Compliance Glossary

What is a Service Provider (CCPA)?

Definition

Under CCPA/CPRA, a service provider is a business that processes personal information on behalf of another business pursuant to a written contract that limits data use to specified business purposes. Service providers are distinct from third parties and contractors, with different compliance obligations.

In Depth

The distinction between service providers, contractors, and third parties is critical under CCPA/CPRA because it determines whether data transfers constitute a "sale" or "sharing" of personal information. When a business shares data with a service provider under a proper contract, the transfer is generally not considered a sale, which means consumers' opt-out rights do not apply to that specific data flow.

However, the service provider contract must include specific provisions: the service provider cannot sell or share the personal information, cannot retain or use it for purposes beyond those specified in the contract, cannot combine it with data from other sources (except as permitted), and must comply with CCPA obligations. CPRA introduced the additional category of "contractor," which is similar to a service provider but with additional certification and compliance requirements.

Organizations should review all vendor contracts to classify each relationship correctly, ensure service provider agreements include CCPA-required provisions, and monitor service providers for compliance. Misclassifying a third party as a service provider can expose an organization to enforcement action if the data transfer is later deemed a sale without proper opt-out mechanisms.
