CCPA Service Provider: The Key Qualifications


By Blog, CCPA, Data Privacy

‘Service Provider’ is one of the three main entities recognized in the CCPA apart from ‘business’ and ‘third-party.’ 

Businesses that fall under this category are required to satisfy specific provisions to ensure that their activities are in compliance with California’s data privacy law. 

Who is a CCPA Service Provider?

Under the California Consumer Privacy Act of 2018, a service provider is defined based on four primary conditions. 

You qualify as a service provider if you are a legal entity that;

  • Is for-profit 
  • Processes personal data on behalf of a business
  • Receives disclosures of personal information from a company for a business purpose
  • Acts in accordance with a written agreement that restricts it from keeping, using, or sharing personal information apart from the specific purpose of delivering the services outlined in the contract. 

What is a Business Purpose under the CCPA?

Concerning service providers, the CCPA identifies the following activities as a business purpose;

  • Quality control activities
  •  Auditing
  • Uncovering security incidents and fraud mitigation
  • Troubleshooting errors that impair required functionality
  • Short-term use granted it is not revealed to a third-party or utilized to create a profile of the consumer
  • Activities such as customer service, fulfilling orders, processing payments, advertising marketing, or analytics
  • Internal research for technological expansion

The processing can only be considered to be a business purpose if the service provider uses it in a way that is reasonably necessary and directly vital to achieving the aim for which it was collected or processed.

What is the Difference between a Business and a Service Provider? 

The CCPA describes a ‘business’ as any legal entity that meets the following requirements;

  • Its is for-profit
  • It collects and processes the personal data of California consumers, devices, and households
  • Determines the purposes and means of the processing of personal information
  • Meets one of the following criteria;
  • Generates a yearly gross revenue of more than $25 million
  • Purchases or receives for commercial reasons, sells, and shares, the personal information of at least 50, 000 California consumers, gadgets, or households for commercial reasons.
  • Obtains more than 50% of its yearly gross income from selling the personal data of users from California. 

Therefore,  a ‘business’ controls the purposes and ways of processing personal information while a ‘service provider’ processes user data on behalf of the business.  

How does the CCPA Regulate the Use of Personal Information by Service Providers?

The CCPA has specific requirements about how service providers use consumer information to be considered as being compliant with California’s data privacy regulations.

Apart from providing services on behalf of a business in line with a written agreement, service providers are permitted to; 

  • Retain and subcontract their services to another CCPA compliant entity 
  • Use the information internally to improve the quality of its services provided it does not change user profiles or clean data it has received from a different source
  • Identify security issues 
  • Protect against illegal activities 
  • Address consumer requests under the rights to know or delete if the user sends a request. 

In addressing a right to know or right to delete request, service providers can either;

  • Make the requested information available or delete it on behalf of the business in case of a right to know or right to delete request from a user. 
  • Alert the user that it cannot respond to the request due to its role in the processing of their information. 

Additionally, service providers are required to;

  • Satisfy legal compliance obligations
  • Comply with court inquiries, investigations, and subpoenas
  • Cooperate with law enforcement bodies concerning possible unlawful activities
  •  Exercise or defend legal claims

What are Penalties for CCPA Non-compliance for Service Providers

The California Attorney General can open a civil case against a service provider if; 

  • The entity is accused of violating CCPA requirements and fails to resolve the infringement within a period of 30 days with the fine for every violation set at $2500, while an intentional violation attracts an extra penalty that can go up to $7500 for every infringement 

Furthermore, the CCPA also allows California consumers to file a civil lawsuit against a business that infringes on their privacy protections under the CCPA. 

You also need to be aware that the businesses are not held accountable for the actions of a service provider acting on its behalf if the business does not have ‘actual knowledge or reason to believe’ that the service provider intends to abuse CCPA requirements. 

What is Included in a Service Provider Contract under the CCPA? 

According to the Californian Consumer Privacy Act, vendor agreements must;

  • Restrict service providers from selling the user data they receive or collect
  • Bar the vendor from holding, using, or sharing the personal data for any other reason apart from the one specified in the written agreement 
  • Limit the service provider from keeping, using, or disclosing the information for other purposes apart from the direct business relationship between the vendor and the business. 
  • Have a credential from the vendor that shows the servicer provider is aware of the prohibitions and will adhere to them. 

Schedule a call with us today and get expert guidance on our solution and how we can support your CCPA compliance journey.

Alternatively, sign up for a free trial of our CCPA compliance solution.

Additional Resources;

Learn more about CCPA compliance with our comprehensive guide