Where to Look for Service Provider Language
In order to be considered a service provider, the CCPA requires that the contract between a vendor and business include assurances about how the vendor will handle your consumers’ data. Every vendor is different, so the service provider language (if it exists) may be in a different location with each of your vendors. In most cases, it will be in the data processing agreement (DPA), the terms of service, or the privacy policy.
Finding the Right Document
If you have any contracts you received directly from the vendor, especially any that were signed, start by reviewing those documents. They probably supersede any generic documents from the vendor’s website and are more likely to contain the necessary information. If you do not have any such contract, move on to the publicly available agreements you can find online.
When checking any of these documents, the first step should be to first verify that it actually applies to your consumers’ personal information. For example, a company’s online privacy policy commonly only covers personal information that it collects directly from users of the website, not the data it processes on behalf of its business customers. If you cannot find the relevant documents in your records or online, contact the vendor for assistance.
Data Processing Agreements
If a vendor has a data processing agreement (a.k.a., data processing addendum, data protection agreement, or DPA), that is the most likely place to find the relevant service provider language. However, you must be sure it applies to California consumers. Because DPAs were originally created in response to the EU’s General Data Protection Regulation (GDPR), sometimes they apply only to the processing of EU consumers’ data.
Terms of Service
Where there is no DPA, the next best place to look is in the terms of service (a.k.a., service agreement, subscriber agreement, terms and conditions, etc.). It is the core of your contract with the vendor, and is likely to deal in some way with the privacy and security of your business’s data.
Privacy Policy
Most vendors will have a privacy policy on their website. Though this may seem like the obvious place to start your search, it is often the case that the online privacy policy only applies to personal information collected directly on the website. For example, it may describe how the vendor processes your user registration data (name, email address, etc.), but not how it processes the personal information of your consumers. When checking the privacy policy, first check whether it applies to the processing the vendor does on behalf of your business.