On January 1, 2020, if your company sells goods or services to California consumers and meets certain criteria,[1] the agreements you have with companies that handle personal information on your behalf should be analyzed and, if necessary, updated just as your privacy notices should be updated.[2]

Examples of companies that handle personal information on a company’s behalf include marketing companies, managed security service providers (MSSP), and software-as-a-service (SaaS) providers such as payment processing, document and email management, and customer analytics companies.

Why this Matters

Under the California Consumer Privacy Act (“CCPA”), companies that handle consumer information on behalf of a company are “service providers.”[3] The CCPA requires that a company enter into an agreement with a service provider that

prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business … [4]

This is important because the CCPA exempts a company for any violation of the CCPA if its service providers have executed an agreement and they, not the company providing the personal information, violates any of the rights given to California consumers under the CCPA.[5]

For example, if a company provides personal information of California consumers to a marketing company to assist it with developing a marketing strategy, and that company sells that information when the consumers have exercised their right “to opt out of the sale”[6] of their information, the company providing the information will not be liable if it has a “written contract” with the service provider prohibiting the sale of information.

Put another way, if a company provides the personal information of its California consumers to a MSSP to ensure the security of that information, and the MSSP uses that information to market to those consumers, the company providing the information will be liable if it has not required the MSSP in a “written contract” to use the information “for the specific purpose of” providing it security services.

Agreements Under the CCPA

In short, the CCPA provides a way for companies to shift liability for violations of the CCPA to service providers.[7] If, however, for whatever reason you do not get a company that handles personal information on your behalf to agree in writing to not use that information for any purpose other than “the specific purpose of performing the services specified,” that company is no longer a service provider. Instead, under the CCPA that party is a “third party.”[8]

In a third party situation, a company providing the personal information can be liable for CCPA violations committed by the third party unless they can show that “at the time of disclosing the personal information” they did not know, or have reason to believe, that the third party intended to commit a CCPA violation.[9] A violation of the CCPA can result in a penalty of $2,500 or $7,500 for an intentional violation for each consumer whose personal information is violated “if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance.”[10]

The distinction between service providers and third parties under the CCPA highlights the need for companies that sell goods or services to California consumers to carefully review their relationships with companies that handle personal information on their behalf. Given the penalty amounts that can multiply per consumer, this is the type of situation where an ounce of prevention is worth a pound of cure.

If you have questions about the CCPA and its application to your company and its agreements with companies that handle personal information on your behalf, please reach out to one of our Global Privacy & Security Blog authors.

[1] See CCPA is Coming – Is Your Business Prepared for the Data Requests & Lawsuits? (explaining who is covered by the CCPA).
[2] See CCPA is Here – Is Your Privacy Notice Ready?
[3] California Legislative Information, Cal. Civil Code § 1798.140(v)
[4] Id. § 1798.140(t)(2)(C).
[5] See CCPA is Coming – Is Your Business Prepared for the Data Requests & Lawsuits? (discussing what rights the CCPA creates for consumers).
[6] Id. § 1798.135(a)(4).
[7] This type of exemption is not a novel concept. Under the Health Insurance Portability and Accountability Act (HIPAA), covered entities can shift liability by requiring that service providers sign an agreement ensuring they limit the use of personal information (https://www.hhs.gov/hipaa/for-professionals/faq/236/covered-entity-liable-for-action/index.html).
[8] California Legislative Information, Cal. Civil Code § 1798.140(w).
[9] Id. § 1798.140(w)(2)(B).
[9] Id. § 1798.155 (a).