ARTICLE
27 December 2019

CCPA QOTD: Isn't Every Vendor A "Service Provider" Under The CCPA?

M
Mintz

Contributor

Mintz logo
Mintz is a general practice, full-service Am Law 100 law firm with more than 600 attorneys. We are headquartered in Boston and have additional US offices in Los Angeles, Miami, New York City, San Diego, San Francisco, and Washington, DC, as well as an office in Toronto, Canada.
Explore Firm Details
The short answer is "no". The CCPA has a specific definition for "service provider" at Section 1798.140(v) – see our annotated version of the CCPA here
United States Privacy
Photo of Cynthia J. Larose
Authors

The short answer is "no". The CCPA has a specific definition for "service provider" at Section 1798.140(v) – see our annotated version of the CCPA here – and it also requires a vendor to be bound by a written contract that prohibits it from:

  • Retaining the personal information for "any purpose other than for the specific purpose of performing the services specified in the contract ... or as otherwise permitted by this title"
  • Using the personal information "for any purpose other than for the specific purpose of performing the services specified in the contract ... or as otherwise permitted by this title"
  • Disclosing the personal information "for any purpose ..." you get the drift. See Section 1798.140(v)

Your CCPA-covered business could be using vendors that do not qualify as "service providers" under the CCPA, particularly where the vendor is permitted to make independent decisions about the use/disclosure of the personal information. Service providers may retain/use/disclose information for its own purposes if it is aggregated or de-identified --- but note that the standards under the CCPA are not crystal clear.

The reason all of this is important under the CCPA is that extremely broad definition of "sell," (Section 1798140(t)(1)) that states that business that shares personal information with a service provider is not "selling" the personal information if the service provider is prohibited from using the personal information for its own purposes (Section 1798.140(t)(2)(C)). We are awaiting further guidance on how interpretation of the CCPA will view whether use by a vendor of personal information received from a customer to improve products or services generally would cause those transfers to be a "sale." Stay tuned.

We'll be taking a few days off for the holidays (and to continue working on CCPA projects.....), but will be back!

Happy Holidays to all and thanks for reading!

The Mintz Privacy Team

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Cynthia J. Larose
Cynthia J. Larose
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More