Since the General Data Protection Regulation (GDPR) was introduced in 2018, data protection has been widely discussed, and other laws have followed, such as the California Consumer Privacy Act of 2018 (CCPA).
But the CCPA is complex, and it's essential to understand what it means for your business. You can also learn how the GDPR compares to the CCPA. Today, let's take a look at the exceptions and obligations of a service provider under the CCPA.
Note: The successor to the CCPA, the California Privacy Rights Act (CPRA), went into effect on January 1, 2023. Learn more in our latest blog post on the CPRA.
What is a service provider under CCPA?
Who is subject to the California Consumer Privacy Act? The CCPA has a specific definition of a service provider, and it distinguishes a service provider from a business and from the other parties you may deal with.
CCPA service provider definition
If you look up the CCPA definition of a service provider, you’ll see it is any legal entity that offers and completes work on behalf of a business, where that work involves identifying data shared with it, such as an address, a name, or anything else that would identify an individual.
CCPA service provider vs. third party
The CCPA defines a third party by exclusion. A third party is not the entity that collects identifying data from consumers. Per the CCPA, a third party is also not the service provider with whom the business shares personal information for business purposes.
CCPA service provider vs. business
The California Consumer Privacy Act affects organizations that fit the description for a business (even if it's not based in California). The CCPA defines a business as:
- An entity that’s for-profit,
- Collects users' personal data,
- Has a system for managing the data,
- Has customers in the state of California,
- And has an annual revenue of more than $25 million, processes the personal information of 50,000 California residents per year, or earns half of its annual revenue from selling identifying data.
The criteria above are specific, but many organizations meet them, including organizations outside California. For example, a business in England that fits the CCPA's definition of a business is obligated to comply with the CCPA.
Is your vendor a CCPA service provider?
To comply with the CCPA, the vendor is required to have a written contract that ensures any identifying data is used only for the specific business purposes outlined in the contract and nothing else.
The CCPA may not consider a vendor a service provider if there is no written contract involved. If there is a contract, but it allows the vendor to retain, use, or disclose the identifying data for other purposes, the vendor may not be considered a service provider under the CCPA guidelines.
CCPA service provider exceptions: obligations, contract, and violations
To comply with the CCPA, a service provider must meet specific obligations and have certain items in the contract. If a CCPA service provider agreement doesn't meet the requirements or if the service provider doesn’t abide by the obligations, there are penalties in place.
CCPA service provider obligations
A service provider must have a written contract binding itself and the business it will be working with. The contract must state the services that will be provided, along with any identifying information that will be used. Any work that goes forward (and any data associated with it) should be limited to what the contract includes.
Once the services are completed, the business should send the service provider a verified consumer request, asking it to delete the identifying data from its records. As a result, the service provider has to have a program or a service that accepts verified consumer requests.
CCPA service provider contract requirements: mandatory information and clauses
The CCPA service provider contract must specify the service provider's services for the business. The agreement also has to clearly state that the service provider cannot keep, use, or disclose personal information unless related to the services listed.
The contract must make it clear that selling personal information is prohibited. The contract will also certify that the receiver clearly understands all of the requirements and will meet them.
A business may also require the service provider to accept and complete deletion requests from consumers. Another requirement could be security practices related to the identifying data, such as redaction and encryption, network security, and physical document protection.
Violations and sanctions
If the CCPA service provider requirements aren’t met, there are sanctions in place. Violation of the CCPA can include a sanction of up to $7,500 for each intentional violation and $2,500 for each unintentional violation.
How can you avoid these sanctions? By collecting data across every touchpoint with the Didomi consent and preference management technology. CCPA compliance will no longer be a matter of guesswork. With our solutions you’ll be able to:
- Build real-time, customer-friendly interfaces that inform your users about the data collected and allow them to personalize their consent choices and preferences;
- Effectively collect, store, manage, and provide proof of user consent across digital assets and physical data collection points;
- Prove the robustness of your data practices to users and regulators thanks to a clear data inventory that supports CCPA consumer requests.
97% of companies have seen benefits like a competitive advantage or investor appeal from investing in privacy (Cisco 2019 Consumer Privacy Survey).
Do you feel inspired? Do you want to implement a consent management solution yourself? Book a demo with one of our CCPA experts. We’ll be happy to answer any queries you may have.
CCPA & Service provider FAQ
Is an independent contractor considered a service provider?
An independent contractor is considered a service provider in certain situations. Under the CCPA, a service provider is any for-profit entity that collects identifying information, which includes common legal structures such as sole proprietorships or LLCs. Any entity (even a solopreneur or small business) can be considered a service provider if it fits the CCPA’s definition.
Can a service provider transfer or use anonymized identifying data?
A service provider can transfer or use anonymized identifying data. As it stands, the CCPA requires any service provider to use identifying information as it’s related to the services completed (in the contract) and nothing else.
In a situation where the service provider wants to use, keep, or otherwise work with the personal information, it can convert the data so that it is non-identifiable. As long as no one can identify who the data is about in any way, the CCPA does not prohibit this.
However, the CCPA does require a service provider to have safeguards against reidentifying the information, along with policies or procedures that prohibit reidentification.
What is a CCPA service provider addendum?
A CCPA service provider addendum is attached to the written contract and clarifies who the service provider is. The addendum also makes clear that the service provider will only use, keep, or disclose personal data for the purposes outlined in the contract, that it will not sell the data, and that it understands all of the restrictions and agrees to comply.
The CCPA service provider addendum should also provide information related to compensation for loss, and what actions will take place if the privacy law changes while the contract is active.
Is a business responsible if its service provider violates the CCPA?
In most cases, a business is not responsible if its service provider violates the CCPA. If, however, the business has knowledge of the data breach, it may be held accountable.
A commercial Consent Management Platform — such as Didomi — will ensure compliance in an evolving ecosystem without sacrificing performance or data visualization.
Contact Didomi for any CCPA compliance queries or more information on our solutions. We'll ensure you achieve compliance in everything you do.