Understanding what a service provider is within the context of the California Consumer Privacy Act (CCPA) is central to understanding a business’s responsibilities under that law. CCPA compliance imposes legal obligations on any processing of consumers’ personal information, but those obligations are enhanced when the processing is considered to be “selling” or “sharing” personal information. If they sell or share data, businesses must disclose that fact, give consumers a way to opt out, and obtain prior consent for consumers under the age of 16.
The service provider classification is important because disclosures of personal information to service providers are not considered selling or sharing. Service providers can go onto a kind of “safe” list, where you can be sure the enhanced obligations of sharing and selling do not apply.
Before jumping into the legal definition of service provider, it’s important to note that “selling” and “sharing” have specific meanings under the CCPA. Selling means making personal information available to a third party for monetary or other valuable consideration. “Other valuable consideration” could include granting access to consumers’ data in exchange for free or discounted software. Sharing means using consumer data for the purpose of cross-context behavioral advertising, i.e., interest-based advertising or retargeting.
Read more:
Is Sharing the Same as Selling Under the CCPA?
A service provider is any person or company that processes personal information on a business’s behalf pursuant to a written contract, provided that contract meets specific requirements. The contract must prohibit the service provider from using the data for its own purposes. Specifically, the service provider must be prohibited from the following:
Beyond these requirements that are specific to service providers, the CCPA also requires that any sale, share, or disclosure of personal information to another party must be pursuant to a contract that does the following:
The upshot of all these requirements is that CCPA compliance requires businesses to review all of their contracts with vendors and determine if they meet the service provider standards.
Most businesses that are reviewing the vendor contracts will encounter at least a few that don’t meet the CCPA’s requirements for service providers. This leads to some inevitable questions: What does it mean if a vendor isn’t a service provider? Is this automatically considered to be selling personal information? Do I have to stop using this vendor?
Unfortunately, the CCPA is not very clear in its answer to these questions. Outside parties that receive personal information are divided into three categories: service providers, contractors (which must meet similar requirements), and third parties. If your vendor’s contracts don’t meet all of the service provider requirements, that vendor is probably a third party.
Third parties are the most suspect category of data recipients, but a disclosure of personal information to a third party is not necessarily a sale. A sale requires the business to receive some valuable consideration in exchange for the data, so the law has created a gray area where it’s not completely clear what the business’s obligations are regarding disclosures to a third party that are not considered selling.
As a practical matter, however, relying on this is not advantageous for businesses because it puts them on the defensive. If the California Privacy Protection Agency audits your company and argues that disclosing data to one of your vendors is considered a sale because they’re not a service provider, you will be in a position where you have to demonstrate that you have received no valuable consideration from them, rather than simply showing the written contracts showing that the vendor is a service provider.
Therefore if one or more of your vendors does not have service provider language in their contracts, the better course of action is to reach out and ask them to execute a data protection addendum (DPA) that contains all of the required language. If they are not willing to sign a DPA, you may want to consider finding a different vendor.
If spending dozens of hours reviewing vendor contracts doesn’t sound appealing, you’ll be happy to know there is a better way. TrueVault’s Vendor Database has over 18,000 data points on over 2,000 vendors. Our privacy experts have spent hundreds of hours reading the contracts and DPAs of popular vendors so you don’t have to! Type in the name of your vendor and there’s a good chance we’ve already made a recommendation about whether they are a CCPA service provider.
Access to our Vendor Database is just one of the ways that TrueVault brings privacy compliance within reach of small and medium-sized businesses. Through TrueVault’s guided software experience, you can get your business compliant with the CCPA and other privacy laws on your own, in as little as a few hours.
Contact our team to learn more and schedule a demo.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.
Our attorney-designed software will step-by-step guide you through the compliance process from start to finish.
Request a Demo201 Mission Street, 12th Floor
San Francisco, CA 94105
Email: hello@truevault.com
2022 © All Rights Reserved. Privacy Policy | Terms of Use | California Privacy Notice