CCPA Service Provider Requirements: Contracts and Obligations
Understanding the CCPA service provider framework is essential for any business that discloses personal information to vendors, processors, and partners. A properly drafted contract keeps those disclosures outside the "sale" and "sharing" definitions, allocates responsibilities between the parties, and supports compliance for both.
Key Takeaways
| Point | Summary |
|---|---|
| Service provider definition | Entity processing data on behalf of a business under contract |
| Key distinction | Disclosures to a compliant service provider are not "sales" or "sharing" |
| Contract required | Written agreement with specific CCPA terms |
| Contractor category | CPRA added a distinct "contractor" role |
| Third party | Entities that are neither service providers nor contractors |
Quick Answer: Service providers process personal information on behalf of a business under a written contract that prohibits retaining, using, or disclosing the data except as specified. A compliant service provider contract takes the disclosure outside the "sale" and "sharing" definitions, but only if it contains the specific CCPA-mandated terms; a vendor operating without those terms is treated as a third party.
Service Provider vs. Contractor vs. Third Party
| Role | Definition | CCPA Obligations |
|---|---|---|
| Service Provider | Processes PI on behalf of business for business purpose | Contract requirements, limited use |
| Contractor | Business makes PI available to it under a written contract for a business purpose | Same contract terms as a service provider, plus a written certification that it understands the restrictions |
| Third Party | Any entity not a service provider, contractor, or business | Data transfers may be "sales" |
When is an Entity a Service Provider?
| Criteria | Required? |
|---|---|
| Written contract | Yes |
| Processes PI on behalf of business | Yes |
| Business purpose specified | Yes |
| Prohibited from further use | Yes |
| Prohibited from selling/sharing | Yes |
When is an Entity a Contractor?
| Criteria | Required? |
|---|---|
| Written contract | Yes |
| Business makes PI available for a business purpose | Yes |
| Certifies understanding of restrictions | Yes |
| Prohibited from selling/sharing | Yes |
| Prohibited from retention beyond purpose | Yes |
When is an Entity a Third Party?
| Indicator | Explanation |
|---|---|
| No processing contract | Not operating under business purpose agreement |
| Independent use | Uses data for its own purposes |
| Consumer relationship | May have direct relationship with consumer |
| Sale/sharing recipient | Receives data through sale or sharing |
Contract Requirements for Service Providers
Mandatory Contract Terms
| Term | Requirement |
|---|---|
| Purpose specification | Identify specific business purpose(s) |
| Use prohibition | Cannot retain, use, or disclose PI except as specified |
| Sale/sharing prohibition | Cannot sell or share the personal information |
| Compliance certification | Certify understanding of the restrictions (required by statute for contractors; commonly included for service providers as well) |
| Equivalent protection | Comply with the CCPA and provide the same level of privacy protection the CCPA requires of the business |
| Notification obligation | Notify the business if it can no longer meet its obligations |
| Remediation cooperation | Grant the business the right to take reasonable steps to ensure compliance and to stop and remediate unauthorized use |
| Subcontractor requirements | Same obligations flow down to subcontractors by written contract |
| Consumer rights assistance | Assist the business in responding to consumer requests |
Business Purpose Specification
The contract must specify the business purpose(s) for which PI is disclosed.
| Valid Business Purposes | Examples |
|---|---|
| Auditing | Ad impression verification |
| Security | Detecting security incidents |
| Debugging | Identifying technical errors |
| Short-term, transient use | Contextual customization of ads shown as part of the same interaction, provided the PI is not disclosed to another third party or used to build a profile |
| Service provision | Performing contracted services |
| Quality assurance | Maintaining service quality |
| Account maintenance | Managing consumer accounts |
Prohibited Activities
Service provider contracts must prohibit:
| Prohibition | Details |
|---|---|
| Selling PI | Cannot sell to any party |
| Sharing PI | Cannot share for cross-context behavioral advertising |
| Retention beyond purpose | Cannot keep data longer than necessary |
| Use for own purposes | Cannot use data outside contract scope |
| Combining with other data | Cannot combine PI received from the business with PI received from other persons or collected from its own interactions with consumers, except as permitted by regulation |
Exceptions to Combining Prohibition
Service providers may combine data:
| Exception | Condition |
|---|---|
| Business purpose | Combining to perform contracted services |
| Legal compliance | Required by law |
| Consumer-initiated | Pursuant to consumer request |
| De-identified | Data is de-identified |
Contractor Requirements (CPRA Addition)
The CPRA added "contractor" as a distinct category with additional requirements.
Contractor-Specific Terms
| Requirement | Details |
|---|---|
| Written contract | Same as service provider |
| Certification | Must certify understanding of restrictions |
| Grant of access | Business "makes available" rather than "discloses" |
| Same prohibitions | Same use restrictions as service providers |
When to Use Contractor vs. Service Provider
| Scenario | Appropriate Category |
|---|---|
| Data processing services | Service provider |
| SaaS platforms | Service provider |
| Data access for consulting | Contractor |
| On-site vendor work | Contractor |
| Analytics platform | Service provider |
| Third-party data enrichment | Third party (if not solely for business) |
Subcontractor Requirements
Flow-Down Obligations
| Requirement | Details |
|---|---|
| Notification | Service provider must notify the business of any subcontractor engagement |
| Contract | Subcontractor must have equivalent contract |
| Oversight | Service provider responsible for subcontractor compliance |
| Restrictions | Same prohibitions apply to subcontractor |
Subcontractor Chain
| Level | Obligation |
|---|---|
| Business | Contracts with primary service provider |
| Service provider | Contracts with subcontractor after notifying the business (individual contracts may additionally require the business's consent) |
| Subcontractor | Same restrictions as service provider |
| Further subcontracting | Must continue chain of contracts |
Consumer Rights and Service Providers
Deletion Requests
| Step | Obligation |
|---|---|
| 1 | Business receives deletion request |
| 2 | Business verifies consumer identity |
| 3 | Business instructs service provider to delete |
| 4 | Service provider deletes from systems |
| 5 | Service provider instructs subcontractors |
Correction Requests
| Step | Obligation |
|---|---|
| 1 | Business receives correction request |
| 2 | Business verifies consumer identity and determines that the information is inaccurate |
| 3 | Business instructs service provider to correct |
| 4 | Service provider updates records |
Opt-Out Requests
| Scenario | Service Provider Obligation |
|---|---|
| Consumer opts out | Business notifies service provider |
| Service provider action | Continue processing for the contracted business purpose only; selling or sharing is prohibited regardless of opt-out status |
| Downstream | Instruct subcontractors to honor opt-out |
Due Diligence Requirements
Business Obligations
| Activity | Details |
|---|---|
| Contract review | Ensure CCPA-compliant terms |
| Verification | Take reasonable steps to verify compliance |
| Monitoring | Ongoing oversight of service provider practices |
| Remediation | Address non-compliance promptly |
Red Flags for Non-Compliance
| Red Flag | Concern |
|---|---|
| Using data for own marketing | Prohibited retention/use |
| Selling insights derived from data | Prohibited sale |
| Refusing to delete | Contract violation |
| No subcontractor controls | Flow-down failure |
| Cross-client data analysis | Prohibited combining |
Audit Rights
Contract Provisions
| Element | Details |
|---|---|
| Audit right | Business should reserve right to audit |
| Scope | Compliance with CCPA contract terms |
| Frequency | Annual or as needed |
| Notice | Reasonable notice period |
| Cooperation | Service provider must cooperate |
Assessment Approaches
| Approach | Appropriate For |
|---|---|
| Self-attestation | Lower-risk service providers |
| Questionnaire | Moderate-risk service providers |
| Documentation review | Higher-risk service providers |
| On-site audit | Highest-risk service providers |
Common Contract Issues
Insufficient Purpose Specification
| Problem | Solution |
|---|---|
| Generic "any business purpose" | Enumerate specific purposes |
| Undefined scope | Clear description of services |
| Open-ended use | Limit to contracted services |
Missing Prohibitions
| Problem | Solution |
|---|---|
| No sale prohibition | Add explicit prohibition |
| No sharing prohibition | Add explicit prohibition |
| No retention limit | Specify retention period or criteria |
| No combining prohibition | Add with permitted exceptions |
Inadequate Consumer Rights Provisions
| Problem | Solution |
|---|---|
| No deletion process | Add deletion cooperation requirement |
| No correction process | Add correction cooperation requirement |
| No opt-out handling | Add opt-out notification requirement |
| No timeline | Specify response timeframes |
Sample Contract Provisions
Purpose Limitation
Service Provider shall process Personal Information only for the
following specific Business Purposes: [enumerate purposes]. Service
Provider shall not retain, use, or disclose Personal Information for
any purpose other than performing the Services specified herein.
Sale/Sharing Prohibition
Service Provider shall not (a) sell Personal Information; (b) share
Personal Information for cross-context behavioral advertising; or
(c) retain, use, or disclose Personal Information outside of the
direct business relationship between Service Provider and Business.
Certification
Service Provider certifies that it understands the restrictions in
Section [X] and this Agreement and will comply with them. Service
Provider shall notify Business immediately if it can no longer meet
these obligations.
Implementation Checklist
- Inventory all vendors receiving personal information
- Classify each as service provider, contractor, or third party
- Review existing contracts for CCPA compliance
- Add or amend contracts with required CCPA terms
- Establish deletion/correction instruction processes
- Implement opt-out notification procedures
- Create subcontractor approval and tracking process
- Develop audit or assessment program
- Train procurement and vendor management teams
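The first four checklist items (inventory, classification, contract review, subcontractor tracking) are mechanical enough to script once vendor register data exists. The following is an added example, not code from the original page: it runs a gap check over a constructed vendor register, decides which CCPA role each vendor can defensibly be treated as, and walks the subcontractor chain for flow-down failures and un-notified subcontractors. The field names, the term tags, and the sample vendors are all assumptions of this example; it is a screening aid for the privacy and procurement teams, not a legal determination.

```python
"""Added example (not from the page): gap check over a constructed vendor register.

Term tags, field names and sample vendors are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Contract terms the page lists as mandatory; tag strings are this example's own.
REQUIRED_TERMS = frozenset({
    "purpose_specified", "no_sale", "no_sharing", "no_use_outside_relationship",
    "no_combining", "notify_if_cannot_comply", "remediation_rights",
    "subcontractor_flowdown", "consumer_request_assistance",
})
CONTRACTOR_EXTRA = frozenset({"certification"})  # statutory for contractors


@dataclass
class Vendor:
    name: str
    receives_pi: bool = True
    written_contract: bool = False
    terms: frozenset = frozenset()
    # "disclosed": business sends PI (service provider model)
    # "made_available": business grants access (contractor model)
    access_mode: str = "disclosed"
    own_purpose_use: bool = False    # observed use of PI for the vendor's own ends
    business_notified: bool = True   # for subcontractors: was the business told?
    subcontractors: list = field(default_factory=list)


def missing_terms(v: Vendor) -> set:
    required = set(REQUIRED_TERMS)
    if v.access_mode == "made_available":
        required |= CONTRACTOR_EXTRA
    return required - set(v.terms)


def classify(v: Vendor) -> str:
    """Role the business can defensibly treat this vendor as."""
    if not v.receives_pi:
        return "out_of_scope"
    if not v.written_contract or v.own_purpose_use or missing_terms(v):
        return "third_party"  # disclosure risks being a sale or sharing
    return "contractor" if v.access_mode == "made_available" else "service_provider"


def audit(root: Vendor) -> list:
    """Walk the subcontractor chain; return (vendor path, finding) tuples."""
    findings, seen = [], set()

    def walk(v, path):
        if id(v) in seen:  # guard against cyclic register data
            return
        seen.add(id(v))
        here = path + [v.name]
        role = classify(v)
        if role == "third_party":
            reasons = []
            if not v.written_contract:
                reasons.append("no written contract")
            if v.own_purpose_use:
                reasons.append("uses PI for own purposes")
            if missing_terms(v):
                reasons.append("missing terms: " + ", ".join(sorted(missing_terms(v))))
            findings.append(("/".join(here), "treated as third party: " + "; ".join(reasons)))
        for sub in v.subcontractors:
            sub_path = "/".join(here + [sub.name])
            if not sub.business_notified:
                findings.append((sub_path, "business not notified of subcontractor"))
            if role != "third_party" and classify(sub) == "third_party":
                findings.append((sub_path, "flow-down failure: subcontractor lacks equivalent contract"))
            walk(sub, here)

    walk(root, [])
    return findings


# Constructed sample register (hypothetical vendors).
FULL = REQUIRED_TERMS
ANALYTICS = Vendor("analytics-saas", written_contract=True, terms=FULL, subcontractors=[
    Vendor("cloud-host", written_contract=True, terms=FULL),
    Vendor("email-relay", written_contract=True, business_notified=False,
           terms=FULL - {"no_combining", "subcontractor_flowdown"}),
])
CONSULTANT = Vendor("consultant", written_contract=True, access_mode="made_available",
                    terms=FULL | CONTRACTOR_EXTRA)
ONSITE = Vendor("onsite-vendor", written_contract=True, access_mode="made_available",
                terms=FULL)  # no certification: cannot be treated as a contractor
ENRICHMENT = Vendor("data-enrichment", written_contract=True, terms=FULL, own_purpose_use=True)
REGISTER = [ANALYTICS, CONSULTANT, ONSITE, ENRICHMENT]


def run_register(register=REGISTER) -> dict:
    return {v.name: (classify(v), audit(v)) for v in register}


if __name__ == "__main__":
    for name, (role, findings) in run_register().items():
        print(name, role, *findings, sep="\n  ")
```

The register above deliberately contains one clean chain, one contractor with its certification, one on-site vendor without it, and one "enrichment" vendor whose own-purpose use makes the disclosure look like a sale; real register exports will mix all four. Findings are paths rather than bare names so a flow-down failure two levels down can be traced back to the primary contract it should have been fixed in.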
How Bastion Helps
Managing service provider relationships for CCPA compliance requires systematic processes and appropriate contracts.
| Challenge | How We Help |
|---|---|
| Contract templates | CCPA-compliant service provider agreements |
| Vendor classification | Assessment of vendor roles under CCPA |
| Contract review | Gap analysis of existing agreements |
| Due diligence | Service provider assessment processes |
| Monitoring | Ongoing compliance tracking systems |
Need help with CCPA service provider compliance? Talk to our team →
Sources
- CPPA Regulations - Official CCPA regulations on service providers
- CCPA Text - California Civil Code definitions
- California Consumer Privacy Act (CCPA) - California Attorney General official CCPA page
