Your understanding of what counts as a ‘sale’ and who qualifies as a ‘service provider’ under the California Consumer Privacy Act (CCPA), inclusive of relevant exceptions, is crucial to your company’s preparation for compliance with this law.
With the CCPA set to take effect from January 1, 2020, the Attorney General of California released the law’s draft regulations, which are meant to provide clarity to specific sections of the regulation before the enforcement date.
This article focuses on Section 999.314 of the proposed regulations, which sheds light on the exceptions for the CCPA ‘Service Provider’ and outlines how service providers should handle data subject requests under this law.
Who is a CCPA Service Provider?
Any entity run for profit which ‘processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose according to a written contract’ qualifies as a ‘service provider.’
However, transferring a consumer’s data to a service provider is generally an exception to what counts as a ‘sale’ under the CCPA. Primarily, a ‘sale’ involves the trading, renting, release, transfer, disclosure, dissemination, communication, or the availing of a California resident’s ‘personal information’ for either monetary value or other valuable consideration.
Therefore, in instances where such an exception applies, specific consumer request requirements created by the CCPA are not activated. The draft regulations released by California’s Attorney General clarify that an individual or entity can be deemed a service provider even though they may be offering services to a third party that is not considered a ‘business’ under the CCPA.
This clarification came in the wake of public concern that the CCPA, as written, would not have obliged a service provider to address consumer requests in instances where the relevant party, a non-profit or government agency, would not otherwise be required to comply.
How do Service Providers Manage Consumer Requests?
According to the CCPA draft regulations, service providers are not allowed to use personal information obtained from their corporate clients to provide services to another entity. This action is only permissible if the data in question is crucial either to identifying data security incidents or to deterring illegal activities.
The original text of the CCPA permitted the sharing of personal data that was ‘reasonably necessary and proportionate to achieve the operational purpose’ of the subject service contract. The shortcoming of this statement was the lack of clarity regarding what would be deemed as ‘reasonably necessary and proportionate.’
The CCPA draft regulations introduce new requirements on service providers that get access or deletion requests from consumers regarding the data they collect on behalf of their corporate clients. If a service provider fails to address either of these requests, they must explain to each affected user the reasoning behind this denial. Additionally, they must inform each affected consumer that his/her request should be lodged directly with the corporate entity for whom the service provider stores the data.
Lastly, California’s Attorney General is aware that a service provider can meet the CCPA’s definition of a ‘business’ in specific circumstances. In this regard, the draft regulations make it clear that any service provider that otherwise satisfies the business definition in its direct engagements with consumers shall independently comply with CCPA and its implementing regulations in relation to any consumer data it collects, stores or sells apart from its role as a service provider.
With the deadline for CCPA compliance less than eight weeks away, service providers need to stay up-to-date with the latest amendments to the language of this data privacy law to ensure their efforts meet the updated requirements.