What Is A Service Provider Under CCPA
If you own a business, you likely work with a variety of entities in delivering products and services to your customers. These partnerships may take place in a variety of contexts. For example, perhaps you employ an outside company to help create and manage your website. For customer relations and marketing, your business may agree to a contract with an outside firm with a reputation for effective consumer outreach.
In order for your business to thrive in a competitive marketplace, collaboration with other companies may be a necessity. Pursuant to those ends, your business may have to exchange significant amounts of client information with outside vendors. These exchanges of information may be governed by written agreements outlining the parameters of how the vendor may use the data, how the data must be protected, and when the data must be destroyed. Depending on the size of your business, you may have a variety of contractual relationships with outside vendors. The odds are high that these vendors require significant amounts of information to perform the services agreed upon, whether in the context of advertising, website development, or customer outreach.
The CCPA: California Consumer Privacy Act imposes a number of requirements on certain businesses. These requirements include providing consumers with a "Do Not Sell My Personal Information" link and installing a "Do Not Sell My Personal Information" page. These requirements allow consumers to effectively halt the "sale" of their personally identifiable information ("PII") to third parties as defined by the CCPA.
But what if the business in question is not a "third party" under the CCPA but is instead a "service provider?" Provided that certain requirements under the law are met, businesses otherwise prohibited from transferring PII to third parties due to an opt-out request may be permitted to do so if the outside entity is defined as a service provider. This distinction may also bear on what disclosures you must make within your online Privacy Policy. As such, distinguishing between third parties and service providers is critical to understanding your obligations under the CCPA.
The following two topics will be discussed:
- The definition of a service provider under the CCPA
- Compliance requirements for service providers under the CCPA
The definition of a service provider under the CCPA
In order for an entity to be classified as a service provider, it must be:
- A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity;
- That processes information on behalf of a business and receives a consumer's personal information for a business purpose pursuant to a written contract; and
- The contract must prohibit the service provider from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business.
The CCPA draft regulations have provided some additional clarifications regarding the definition of a service provider. Those regulations state that entities that provide services to those that are not "businesses" under the CCPA, such as non-profits or government entities, but otherwise meet the definition of a service provider under the law, are deemed service providers for purposes of the CCPA and the regulations. This means that, at least with respect to the draft regulations, determining who is a service provider is not predicated on whether the service provider is dealing with a covered business under the law. If the above requirements are met, the entity is classified by the State Attorney General as a service provider.
Compliance requirements for service providers under the CCPA
In the context of sales of PII between businesses and third parties, consumers have the ability to opt out of those exchanges. Moreover, businesses must make specific disclosures in their Privacy Policies pertaining to the categories of PII sold as well as categories of third parties that have received the PII.
In the context of exchanges of PII between businesses and service providers, the presence of a service provider means that the CCPA's requirements pertaining to sales may not apply to those transactions (but as discussed below, the regulations make clear that service providers may not engage in sales of PII themselves once a consumer exercises the right to opt out). This additionally means that a business's Privacy Policy will need to accurately distinguish between third parties and service providers when making required disclosures.
Assuming that a service provider is identified in the transaction, the CCPA provides that three requirements must be met for a transaction to fall outside the definition of a "sale" under the law:
- The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose;
- The business has provided notice of the transfer of PII, including within its Privacy Policy; and
- The service provider does not collect, sell, or use the PII except as necessary to perform the business purpose.
Focusing on the obligations of service providers in this context, these entities generally must limit their handling of PII as necessary to perform the "business purpose" of the transaction. A "business purpose" is defined by the CCPA as the "use of personal information for the business' or a service provider's operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected . . . ." Examples of business purposes include the following:
- Monitoring for security incidents
- Counting ad impressions to unique website visitors
- Identifying and repairing errors related to functionality
- Use of the data for internal research for technological purposes
- Activities to maintain the quality or safety of a device or service owned or controlled by the business or activities to upgrade those devices or services
The draft regulations provide additional requirements for service providers to follow:
- A service provider is prohibited from retaining, using, or disclosing PII obtained while providing services except:
  - To process or maintain PII on behalf of the business that provided the PII or directed the service provider to directly collect the PII, provided the contract between the two entities is CCPA compliant;
  - To retain and employ another service provider as a subcontractor, provided that this entity meets the definition of a service provider under the CCPA;
  - For the service provider to improve the quality of its own service, provided that this does not entail changing household or consumer profiles pursuant to providing services to another business, or correcting or augmenting data acquired from another source; or
  - To detect security incidents or protect against fraud or illegal activity.
- A service provider must not sell the PII on behalf of the business when a consumer has opted out of sales of PII
- When receiving a request for disclosures or deletion, the service provider must either inform the consumer they are a service provider and cannot perform the request or act on behalf of the business in responding to the request
Ultimately, determining what entities constitute service providers under the CCPA requires extensive review. This article has provided a general overview of how to first identify an entity as a service provider and subsequently assess how interactions with service providers may impact the compliance obligations of a particular entity. Pursuant to those ends, it is critical for businesses to create data inventories to categorize the PII that has been collected and where it has been transferred and stored. This methodology will ultimately assist in accurately identifying what outside entities have access to the PII, including distinguishing between third parties and service providers. The end result is a clearer picture of the compliance obligations of everyone involved in the lifecycle of the data.
Moreover, contractual relationships will need to be reviewed in order to identify if any service providers are involved. If your business is subject to contractual relationships that limit the use and disclosure of PII, there is a good chance that your business may be a service provider under the CCPA, subject to all applicable requirements and obligations.
For your website's Privacy Policy, it is critical that accurate disclosures are made pertaining to the third parties and service providers that you do business with. To that end, consider Termageddon's Privacy Policy Generator, which provides up-to-date Privacy Policies that help ensure your business remains compliant with the CCPA and other privacy laws.
Tyler is a third year law student attending Seton Hall University School of Law. He is a Certified Information Privacy Professional (CIPP/U.S.) as well as the Founder and President of the Cybersecurity and Privacy Lodge of his law school, a student organization dedicated to exploring major legal issues in all things technology, from information privacy to Artificial Intelligence. The organization is also dedicated to helping law students find career opportunities in the growing fields of cybersecurity and privacy.
Source: https://termageddon.com/ccpa-required-service-providers/
Posted by: johnsonprowell.blogspot.com