July 24, 2024
CCPA Checklist: Vendor Classification

Vendor Classification

Vendor classification is really an extension of data mapping, but it’s such a large and complicated task that it deserves its own checklist. During this process, businesses must examine each of their vendors and determine whether they qualify as a CCPA service provider. Disclosures to service providers are exempted from the CCPA’s definition of selling personal information, so they are not covered by a consumer’s request to opt out. For this reason, it is a very important step.

  • Review the CCPA's definition of "service provider." The data privacy law’s contract requirement for service providers is usually the most relevant issue.
  • Create a list of all vendors to whom you disclose consumers' personal information. This information should already be in your business’s data map.
  • Classify each vendor as either a service provider or a third party. Service providers are not considered third parties, so no disclosure of personal information to a service provider is a sale.
  • Determine if disclosures to third parties count as selling or sharing personal information. Any sale or sharing of consumers’ personal information brings additional responsibilities under the CCPA.
  • Update the data map with the results. This will help you make the proper disclosures to consumers and respond to requests to opt out.
  • Identify where consumers' personal information is stored. This will make it much easier to respond to consumers’ privacy requests.

Steps for Classifying Individual Vendors

1. Review the written contract to see if it contains either:

  • A statement that the vendor is a service provider as defined by the CCPA, or
  • A statement that the vendor will not: sell or share the personal information; retain, use, or disclose the personal information for any purpose other than performing the services specified in the contract; or combine the personal information with personal information from other sources.

If the answer is yes, classify the vendor as a service provider. If the answer is no, proceed below.

2. Contact the vendor and ask:

  • Will the vendor execute a data privacy agreement (DPA)? A DPA is an addendum to the vendor contract that meets the CCPA’s data privacy requirements.
  • If the answer is yes, classify the vendor as a service provider. If the answer is no, then classify the vendor as a third party and proceed below.

3. Determine if it is a sale or sharing of personal information:

  • Does the vendor use the provided personal information to create a profile about consumers?
  • Does the contract explicitly allow the vendor to retain, use, or disclose personal information for its own purposes?

If the answer to either of these questions is yes, the best course of action is to treat the transaction as a sale of personal information. If the contract is completely silent about what the vendor can do with consumers’ personal information, it’s a gray area. The cautious approach would be to treat these disclosures as selling, even though they may not fall under the CCPA’s definition.

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.