California Consumer Privacy Act: Service Providers

Jeffrey Glassman
Ervin Cohen & Jessup LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Ervin Cohen & Jessup LLPPart three of this CCPA client alert series focuses on the obligations for service providers pursuant to the CCPA.

The California Consumer Privacy Act of 2018 (the “CCPA”) and the related proposed Attorney General Regulations (the “Regulations”) provide California consumers with increased privacy rights and protections with respect to their personal information. Businesses that are subject to the CCPA must comply with various notice obligations and requirements related to the collection, deletion and sale of personal information. The California Attorney General intends to begin enforcing the CCPA and the Regulations on July 1, 2020.

A “service provider” is an entity that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract. The CCPA and the Regulations set forth certain obligations for service providers, including the following:

  • A service provider must not retain, use or disclose personal information obtained in the course of providing services except for the specific purpose of performing its services under the contract and in certain circumstances set forth in the Regulations, which circumstances may include processing or maintaining personal information on behalf of the business in compliance with the written contract for services, detecting data security incidents, and protecting against fraudulent or illegal activity.
  • A service provider cannot sell data on behalf of a business when a consumer has opted-out of the sale of their personal information with the business.
  • If a service provider receives a request to know personal information or a request to delete personal information from a consumer, it must either act on behalf of the business in responding or inform the consumer that the request cannot be acted upon because it was sent to a service provider of the primary business.
  • If a business receives a request to delete personal information from a consumer, it must direct any service provider to also delete such information from their records.

A service provider that is itself considered a business subject to the CCPA must also comply with the CCPA and the Regulations with respect to any personal information it collects, maintains or sells outside of its role as a service provider.

This client alert provides a summary of certain requirements related to service providers pursuant to the CCPA and the Regulations.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ervin Cohen & Jessup LLP | Attorney Advertising

Written by:

Ervin Cohen & Jessup LLP
Ervin Cohen & Jessup LLP
Contact
more
less

Ervin Cohen & Jessup LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide