The Statute

One area where the CCPA diverges from the GDPR is in the treatment of service providers (called “data processers” by the GDPR). The former cites relatively few mandates to service providers, while the latter devotes much of Chapter IV to regulation of processors, especially Article 28. The CCPA statute defines a service provider as “[a]n entity that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a
written contract.” 1 While any transfer of consumer personal information to another party in exchange for anything of value will almost certainly constitute a sale, the CCPA provides an exception for putative service providers if they meet certain criteria: 2

(i) The business has provided notice of that information being used or shared in its terms and conditions consistent with Section 1798.135 [i.e., a link to a Do Not Sell My Personal Information web page and a description of a consumer’s rights listed in §1798.120, such as the right to opt-out of a sale of his/her personal information].

(ii) The service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose.

The Regulations

The CCPA Regulations add some context to the relationship between businesses and service providers and, while not regulating service providers to the same extend the GDPR regulates data processers, do add some considerations when businesses engage such entities:

  • Businesses that provide services to non-profits or government agencies will be deemed service providers if they otherwise meet the definition: “A business that provides services to a person or organization that is not a business, and that would otherwise meet the requirements and obligations of a “service provider” under the CCPA and these regulations, shall be deemed a service provider for purposes of the CCPA and these regulations.” 3
  • A business that is contracted by another business to gather personal information shall be deemed a service provider if it otherwise meets the definition of one: “ To the extent that a business directs a second business to collect personal information directly from a consumer, or about a consumer, on the first business’s behalf, and the second business would otherwise meet the requirements and obligations of a “service provider” under the CCPA and these regulations the second business shall be deemed a service provider of the first business for purposes of the CCPA and these regulations.” 4
  • Service providers are proscribed from retaining, using, or disclosing personal information obtained in the course of their providing services to a business. Five exceptions apply: 5

1. Cal. Civ. Code §1798.140(v).
2. Cal. Civ. Code §1798.140(t)(2)(C).
3. The CCPA Regulations §999.314(a).
4. The CCPA Regulations §999.314(b).
5. The CCPA Regulations §999.314(c).