In order to be considered a service provider under the CCPA, a legal entity must process personal information “on behalf of a business”[1] and be prohibited by contract from:
-
Retaining the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,”[2]
-
Using the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,”[3] or
-
Disclosing the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title.”[4]
As a result, whether a particular analytics cookie provider is considered a “service provider” depends upon whether the contract in place between a website operator and the analytics provider contains the above-referenced terms.
The CPRA amended the CCPA’s definition such that, beginning Jan. 1, 2023, the written contract between a website operator and an analytics cookie provider would also need to contain the following additional prohibitions in order for the analytics provider to be considered a service provider:
-
Prohibition against selling or sharing personal information,[5]
-
Prohibition against retaining, using, or disclosing personal information “outside of the direct business relationship” between the service provider and the business,[6] and
-
Prohibition against combining (subject to some exceptions) the personal information that the service provider receives from one business with information that it receives from another business.[7]
[1] Cal. Civ. Code 1798.140(v) (Oct. 2020).
[2] Cal. Civ. Code 1798.140(v) (Oct. 2020).
[3] Cal. Civ. Code 1798.140(v) (Oct. 2020).
[4] Cal. Civ. Code 1798.140(v).
[5] Cal. Civ. Code 1798.140(ag)(1)(A).
[6] Cal. Civ. Code 1798.140(ag)(1)(C).
[7] Cal. Civ. Code 1798.140(ag)(1)(D).