The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff’s friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
In order to be considered a “service provider” for the purposes of the CCPA, a vendor must be bound by a written contract that prohibits it from
If a business negotiates an agreement with a service provider that contains the three provisions above, but the service provider breaches the agreement by retaining, using, or disclosing the information for a purpose other than providing services to its client, the CCPA makes clear that the business “shall not be liable” so long “at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation.”4
1. CCPA, Section 1798.140(v).
2. CCPA, Section 1798.140(v).
3. CCPA, Section 1798.140(v).
4. CCPA, Section 1798.145(h).