Readers of this blog know that we have been analyzing both the draft California Consumer Privacy Act (“CCPA”) regulations and the California Attorney General’s associated effort to clarify and modify the CCPA before it takes effect on January 1, 2020. Today, we would like to address Section 999.314 of the proposed regulations, a provision intended to: 1) clarify the breadth of the CCPA service provider exception; and 2) address how service providers should handle CCPA-related consumer requests.
Who is a CCPA service provider and how should service providers handle consumer requests?
Defining CCPA Service Provider
The CCPA defines a “service provider” as a for-profit entity that “processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract . . . .” Transferring a consumer’s personal information to a service provider (acting in its capacity as a service provider) is, generally, an exception to what constitutes a “sale” of personal information under the statute. When that exception applies, certain consumer data safeguards and the associated consumer request obligations created by the CCPA are not triggered. The draft CCPA regulations clarify that an entity that performs services on behalf of an organization that is not a “business” as defined by the CCPA (e.g., a nonprofit or governmental entity), but that would otherwise meet the CCPA “service provider” definition, “shall be deemed a service provider for purposes of the CCPA and these regulations.” In other words, a person or entity can be a service provider even if it provides services to a third party that does not itself fall within the definition of “business.” The California Attorney General added this regulation to address public concern that, as written, the CCPA would not have required a service provider to comply with consumer requests in situations where the person, nonprofit or governmental entity it serves would not itself be required to do so.
Handling Consumer Requests
The draft CCPA regulations clarify that a service provider may not use personal information received from one of its business customers to provide services to another entity. The original language of the CCPA permitted a service provider to use personal information where doing so was “reasonably necessary and proportionate to achieve the operational purpose” of the underlying service contract, but the statute does not explain what counts as “reasonably necessary and proportionate.” The draft regulations resolve that ambiguity by recognizing only one exception to the prohibition on using or sharing one customer’s personal information for another: use that is necessary to detect data security incidents or to protect against fraudulent or illegal activity.
The draft CCPA regulations also impose new obligations on service providers that receive requests to know or requests to delete concerning personal information they collect on behalf of their business customers. A service provider that does not comply with such a request must explain to the consumer the basis for the denial and must inform the consumer that the request should be made directly to the business on whose behalf the service provider maintains the information.
Finally, the California Attorney General recognizes that a service provider may, in some circumstances, also meet the CCPA definition of a “business.” The draft CCPA regulations clarify that a service provider that meets the business definition through its direct dealings with consumers must separately comply with the CCPA and its implementing regulations with respect to any consumer personal information it collects, maintains, or sells outside of its role as a service provider.