January 21, 2022

Volume XII, Number 21

Advertisement
Advertisement

January 20, 2022

Subscribe to Latest Legal News and Analysis

January 19, 2022

Subscribe to Latest Legal News and Analysis

January 18, 2022

Subscribe to Latest Legal News and Analysis

Analytics companies are service providers under the CCPA, right?

In order to be considered a service provider under the CCPA, a legal entity must process personal information “on behalf of a business”[1] and be prohibited by contract from:

  1. Retaining the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,”[2]

  2. Using the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,”[3] or

  3. Disclosing the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title.”[4]

As a result, whether a particular analytics cookie provider is considered a “service provider” depends upon whether the contract in place between a website operator and the analytics provider contains the above-referenced terms.

The CPRA amended the CCPA’s definition such that, beginning Jan. 1, 2023, the written contract between a website operator and an analytics cookie provider would also need to contain the following additional prohibitions in order for the analytics provider to be considered a service provider:

  1. Prohibition against selling or sharing personal information,[5]

  2. Prohibition against retaining, using, or disclosing personal information “outside of the direct business relationship” between the service provider and the business,[6] and

  3. Prohibition against combining (subject to some exceptions) the personal information that the service provider receives from one business with information that it receives from another business.[7]

[1] Cal. Civ. Code 1798.140(v) (Oct. 2020).

[2] Cal. Civ. Code 1798.140(v) (Oct. 2020).

[3] Cal. Civ. Code 1798.140(v) (Oct. 2020).

[4] Cal. Civ. Code 1798.140(v).

[5] Cal. Civ. Code 1798.140(ag)(1)(A).

[6] Cal. Civ. Code 1798.140(ag)(1)(C).

[7] Cal. Civ. Code 1798.140(ag)(1)(D).

©2022 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XI, Number 71
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig
Shareholder

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...

303.685.7425
Advertisement
Advertisement
Advertisement