Under the California Consumer Privacy Act (CCPA), determining whether or not a vendor qualifies as a service provider is a vital component of becoming and staying compliant. While California residents have the right to opt out of the sale of their personal information to "third parties", service providers are, by definition, not third parties. This means that transfers or disclosures of personal information to service providers are exempt from the right to opt out.
This is important because the data privacy law imposes several additional responsibilities on businesses that sell personal information. They must disclose the sale to consumers in their privacy policy, give consumers a way to opt out, and post a "Do Not Sell My Personal Information" link on their homepage. Because the CCPA's definition of selling personal information is somewhat vague, having a bright line that exempts disclosures to service providers is a big benefit for businesses.
The California Privacy Rights Act (CPRA), sometimes called CCPA 2.0, makes many significant changes to the existing law, including adding a new type of outside party: the "contractor." The role of contractors in the amended CCPA is very similar to that of service providers. They are not considered third parties, so disclosures of personal information to contractors are exempted from the law's definition of a sale.
Though CCPA service providers and contractors are similar, they are not identical. Here we'll go over the differences between the two and what it means for businesses.
As amended by the CPRA, the CCPA defines a service provider as:
A person that processes personal information on behalf of a business and that receives from or on behalf of the business a consumer's personal information for a business purpose pursuant to a written contract.
The definition of a contractor is similar:
A person to whom the business makes available a consumer's personal information for a business purpose, pursuant to a written contract with the business.
A "person" in this sense isn't limited to an individual; it also includes partnerships, corporations, nonprofits, and basically any other kind of organization or group. Additionally, the written contract with a service provider or contractor must contain certain provisions limiting the use and retention of consumers' personal information (discussed in the next section).
There are a few subtle distinctions between the two definitions. The definition of a contractor seems to be broader; it is anyone to whom a business makes available consumers' personal information for a business purpose, as opposed to a service provider who must "process information" for a business. However, the contractor must receive the personal information directly from the business, whereas a service provider may receive personal information "on behalf of the business". This implies a greater degree of control by businesses over contractors, which is reinforced by the differences in contract requirements as discussed below.
When making the determination whether a vendor is a service provider, the biggest hurdle is usually the contract requirement. The CCPA states that, in order to qualify for the exemption, the vendor's contract with a business must have certain provisions restricting its use of consumers' personal information to what is necessary to provide its services. These requirements have expanded under the CPRA. In their contracts, both service providers and contractors must be prohibited from:
For contractors, however, there are two additional requirements that must be included in the contract. These are:
Both of these provisions suggest a higher level of control by businesses over contractors than exists with service providers. This is particularly evident in the permission to monitor a contractor's compliance (a service provider contract may include this permission, but it's not required). Businesses are generally not liable for CCPA violations by their service providers or contractors unless they have actual knowledge of the violation, but the ability to monitor a contractor may create a legal responsibility for them to do so in some situations (for example, if the business had some reason to believe the contractor was not in compliance).
Overall, extending the service provider exemption to contractors is good news for businesses. It makes sense for businesses to be able to make information available to contractors, provided there are some safeguards. As for compliance, there are two practical implications.
First, businesses that are already CCPA compliant must check all of their service provider contracts to verify whether they meet the additional requirements from the CPRA. If the changes are not put in writing, the vendor will not qualify as a service provider. This will essentially require a repeat of the original onboarding process.
Second, agreements with contractors must be updated to meet all of the law's requirements. Luckily, as businesses usually have more control over their contractors, this should be as simple as creating a CCPA-compliant addendum for them to sign.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.