One of the essential exemptions to being considered a seller of personal data under the CCPA is the ‘service provider’ exemption.
One of the essential exemptions to being considered a seller of personal data under the CCPA is the ‘service provider’ exemption.
Explore more privacy compliance insights and best practices
According to the CCPA, a business will only be exempt from being considered a seller of personal information where such an entity utilizes or shares with the service provider, consumer data under these conditions;
The CCPA identifies a service provider as a for-profit legal party that processes personal data on behalf of companies according to the terms of a written agreement for a business purpose.
Concerning service providers, the CCPA identifies the following activities as constituting a business purpose;
Primarily, the processing can only be considered to be a business purpose, if the service provider uses it in a way that is reasonably necessary and proportionate to achieving the operational objective for which it was collected or processed.
Yes.
Broadly, the CCPA defines a service provider as a ‘sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for profit or financial benefit of its shareholders or other owners.’
Characteristically, an independent contractor qualifies as a sole proprietor, although in some cases, they may choose to establish a Limited Liability Company (LLC) or an S-corporation to safeguard personal assets from liability.
Therefore, irrespective of the legal form that an independent contractor prefers, he/she can be technically be considered a service provider if they satisfy the other conditions mentioned above.
Essentially, businesses that get an authentic request from a user to delete their data are required to ask any of their service providers to delete the information in question from their database.
Similarly, the exceptions that allow a company to deny a consumer request under the right to delete personal information apply to service providers.
Can a service provider use and transfer personal information if they anonymize or aggregate it?
The CCPA makes it clear that a service provider must not retain, use, or disclose the personal information (it receives from a business) for any purpose except:
However, the CCPA also states that nothing within it limits a business’ ability to ‘collect, use, retain, sell, or disclose personal information’ that is ‘de-identified’ or ‘aggregated.’
Therefore, if a service provider intends to keep, use, or reveal the information that it receives from a client, the data must first be anonymized or aggregated to convert it from personal data to non-personal information.
Businesses that share personal information with a service provider are not responsible for the actions of the service provider unless the company has actual knowledge or justification that, at the time of disclosing personal information, the service provider plans to violate the CCPA.
Similarly, service providers are not liable for the obligations of a business under the CCPA.
The CCPA defines a business as any entity that determines the purposes and means of the processing of personal information and meets at least one the following thresholds;
The CCPA does not define when a company is considered the determinant of the means and purposes of processing personal data. However, it is conceivable that if a service provider violates the contractual restrictions against retention, use, and disclosure of consumer data, and meets the thresholds of what is considered a business under the CCPA, then they can no longer be considered a service provider.
Schedule a call with us today and get expert guidance on our solution and how we can support your CCPA compliance journey.
Schedule a call to learn more
Learn more about CCPA compliance with our comprehensive guide on how to become CCPA compliant.
Download our CCPA eBook,
