The California Consumer Privacy Act (“CCPA”) was enacted in June 2018 as a political compromise to stave off a poorly drafted, plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force on January 1, 2020, there is a great deal of confusion regarding its requirements, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
- When would a “service provider” be considered a “business” for the purposes of the CCPA?
An entity is considered a “business” under the CCPA when it determines the “purposes and means” of the processing of personal information and meets at least one of the thresholds set out by the Act – i.e., it has annual gross revenue exceeding $25 million, it annually buys, receives, sells, or shares the personal information of 50,000 or more consumers, households, or devices, or it derives at least 50% of its annual revenue from the sale of personal information.1 In contrast, a service provider processes personal information “on behalf of a business” and is bound by a written contract that prohibits it from
- retaining personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,”2
- using personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,”3 or
- disclosing personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title.”4
While there is no judicial or regulatory interpretation within California as to when a company determines the “purposes and means” of processing, it is conceivable that a California court could treat a service provider that breaches the contractual prohibitions on retention, use, or disclosure as functionally determining the purposes and means of processing. Even if that were to occur, the service provider would not necessarily convert itself into a “business” for the purposes of the CCPA and thus become subject to the obligations the Act imposes upon businesses, because the volume thresholds would still have to be met. For example, if a service provider were found to determine the purposes and means of processing but still fell below the thresholds, it might fall outside both the definition of a “service provider” and the definition of a “business” under the Act.
In comparison, under the European GDPR the Article 29 Working Party provided significant guidance concerning when a vendor makes decisions about how and why data will be processed sufficient to take it out of the scope of a “processor” and into the realm of a “controller” because it determines (jointly with, or independently of, its client) the purposes and means of processing. While the analysis depends upon a variety of factors, if the service provider makes any of the following decisions there is a reasonable likelihood that a European supervisory authority would consider it to be a “controller”:
- What the data will be used for.
- What data elements will be processed.
- How long the data will be stored.
- Who is to have access to the data.
Unlike the CCPA, the GDPR does not impose any volume thresholds that must be met before an entity can be classified as a “controller.”