California Consumer Privacy Act: Service Providers

Part three of this CCPA client alert series focuses on the obligations for service providers pursuant to the CCPA.

The California Consumer Privacy Act of 2018 (the “CCPA”) and the related proposed Attorney General Regulations (the “Regulations”) provide California consumers with increased privacy rights and protections with respect to their personal information. Businesses that are subject to the CCPA must comply with various notice obligations and requirements related to the collection, deletion and sale of personal information. The California Attorney General intends to begin enforcing the CCPA and the Regulations on July 1, 2020.

A “service provider” is an entity that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract. The CCPA and the Regulations set forth certain obligations for service providers, including the following:

  • A service provider must not retain, use or disclose personal information obtained in the course of providing services except for the specific purpose of performing its services under the contract and in certain circumstances set forth in the Regulations, which circumstances may include processing or maintaining personal information on behalf of the business in compliance with the written contract for services, detecting data security incidents, and protecting against fraudulent or illegal activity.
  • A service provider cannot sell data on behalf of a business when a consumer has opted out of the sale of their personal information with the business.
  • If a service provider receives a request to know personal information or a request to delete personal information from a consumer, it must either act on behalf of the business in responding or inform the consumer that the request cannot be acted upon because it was sent to a service provider of the primary business.
  • If a business receives a request to delete personal information from a consumer, it must direct any service provider to also delete such information from their records.

A service provider that is itself considered a business subject to the CCPA must also comply with the CCPA and the Regulations with respect to any personal information it collects, maintains or sells outside of its role as a service provider.

This client alert provides a summary of certain requirements related to service providers pursuant to the CCPA and the Regulations. This is simply a summary of some key points, so check with your ECJ attorney for the critical details regarding the CCPA and the Regulations. Client alerts related to other important aspects of the CCPA and the Regulations can be found on our blog or by reading our latest articles on Covered Businesses and Required Notices and Handling Consumer Requests.

For further details on whether the CCPA applies to your business, a better understanding of consumer rights under the CCPA and clarification of your company’s obligations thereunder, you can download a copy of ECJ's Business Guide to the CCPA.

Tags: CCPA
