Understanding your Company’s role in relation to the personal information you are processing is crucial for complying with the CCPA. Obligations under the CCPA vary depending on whether the Company is a Business or a Service provider, and the CCPA requires contracts between businesses and service providers.
The CCPA regulates how businesses treat consumers' (California residents') personal information. The CCPA defines a "business" (as opposed to a “service provider”) as any legal entity that determines the purposes and means of the processing of personal information - the why and how of data processing.
Companies are “businesses” with respect to their:
- customer purchase history,
- employee information,
- email marketing data.
The CCPA defines a "service provider" as an entity that: receives personal information from a business, processes the personal information on behalf of the business, and operates under a service provider contract.
Examples of service providers include:
- SaaS companies,
- analytics providers, and
- Customer Relationship Management (CRM) services.
It is possible to be both a business and a service provider for the purposes of the CCPA.
For example, a CRM company is a business with respect to its customer contact data and its own employee information, but a service provider with respect to its customers’ end user data. Sharing personal information with a service provider does not count as "selling" the personal information. This is why it’s important to have a service provider agreement in place (more on that in another video).
Recap:
A Business determines the purposes and means of the processing of personal information; a Service provider processes the personal information on behalf of the business. Companies can be - and often are - both. Know which you are, and make sure you are following the right rules.