The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff’s friendly ballot initiative.  Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.

Q. Does a United States service provider have to comply with the CCPA, even if its client is not subject to the Act?

No.

The CCPA imposes obligations only upon “businesses” and not upon “service providers.”  Indeed, the only impact that the CCPA has upon service providers is indirect insofar as the Act requires a business that falls under its jurisdiction to impose certain contractual provisions upon its service providers (e.g., prohibitions on the use, retention, or disclosure of personal data).  If a business does not, itself, fall under the jurisdiction of the CCPA any data that it sends to a service provider within California should not be impacted by the Act.  For example, if a French company sends data about French nationals to a service provider located in California, neither the French company, nor the California service provider, should be governed by the CCPA.

In comparison, the European GDPR applies to companies that process data “in the context of the activities of an establishment . . . in the Union.”¹  To the extent that a service provider processes data in the context of its establishment in the European Union it is, therefore, subject to the GDPR regardless of whether its client (i.e., the data controller) is itself subject to the GDPR.  So, for example, if an American company that is not subject to the GDPR transmits data to a service provider in Europe, the European service provider is independently “required to comply with the obligations imposed on processors by the GDPR.”²

The net result is that data sent to a European processor by an American company that is not subject to the GDPR receives the GDPR’s processor-imposed protections, but does not receive the GDPR’s controller-imposed protections.  From a functional standpoint this means that the European processor should:

• Enter into a contract with its client that satisfies the requirements of Article 28 of the GDPR (except that the contract does not need to include provisions that are designed to help a controller satisfy controller-imposed obligations under the GDPR).
• Not process data except on instructions from its client, unless required to do so by Union or Member State law.
• Maintain a record of all categories of processing carried out on behalf of its client pursuant to Article 30(2) of the GDPR.
• Cooperate with European supervisory authorities upon request.
• Implement technical and organisational measures to ensure an appropriate level of security.
• Notify its client without undue delay after becoming aware of a personal data breach.
• Designate (if needed) a data protection officer.
• Take steps to comply with restrictions on the cross-border transfer of information.³

1. GDPR, Article 3(1) (emphasis added).

2. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation (16 Nov. 2018) at 9.

3. EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation (16 Nov. 2018) at 11.

[View source.]