The CPRA amended the CCPA’s definition of a service provider such that, beginning Jan. 1, 2023, a service provider could include any person (not just a legal entity), and a service provider could be a business that receives personal information “on behalf of” another business. The CPRA also added the requirement that written contracts contain the following prohibitions in addition to the three prohibitions, that were originally contained in the CCPA:

1. Selling or sharing personal information,¹

2. Retaining, using, or disclosing personal information “outside of the direct business relationship” between the service provider and the business,² and

3. Combining (subject to some exceptions) the personal information that the service provider receives from one business with information that it receives from another business.³

Some attorneys may take the position that a CCPA-drafted service provider agreement that does not contain the aforementioned three specific prohibitions is insufficient to satisfy the definition of a service provider under the CPRA. From a substantive perspective, however, the three prohibitions added by the CPRA appear to be subsumed within the original three prohibitions contained within the CCPA. For example, a vendor that is contractually prohibited from “disclosing” personal information is functionally prevented from “selling or sharing” personal information (as both activities are forms of disclosure). As a result, it is difficult to identify a definitive category of vendors that is likely to qualify as a service provider under the CCPA, and yet not qualify as a service provider under the CPRA.

¹ Cal. Civ. Code 1798.140(ag)(1)(A).

² Cal. Civ. Code 1798.140(ag)(1)(C).

³ Cal. Civ. Code 1798.140(ag)(1)(D).