What Is a Service Provider?

processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business

The definition of service provider has two parts:

First, a familiar description of what a service provider is – i.e., a company that provides services to a business. This part of the definition includes the additional concept of information disclosure because the CCPA regulates the sharing of personal information. If a business uses a vendor for services but the business does not share any personal information with that vendor, the service relationship is outside the scope of the CCPA. It is only when personal information is shared in the course of a service relationship that the CCPA applies.

Second, the definition of service provider includes a contractual requirement. Not only must the services be provided pursuant to a contract, but the contract must also prohibit the service provider from retaining, using or disclosing the personal information for any purpose other than providing services to the business. It is not enough that the business believes the vendor is not using the personal information for other purposes – the CCPA is clear that the service contract must expressly prohibit any other uses.

An important exception to the limitation on a service provider’s use of personal information exclusively for providing services to the business is that a service provider can use the information for internal purposes, such as building and improving the quality of its services, or to detect data security incidents. A service provider cannot, however, use the information to build a profile on a consumer that it then uses in providing services to other businesses.

Importantly, service providers who violate the restrictions in the CCPA (by, for example, engaging in impermissible uses of personal data, such as building profiles that they use in providing services to other businesses) are liable under the law for any violations. In contrast, the CCPA does not impose any obligations on third parties regarding their use of personal information, which means the consumer and the government may turn to the business itself to pursue legal claims for any impermissible uses by third parties.

A business will protect itself against CCPA-related liabilities by ensuring that the vendors it uses are operating pursuant to an agreement whereby the vendor cannot use any personal information shared by the business for any purpose other than providing services, or for other approved internal purposes.