CCPA QOTD: Isn’t every vendor a “service provider” under the CCPA?

Mintz - Privacy & Cybersecurity Viewpoints
Contact

Mintz - Privacy & Cybersecurity Viewpoints

The short answer is “no”.  The CCPA has a specific definition for “service provider” at Section 1798.140(v) – see our annotated version of the CCPA here – and it also requires a vendor to be bound by a written contract that prohibits it from:

  • Retaining the personal information for “any purpose other than for the specific purpose of performing the services specified in the contract … or as otherwise permitted by this title”
  • Using the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract … or as otherwise permitted by this title”
  • Disclosing the personal information “for any purpose …”  you get the drift.   See Section 1798.140(v)

Your CCPA-covered business could be using vendors that do not qualify as “service providers” under the CCPA, particularly where the vendor is permitted to make independent decisions about the use/disclosure of the personal information.  Service providers may retain/use/disclose information for its own purposes if it is aggregated or de-identified --- but note that the standards under the CCPA are not crystal clear.

The reason all of this is important under the CCPA is that extremely broad definition of “sell,” (Section 1798140(t)(1)) that states that business that shares personal information with a service provider is not “selling” the personal information if the service provider is prohibited from using the personal information for its own purposes (Section 1798.140(t)(2)(C)).  We are awaiting further guidance on how interpretation of the CCPA will view whether use by a vendor of personal information received from a customer to improve products or services generally would cause those transfers to be a “sale.”  Stay tuned.

We’ll be taking a few days off for the holidays (and to continue working on CCPA projects…..), but will be back!

Happy Holidays to all and thanks for reading!

The Mintz Privacy Team

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Mintz - Privacy & Cybersecurity Viewpoints | Attorney Advertising

Written by:

Mintz - Privacy & Cybersecurity Viewpoints
Contact
more
less

Mintz - Privacy & Cybersecurity Viewpoints on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.