According to the CCPA (California Consumer Privacy Act), determining if a vendor is considered a service provider or not is crucial to ensuring compliance.
Californians have the right to opt-out of having their personal information sold to third parties; however, service providers are not third parties (based on the official definition). Because of this definition, disclosures or transfers of personal information to a service provider will be exempt from this opt-out right.
This is important to understand since the data privacy law has imposed additional responsibilities on businesses that sell personal information. For example, it is necessary to disclose this sale to consumers in the written privacy policy, give consumers the option to opt-out, and post a link on their homepage for consumers to click if they want to avoid having their personal information sold.
Since the CCPA's definition of selling personal information is slightly vague, knowing examples of these disclosures to service providers benefits businesses.
Sometimes referred to as CCPA 2.0, the CPRA has made several changes to the current law, including a new outside party – contractors.
According to the amended CCPA, the role of contractors is like that of service providers, but not the same. Contractors are not seen as third parties. This means that any disclosure of personal information to a contractor is exempt from the definition of a sale by the law.
While CCPA contractors and service providers are similar in some ways, they are by no means identical. To better understand the differences, consider the definition of both as amended by the CPRA:
It is worth noting that in these definitions, the word “person” is not limited to an individual. It can also include nonprofits, corporations, partnerships, and any other type of group or organization. Also, the written contract with a contractor or service provider must have specific provisions in place that limit the retention and use of personal information.
To some, those definitions may seem the same; however, there are some differences. For example, the definition of a contractor is broader. It includes anyone to whom a business provides a consumer’s personal information for business purposes. On the other hand, the service provider is limited to someone who must “process information” for the business. Additionally, the contractor can only receive personal information from the business, while a service provider can receive it on behalf of the business. This shows that businesses have more control over contractors than over service providers.