What Is a Service Provider?
"Service Provider" vs. "Third Party"
A “service provider” is a vendor that uses the personal information that a business discloses to it solely to provide (or improve) a service to that business. For example, a service provider is not allowed to build a database of consumer profiles about your business's users or customers so that it can better serve other businesses. A “third party” is any person or organization that is not a service provider. In theory, a third party may do anything it wants with the personal information a business provides to it. Therefore, when a business provides personal information to third parties, that may be considered a “sale” or “sharing” of personal information.
What Is Selling & Sharing?
The CCPA defines a sale of personal information broadly to include situations where a business gives third parties access to consumer information and receives anything of value in return, such as money or a service. This obviously includes disclosing personal information to a data broker for cash, but it can also include giving a software company access to your data in exchange for a discount on its product.
Sharing personal information means making it available to a third party for the purpose of “cross-context behavioral advertising.” This means taking data about a consumer’s interactions with your business (such as browsing activity on your website) and using that data to target the consumer with advertisements elsewhere. This most commonly means retargeting (a.k.a. interest-based advertising), but can also include using “custom audience” tools, in which a business can upload its customer list directly to an ad network to deliver ads to those consumers.
If your business sells personal information to third parties or shares it with them, it must disclose that in its online privacy policy. It must also add a "Do Not Sell or Share My Personal Information" link to its website so that California consumers can opt out of the sale of information.
Determining Vendor Classification
Service providers must provide written guarantees about how they will use your consumers’ personal information. These contracts must prohibit the service provider from doing any of the following:
- Selling or sharing the personal information
- Retaining, using, or disclosing the personal information for any purpose other than for business purposes specified in the contract
- Retaining, using, or disclosing the information outside of the direct business relationship between the service provider and the business
- Combining the personal information that the service provider receives from the business with personal information that it receives from other sources
Many vendors have statements about their service provider status. Sometimes those statements are in their online terms of service or in their privacy policy. Other times, they may be contained in a data protection addendum (DPA). Usually, these statements are publicly available. But sometimes a business will need to contact the vendor directly to ask whether the vendor is a service provider. For any of your business's vendors that do not have a service provider statement, your business can consider asking the vendor to update its contract language.
Here is an example of a clear statement of a vendor's status as a service provider to the businesses it serves:
This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.