Understanding what a service provider is within the context of the California Consumer Privacy Act (CCPA) is central to understanding a business’s responsibilities under that law. CCPA compliance imposes legal obligations on any processing of consumers’ personal information, but those obligations are enhanced when the processing is considered to be “selling” or “sharing” personal information. If they sell or share data, businesses must disclose that fact, give consumers a way to opt out, and obtain prior consent for consumers under the age of 16.

The service provider classification is important because disclosures of personal information to service providers are not considered selling or sharing. Service providers can go onto a kind of “safe” list, where you can be sure the enhanced obligations of sharing and selling do not apply.

Before jumping into the legal definition of service provider, it’s important to note that “selling” and “sharing” have specific meanings under the CCPA. Selling means making personal information available to a third party for monetary or other valuable consideration. “Other valuable consideration” could include granting access to consumers’ data in exchange for free or discounted software. Sharing means using consumer data for the purpose of cross-context behavioral advertising, i.e., interest-based advertising or retargeting.

Read more:
Is Sharing the Same as Selling Under the CCPA?

CCPA Definition of Service Provider

A service provider is any person or company that processes personal information on a business’s behalf pursuant to a written contract, provided that contract meets specific requirements. The contract must prohibit the service provider from using the data for its own purposes. Specifically, the service provider must be prohibited from the following:

• Selling or sharing the personal information
• Retaining, using, or disclosing the personal information for any purpose other than for the purposes specified in the contract
• Retaining, using, or disclosing the personal information outside of the direct relationship between the business and service provider
• Combining the personal information it receives from the business with personal information from other sources.

Beyond these requirements that are specific to service providers, the CCPA also requires that any sale, share, or disclosure of personal information to another party must be pursuant to a contract that does the following:

• Specifies that the personal information is sold, shared, or disclosed only for limited and specified purposes
• Obligates the other party provider to comply with the CCPA and provide the same level of protection as is required by that law
• Grants the business the right to take reasonable and appropriate steps to ensure the personal information is being used in a manner consistent with the business’s CCPA obligations
• Requires the other party to notify the business if it determines it can no longer meet its CCPA obligations
• Grants the business the right to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information

The upshot of all these requirements is that CCPA compliance requires businesses to review all of their contracts with vendors and determine if they meet the service provider standards.

What If a Vendor Isn’t a Service Provider?

Most businesses that are reviewing the vendor contracts will encounter at least a few that don’t meet the CCPA’s requirements for service providers. This leads to some inevitable questions: What does it mean if a vendor isn’t a service provider? Is this automatically considered to be selling personal information? Do I have to stop using this vendor?

Unfortunately, the CCPA is not very clear in its answer to these questions. Outside parties that receive personal information are divided into three categories: service providers, contractors (which must meet similar requirements), and third parties. If your vendor’s contracts don’t meet all of the service provider requirements, that vendor is probably a third party.

Third parties are the most suspect category of data recipients, but a disclosure of personal information to a third party is not necessarily a sale. A sale requires the business to receive some valuable consideration in exchange for the data, so the law has created a gray area where it’s not completely clear what the business’s obligations are regarding disclosures to a third party that are not considered selling.

As a practical matter, however, relying on this is not advantageous for businesses because it puts them on the defensive. If the California Privacy Protection Agency audits your company and argues that disclosing data to one of your vendors is considered a sale because they’re not a service provider, you will be in a position where you have to demonstrate that you have received no valuable consideration from them, rather than simply showing the written contracts showing that the vendor is a service provider.

Therefore if one or more of your vendors does not have service provider language in their contracts, the better course of action is to reach out and ask them to execute a data protection addendum (DPA) that contains all of the required language. If they are not willing to sign a DPA, you may want to consider finding a different vendor.