• Contractual provisions that address GDPR requirements will not necessarily cover CCPA requirements.
  • Third parties are entities that are not envisioned under the GDPR.
  • "Service provider" relationships require strict contractual restrictions on what the vendor can do with the information.
  • Any exchange of personal information that is not accompanied by the contractual restrictions required to meet the definition of "service provider" — or what is not a "third party" — is at risk of being found to be a "sale" if there is valuable consideration involved.
  • There are emerging industry proposed solutions that may help address some of the contractual complexities raised by the CCPA.


Many of us understand in theory what the California Consumer Privacy Act means for consumer rights and that it creates a totally new ecosystem of relationships between and among businesses that are covered by the law and other legal entities with whom they do business.

Unfortunately, that new ecosystem bears little resemblance to the controller/processor structure of the EU General Data Protection Regulation and leaves much to be desired when it comes to facilitating the privacy practitioner's job of categorizing and risk-ranking business partners. To make matters worse, the attorney general did not issue draft regulations until October, and those regulations likely will not be finalized until July of 2020.

This white paper is designed to provide a little guidance to those who are struggling to identify different parties in the ecosystem and draft contractual provisions accordingly. It is also intended to become a chapter in the second edition of the IAPP's "Data Processing Agreements" book in 2020.

This white paper is not legal advice. Readers should retain counsel to advise them on privacy practices and contract negotiations/drafting. As the CCPA evolves, moreover, please consult more recent versions of this paper or other updated materials in the IAPP Resource Center.

Definitions of business/service provider/third party under CCPA

The definitions section of the CCPA is primarily found in Civil Code Section 1798.140. The first key definition is "business." What is a covered "business" for purposes of the CCPA?

Section 1798.140(c) defines a "business" as:

(1) A sole proprietorship, partnership, limited liability company, corporation, association or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers' personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:

(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.

(B) Alone or in combination, annually buys, receives for the business's commercial purposes, sells or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households or devices.

(C) Derives 50 percent or more of its annual revenues from selling consumers' personal information.

(2) Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business. "Control" or "controlled" means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. "Common branding" means a shared name, servicemark or trademark.

If you meet the definition of a business, the next step is to determine what your business partners and vendors are in the CCPA landscape. Even if you are not a "business," you may receive inquiries from companies that are "businesses" as to what role you play. Accordingly, the next most relevant definition is "service provider."

To view the full article, please click here.

Originally Published by Tanya Forsheit

This alert provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.