CCPA/CPRA: Service Provider and Contractor Requirements
Service Provider and Contractor Requirements [§ 1798.140, § 7050-7051]
Rule: Businesses must enter written contracts with service providers and contractors that include specific mandatory clauses, prohibition on selling/sharing personal information, and audit rights.
Definitions [§ 1798.140]
Service Provider [§ 1798.140(ag)]
A for-profit entity that:
- Processes personal information on behalf of a business
- Receives personal information from or on behalf of the business for a business purpose pursuant to a written contract
- Is prohibited by that contract from retaining, using, or disclosing the personal information for any purpose other than the business purposes specified in the contract, or as otherwise permitted by the CCPA and its regulations
Key distinction: Service provider processes data FOR the business (not for its own purposes).
Contractor [§ 1798.140(j)]
An entity to which the business makes personal information available for a business purpose pursuant to a written contract, and that:
- Is prohibited by that contract from retaining, using, or disclosing the personal information for any purpose other than the business purposes specified in the contract, or as otherwise permitted by the CCPA and its regulations
- Certifies that it understands the restrictions in § 1798.140(j) and will comply with them
- Must permit the business (subject to agreement) to monitor its compliance with the contract
Key distinction: The statute defines the two roles almost identically. A contractor's contract must contain the certification and the monitoring clause, which the statute requires only for contractors (the regulatory contract clauses in § 7051 apply to both). Neither a service provider nor a contractor may use the personal information to perform services for other clients.
Third Party [§ 1798.140(ai)]
Any entity that is not:
- The business collecting personal information
- A service provider or contractor
If personal information is disclosed to a third party: Disclosure for monetary or other valuable consideration is a “sale”, and disclosure for cross-context behavioral advertising is “sharing”. Both trigger the consumer's right to opt out and require a contract with the third party under § 1798.100(d).
Contract Requirements [§ 7051]
Mandatory Contract Clauses
ALL contracts with service providers or contractors must include:
| Requirement | Details |
|---|---|
| 1. Sales/Sharing Prohibition | “Service provider/contractor shall not sell or share personal information” |
| 2. Specific Business Purposes | List purposes with specificity — no generic descriptions like “business operations” |
| 3. Retention Restrictions | Cannot retain, use, or disclose PI beyond stated purposes or CCPA allowances |
| 4. Commercial Use Prohibition | Cannot use PI for commercial purposes outside specified contract purposes |
| 5. Data Isolation | Cannot combine contract data with information from other sources (unless permitted by CCPA) |
| 6. CCPA Compliance | Must comply with all applicable CCPA sections and provide equivalent privacy protections |
| 7. Audit/Monitoring Rights | Business has the right to take reasonable and appropriate steps to ensure compliant use, such as ongoing manual reviews, automated scans, and regular assessments, audits or other technical and operational testing at least once every 12 months |
| 8. Notification of Inability | Service provider/contractor must notify the business after determining that it can no longer meet its CCPA obligations |
| 9. Remediation Rights | Business may require cessation of unauthorized use and verification of deletion |
| 10. Consumer Request Enablement | Contract allows business to comply with consumer CCPA requests |
Example Business Purpose Specifications
| ❌ Too Generic | ✅ Sufficiently Specific |
|---|---|
| “Business operations” | “Payroll processing and tax compliance” |
| “Marketing purposes” | “Email campaign management and performance analytics” |
| “Data analysis” | “Customer churn prediction modeling using purchase history” |
| “Service delivery” | “Payment processing and fraud detection for transactions” |
Prohibited Activities [§ 7050, 7051]
Service providers and contractors cannot:
| Prohibited Activity | Exception |
|---|---|
| Sell personal information | None — absolute prohibition |
| Share personal information for cross-context behavioral advertising | None — absolute prohibition |
| Retain, use, or disclose PI outside stated purposes | Only for specific CCPA-permitted purposes (below) |
| Combine personal information with other sources | Only as expressly permitted by the CCPA regulations (§ 7051(a)(5)) |
| Use PI for own commercial benefit | Internal use to build or improve the quality of its own services only, never to perform services on behalf of another person (§ 7050(a)(3)); applies equally to service providers and contractors |
Permitted Uses Beyond Contract Purposes [§ 7050(a)]
A service provider or contractor may retain, use, or disclose personal information collected under its contract only for the following, none of which counts as a “sale” or “sharing”:
- Performing the specific business purpose(s) set forth in the written contract
- Engaging a subcontractor under a contract that itself meets § 7051
- Internal use to build or improve the quality of its own services, provided the information is not used to perform services on behalf of another person (building or modifying household or consumer profiles for use with another business, or cleaning or augmenting data acquired from another source, is not permitted)
- Preventing, detecting, or investigating data security incidents, and protecting against malicious, deceptive, fraudulent, or illegal activity
- The purposes enumerated in § 1798.145(a) (compliance with law, legal process, cooperating with law enforcement, exercising or defending legal claims)
The business purposes written into the contract should be drawn from the enumerated business purposes in § 1798.140(e): auditing, security and integrity, debugging, short-term transient use (including non-personalized advertising shown as part of the current interaction, but not cross-context behavioral advertising), performing services, advertising and marketing other than cross-context behavioral advertising, internal research, and quality or safety assurance.
Important: The security and fraud-prevention use applies even if it is not specified in the written contract. Every other use must be covered by the contract's stated business purposes or expressly permitted by the regulations.
Contractor-Specific Requirements [§ 1798.140(j)]
In addition to the clauses above, a contractor's contract (but NOT a service provider's) must include:
| Requirement | Details |
|---|---|
| Certification of understanding | Contractor certifies that it understands the restrictions in § 1798.140(j) |
| Certification of compliance | Contractor certifies that it will comply with those restrictions |
| Monitoring rights | Contract permits the business, subject to agreement with the contractor, to monitor compliance through measures such as ongoing manual reviews, automated scans, and regular assessments, audits, or other technical and operational testing at least once every 12 months |
The statute sets no renewal frequency for the certification; annual recertification is a common contractual practice rather than a statutory requirement.
Sample Certification Language:
“[Contractor Name] certifies that it understands the restrictions in Civil Code § 1798.140(j) and will comply with them. [Contractor Name] will not retain, use, or disclose personal information received from [Business Name] for any purpose other than the business purposes specified in our contract, or as otherwise permitted by the CCPA and its regulations.”
Audit Rights [§ 7051(a)(7)]
Businesses must include in contracts:
| Audit Element | Requirement |
|---|---|
| Frequency | At least once every 12 months |
| Scope | Review and audit service provider’s compliance with CCPA/contract terms |
| Access | Right to inspect relevant records, systems, and practices |
| Remediation | If non-compliance found, business may require cessation and deletion |
| Verification | Business may require the service provider to confirm that the unauthorized use has stopped and the affected data has been deleted (a contractual term; the regulation itself requires only the right to stop and remediate unauthorized use) |
Best practice: Schedule annual audits, maintain documentation, use standardized questionnaires.
Notification Obligations [§ 7051(a)(8)]
The contract must require the service provider/contractor to notify the business after it determines that it can no longer meet its obligations under the CCPA and the regulations. Contracts commonly extend the notice duty to:
- Changes to systems or practices that affect the ability to comply
- Unauthorized access to or disclosure of personal information (California's breach statute, Civil Code § 1798.82(b), separately requires a party that maintains data it does not own to notify the owner of a breach)
Timeline: The regulation ties the notice to the service provider's determination but sets no deadline; fix an explicit one in the contract (for example, a set number of business days) rather than relying on “reasonable time”.
Subcontractor Requirements [§ 7051(b)]
If service provider/contractor uses subcontractors:
- Flow-down requirements: Subcontract must include ALL same CCPA requirements
- Business approval: Some contracts require business pre-approval of subcontractors
- Liability: Service provider remains liable for subcontractor’s CCPA violations
- Audit rights: May extend to subcontractors
Business Due Diligence [§ 7051]
“Reason to believe” standard: A business that discloses personal information to a service provider or contractor in compliance with the CCPA is not liable for the recipient's misuse, provided that at the time of disclosure it did not have actual knowledge, or reason to believe, that the recipient intended to violate the restrictions. Whether the business has “reason to believe” turns on its own conduct, including:
- Whether it conducts due diligence on its service providers and contractors
- Whether it enforces the contract terms
- Whether it exercises its audit and testing rights
- How it responds to notifications of inability to comply
A business that never enforces the contract or exercises its audit rights may be unable to rely on this defense.
Practical impact: Cannot ignore red flags. Must investigate and remediate violations.
Enforcement and Liability [§ 1798.155, § 1798.199.90]
| Violation | Consequence |
|---|---|
| Any CCPA violation by a business, service provider, or contractor | Administrative fine or civil penalty of up to $2,500 per violation, or up to $7,500 per intentional violation or violation involving personal information of consumers known to be under 16 (amounts are adjusted periodically for inflation) |
| Service provider or contractor sells, shares, or otherwise uses PI outside the contract | The service provider or contractor is itself liable for the violation; for that processing it is no longer acting as a service provider or contractor, so the disclosure may be treated as a sale or sharing |
| Business discloses PI with actual knowledge or “reason to believe” the recipient intends to violate the restrictions | Business loses the statutory safe harbor for disclosures to service providers and contractors and may be liable for the recipient's violation |
| Contract lacks required terms (including the contractor certification) | Recipient does not qualify as a service provider or contractor under § 7051; the disclosure may constitute a sale or sharing requiring an opt-out |
Privacy Policy Disclosures [§ 1798.130(a)(5)(D)]
A business's privacy policy must list the categories of personal information it has disclosed about consumers for a business purpose in the preceding 12 months, or state that it has made no such disclosures.
Must specify:
- Which categories of personal information were disclosed (by statutory category, not by individual vendor)
- For what business purposes
The statute does not require naming individual service providers or contractors.
Practical Guidance for Businesses
Contract Template Checklist
- Identify specific business purposes (not generic)
- Include all 10 mandatory clauses from § 7051
- Specify audit frequency (at least annual)
- Include notification requirements
- Address subcontractor approval process
- Include contractor certification requirement (if contractor)
- Specify data retention/deletion obligations
- Include breach notification timelines
- Define “business purpose” vs “commercial purpose”
- Address conflict with other jurisdictions (GDPR, etc.)
Vendor Assessment Questionnaire
Before engaging service provider/contractor:
- What business purposes will you process PI for?
- Do you sell or share personal information with third parties?
- Do you use personal information for your own commercial purposes?
- Do you subcontract processing to others?
- What security measures protect personal information?
- How do you handle consumer rights requests from our customers?
- Can you provide CCPA compliance certifications?
- Will you undergo annual audits of CCPA compliance?
Annual Audit Components
- Review current contract for CCPA compliance
- Verify no unauthorized selling/sharing of PI
- Confirm purposes remain aligned with contract
- Check for unauthorized commercial use
- Review subcontractor agreements
- Obtain contractor certifications (if applicable)
- Test consumer request handling procedures
- Review security incidents/breaches
- Update contract if business purposes changed
Comparison: Service Provider vs. Contractor vs. Third Party
| Aspect | Service Provider | Contractor | Third Party |
|---|---|---|---|
| Processes on behalf of business | Yes | Yes | No |
| Written contract required | Yes (§ 1798.140(ag), § 7051) | Yes (§ 1798.140(j), § 7051) | Yes, when PI is sold or shared to it (§ 1798.100(d)) |
| Can sell/share PI | No | No | Yes (subject to consumer opt-out) |
| Can use PI for own purposes | Only internal service improvement under § 7050(a)(3) | Only internal service improvement under § 7050(a)(3) | Yes, within its own CCPA obligations |
| Certification of understanding and compliance required | No | Yes | No |
| Audit/monitoring rights required | Yes | Yes | Yes (§ 1798.100(d) requires the right to take reasonable steps to ensure compliant use) |
| Consumer opt-out required | No | No | Yes (for sale/sharing) |
Transition from Service Provider to Third Party
If service provider/contractor:
- Uses personal information beyond contract purposes
- Sells or shares personal information
- Uses personal information for own commercial benefit (beyond contractor exception)
→ Entity becomes “third party” requiring:
- Consumer opt-out mechanism
- Updated privacy disclosures
- Potential notice to affected consumers
Common Pitfalls
| Mistake | Consequence | Fix |
|---|---|---|
| Generic contract language (“business operations”) | Contract may be deemed non-compliant | Specify exact purposes |
| No audit rights in contract | Cannot verify compliance | Add audit provision (annual minimum) |
| Contractor never certifies | Non-compliant contract | Require annual certification |
| Service provider uses data to perform services for other clients | Falls outside § 7050(a)(3); the recipient becomes a “third party” and the disclosure a sale/share, triggering opt-out rights | Stop the use, or treat the recipient as a third party: enter a § 1798.100(d) contract, post the opt-out link, and honor opt-outs |
| Business ignores audit red flags | Vicarious liability for violations | Investigate and remediate promptly |
Note on § 1798.136 (Browser Opt-Out Signals)
Clarification: Section 1798.136 relates to browser opt-out preference signals, NOT service provider requirements.
§ 1798.136, added by AB 566 (2025), requires a business that develops or maintains a browser to include a setting that lets consumers send an opt-out preference signal. The section becomes operative January 1, 2027.
Service provider/contractor requirements are found in:
- § 1798.140(ag), (j) — Definitions
- § 7050-7051 (Regulations) — Contract requirements
Citation
11 CCR § 7050 — Service Providers and Contractors
11 CCR § 7051 — Contract Requirements for Service Providers and Contractors
Related: IAPP: CPRA Contractual Obligations