Is Your Business A Service Provider?
If your business provides services to other businesses and processes the personal information of California residents to do so, your business could be a service provider under the CCPA. A service provider is a special type of vendor that processes PI on a business’s behalf, and does so under specific contractual obligations limiting its use of the PI businesses share with it. Service providers may use such PI only for purposes of providing services, or for internal purposes to improve services.
Why does it matter if you’re a service provider?
The CCPA does not require service providers to make disclosures directly to consumers about the PI they collect or process about those consumers as a service provider. Instead, a service provider can respond to CCPA requests by letting the consumer know that their CCPA request cannot be acted on because it has been sent to a service provider.
What this means is that the consumer should direct their CCPA request to the business who controls the PI - not to the service provider who merely processes the PI on the business’s behalf. Think about it this way: because a service provider has contractual limitations on using or sharing the PI it receives from its business customers, a service provider is like an extension of the business when it comes to PI the business shares with it.
Is my company a “business” or a “service provider”? It could be both...
A single company can be both a “business” and a “service provider,” but not for the same PI. For example, let’s say your company provides customer support software to businesses. Your company is a “business” under the CCPA as to the PI it collects from its business customers - such as the contact information of the business’s employees. Your company asks for that information and determines how to use it – it may use that information to provide updates about its services and advertise new features.
However, your company is a “service provider” as to the PI of its customers’ users, whose information your company collects to process customer service requests from the users of its business customers.
What are the CCPA requirements for qualifying as a service provider?
If your business processes PI for a business purpose pursuant to a written contract that limits its use of the PI a business shares with it, it is likely a service provider.
Note: A service provider can use PI shared with it for internal purposes, such as to improve the quality of its services or to comply with a legal obligation. However, if it uses PI it collects from a business to build profiles on consumers and uses those profiles to enhance services provided to other businesses, it is not a service provider.
Here's an example of service provider terms: