Under the California Consumer Privacy Act (CCPA), determining whether or not a vendor qualifies as a service provider is a vital component of becoming and staying compliant. While California residents have the right to opt out of the sale of their personal information to "third parties", service providers are, by definition, not third parties. This means that transfers or disclosures of personal information to service providers are exempt from the right to opt out.
The California Privacy Rights Act (CPRA), sometimes called CCPA 2.0, makes many significant changes to the existing law, including adding a new type of outside party: the "contractor". The role of contractors in the amended CCPA is very similar to that of service providers. They are not considered third parties, so disclosures of personal information to contractors are exempted from the law's definition of a sale.
Though CCPA service providers and contractors are similar, they are not identical. Here we'll go over the differences between the two and what it means for businesses.
As amended by the CPRA, the CCPA defines a service provider as:
A person that processes personal information on behalf of a business and that receives from or on behalf of the business a consumer's personal information for a business purpose pursuant to a written contract.
The definition of a contractor is similar:
A person to whom the business makes available a consumer's personal information for a business purpose, pursuant to a written contract with the business.
A "person" in this sense isn't limited to an individual; it also includes partnerships, corporations, nonprofits, and basically any other kind of organization or group. Additionally, the written contract with a service provider or contractor must contain certain provisions limiting the use and retention of consumers' personal information (discussed in the next section).
There are a few subtle distinctions between the two definitions. The definition of a contractor seems to be broader; it is anyone to whom a business makes available consumers' personal information for a business purpose, as opposed to a service provider who must "process information" for a business. However, the contractor must receive the personal information directly from the business, whereas a service provider may receive personal information "on behalf of the business". This implies a greater deal of control by businesses over contractors, which is reinforced by the differences in contract requirements as discussed below.
When making the determination whether a vendor is a service provider, the biggest hurdle is usually the contract requirement. The CCPA states that, in order to qualify for the exemption, the vendor's contract with a business must have certain provisions restricting its use of consumers' personal information to what is necessary to provide its services. These requirements have expanded under the CPRA. In their contracts, both service providers and contractors must be prohibited from:
For contractors, however, there are two additional requirements that must be included in the contract. These are:
Both of these provisions suggest a higher level of control by businesses over contractors than exists with service providers. This is particularly evident in the permission to monitor a contractor's compliance (a service provider contract may include this permission, but it's not required). Businesses are generally not liable for CCPA violations by their service providers or contractors unless they have actual knowledge of the violation, but the ability to monitor a contractor may possibly create a legal responsibility for them to do so in some situations (for example, if the business had some reason to believe the contractor was not in compliance).
Overall, extending the service provider exemption to contractors is good news for businesses. It makes sense for businesses to be able to make information available to contractors, provided there are some safeguards. As for compliance, there are two practical implications that must be addressed by January 1, 2023, when the CPRA becomes effective.
First, for businesses that are already CCPA compliant, they must check all of their service provider contracts to verify whether they meet the additional requirements from the CPRA. If the changes are not put in writing, the vendor will not qualify as a service provider. This will essentially require a repeat of the original onboarding process.
Second, agreements with contractors must be updated to meet all of the law's requirements. Luckily, as businesses usually have more control over their contractors, this should be as simple as creating a CCPA-compliant addendum for them to sign.
Whether your business is just getting started with CCPA compliance or needs to alter its current compliance strategy to match the CPRA, it can be a complex and labor-intensive process. Law firms and consultants are expensive, and companies that do it alone can make costly mistakes while the project drags on for months.
TrueVault Polaris is an attorney-designed software solution that automates the process, so your company can reach full CCPA compliance in less time and at a much lower cost. When it comes to service providers, we've spent hundreds of hours reviewing vendor contracts so you don't have to. Learn more about TrueVault Polaris and contact our team today to get started.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.