Vendor classification is really an extension of data mapping, but it’s such a large and complicated task that it deserves its own checklist. During this process, businesses must examine each of their vendors and determine whether they qualify as a CCPA service provider. Disclosures to service providers are exempted from the CCPA’s definition of selling personal information, so they are not covered by a consumer’s request to opt out. For this reason, it is a very important step.
The data privacy law’s contract requirement for service providers is usually the most relevant issue.
This information should already be in your business’s data map.
Service providers are not considered third parties, so no disclosure of personal information to a service provider is a sale.
Any sale or sharing of consumers’ personal information brings additional responsibilities under the CCPA.
This will help you make the proper disclosures to consumers and respond to requests to opt out.
This will make it much easier to respond to consumers’ privacy requests.
1. Review the written contract to see if it contains either:
If the answer is yes, classify the vendor as a service provider. If the answer no, then proceed below.
2. Contact the vendor and ask:
A DPA is an addendum to the vendor contract that meets the CCPA’s data privacy requirements.
If the answer is yes, classify the vendor as a service provider. If the answer is no, then classify the vendor as a third party and proceed below.
3. Determine if it is a sale or sharing of personal information:
If the answer to either of these questions is yes, the best course of action to treat the transaction as a sale of personal information. If the contract is completely silent about what the vendor can do with consumers’ personal information, it’s a gray area. The cautious approach would be to treat these disclosures as selling, even though they may not fall under the CCPA’s definition.
Classifying vendors can be slow, complicated, and frustrating. With TrueVault, our compliance experts have already spent hundreds of hours reading Terms of Services from the most commonly used vendors, and incorporated the key details into an easy-to-use automation tool. To save yourself days or even weeks of reviewing lengthy vendor agreements, contact our team today.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.