The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff’s friendly ballot initiative.  Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.

Q. Does the CCPA impart the same requirements on businesses and service providers?

Sometimes.

The CCPA only imparts obligations directly upon a “business” – a term that is defined as a for-profit legal entity that collects personal information about California residents, “determines the purpose and means of the processing” of that information, does business in California, and hits one of the three threshold volume triggers set forth under the Act (i.e., $25 million gross revenue, data about 50,000 Californians, or generates 50% of its revenue from selling personal information).¹  If an entity is a “business” then all of the obligations of the CCPA kick-in such as the obligation to post a privacy notice, respond to consumer access requests, respond to consumer deletion requests, disclose the sale of consumer information, and offer consumers the ability to opt-out of such sales. 

The CCPA defines the term “service provider” as a for-profit legal entity that “processes information on behalf of a business, and is contractually prohibited from retaining, using, or disclosing that information for any purpose other than to provide service.”²  Unlike “businesses,” the CCPA imposes no direct privacy obligations on service providers (although indirectly the service provider would be subject to the contractual retention, use, and disclosure restrictions).³

The net result is that if a company falls under the definition of a “service provider,” but does not fall under the definition of a “business,” the CCPA imposes no statutory obligations upon it.  That, of course, begs the question of whether a company might be both a “service provider” and a “business.”  Theoretically, nothing within the CCPA precludes a dual designation, and, as the terms are currently defined, they do not appear to be mutually exclusive.  To understand why, consider a hypothetical company (e.g., an accounting firm) that collects personal information on behalf of its client (e.g., while conducting an audit) has gross revenue of over $25 million, but is contractually bound not to use, share, or disclose that information other than to provide service.  The company would satisfy the definition of a “service provider.”  The company would also satisfy every element of the definition of a “business” with the possible exception that it may not be intuitively clear whether the company “determines the purpose and means” of the processing.   

In order to understand whether the hypothetical company could both be a “service provider” and determine the “purpose and means” of the processing, it is important to understand that the phrase “determines the purpose and means of the processing” was borrowed directly from the definition of a “controller” within the European GDPR.⁴   In the context of the GDPR, European regulators examined whether a service provider that is generally bound to retention, use, and disclosure restrictions might also retain sufficient autonomy concerning the purpose and means of processing as to be classified under the GDPR as a “controller.”  The regulators ultimately identified a non-exhaustive list of service providers that fit such a description including the following:

• Accountants,⁵
• Attorneys,⁶
• Mail delivery services (when providing tracking functionality),⁷
• Market research companies,⁸
• Payment processors,⁹
• Social network service providers that provide online communications platforms.¹⁰

While there remains a great deal of uncertainty whether California courts will look to European regulators for guidance when interpreting the CCPA, plaintiff’s attorneys are likely to argue that because European regulators have determined that various classes of service providers retain sufficient control over the purpose and means of processing to be considered “service providers” and “controllers,” California courts should similarly find that such companies are “service providers” and “businesses” under the CCPA.  If the argument succeeds, service providers may find themselves with the same regulatory obligations as their clients.

1.  CCPA, Section 1798.140(c). 

2. CCPA, Section 1798.140(v).

3. In comparison, the European GDPR imposes direct regulatory requirements on both “controllers” and “processors.”  Some of the obligations imposed by the GDPR apply equally to both groups, such as the obligation to take steps to secure data.  Other obligations imposed by the GDPR apply only to one group or the other.

4. Compare CCPA, Section 1798.140(C) to GDPR, Article 4(7).

5. United Kingdom Information Commissioner’s Office (“ICO), Data Controllers and Data Processors: What the Difference Is and What the Governance Implications Are (2014) at 13.

6. United Kingdom Information Commissioner’s Office (“ICO), Data Controllers and Data Processors: What the Difference Is and What the Governance Implications Are (2014) at 12.

7. United Kingdom Information Commissioner’s Office (“ICO), Data Controllers and Data Processors: What the Difference Is and What the Governance Implications Are (2014) at 12.

8. United Kingdom Information Commissioner’s Office (“ICO), Data Controllers and Data Processors: What the Difference Is and What the Governance Implications Are (2014) at 10.

9. United Kingdom Information Commissioner’s Office (“ICO), Data Controllers and Data Processors: What the Difference Is and What the Governance Implications Are (2014) at 11.

10. WP 169 at 21.

[View source.]