It’s unclear.

A vendor must be bound by a written contract that prohibits it from:

1. Retaining the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,”^[1]
2. Using the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,”^[2] or
3. Disclosing the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title.”^[3]

While an argument could be made that a payment processor contains the retention, use, and disclosure restrictions mandated by the CCPA because they receive information from merchants for the purpose of processing credit card payments for the benefit of the merchant, it is possible that a California court could determine that their purpose in processing the information goes beyond simply providing service for their merchant client.  For example, in addition to using a credit card number transmitted from a merchant to process a credit card transaction, a payment processor may use that information to look for suspicious activity that could indicate a data breach, or identity theft of a cardholder.  They may also have obligations to third parties (e.g., Visa and MasterCard) to retain cardholder information even after they have completed the transaction requested by the merchant.  A court might view these types of activities as going beyond the “specific purpose of performing the services” specified in a contract with a merchant. 

To the extent that a court were to determine that a payment processor or an acquiring bank does not fall under the statutory definition of “service provider,” a merchant would have to disclose to consumers that their credit card information was “sold” to these companies unless the information transfer fell under one of the exceptions to a “sale” under the CCPA.  It is possible that a business could argue that by providing their credit card, the consumer implicitly or explicitly “direct[ed] the business to intentionally disclose personal information or use[d] the business to intentionally interact with a third party.”^[4]  Put differently, a reasonable consumer would understand that in order for a business to process a credit card transaction, the consumer’s credit card would need to be provided to a variety of third parties ranging from a payment processor, payment gateway, payment authentication service, acquiring bank, and payment card network.  The act of providing the credit card and requesting that it be used for payment must, by its nature, be a request that the business disclose the consumer’s information to these entities. 

For more information and resources about the CCPA visit http://www.CCPA-info.com. 

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. CCPA, Section 1798.140(v).

2. CCPA, Section 1798.140(v).

3. CCPA, Section 1798.140(v).

4. CCPA, Section 1798.140(t)(2)(A).

[View source.]