Identifying Service Provider Language
In order to be considered a service provider, the CCPA requires that the contract between a vendor and business include assurances about how the vendor will handle your consumers’ data. Specifically, the contract must prohibit the vendor from:
Retaining, using, or disclosing consumer’s personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business.
Service providers may also use personal information for a few additional purposes related to providing their service:
- Retaining a subcontractor, provided that the subcontractor's contract also meets the service provider requirements
- Building or improving the quality of its services (as long as it doesn’t use the data to create or modify consumer profiles for the purpose of providing services to other businesses or to augment or correct data from other sources)
- To detect security incidents or protect against fraudulent or illegal activity
- To comply with legal orders
Reviewing your vendor contracts can be a tricky process. Sometimes the answer is obvious, but often it is not so clear. This quick guide should help you along.
Clear Examples of Service Provider Language
Some vendors have updated their contracts to match the language used in the CCPA. This makes the relevant terms much easier to find, and makes it easier to be confident that the contract meets the legal requirements.
Here is a very clear example from Microsoft’s DPA:
California Consumer Privacy Act (CCPA)
If Microsoft is processing Personal Data within the scope of the CCPA, Microsoft makes the following additional commitments to Customer. Microsoft will process Customer Data and Personal Data on behalf of Customer and, not retain, use, or disclose that data for any purpose other than for the purposes set out in the DPA Terms and as permitted under the CCPA, including under any “sale” exemption. In no event will Microsoft sell any such data.
Other contracts may simply state that the vendor will act as a CCPA service provider, such as in this example from Hubspot’s DPA:
Roles of the Parties. When processing California Personal Information in accordance with your Instructions, the parties acknowledge and agree that you are a Business and we are a Service Provider for the purposes of the CCPA.
It’s important that the vendor agrees to be a service provider as defined by the CCPA, as a way of acknowledging their obligations. When terms like Service Provider are capitalized, it usually means they have a specific meaning in that document. In this case, the DPA states elsewhere that Service Provider has the same meaning as given in the CCPA.
Less Clear Examples
The CCPA does not actually require contracts to have the exact language found in the statute. If you cannot find a clear answer as in the examples above, you may try to determine whether the contract still meets the service provider requirements—that is, whether the contract in some other way prohibits the vendor from retaining, using, or disclosing personal information for purposes other than providing the services specified in the contract.
Making this determination can be difficult, and if you are uncomfortable reviewing contracts in this depth you should consider contacting the vendor directly or consulting an attorney.
GDPR Language
It is frequently the case that vendors have included language addressing their “data processor” status under the GDPR, but have not since added any CCPA-specific terms. The role of a GDPR data processor is similar to that of a CCPA service provider; if a vendor says it is a data processor, that is a good sign that it is also a service provider, though you must still read the contract carefully.
Such GDPR terms often refer to processing data according to the data controller’s instructions, such as in this example from Adobe’s DPA:
Adobe will only Process Personal Data within the scope of Customer’s Instructions for the applicable Adobe Cloud Service.
The term “process” is typically interpreted or defined very broadly, and covers the retention, use, and disclosure of data. The “instructions” are the written terms of the contract. As long as the instructions are restricted to providing the service, this language should suffice, because it prohibits the vendor from retaining, using, or disclosing personal information for any other purpose.
Permissions Language
Many vendors do not have CCPA- or GDPR-specific language in their contracts, but they do cover the permissions (or rights or licenses) the vendor will have with regard to your data. This can potentially meet the CCPA’s service provider requirements. Take, for example, this excerpt from Teamwork’s terms of service:
In order for us to provide services to you, we require that you grant us certain rights with respect to your Data. For example, we need to be able to transmit, store and copy your Data in order to display it to you and your colleagues, to index it so you are able to search it, to make backups to prevent data loss, and so on. Your acceptance of this TOS gives us the permission to do so and grants us any such rights necessary to provide the service to you, only for the purpose of providing the service (and for no other purpose). This permission allowing us to use third-party service providers (for example Amazon Web Services) in the operation and administration of the Service and the rights granted to us are extended to these third parties to the degree necessary in order for the Service to be provided. Depending on the service, this may involve moving your data across jurisdictional lines, or across country borders. The Company will not share, disclose, sell, lease, modify, delete or distribute any Data provided by you in any manner.
The language here suggests that the vendor may only use data for the specified purposes and nothing else. This would appear to effectively prohibit the vendor from retaining, using, or disclosing personal information outside of the purpose of providing its service, thus meeting the service provider requirements.
One important consideration is to be sure that the data being discussed is actually the personal information of your consumers. Typically, as with the “Data” in this example, the term will be capitalized and defined somewhere in the contract, so you must read that definition carefully.
Still Not Sure?
Figuring out a vendor’s service provider status can be complicated. Because you may be asked to explain your decision at some point by the California Privacy Protection Agency, you should be reasonably sure that a vendor actually is a service provider before treating it as such. If you are unsure, reaching out directly to the vendor can sometimes help clarify the issue. Otherwise, you can ask for outside help, such as from an attorney.