No. 

In order to be considered a “service provider” for the purposes of the CCPA, a vendor must be bound by a written contract that prohibits it from:

  1. retaining the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,”
  2. using the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,” or
  3. disclosing the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title.”

If a service provider negotiates an agreement with a client that contains the three provisions above, the CCPA states that the service provider will “not be liable” in the event that it’s client fails to fulfil the client’s obligations as a “business” under the Act. So, for example, a service provider should not be liable if its client fails to post a privacy notice, inaccurately describes its sharing practices, or fails to disclose that it has transferred personal information to the service provider.