The CCPA states that a service provider must be contractually prohibited from “retaining, using, or disclosing the personal information [provided to it by a business] for any purpose other than for the business purposes specified in the contract for the business . . . .”[1] That prohibition, however, may not apply to information once
service provider
California Privacy Rights Act Nudges State Closer to the GDPR
After Europe blazed the trail by passing the sweeping General Data Protection Regulation (“GDPR”) in 2016, California followed closely in the footsteps of European efforts by passing the most comprehensive data privacy law in the United States, the California Consumer Privacy Act (the “CCPA”). Effective January 1, 2020, the CCPA provided a number of obligations…
CFPB Warns Insufficient Data Security Measures May Violate Consumer Financial Protection Act
On Aug. 11, 2022, the U.S. Consumer Financial Protection Bureau issued guidance indicating that financial institutions and service providers that fail to adopt sufficient data security measures to protect consumer financial data may violate the Consumer Financial Protection Act provision prohibiting unfair acts and practices.
Service-Provider Compliance With California Consumer Privacy Act—Written Policies and Procedures
What types of documents, policies, procedures, and protocols should service providers consider putting in place to comply with the CCPA?
The written policies and procedures that service providers put into place to assist in their compliance with the CCPA differ depending upon several factors including the size of the service provider, the quantity of personal…
Is it Groundhog Day? Do I need to revise all my service provider agreements again for the CCPA?
The CPRA amended the CCPA’s definition of a service provider such that, beginning Jan. 1, 2023, a service provider could include any person (not just a legal entity), and a service provider could be a business that receives personal information “on behalf of” another business. The CPRA also added the requirement that written contracts contain…
Analytics companies are service providers under the CCPA, right?
In order to be considered a service provider under the CCPA, a legal entity must process personal information “on behalf of a business”[1] and be prohibited by contract from:
- Retaining the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or
…
All this talk about adtech, and I’m confused: Can’t behavioral advertising companies be service providers under the CCPA?
In order to be considered a service provider under the CCPA, a legal entity must process personal information “on behalf of a business”[1] and be prohibited by contract from:
- Retaining the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or
…
So Many Confusing Terms! Is a service provider (CCPA) really the same thing as a processor (GDPR)?
No.
The European GDPR does not use the term “service provider” and, instead, refers to “processors.” While processors within the GDPR are defined in a similar manner to service providers under the CCPA, the GDPR is far more prescriptive regarding the contractual terms that must be present in a processor agreement. Specifically, the GDPR requires…
Is a company that accepts credit cards a service provider under the CCPA with respect to credit card related information?
Potentially.
Some consumers may assume that a company owns the payment card-related information that it collects when it accepts payment cards (e.g., credit or debit cards). In order to process payment cards, however, a company typically must enter into a written contract with a payment processor or merchant-bank. Those contracts often specify that payment card-related…