In order to be considered a service provider under the CCPA, a legal entity must process personal information “on behalf of a business”[1] and be prohibited by contract from:
- Retaining the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,”[2]
- Using the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,”[3] or
- Disclosing the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title.”[4]
As a result, whether a particular behavioral advertising cookie provider is considered a “service provider” depends upon whether the contract in place between a website operator and the behavioral advertising company contains the above-referenced terms.
The CPRA amended the CCPA’s definition such that, beginning on January 1, 2023, the written contract between a website operator and a behavioral advertising company would also need to contain the following additional prohibitions in order for the advertising company to be considered a service provider:
- A prohibition against selling or sharing personal information,[5]
- A prohibition against retaining, using, or disclosing personal information “outside of the direct business relationship” between the service provider and the business,[6] and
- A prohibition against combining (subject to some exceptions) the personal information that the service provider receives from one business with information that it receives from another business.[7]
The California Attorney General has suggested that some behavioral advertising companies may fall within the above definition of a service provider. Specifically, the Attorney General stated that the “CCPA allows a service provider to furnish advertising services to the business that collected personal information from the consumer, and such ads may be shown to the same consumer on behalf of the same business on any website.”[8] The Attorney General further cautioned, however, that to be considered a service provider, the AdTech partner must not use the personal information that it collects from one business to “provide advertising services to other businesses.”[9] Furthermore, under the regulations implementing the CCPA, the AdTech partner must be prohibited from “building or modifying household or consumer profiles” from the data that it receives.[10]
[1] Cal. Civ. Code 1798.140(v) (Oct. 2020).
[2] Cal. Civ. Code 1798.140(v) (Oct. 2020).
[3] Cal. Civ. Code 1798.140(v) (Oct. 2020).
[4] Cal. Civ. Code 1798.140(v).
[5] Cal. Civ. Code 1798.140(ag)(1)(A).
[6] Cal. Civ. Code 1798.140(ag)(1)(C).
[7] Cal. Civ. Code 1798.140(ag)(1)(D).
[8] FSOR Appendix A at 167 (Response No. 519).
[9] FSOR Appendix A at 167 (Response No. 519).
[10] CCPA Reg. 999.314(c)(3).