The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff’s friendly ballot initiative.  Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.

Q. Are all vendors considered “service providers” under the CCPA? 

No.

In order to be considered a “service provider” for the purposes of the CCPA, an entity must process personal information “on behalf of a business.”¹ In addition, the vendor must be bound by a written contract that prohibits it from

1. Retaining the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,”²
2. Using the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,”³ or
3. Disclosing the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title.”⁴

As a result there are a number of situations in which a business may use a vendor that does not qualify as a “service provider” under the CCPA.  These include situations where:

• No written contract exists between a business and a vendor.
• A contract exists, but it allows the vendor to retain personal information beyond termination.
• A contract exists, but it allows the vendor to use personal information (in any form) for its own purpose.
• A contract exists, but it allows the vendor to make decisions about the disclosure of personal information.

In comparison, the European GDPR does not use the term “service provider” and, instead, refers to “processors.”  While processors within the GDPR are defined in a similar manner to “service providers within the CCPA, the GDPR is far more proscriptive regarding the contractual terms that must be present in a processor agreement.  Specifically, the GDPR requires that a controller and a processor clearly set forth the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data involved, the categories of data subjects involved, the obligations and the rights of the controller, and the following substantive provisions:

1. Documented Instructions.  The service provider will only process personal data consistent with the controllers documented instructions.⁵
2. Confidentiality.  The service provider must ensure that persons authorized to process personal data have committed themselves to confidentiality.⁶
3. Processor Security. The service provider must implement appropriate technical and organizational measures to secure the personal data that it will be processing.⁷
4. Subcontracting authorization.  The service provider must obtain written authorization before subcontracting, and must inform its client before it makes any changes to its subcontractors.⁸
5. Subcontracting flow down obligations.  The service provider will flow down these obligations to any sub-processors.⁹
6. Subcontracting liability.  The service provider must remain fully liable to the controller for the performance of a sub-processor’s obligations.¹⁰
7. Responding to data subjects.  The service provider will assist its client to respond to any requests by a data subject.¹¹
8. Assisting Controller In Responding to Data Breach.  The service provider will cooperate with its client in the event of a personal data breach. ¹²
9. Assisting Controller In Creating DPIA.  The service provider will cooperate with its client in the event the client initiates a data protection impact assessment.¹³
10. Delete or return data. The service provider will delete or return data at the end of the engagement.¹⁴
11. Audit Right.  The service provider will allow its client to conduct audits or inspections for compliance to these obligations.¹⁵
12. Cross-border transfers.  The service provider will not transfer data outside of the European Union without permission from its client.¹⁶

1. CCPA, Section 1798.140(v).

2. CCPA, Section 1798.140(v).

3. CCPA, Section 1798.140(v).

4. CCPA, Section 1798.140(v).

5. GDPR, Article 28(3)(a).

6. GDPR, Article 28(3)(b).

7. GDPR, Article 28(1), (3)(c); GDPR, Article 32(1).

8. GDPR, Article 28(2), 28(3)(d).

9. GDPR, Article  28(3)(d) Art. 28(4).

10. GDPR, Article 28(3)(d).

11. GDPR, Article 28(3)(e), GDPR, Article 12-23.

12. GDPR, Article 28(3)(f); GDPR, Article 33-34.

13. GDPR, Article 28(3)(f); GDPR, Article 35 – 36.

14. GDPR, Article 28(3)(g).

15. GDPR, Article 28(3)(h).

16. GDPR, Article 28(3)(a); GDPR, Article 46

[View source.]