Understanding the meaning of “service provider” in the CCPA is central to determining a business’s legal obligations under the law. The CCPA imposes numerous obligations on businesses regarding information they collect from consumers. Businesses that sell personal information to third parties have unique additional obligations under the CCPA in comparison to businesses that do not sell personal information. Whether or not a business “sells” personal information depends, in large part, on whether the third parties with whom they share information are considered “service providers” under the CCPA.
The CCPA broadly defines what it means to “sell” personal information. A “sale” of personal information includes any transfer of a consumer’s personal information – including name, email address, IP address, browsing history and many other pieces of information – to a third party if the business receives anything of value in return. That means a business may be selling personal information if it shares that information with a third party and receives a service, or anything of any value, in return. However, a key exception to the sale of personal information is when a business shares personal information with service providers.
While the term “service provider” is expressly defined in the CCPA, the definition requires a close analysis. Under the CCPA, a service provider is a for-profit legal entity (such as a corporation, partnership or LLC) that:
processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business
The definition of service provider has two parts:
First, a familiar description of what a service provider is – i.e., a company that provides services to a business. This part of the definition includes the additional concept of information disclosure because the CCPA regulates the sharing of personal information. If a business uses a vendor for services but the business does not share any personal information with that vendor, the service relationship is outside the scope of the CCPA. It is only when personal information is shared in the course of a service relationship that the CCPA applies.
Second, the definition of service provider includes a contractual requirement. It not only requires that services be provided pursuant to a contract, but the contract must prohibit the service provider from retaining, using or disclosing the personal information for any purpose other than providing services to the business. It is not enough that the business believes the vendor is not using the personal information for other purposes – the CCPA is clear that the service contract must expressly prohibit any other uses.
An important exception to the limitation on a service provider’s use of personal information exclusively for providing services to the business is that a service provider can use the information for internal purposes, such as building and improving the quality of its services, or to detect data security incidents. A service provider cannot, however, use the information to build a profile on a consumer that it then uses in providing services to other businesses.
Importantly, service providers who violate the restrictions in the CCPA (by, for example, engaging in impermissible uses of personal data, such as building profiles that it uses in providing services to other businesses) are liable under the law for any violations. In contrast, the CCPA does not impose any obligations on third parties regarding their use of personal information, which means the consumer and the government may turn to the business itself to pursue legal claims for any impermissible uses by third parties.
A business will protect itself against CCPA-related liabilities by ensuring that the vendors it uses are operating pursuant to an agreement whereby the vendor cannot use any personal information shared by the business for any purpose other than providing services, or for other approved internal purposes.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.