Service Provider (CCPA Definition)
Definition
Under CCPA Section 1798.140(ag), a service provider is a sole proprietorship, partnership, LLC, corporation, association, or other legal entity that processes personal information on behalf of a business for a business purpose pursuant to a written contract. The contract must prohibit the service provider from: retaining, using, or disclosing personal information for any purpose other than performing the services specified in the contract; retaining, using, or disclosing information outside the direct business relationship; or selling the personal information. Service providers are roughly analogous to GDPR processors: they process data on behalf of and under instructions from the business. However, CCPA is stricter about side uses: service providers generally cannot use client data for their own purposes, even if compatible. CPRA added 'contractors' as a similar category with additional restrictions. Organizations should: execute compliant written contracts with all service providers, ensure contracts prohibit unauthorized uses and sales, audit service provider compliance, and maintain records of service provider relationships.
Applicable Laws & Regulations
- CCPA Section 1798.140(ag)
- CCPA Section 1798.140(d)