Service provider checklist

November 2, 2022

Service provider guide to CPRA & CCPA: definitions, requirements, and vendor contract agreements


Under the CCPA, businesses must allow Californians to opt out of data sharing with third parties, but not with service providers. This enables businesses to continue using service providers to handle essential business activities like payment processing, hosting, and fulfillment without disruption.

However, the law has strict requirements for service provider contracts and relationships — particularly since the CPRA strengthened the CCPA. Whether you’re a service provider, a business that depends on service providers, or both, here’s how to ensure you’re in compliance with the law.

Businesses, service providers, and third parties

The CPRA applies to three types of entities: businesses, service providers, and third-parties.

A business is a for-profit entity that:

  • Does business in California or with Californians, and either
    • Has an annual gross revenue of over $25 million
    • Buys, sells, receives, or shares the personal data of at least 50,000 consumers or households, or;
    • Earns at least half its annual revenue from selling personal information

A CCPA service provider is a for-profit entity that processes personal information for a business under a strict contract that limits what they can do with that information. A service provider must only use the personal information for fulfilling the business purpose defined in the contract (with a few exceptions.) They can’t share the data, use it for their own purposes, or hold onto it longer than necessary to complete the job.

A third party is an entity that receives data from a business, but isn’t a service provider. For example, if a business sells personal data to an advertiser, that advertiser is a third party.

CCPA service provider data sharing exceptions

Data subject access requests are the most important exception to service provider data sharing restrictions. Under the CCPA, Californians can request to know what personal information a business has about them, obtain a copy of their information, correct inaccuracies in their data, or have the business delete their personal information. The business must authenticate the request and pass it on to any service providers with the information. For example, if a data subject requests that their data be deleted, both the business and their service providers must delete all data about the subject.

The California Attorney General’s draft amendment to the CCPA outlines a number of other ways service providers can use personal data, including:

  • Subcontracting the work to another service provider, using a written contract
  • Improving services, as long as the service provider doesn’t add to or alter the data, or build consumer profiles
  • Detecting or protect against security incidents or fraud
  • Complying with legal obligations, such as court subpoenas or law enforcement investigations
  • Defending against legal claims

While the draft amendment hasn’t yet been adopted, it’s very likely that these exceptions will be included in the law.

What must a business do to work with a service provider?

Enter into a written contract

A written contract protects both the business and the service provider by ensuring that the relationship meets the CCPA definition of a service provider relationship. CCPA service provider contract requirements are very strict. The contract must include:

  • An exhaustive list of the data processing activities the service provider will carry out on behalf of the business
  • What type of personal information the business will share with the service provider
  • How the service provider should carry out the activities

Equally importantly, the contract should spell out prohibitions. The service provider can’t sell the data, disclose it outside the business relationship, retain it any longer than necessary to do the job, or do anything else with the data outside the business relationship.

Finally, the contract must include a certificate saying that the service provider understands their obligations and agrees to follow all the requirements of the contract and the CCPA.

While not mandatory, it’s a good idea for the service provider contract to include additional controls to ensure the provider is adequately protecting the data. The vendor may wish to require audits or security practices, such as encryption, or regulate how the provider vets subcontractors.

The business should also consider spelling out the service provider’s DSAR obligations. This will ensure both parties have everything in place to respond to any requests from data subjects.

Tell consumers how the business will use their information

Under the CCPA, businesses must tell Californians how their personal information will be used before they agree to hand over the data using a document called a “notice at collection.” This notice should include:

  • The categories of personal information collected (e.g. name, email address, or geolocation data)
  • What the business intends to do with each category of information
  • A disclosure if the business intends to sell the information, along with a Do Not Sell button
  • A link to the business' privacy policy

The privacy policy should go into more depth, explaining how the business collects, uses, shares, and sells consumer information. This should explain consumer rights under the CCPA, and give other relevant information, such as the categories of third parties the business shares information with.

What are a CCPA service provider’s obligations?

Have a written contract covering their services

Like businesses, service providers require a written contract under the CCPA. Service providers should make sure the contract describes everything they need to do with data to satisfy the business purpose. This should include anonymized data as well; even without identifying information, a service provider should not use a business’ personal information in any way not described in the contract or allowed under CCPA exceptions.

Receive personal information from the vendor

The service provider cannot collect data from the consumer directly. They must obtain all personal information from the vendor.

Only use personal information to fulfill the contract

A service provider essentially works as a unit within the business employing its services. The provider receives personal information, performs some well-defined activity, and deletes that data once the task is complete. The PI should not be combined with personal information provided by other clients, or collected by the service provider independently.

Keep in mind that “service provider” is a role in a business relationship, not a type of company. A company working as a service provider for a business may also operate as a business retaining its own service providers, or a third party. However, in its role as a service provider, its activities are strictly limited — it can only use the data to fulfill the terms of their service provider contract.

For example, let’s say a company is contracted to provide order fulfillment and given a list of names, addresses, and orders to fill. The provider can only use that personal information to fulfill those consumers orders, and cannot use it for its own marketing efforts. However, it can collect personal information independently, and use that information for marketing purposes.

Control data access and deletion

Service providers need to carefully control data access, both internally and across their vendor ecosystem. They should restrict data sharing as much as possible, providing the minimum access required to do the job. Once the job is done, the service provider should delete the data, except as required to meet legal obligations.

Fulfill DSARs

As mentioned earlier, a CCPA service provider needs a mechanism in place to receive and fulfill authenticated data requests from the business. The business must forward DSARs to the service provider, who must then honor those requests. That means deleting data, correcting errors, or returning relevant information to the business, depending on the request.

Employing subcontractors adds another level of obligation. Businesses will need to be able to forward data requests to the right subcontractor, chase down the requested information if necessary, and forward that information to the relevant business.

Secure data

A service provider must carefully protect personal data from cyberattacks, fraud, corruption, or inadvertent deletion. The business may also require the service provider to undergo audits or impose other security measures to prevent data compromise.

Service provider examples

Ensuring that an entity remains a service provider under California law can be a complex undertaking. Companies may broadly fit the CCPA service provider definition but still have data practices or obligations that pose challenges. A CCPA compliance solution can help you identify potential problems, resolve ambiguities, and ensure both companies are in compliance with the law.

Website hosting

A hosting provider could be a service provider depending on their data use policies. For example, if the business collects personal information on the site, the host must not use that information for their own purposes. Additionally, the host must not receive any form of payment from third-party advertisers for placing cookies or other tracking technologies to track users of the business’ website.

Customer databases

A company providing a CRM, CDP, or similar sales or marketing platform could be a service provider. However, the contract must be structured carefully to account for their market analysis practices.

CRM providers often anonymize and combine data across multiple clients to conduct market analysis and forecasting. While this practice doesn’t threaten privacy, it can potentially undermine a company’s CCPA service provider status. The provider is benefitting from the business’ data outside of the business relationship, which under the CCPA could make them a third party.

Platform providers can mitigate the issue by defining their analytics reporting as a business purpose in their contracts. If the service provider is contracted with each client to deidentify data and use it to provide market analysis, then they’re not profiting from the business data outside their service provider relationship.

Payment processor

A payment processor will generally be a third party under the CCPA. Payment processors receive personal information from merchants, and use that information for the sole business purpose of processing payments. While they may also use that information to detect fraud, that is a legitimate use under the CCPA.

However, a merchant-processor business contract should account for the payment processor’s data retention policies, and any obligations they have to credit card companies and other financial services providers. By using this information to structure the contract and disclosing it in the business’ privacy policy, both parties can protect the processor’s third party status.

Third party status and liability

Dividing liability

A solid third party contract protects both the business and the third party vendor. A business is not liable for the actions of their service provider provided they have no reason to believe that the service provider intends to violate the law. The service provider is likewise not liable for any violation the business commits.

CCPA penalties

Penalties under the CCPA seem quite moderate compared to GDPR fines, but they may be much more serious than they appear. If the California Attorney General believes a business or service provider is in violation of the CCPA, they can bring a legal claim. The offender then has 30 days to correct the violation, or face a fine of up to $2,500. For an intentional violation, the attorney general can add an additional $7,500 penalty.

$2,500 might sound like a slap on the wrist. The problem is, this is a per-violation penalty, and it’s unclear what counts as a single violation. For example, if you have a customer database that you share without the customer’s consent, how many violations is that? will you be charged with a single violation for the database, or is each customer record a violation? We don’t know for sure — the answer will depend on how the attorney general, regulators, and courts interpret the law. Make sure your business isn’t the test case.

Controlling your data

While the CCPA doesn’t explicitly require a privacy platform, it’s extremely difficult to comply without one. A service provider needs to know where each piece of personal information comes from, and attach a set of rules governing how to use, retain, and delete it. They need to be able to handle redundant or overlapping personal information from different clients without combining it into one record or profile.

Similarly, a business needs to be able to keep track of where they send their personal information, ensure each provider is correctly categorized, and stay on top of the latest developments in the CCPA to enforce compliance across their vendor ecosystem.

Both partners need to be able to quickly locate, audit, delete, or modify data on any given subject to full DSARs. And on top of this, everyone needs a way to track and verify their compliance records, in case they face an audit or legal action.

TerraTrue can help you achieve and maintain full compliance. We provide built-in rules for the CCPA and other major compliance laws, along with a sophisticated risk flagging engine, data mapping, and tools for every stage of the compliance process.

Contact us today for a free demo, and learn how much easier CCPA compliance can be.