When to Classify a Vendor as a Service Provider and/or Processor

Classifying vendors as service providers/processors is a complicated task, which is why we try to provide privacy documentation for as many companies as possible through our Vendor Database. However, you may still have a few data recipients left which we have not been able to classify. 

The easiest way to begin is to simply contact the vendor directly and ask if they can provide the information you need. We provide an email template for this purpose. Sometimes the vendor is not very responsive, though, or the person you’re dealing with may not really understand what it is you’re asking for. In these cases, you may have to do your own research and decide about how to classify the vendor. This article will provide information about what you’re looking for.

Note: This process will require you to review contractual language to determine if it meets specific legal requirements. If you are unsure about this, we recommend you seek assistance from an attorney.

Overview

First, a note about terminology. The CCPA calls these types of data recipients “service providers,” while most other privacy laws call them “processors.” Despite the difference in names, their roles within privacy compliance are very similar: They are outside entities that process personal data on your business's behalf, and their contract with your business prevents them from using that data for any other purpose. While they are similar, the CCPA’s contract requirements for service providers are slightly different that the contract requirements for processors found in other laws (more on that below).

Second, a vendor can only be classified as a service provider/processor if they have a contract that meets all the requirements. If not, then that vendor should be classified as a third party.

Example:

Your business uses an email vendor to send promotions to customers. You’ve contacted the company, you’ve reviewed all the contracts you could find, but you could not find anything with the language required of service providers or processors. You should classify the vendor as a third party. Why? Without the required privacy language, that vendor may be allowed to take your email list and sell it to other companies. They may not actually be doing that, but it’s the fact that they could do it that is the issue.

Language for Service Providers (CCPA)

Under the CCPA, in order for a data recipient to be a service provider, they must be contractually prohibited from doing any of the following:

• Selling or sharing the personal information
• Retaining, using, or disclosing the personal information for any purpose other than for business purposes specified in the contract
• Retaining, using, or disclosing the information outside of the direct business relationship between the service provider and the business
• Combining the personal information that the service provider receives from the business with personal information that it receives from other sources

The contract does not necessarily need to contain these exact words, but it does have to have the effect of prohibiting these things.

Alternatively, it may be permissible for a vendor contract to simply state that the vendor shall be considered a service provider, as that term is defined by the CCPA. It’s not 100% clear that this is enough, but it may be all you have.

Another issue that is not clear is whether a vendor can be considered a service provider if it only has the processor language described in the next section. Arguably, the processor language covers the same bases, but we don’t know yet if regulators will agree with that conclusion.

See an example of service provider language 

Language for Processors (Most Other Privacy Laws)

Other state privacy laws and the GDPR all share very similar language regarding processors. A processor must be contractually bound to do all of the following:

• Adhere to the instructions of a controller (i.e., your business)
• Assist the controller in meeting the controller's obligations, including:
  • To fulfill the controller's obligation to respond to consumer rights requests
  • By assisting the controller in meeting the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of security; and
  • Providing necessary information to enable the controller to conduct and document data protection assessments.
• Within the contract, clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties
• Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the personal data
• At the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law
• On the reasonable request of the controller, make available to the controller all information in the processor's possession necessary to demonstrate the processor's compliance
• Engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor
• Allow and cooperate with reasonable assessments by the controller or the controller's designated assessor, or the processor may arrange for a qualified and independent assessor

This is a lot of information, but the good news is that it is standard language typically found together in one place, usually within a data protection agreement (DPA). Once you find part of it—for example, the first requirement about adhering to the controller’s instructions—you’ll probably find the rest in the surrounding paragraphs.

Looking for guidance on where to look? Try this help article.

This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.