Combine (subject to certain exceptions) the personal data that the service provider receives from one company with the information it receives from another company.3 The company is a service provider whenever it “processes personal data on behalf of a company”. How is the responsibility divided between the company and the service provider? The CCPA service provider`s addendum should also include information on compensation for losses and the actions that will be taken if data protection law changes while the contract is active. The definition of “sale” lists this standard as part of what is necessary to benefit from the exemption from the sale of personal data. If a service provider does not limit these activities to what is necessary, the transfer is considered a sale of personal data and is subject to the right to unsubscribe if a consumer makes such a request. In practice, the parties also regularly follow the definitions of “third party” and “sale” in Articles 1798.140 (w) and (t) (2) (C) respectively and include these definitions in service providers` contracts to avoid triggering the right of withdrawal. If you own a business, you probably work with various companies to provide products and services to your customers. These partnerships can take place in a variety of contexts. For example, you can hire a third-party company to create and manage your website. For customer relations and marketing, your company can enter into a contract with an external company known for its effective customer engagement. A “person” in this sense is not limited to one person; It also includes partnerships, businesses, non-profit organizations and essentially any other type of organization or group. In addition, the written contract with a service provider or contractor must contain certain provisions that limit the use and retention of consumers` personal data (see next section).
The proposed CCPA Regulation contains additional clarifications regarding the definition of a service provider. These rules state that businesses that provide services to persons who are not “corporations” within the meaning of the CCPA, such as not-for-profit organizations or government entities, but who otherwise meet the definition of a service provider under the Act, are considered service providers within the meaning of the CCPA and the regulations. This means that, at least with respect to proposed regulations, determining the identity of a service provider does not depend on whether the service provider is dealing with a legally regulated transaction. If the above requirements are met, the company will be classified as a service provider by the Attorney General. In order not to become a “third party” under the law, the contract must also include a certificate attesting that the person receiving the information understands the requirements and will comply with them. However, the CCPA requires that a service provider have safeguards in place to prevent the re-identification of information, as well as policies or procedures that prohibit re-identification. Comments on the first commented version of the CRPA election measure indicate that the new class of contractors was derived from the CCPA definition by third parties. A contractor is therefore any company that receives personal data from a company and enters into a contract with the above restrictions (subject to certain changes/additions described below). Interestingly, the entrepreneur category already exists in the CCPA. However, the comments acknowledge that a contractor “operates in the same way as a `service provider`, with the difference that PS`s [personal data] processes have been received `by or on behalf of a company`, while contractors use [sic] [personal data] `disclosed` by a company`. The fact that contractors and service providers are virtually identical is also reflected in the fact that the definitions of these two terms in the CPRA follow closely. Under the California Consumer Privacy Act (CCPA), determining whether or not a provider qualifies as a service provider is an important part of becoming and remaining compliant.
While California residents have the right to object to the sale of their personal information to “third parties,” service providers are by definition not third parties. This means that transfers or disclosures of personal data to service providers are exempt from the right of withdrawal.