Two of the main players in the California Consumer Privacy Act (CCPA (CPRA)) are the business and the service provider.

The CCPA (CPRA) defines these two types of company quite differently, and each carries its own set of roles and responsibilities.

Want to understand if your company is a business or a service provider under the CCPA (CPRA)? Let's take a detailed look at the differences between these terms, and why those differences matter.

(Note that the CPRA amended the CCPA, taking effect on January 1, 2023.)



Defining a Business

Businesses are the main subject of the CCPA (CPRA). The law exists to regulate how businesses treat consumers' (California residents') personal information.

The CCPA (CPRA) defines a "business" as any legal entity that:

  • Operates for profit
  • Does business in California
  • Determines the purposes and means of the processing of consumers' personal information (we'll look at this below), and
  • Meets at least one of the CCPA/CPRA's "three thresholds" (we'll look at these below)

Virtually any type of company can be a business - not only social media or big tech companies.

It is not necessary to have any physical presence in California, or even the United States, in order to be considered a business under the CCPA (CPRA).

The CCPA/CPRA's Three Thresholds

To qualify as a business, a company must meet at least ONE of the CCPA/CPRA's "three thresholds," which are that the company:

  1. Had annual gross revenues in excess of $25 million in the preceding calendar year (a figure the CPRA allows to be adjusted for inflation)
  2. Annually buys, sells, or shares the personal information of 100,000 or more consumers or households (the CCPA's original threshold was 50,000 consumers, households, or devices; the CPRA raised the number and dropped "devices"), or
  3. Derives 50 percent or more of its annual revenues from selling or sharing consumers' personal information

Do Third-Party Cookies Contribute to Threshold "B"?

There is no clear answer on whether setting third-party cookies (for example, an ad network's tracking cookie) constitutes the "sale" of personal information.

However, legal commentators make the following observations:

  • The CCPA (CPRA) includes cookies, IP addresses, and other "unique personal identifiers" and "online identifiers" in its definition of "personal information"
  • A "sale" of personal information can be any transfer of personal information to a third party in exchange for "monetary or other valuable consideration" (i.e., any benefit, not just money)
  • The California Attorney General's CCPA Proposed Regulations suggest that "user-enabled privacy controls, such as a browser plugin" could be a way for consumers to opt out of the sale of their personal information, which only makes sense if browser-level tracking can amount to a sale

On balance, therefore, it appears that the CCPA (CPRA) treats at least some uses of third-party cookies as a type of "sale" (or, under the CPRA, as "sharing" for cross-context behavioral advertising, which the law treats in the same way for this purpose).

If correct, this interpretation would bring many, many companies within the CCPA/CPRA's definition of a "business."

Any for-profit company could be a business if both of the following conditions are met:

  1. It uses third-party cookies on its website or app in a way that amounts to selling or sharing personal information, and
  2. Through those cookies it annually sells or shares the personal information of 100,000 or more California consumers or households

For more information, see our article CCPA: What Constitutes a "Sale" of Personal Information?

Do Only Californian Consumers Contribute to Threshold "C"?

While the CCPA (CPRA) defines "consumer" to mean a California resident, legal commentators generally understand that, for the purposes of threshold "C," the revenue calculation is not confined to personal information about California residents.

This means that if your business derives 50 percent or more of its annual revenues from selling or sharing personal information, it would fall under threshold "C" (and thus within the definition of a "business"), regardless of where that personal information originated.

Defining a Service Provider

The CCPA (CPRA) defines a "service provider" as any legal entity that operates under a service provider contract (we'll look at this below) and that:

  • Operates for profit
  • Receives consumers' personal information from a business
  • Processes the personal information on behalf of the business

Examples of service providers include email marketing companies, analytics providers, and Customer Relationship Management (CRM) services.

For a comprehensive look at service providers under the CCPA (CPRA), read our Complete Guide to CCPA Service Providers.

Service Provider Contract

A service provider must operate under a contract with the business from which it receives personal information.

The personal information received by the service provider from the business may not be retained, used, or disclosed except for the purposes of the contract or any other purposes permitted under the CCPA (CPRA).

Operating under a service provider contract means that a service provider is strictly limited in what it may do with the data: it exists only to provide specified services, to specified businesses, using specified sets of personal information.

The service provider contract is a means by which the CCPA (CPRA) ensures consumers can still exercise their rights over the personal information that has been collected by a business, even after it has been disclosed to another company.

A service provider contract is somewhat like the Data Processing Agreement that must exist between data controllers and data processors under EU law (Article 28 of the GDPR), except that the CCPA (CPRA) service provider contract requires fewer mandatory provisions.

In fact, some service providers have simply adapted their existing Data Processing Agreements to accommodate businesses covered by the CCPA (CPRA).

Here's an example from Mailchimp's Data Processing Agreement:

Mailchimp Data Processing Addendum: California clause - CCPA definition section

Note the specific mention of the CCPA (CPRA) here to inform readers where the definitions of the terms have been taken from.

Controller vs Processor

Anyone who's even remotely familiar with the General Data Protection Regulation (GDPR), the main privacy law in the European Union (EU), will recognize that the CCPA borrows heavily from EU law.

The CCPA/CPRA's "business" and "service provider" concepts are substantially similar to the GDPR's concepts of "data controller" and "data processor."

Just as with the GDPR's controllers and processors, the crucial distinction between a business and a service provider is this:

  • A business "determines the purposes and means of the processing of personal information"
  • A service provider "processes personal information on behalf of a business"

The CCPA (CPRA) doesn't explain what it means to "determine the purposes and means" of processing. For an understanding of this distinction, we can turn to EU law, where the concept originates.

The chart below will help you understand whether your company "determines the purposes and means of the processing of personal information," or "processes personal information on behalf of a business."

However, remember that California is not the EU. The Californian courts may interpret these concepts differently.

Consider the following questions in relation to processing personal information for a specific project or business activity, for example, an advertising or lead generation campaign.

For each question, the first answer is the one that points to determining the purposes and means of the processing (a business); the second is the one that points to processing personal information on behalf of a business (a service provider).

Did you decide to process personal information?
  Business: Yes
  Service provider: No. We were instructed to do so by a business

Did you decide on the reason or goal of the processing?
  Business: Yes
  Service provider: No. The processing is for a business's own purposes

Did you decide what types of personal information to process?
  Business: Yes
  Service provider: No. The business decided

Did you decide how to carry out the processing?
  Business: Yes; or no, the other company decided, but we approved its decision
  Service provider: No; or yes, but the business must approve of these methods

Will you gain direct benefit from the personal information?
  Business: Yes
  Service provider: No, except for the payment we receive for processing it

Do you have a direct relationship with the consumers whose personal information you are processing?
  Business: Yes
  Service provider: No. We only communicate with the business about the processing

If the other company told you to stop this project, would you comply?
  Business: No. We would find another company to process the personal information of the same consumers
  Service provider: Yes. We would have to find a new client and process different consumers' personal information

"Processing" is another term borrowed from EU law. The CPRA added its own definition, which mirrors the GDPR's: any operation or set of operations performed on personal information, whether or not by automated means.

Can You Be Both a Business and a Service Provider?

It is perfectly possible to be both a business and a service provider, but for the purposes of the CCPA (CPRA), you cannot be both at the same time in respect of the same set of personal information.

For example, consider an email marketing company that has annual gross revenues in excess of $25 million:

  • When it collects consumers' personal information and uses it for its own purposes (e.g. conducting its own direct marketing, paying its California-based staff, providing a web or app-based interface for its clients), the company is acting as a business
  • When it receives consumers' personal information from a business and processes it for the purposes of that business, the company is acting as a service provider

It is important to understand and differentiate between your obligations as a business and as a service provider.

Are You a Subcontractor?

Service providers normally receive personal information directly from a business. However, it is also possible for a service provider to receive personal information from another service provider.

When disclosing personal information to another service provider, a service provider is bound by the same conditions as a business.

This means that, in such a scenario, the first service provider must put in place a service provider contract that prevents the second service provider from using, retaining, or disclosing the personal information for any purposes other than those specified in the contract.

Under the CCPA (CPRA), the responsibilities of a subcontracting service provider are identical to those of a "regular" service provider.

Summary