Skip to content

In order to be considered a service provider under the CCPA, a legal entity must process personal information “on behalf of a business”[1] and be prohibited by contract from:

  1. Retaining the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,”[2]
  2. Using the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,”[3] or
  3. Disclosing the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title.”[4]

As a result, whether a particular analytics cookie provider is considered a “service provider” depends upon whether the contract in place between a website operator and the analytics provider contains the above-referenced terms.

The CPRA amended the CCPA’s definition such that, beginning Jan. 1, 2023, the written contract between a website operator and an analytics cookie provider would also need to contain the following additional prohibitions in order for the analytics provider to be considered a service provider:

  1. Prohibition against selling or sharing personal information,[5]
  2. Prohibition against retaining, using, or disclosing personal information “outside of the direct business relationship” between the service provider and the business,[6] and
  3. Prohibition against combining (subject to some exceptions) the personal information that the service provider receives from one business with information that it receives from another business.[7]

[1] Cal. Civ. Code 1798.140(v) (Oct. 2020).

[2] Cal. Civ. Code 1798.140(v) (Oct. 2020).

[3] Cal. Civ. Code 1798.140(v) (Oct. 2020).

[4] Cal. Civ. Code 1798.140(v).

[5] Cal. Civ. Code 1798.140(ag)(1)(A).

[6] Cal. Civ. Code 1798.140(ag)(1)(C).

[7] Cal. Civ. Code 1798.140(ag)(1)(D).