March 9, 2020

CCPA Service Provider Exception: FAQs and Answers

One of the essential exemptions to being considered a seller of personal data under the CCPA is the ‘service provider’ exemption. 

One of the essential exemptions to being considered a seller of personal data under the CCPA is the ‘service provider’ exemption. 

According to the CCPA, a business will only be exempt from being considered a seller of personal information where such an entity utilizes or shares with the service provider, consumer data under these conditions;

  • It is vital for the performance of a business purpose
  • The service provider does not further collect, sell, or use  personal information
  • The business has provided a notification that information is being used or shared in its privacy policy

Who is a Service Provider?

The CCPA identifies a service provider as a for-profit legal party that processes personal data on behalf of companies according to the terms of a written agreement for a business purpose. 

What is a Business Purpose under the CCPA?

Concerning service providers, the CCPA identifies the following activities as constituting a business purpose;

  • Quality control activities
  •  Auditing
  • Uncovering security incidents and fraud mitigation
  • Troubleshooting errors that impair required functionality
  • Short-term use granted it is not revealed to a third-party or utilized to create a profile of the consumer
  • Activities such as customer service, fulfilling orders, processing payments, advertising marketing, or analytics
  • Internal research for technological expansion

Primarily, the processing can only be considered to be a business purpose, if the service provider uses it in a way that is reasonably necessary and proportionate to achieving the operational objective for which it was collected or processed.

Can an Independent Contractor be Considered a Service Provider under the CCPA?

Yes.

Broadly, the CCPA defines a service provider as a ‘sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for profit or financial benefit of its shareholders or other owners.

Characteristically, an independent contractor qualifies as a sole proprietor, although in some cases, they may choose to establish a Limited Liability Company (LLC) or an S-corporation to safeguard personal assets from liability. 

Therefore, irrespective of the legal form that an independent contractor prefers, he/she can be technically be considered a service provider if they satisfy the other conditions mentioned above.

What is the Effect of the CCPA’s Right to Deletion on Service Providers?

Essentially, businesses that get an authentic request from a user to delete their data are required to ask any of their service providers to delete the information in question from their database. 

Similarly, the exceptions that allow a company to deny a consumer request under the right to delete personal information apply to service providers.

Can a Service Provider Use and Transfer Personal Information if they Anonymize or Aggregate It?

Can a service provider use and transfer personal information if they anonymize or aggregate it?

The CCPA makes it clear that a service provider must not retain, use, or disclose the personal information (it receives from a business) for any purpose except:

  • For processing personal information on behalf of a business according to a contract
  • For working with a subcontractor who is compliant under the CCPA
  • For internal use for improving the quality of services
  • To detect incidents or fraudulent activity and
  • To comply with any applicable laws.

However, the CCPA also states that nothing within it limits a business’ ability to ‘collect, use, retain, sell, or disclose personal information’ that is ‘de-identified’ or ‘aggregated.’

Therefore, if a service provider intends to keep, use, or reveal the information that it receives from a client, the data must first be anonymized or aggregated to convert it from personal data to non-personal information.

Are Businesses Liable for the Actions of the Service Provider and Vice Versa?

Businesses that share personal information with a service provider are not responsible for the actions of the service provider unless the company has actual knowledge or justification that, at the time of disclosing personal information, the service provider plans to violate the CCPA. 

Similarly, service providers are not liable for the obligations of a business under the CCPA.

When Would a Service Provider be Considered a Business for the Purposes of the CCPA?

The CCPA defines a business as any entity that determines the purposes and means of the processing of personal information and meets at least one the following thresholds;

  • Has an annual gross revenue of more than $25 million
  • Processes personal information of at least 50,000 residents of California
  • Obtains at least 50% of its revenue from the sale of personal information

The CCPA does not define when a company is considered the determinant of the means and purposes of processing personal data. However, it is conceivable that if a service provider violates the contractual restrictions against retention, use, and disclosure of consumer data, and meets the thresholds of what is considered a business under the CCPA, then they can no longer be considered a service provider.

Schedule a call with us today and get expert guidance on our solution and how we can support your CCPA compliance journey.

Additional Resources;

Learn more about CCPA compliance with our comprehensive guide on how to become CCPA compliant.

Download our CCPA eBook,