Privacy FAQs: Is a business responsible if its service provider misuses (or misappropriates) personal information?

June 18, 2019

The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted and plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.

Q. Is a business responsible if its service provider misuses (or misappropriates) personal information?

No. 

In order to be considered a “service provider” for the purposes of the CCPA, a vendor must be bound by a written contract that prohibits it from

  1. retaining the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,”1
  2. using the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,”2 or
  3. disclosing the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title.”3

If a business negotiates an agreement with a service provider that contains the three provisions above, but the service provider breaches the agreement by retaining, using, or disclosing the information for a purpose other than providing services to its client, the CCPA makes clear that the business “shall not be liable” so long as “at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation.”4


1. CCPA, Section 1798.140(v).

2. CCPA, Section 1798.140(v).

3. CCPA, Section 1798.140(v).

4. CCPA, Section 1798.145(h).