CCPA QOTD: Isn’t every vendor a “service provider” under the CCPA?

The short answer is “no”. The CCPA has a specific definition for “service provider” at Section 1798.140(v) – see our annotated version of the CCPA here – and it also requires a vendor to be bound by a written contract that prohibits it from:

  • Retaining the personal information for “any purpose other than for the specific purpose of performing the services specified in the contract … or as otherwise permitted by this title”
  • Using the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract … or as otherwise permitted by this title”
  • Disclosing the personal information “for any purpose …” you get the drift. See Section 1798.140(v)

Your CCPA-covered business could be using vendors that do not qualify as “service providers” under the CCPA, particularly where the vendor is permitted to make independent decisions about the use/disclosure of the personal information. Service providers may retain/use/disclose information for its own purposes if it is aggregated or de-identified --- but note that the standards under the CCPA are not crystal clear.

The reason all of this is important under the CCPA is that extremely broad definition of “sell,” (Section 1798140(t)(1)) that states that business that shares personal information with a service provider is not “selling” the personal information if the service provider is prohibited from using the personal information for its own purposes (Section 1798.140(t)(2)(C)). We are awaiting further guidance on how interpretation of the CCPA will view whether use by a vendor of personal information received from a customer to improve products or services generally would cause those transfers to be a “sale.” Stay tuned.

We’ll be taking a few days off for the holidays (and to continue working on CCPA projects…..), but will be back!

Happy Holidays to all and thanks for reading!

The Mintz Privacy Team