One of the larger exemptions to being deemed a seller of personal data under the CCPA is the “service provider” exemption. I am not going to quote the statutory language as frankly its written in a confusing way. But the CCPA states that a business will not be deemed a seller of personal data, with respect only to its relationship with a service provider, where such business uses or shares with a service provider personal information of a consumer, where:
- its necessary to perform a business purpose, and
- the service provider does not further collect, sell or use the personal information, and
- the business has provided notice that information is being used or shared in its terms and conditions (which should comply with CA law, see 1798.135)
The CCPA broadly defines “business purpose” as that which uses the personal information for the business or a service provider for reasonable and necessary uses proportinate to get the operational purpose for which it was collected. Specifically, auditing, security purposes, debugging, transient use, performance of services (providing accounts, customer service, etc.), internal research, verifying quality or security of services or products.
If a business gets a right to delete information, it should pass that request along to its service providers and they should process the request and delete the information they have.
An agreement addressing specific items should be in place between the company and its service providers and many companies are now scrambling to amend all of their current agreements with service providers to ensure compliance with CCPA.