CCPA RESOURCES CENTER › CCPA COMPLIANCE CHECKLIST
CCPA Compliance: Vendor Classification Checklist
Vendor Classification
Vendor classification is really an extension of data mapping, but it’s such a large and complicated task that it deserves its own checklist. During this process, businesses must examine each of their vendors and determine whether they qualify as a CCPA service provider. Disclosures to service providers are exempted from the CCPA’s definition of selling personal information, so they are not covered by a consumer’s request to opt out. For this reason, it is a very important step.
- Review the CCPA's definition of "service provider"
The data privacy law’s contract requirement for service providers is usually the most relevant issue.
- Create a list of all vendors to whom you disclose consumers' personal information
This information should already be in your business’s data map.
- Classify each vendor as either a service provider or a third party
Service providers are not considered third parties, so no disclosure of personal information to a service provider is a sale.
- Determine if disclosures to third parties count as selling or sharing personal information
Any sale or sharing of consumers’ personal information brings additional responsibilities under the CCPA.
- Update data map with results
This will help you make the proper disclosures to consumers and respond to requests to opt out.
- Identify where consumers' personal information is stored
This will make it much easier to respond to consumers’ privacy requests.
Steps for Classifying Individual Vendors
1. Review the written contract to see if it contains either:
- A statement that the vendor is a service provider as defined by the CCPA
or
- A statement that the vendor will not: sell or share the personal information; retain, use, or disclose the personal information for any purpose other than performing the services that are specified in the contract; or combine the personal information with personal information from other sources
If the answer is yes, classify the vendor as a service provider. If the answer no, then proceed below.
2. Contact the vendor and ask:
- Will the vendor execute a data privacy agreement (DPA)?
A DPA is an addendum to the vendor contract that meets the CCPA’s data privacy requirements.
If the answer is yes, classify the vendor as a service provider. If the answer is no, then classify the vendor as a third party and proceed below.
3. Determine if it is a sale or sharing of personal information:
- Does the vendor use the provided personal information to create a profile about consumers?
- Does the contract explicitly allow the vendor to retain, use, or disclose personal information for its own purposes?
If the answer to either of these questions is yes, the best course of action to treat the transaction as a sale of personal information. If the contract is completely silent about what the vendor can do with consumers’ personal information, it’s a gray area. The cautious approach would be to treat these disclosures as selling, even though they may not fall under the CCPA’s definition.
The Fastest Way to Classify Vendors
Classifying vendors can be slow, complicated, and frustrating. With TrueVault, our compliance experts have already spent hundreds of hours reading Terms of Services from the most commonly used vendors, and incorporated the key details into an easy-to-use automation tool. To save yourself days or even weeks of reviewing lengthy vendor agreements, contact our team today.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.