As we continue to dig into the core tenets of CCPA readiness and compliance, let’s take a step back to focus on terminology, specifically, the three categories of companies named within the CCPA: businesses, service providers, and third parties. As you’ll see, many of these terms differ from how the GDPR defines them—yet another reason why companies should not conflate GDPR compliance with CCPA readiness.
Please note that while the definitions within this post are how they are defined by the CCPA, nothing below should be considered legal guidance. This post is solely meant to inform and raise awareness.
How does the CCPA define a business?
Under the CCPA, a business is a for-profit company operating in California for which one or more of the following are true:
- Annual gross revenues over $25M.
- Annually buys, receives, sells, or shares personal information of over 50,000 California consumers, households, or devices.
- Derives at least 50% of annual revenue from selling California consumers’ personal information.
Though CCPA’s definition is more stringent, businesses are similar to data controllers—the companies that make decisions around the collection and processing of personal data—under GDPR.
How does the CCPA define a service provider?
The CCPA defines service providers as for-profit companies for which both of the following conditions are true:
- Has a contractual relationship with a business to process consumer personal information for specific purposes.
- The contract prohibits the service provider from processing or using the data in ways not outlined within the contract.
In other words, there are specific lines drawn around what a service provider can and cannot do with consumer personal information received from a business. Service providers cannot share or use personal information unless they are fulfilling their contractual obligations.
Service providers are similar to GDPR’s concept of data processors—companies that collect or process data on behalf of a data controller.
How does the CCPA define third parties?
In the context of CCPA, third parties are defined as companies that are not businesses or service providers. Draft regulations released on October 10, 2019, further elaborate on third parties, defining “categories of third parties” as:
“Types of entities that do not collect personal information directly from consumers, including but not limited to advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, social networks, and consumer data resellers.” (11 CCR §999.301(e))
It’s worth noting that these categories are not mutually exclusive. It is possible for a single company to act as a business in certain scenarios and as a service provider or third party in others. Understanding the scenarios in which you are acting as a business, service provider, or third party is a crucial part of your compliance journey.
The information provided in this blog does not constitute legal advice. Please consult your legal counsel to obtain legal advice.