Privacy implications of doing business with “third parties” as opposed to “service providers” and “contractors”

With California strengthening its privacy laws, businesses need to be mindful of how they handle consumer information.

The California Consumer Privacy Act (“CCPA”) provides consumers with a variety of rights regarding the collection, selling, and sharing of their personal information. Some of the latest amendments to the CCPA expand mandatory disclosures when businesses share consumer information with other businesses (which can include vendors and contractors). However, it is important to know how to classify third-party businesses for purposes of maintaining compliance with the CCPA.

For purposes of CCPA compliance, it is important to know whether a business is sharing information with a “third party” as opposed to a service provider or contractor. This is particularly important because a business sharing information with a “third party” can trigger the requirement for consumer notice (see Cal. Civ. Code § 1798.110(a)(4)). However, the CCPA specifically excludes “service providers” and “contractors” from being classified as third parties. So the question turns to how a “third party” can be different from a “service provider” and “contractor”.

The CCPA does not allow a service provider or contractor to be classified by name alone. The CCPA mandates that businesses must have a written contract with service providers, and it is arguable that the lack of such a contract can forfeit the advantages of service-provider classification. See Cal. Civ. Code § 1798.140(v).

Similar to the CCPA, the European Union’s General Data Protection Regulation (GDPR) requires some US businesses to have a data processing agreement with third-party businesses. Now that California has mandated a similar requirement, businesses should amend their service contracts to comply with both the GDPR and the CCPA.

With the development of privacy laws, it is important to stay ahead of the curve. Consult a licensed attorney to determine whether your business falls within the mandates under the GDPR and the CCPA.