Understanding what a service provider is within the context of the California Consumer Privacy Act (CCPA) is central to understanding a business’s responsibilities under that law. CCPA compliance imposes legal obligations on any processing of consumers’ personal information, but those obligations are enhanced when the processing is considered to be “selling” or “sharing” personal information. If they sell or share data, businesses must disclose that fact, give consumers a way to opt out, and obtain prior consent for consumers under the age of 16.
The service provider classification is important because disclosures of personal information to service providers are not considered selling or sharing. A vendor that qualifies as a service provider effectively goes onto a "safe" list: the business can be confident that the enhanced obligations triggered by selling and sharing do not apply to what it discloses to that vendor.
Before jumping into the legal definition of service provider, it’s important to note that “selling” and “sharing” have specific meanings under the CCPA. Selling means making personal information available to a third party for monetary or other valuable consideration. “Other valuable consideration” could include granting access to consumers’ data in exchange for free or discounted software. Sharing means disclosing personal information to a third party for cross-context behavioral advertising, i.e., interest-based advertising or retargeting, whether or not any money or other consideration changes hands.
A service provider is any person or company that processes personal information on a business’s behalf pursuant to a written contract, provided that contract meets specific requirements. The contract must prohibit the service provider from using the data for its own purposes. Specifically, the service provider must be prohibited from the following:
Beyond these requirements that are specific to service providers, the CCPA also requires that any sale, share, or disclosure of personal information to another party must be pursuant to a contract that does the following:
The upshot of all these requirements is that CCPA compliance requires businesses to review all of their contracts with vendors and determine if they meet the service provider standards.
Most businesses that are reviewing the vendor contracts will encounter at least a few that don’t meet the CCPA’s requirements for service providers. This leads to some inevitable questions: What does it mean if a vendor isn’t a service provider? Is this automatically considered to be selling personal information? Do I have to stop using this vendor?
Unfortunately, the CCPA is not very clear in its answer to these questions. Outside parties that receive personal information are divided into three categories: service providers, contractors (which must meet similar requirements), and third parties. If your vendor’s contracts don’t meet all of the service provider requirements, that vendor is probably a third party.
Third parties are the most suspect category of data recipients, but a disclosure of personal information to a third party is not necessarily a sale. A sale requires the business to receive some valuable consideration in exchange for the data, so the law has created a gray area where it’s not completely clear what the business’s obligations are regarding disclosures to a third party that are not considered selling.
As a practical matter, however, relying on this gray area is not advantageous for businesses because it puts them on the defensive. If the California Privacy Protection Agency audits your company and argues that disclosing data to one of your vendors is a sale because the vendor is not a service provider, you will have to demonstrate that you received no valuable consideration from that vendor, rather than simply producing a written contract that establishes the vendor as a service provider.
Therefore, if one or more of your vendors does not have service provider language in their contracts, the better course of action is to reach out and ask them to execute a data protection addendum (DPA) that contains all of the required language. If they are not willing to sign a DPA, you may want to consider finding a different vendor.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.