up a system to notify the service provider as well so that the service provider will also delete the data it has on hand.

As long as companies are mindful of the vendors they retain and the services they are outsourcing, and are proactive with their vendor agreements, there is no reason why companies can’t remain compliant with the CCPA.

Stay tuned for more updates and analysis as we close in on January 1.

Disclaimer: This information is given for legal education only. This post is not legal advice and does not create an attorney-client relationship. Please contact an attorney for legal advice.
Daniel J. Zarchy