Contact us Today!

CCPA Service Provider Exception: Obligations, Vendor Contract Agreements and more

Disclosures to service providers are not prohibited when a consumer exercises the right to opt out under the California Consumer Privacy Act (CCPA). Businesses may proceed to disclose personal information to these third-parties so long as they fulfill the conditions to qualify for this exception.

Service Provider Definition:

The California Consumer Privacy Act defines a service provider as a for-profit legal entity that processes personal information on behalf of a business pursuant to a written contract for a business purpose. Businesses may use service providers and share personal information with them. It is not considered a sale of personal information under the law if the sharing of personal information is necessary to perform a business purpose, the business has provided notice that the information is being used or shared, and the service provider does not further collect, sell or use the personal information of the consumer except as necessary to perform the business purpose.

What is a business purpose under the CCPA?

Business purposes are defined generally by the law to include:

– auditing
– detecting security incidents and protecting against fraud
– debugging errors that impair intended functionality
– short term use provided it is not disclosed to a third-party or used to build a profile of the consumer
– performing services such as customer service, order fulfillment, payment processing, advertising or marketing, analytics and similar services
– internal research for technological development
– quality control activities

For the processing to be considered a business purpose, the use of the personal information by a service provider must be reasonably necessary and proportionate to achieve the operational purpose for which the information was collected, processed, or a compatible purpose.

How does the right to delete impact service providers?

Businesses that receive a verifiable request from a consumer to delete personal information must also direct any service providers to delete the data from their records. The exceptions which permit a business to deny a consumer request under the right to delete personal information also apply to service providers.

How is liability distributed between the business and the service provider?

Businesses that disclose information to a service provider are not liable for the acts of the service provider unless the business has actual knowledge or reason to believe, at the time of disclosing the personal information, that the service provider intends to commit a violation of the CA privacy law. Service providers are similarly not liable for the obligations of a business under the law.

Service Provider Obligations

Under the CCPA, a service provider must be prepared to:

– Enter into a written contract with a business concerning the services to be provided and the personal information to be disclosed.

The contract language should specify the services to be provided to the business.

The contract language must prohibit the entity receiving a consumer’s personal information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the service specified in the contract for the business or as otherwise permitted by the CCPA. It also must contain a prohibition on selling the personal information.

In order to avoid becoming a “third party” under the law, the contract must also contain a certification that the person receiving the information understands the requirements and will comply with them.

Other measures that a business may wish to include in such a contract include:

A requirement to honor deletion requests.

Reasonable security practices to meet any obligations around vendor management under the CCPA private right of action.

– Limit its collection, sale or use of the consumer’s personal information to that which is necessary to perform the business purpose.

The definition of “sale” lists this standard as part of what is necessary to qualify for the exception to the sale of personal information. If a service provider does not limit such activities to what is necessary, then the transfer will be considered a sale of personal information and subject to the right to opt-out when a consumer submits such a request.

– Receive a verified consumer request from a business

Section 1798.105 calls on a business to direct any service providers to delete a consumer’s personal information from their records following a verifiable consumer request. A service provider needs a mechanism to receive such requests from a business that it is receiving consumer personal information from.

– Delete the personal information of a customer of a business

Service providers may need to be prepared to independently assess whether they are required to delete the personal information of a California resident after a consumer submits a right to delete request to a business. It is possible that a service provider may need to delete a consumer’s personal information because no exemption to the deletion right applies, whereas the business that originally collected the information is able to maintain the records under one of the exemptions. The language of the CCPA when speaking about the deletion requirement uses “OR” when speaking of the business and the service provider. If the legislature had wanted them to treat the request the same, it may have used “AND” instead. The CCPA does not expressly resolve this question however, and service providers may wish to consult with the business to determine how it would like them to handle these requests.


A business engaging service providers must:

– Enter into a written contract for a business purpose authorized by the CCPA.

– Provide notice to consumers in its terms and conditions consistent with Section 1798.135

– Stop disclosing personal information to the service provider if the business has actual knowledge, or reason to believe, that the service provider intends to commit a violation of the CCPA.

If a business has the above indicated notice, it may be liable under the CCPA if the service provider receives personal information from the business and uses it in violation of the CCPA.

Related Content

Vendor Risk Management Software
GDPR Vendor Management & Third Party Privacy Risk Assessment
Risk and Control Self Assessment Framework for Privacy
Vendor Audit Process
GDPR Data Processing Agreement under Article 28
What is a Data Processor under GDPR?
Differences between a GDPR Data Controller vs. Data Processor