New CCPA rules clarify service provider privacy compliance
With the California Attorney General’s recent instructions and clarifications on the California Consumer Privacy Act (CCPA), organizations classified as “service providers” must pay close attention to how these rules affect their privacy compliance. CCPA implementation rules on privacy notices and policies, and guidance for responding to consumer requests, were also released.
Why this matters
For all the organizations that are “new” service providers under the rules, there are two primary considerations:
- Limitations on the use of the personal information processed as part of the business relationship. As a service provider, you are restricted from using the personal information obtained as part of the written contract with the business for any purposes other than those defined in the contract, with minor exceptions for internal business operations.
- Consumer rights requests. How will these requests be handled? As the service provider, you may now be responsible for responding to, and potentially fulfilling, requests received from consumers, since the business you serve may not itself be subject to the CCPA.
What you need to know
In the text of the CCPA, a service provider is a for-profit legal entity that processes personal information on behalf of a business, to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, where that contract prohibits the entity receiving the information from retaining, using, or disclosing it for any purpose other than what is stated in the contract or authorized by the CCPA. A business, in turn, is a for-profit entity that collects consumers’ personal information, determines the purposes and means of processing that information, and meets at least one of the statute’s thresholds (such as annual revenue above $25 million).
So what does all of that mean?
- These definitions previously excluded many small- and mid-size companies that do business in California, not-for-profits that would otherwise meet the thresholds, and not-for-profit vendors.
- The draft regulations stipulate that an entity in a service-provider-to-business relationship will be treated as a service provider even when its client does not meet the CCPA definition of a business, where that was the only element exempting the entity from compliance. This considerably increases the number of CCPA service providers and is not news that will be well received by organizations that previously thought they did not have to comply.
This rule extends governance to organizations that operate solely as service providers in the small- to mid-market range. For example, an organization that serves only small businesses may process personal information for enough clients that its records easily number in the hundreds of thousands of California residents. That is a large volume of data, and because the small businesses controlling the collection and the purpose of the processing do not meet the CCPA definition of a business, the service provider would not, before the regulation, have been governed either.
This change aligns with the general policy of the CCPA – providing increased transparency on and control over the personal information of California consumers used by businesses.
Steps to take now
Since the final regulations are not expected for some time, the draft regulations will apply when the CCPA takes effect on Jan. 1. If your organization is considered a “service provider,” review the requirements and take the following steps:
- Re-evaluate your potential compliance requirements under the CCPA. If you dismissed any accountability under this law based on a quick check that you only serve non-profits, or that the businesses you serve all have revenue under $25 million, you may need to dig a little deeper. If you process the personal information of California residents on behalf of other organizations, or those organizations have directed you to collect personal information directly from their consumers, the next steps are for you.
- Review your business operations. Do your contracts identify the approved activities for the personal information and prohibit any additional activities? Is your business using the personal information obtained through these relationships for other activities? Clearly define what is covered by each business relationship so you can separate the activities that fall under the service provider role from those that may make you a business in your own right.
- Determine a plan for handling consumer requests. Once you understand the scale and scope of your compliance requirement, identify an approach for handling consumer requests. Discuss with your clients whether they are going to fulfill consumer requests. Determine whether you, as the service provider, are willing to fulfill such requests; if not, the alternative is still to respond to the consumer, notifying that individual that you will not fulfill the request and why.
For more information on this topic, or to learn how Baker Tilly specialists can help, contact our privacy team.
For the legal definition of a service provider, see: CCPA, Section 9, Part (v)
For the legal definition of a business, see: CCPA, Section 9, Part (c)