The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted and plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
Q. Are all vendors considered “service providers” under the CCPA?
In order to be considered a “service provider” for the purposes of the CCPA, an entity must process personal information “on behalf of a business.”1 In addition, the vendor must be bound by a written contract that prohibits it from
As a result, there are a number of situations in which a business may use a vendor that does not qualify as a “service provider” under the CCPA. These include situations where:
In comparison, the European GDPR does not use the term “service provider” and, instead, refers to “processors.” While processors within the GDPR are defined in a similar manner to “service providers” within the CCPA, the GDPR is far more prescriptive regarding the contractual terms that must be present in a processor agreement. Specifically, the GDPR requires that a controller and a processor clearly set forth the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data involved, the categories of data subjects involved, the obligations and the rights of the controller, and the following substantive provisions:
1. CCPA, Section 1798.140(v).
2. CCPA, Section 1798.140(v).
3. CCPA, Section 1798.140(v).
4. CCPA, Section 1798.140(v).
5. GDPR, Article 28(3)(a).
6. GDPR, Article 28(3)(b).
7. GDPR, Article 28(1), (3)(c); GDPR, Article 32(1).
8. GDPR, Article 28(2), 28(3)(d).
9. GDPR, Article 28(3)(d); GDPR, Article 28(4).
10. GDPR, Article 28(3)(d).
11. GDPR, Article 28(3)(e); GDPR, Article 12-23.
12. GDPR, Article 28(3)(f); GDPR, Article 33-34.
13. GDPR, Article 28(3)(f); GDPR, Article 35-36.
14. GDPR, Article 28(3)(g).
15. GDPR, Article 28(3)(h).
16. GDPR, Article 28(3)(a); GDPR, Article 46.