INTRO TO THE CCPA FOR SERVICE PROVIDERS

Introduction to this series on the CCPA for service providers

Service providers play a central and increasingly complex role in California’s privacy landscape. Under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), vendors that process personal information on behalf of a business must comply with a detailed set of statutory and regulatory requirements that govern how data may be used, retained, disclosed, secured, and managed. These obligations go far beyond simple contractual limitations—they now include purpose‑limitation rules, data‑minimization standards, cooperation duties, and strict prohibitions on secondary use.

This guide is designed to give service providers a clear, practical understanding of their responsibilities under the CCPA and its regulations. It explains the legal framework, the operational requirements, the mandatory contract terms, and the specific obligations related to consumer rights, cybersecurity audits, risk assessments, and automated decision‑making technology. It also highlights the distinctions between service providers, contractors, and third parties, and outlines the risks of misclassification or noncompliance.

By consolidating the regulatory requirements and translating them into actionable guidance, this document equips service providers with the knowledge they need to meet their obligations, support their business customers, and avoid enforcement exposure in an increasingly regulated environment.

In this post you will find:

  • History and Evolution of the CCPA
  • When does the CCPA apply to a Service Provider?

Upcoming over the next week you will also get:

  • USE AND RETENTION OF PERSONAL INFORMATION; OPERATIONALIZING CCPA
  • CONTRACTING GUIDE FOR SERVICE PROVIDERS UNDER THE CCPA
  • CCPA GUIDE TO SERVICE PROVIDER ENFORCEMENT AND FINES

Before we dive into the more complex issues let’s begin with an overview of the history and what is a service provider under the law.

History and Evolution of the CCPA, the CPRA, and California’s Privacy Regulatory Framework

🏁 1. Origins of the CCPA (2018–2020)

The California Consumer Privacy Act (CCPA) was enacted in 2018 as the first broad, comprehensive consumer privacy law in the United States. It was passed rapidly—within a week—to preempt a more stringent ballot initiative. The law took effect on January 1, 2020, and enforcement began on July 1, 2020.

The CCPA introduced:

  • Consumer rights to access, delete, and opt out of the sale of personal information
  • Obligations on businesses to provide notices and transparency
  • A limited private right of action for certain data breaches

The California Attorney General (AG) was initially the sole regulator, responsible for issuing regulations and enforcing the statute.

🔄 2. The CPRA (2020): A Major Expansion and Overhaul

In November 2020, California voters approved Proposition 24, the California Privacy Rights Act (CPRA). The CPRA significantly amended and expanded the CCPA, transforming it into a more GDPR‑like framework.

Key CPRA changes included:

  • Creating new rights (correction, opt‑out of sharing, ADMT rights)
  • Adding purpose limitation, data minimization, and retention rules
  • Expanding definitions of “sensitive personal information”
  • Strengthening service provider/contractor requirements
  • Requiring cybersecurity audits and risk assessments for high‑risk processing
  • Establishing a new enforcement agency: the California Privacy Protection Agency (CPPA)

The CPRA became fully operative on January 1, 2023. Statutory enforcement was scheduled to begin July 1, 2023, but enforcement of the CPPA’s 2023 regulations was delayed by litigation until early 2024.

🏛️ 3. The Regulatory Scheme: Attorney General + CPPA

Attorney General (AG)

  • Enforced the CCPA from 2020 onward
  • Issued the first set of CCPA regulations
  • Retains enforcement authority even after the CPPA’s creation

California Privacy Protection Agency (CPPA)

Created by the CPRA, the CPPA is the first dedicated privacy regulatory agency in the U.S. It has authority to:

  • Issue regulations
  • Conduct investigations
  • Bring enforcement actions
  • Audit businesses
  • Oversee both the CCPA and the Delete Act (for data brokers)

The CPPA began formal rulemaking in 2022 and finalized its first major regulatory package in March 2023.

Together, the AG and CPPA form a dual‑enforcement model, with the CPPA leading rulemaking and day‑to‑day oversight, and the AG retaining prosecutorial authority.

📜 4. The CCPA Regulations: Evolution and Scope

Initial AG Regulations (2020)

The Attorney General issued the first set of regulations to clarify:

  • Notice requirements
  • Opt‑out mechanisms
  • Verification procedures
  • Service provider obligations

These regulations were designed to operationalize the original CCPA.

CPRA‑Driven CPPA Regulations (2022–2023)

The CPPA’s 2023 regulations:

  • Updated and harmonized the AG’s regulations with CPRA amendments
  • Added detailed rules on:
    • Purpose limitation and data minimization
    • Contract requirements for service providers/contractors
    • Consumer rights (correction, sharing opt‑out, ADMT)
    • Dark patterns
    • Recordkeeping and training
  • Reorganized the regulatory structure for clarity

The Office of Administrative Law approved these regulations on March 29, 2023, making them the operative regulatory framework.

Ongoing Rulemaking (2023–2026)

Since 2023 the CPPA has pursued further rulemaking packages on:

  • Cybersecurity audits
  • Risk assessments
  • Automated decision‑making technology (ADMT)
  • Data broker requirements under the Delete Act

This ongoing rulemaking reflects California’s shift toward a more comprehensive, governance‑based privacy regime.

🧠 Summary

  • CCPA (2018–2020): First broad U.S. privacy law; AG-led enforcement; foundational consumer rights.
  • CPRA (2020): Voter‑approved overhaul; added new rights, obligations, and created the CPPA.
  • Regulatory Scheme: Dual enforcement by the AG and CPPA; CPPA leads rulemaking and audits.
  • CCPA Regulations: Evolved from AG’s 2020 rules to CPPA’s 2023+ GDPR‑style governance regulations.

California now operates the most comprehensive and mature privacy regulatory system in the United States, with a dedicated agency and a continuously expanding rulemaking agenda.

When does the CCPA apply to a service provider?

A company that is not a covered CCPA “business” is still subject to the CCPA whenever it receives personal information from a business and processes it as a “service provider.”
In that role, the service provider must comply with all statutory and regulatory obligations that apply to service providers, regardless of revenue, data volume, or consumer count.

Under the CCPA, a “business” is a for-profit entity that meets specific thresholds and determines the purposes and means of processing personal information. This includes sole proprietorships, partnerships, LLCs, corporations, and other legal entities that do business in California and satisfy one or more criteria: (1) annual gross revenues over $26.625 million (the original $25 million threshold as adjusted for inflation effective January 1, 2025), (2) buys, sells, or shares the personal information of 100,000 or more consumers or households, or (3) derives 50% or more of annual revenue from selling or sharing personal information. A business is subject to the CCPA’s full set of obligations, including consumer rights, notice requirements, opt-out mechanisms, and enforcement exposure. Importantly, affiliated entities that share common branding and control may also be treated as part of the same “business” under the law.

📘 1. The CCPA Applies to a Service Provider Whenever It Receives PI From a Business Under a CCPA‑Compliant Contract

A service provider becomes subject to the CCPA when:

  • It receives personal information from a CCPA‑regulated business
  • It processes that information on behalf of the business
  • It is bound by a contract containing all required service‑provider terms

This is true even if the service provider:

  • Has less than $26.625M in annual gross revenue
  • Buys, sells, or shares the personal information of fewer than 100,000 consumers or households
  • Has no California customers of its own
  • Does not meet any of the business‑threshold criteria

Service provider status is triggered by the relationship, not by size or revenue.

📘 2. A Service Provider Has Direct, Independent Obligations Under the CCPA

Once a company is acting as a service provider, it must comply with all service‑provider obligations, including:

Statutory obligations

  • Use PI only for the business purposes in the contract
  • No selling or sharing PI
  • No secondary use
  • No combining PI except under narrow exceptions
  • Implement reasonable security
  • Assist the business with consumer requests
  • Delete or return PI at termination
  • Flow down required terms to subprocessors

Regulatory obligations (CCPA regulations, 11 CCR §§ 7050–7053)

  • Allow audits, assessments, and scans
  • Permit remediation steps
  • Maintain records of processing sufficient to demonstrate compliance
  • Ensure subprocessors meet the same requirements

These obligations apply even if the service provider is not a business.

📘 3. When the CCPA Does Not Apply to a Service Provider

A company is not subject to the CCPA in its own right (i.e., as a business) unless it meets the business thresholds.

But it is subject to the CCPA in its role as a service provider whenever it processes PI on behalf of a business.

The only time the CCPA does not apply is when:

  • The company is not a business and
  • It is not receiving PI from a business and
  • It is not acting as a service provider or contractor and
  • It is not receiving PI from a third party in a way that triggers “sale/share” obligations

In practice, this is rare for B2B vendors.

📘 4. Why This Matters: A Non‑Business Service Provider Can Still Be Penalized

A service provider that is not a business can still face:

  • Direct enforcement by the CPPA or AG
  • Civil penalties for violating service‑provider obligations
  • Liability for causing the business to violate the CCPA
  • Contractual breach claims
  • Reclassification as a “third party” (which converts the data transfer into a “sale/share”)

The CCPA, as amended by the CPRA, makes a service provider liable for its own violations, even though it is not liable for the obligations of the business it serves.

📘 5. Practical Examples

Example 1: Small SaaS vendor 

A small analytics vendor processes PI for a large retailer.
Even though the vendor is not a “business,” it must comply with all service‑provider obligations.

Example 2: Cloud hosting provider with no California customers

A hosting provider stores PI for a California business.
It becomes a service provider and must comply with the CCPA for that processing.

Example 3: Marketing automation vendor that fails to include required terms

If required terms are missing, the vendor is not a service provider.
The transfer becomes a sale/share, and the vendor is exposed to enforcement.

🎯 Bottom Line

A company does not need to be a CCPA “business” for the CCPA to apply.
If it processes personal information on behalf of a business, it is a service provider, and the CCPA applies to that processing.

The obligations attach to the role, not the size or status of the company.

CCPA Service Provider vs. GDPR Processor

Here’s the clearest, most practical way to understand it: a CCPA “service provider” and a GDPR “processor” are conceptually similar, but the GDPR imposes far more prescriptive, detailed, and mandatory obligations. The CCPA’s framework is lighter, more contract‑driven, and more focused on preventing “sales” or “sharing,” while the GDPR’s processor regime is a full operational compliance system.

Below is a structured comparison that captures both the similarities and the critical differences.

🔍 How a CCPA Service Provider and a GDPR Processor Are the Same

✔️ 1. Both process personal information on behalf of another entity

– CCPA: on behalf of a business
– GDPR: on behalf of a controller

✔️ 2. Both must follow the instructions of the business/controller

Neither can decide the purposes or means of processing.

✔️ 3. Both are prohibited from using the data for their own purposes

This is central to both frameworks.

✔️ 4. Both require contracts with specific restrictions

Each law requires written agreements limiting:
– Use
– Retention
– Disclosure
– Purpose of processing

✔️ 5. Both allow subcontracting only with flow‑down obligations

Sub‑processors/sub‑service providers must be bound by equivalent terms.

🔍 How They Are Different (This Is Where the Real Action Is)

1️⃣ GDPR imposes far more detailed, mandatory obligations

A GDPR processor must comply with:
– Article 28 contractual requirements
– Security obligations (Art. 32)
– Recordkeeping (Art. 30)
– Breach notification to the controller (Art. 33)
– DPIA support (Art. 35)
– Demonstrating compliance (Art. 5(2))

A CCPA service provider has no equivalent operational obligations beyond contract terms.

2️⃣ GDPR processors have direct statutory duties; CCPA service providers mostly do not

Under GDPR, processors are directly regulated and can be fined independently.

Under CCPA, service providers:
– Are regulated primarily through the required contract terms, with a narrower set of statutory duties
– Have limited direct obligations compared with a GDPR processor
– Face CCPA civil penalties for their own violations rather than a GDPR‑style tiered schedule of administrative fines

3️⃣ GDPR requires a lawful basis; CCPA does not

Under GDPR, the controller must have a lawful basis (consent, contract, legitimate interests, etc.) for each processing activity. A processor may act only on the controller’s documented instructions and must inform the controller if it believes an instruction infringes the GDPR (Art. 28(3)).
CCPA has no lawful‑basis requirement at all.

4️⃣ GDPR restricts international transfers; CCPA does not

Processors must comply with:
– SCCs
– BCRs
– Adequacy decisions
– Transfer impact assessments

CCPA has no cross‑border transfer regime.

5️⃣ CCPA service provider status is tied to avoiding a “sale” or “sharing”

This concept does not exist in GDPR.

A vendor becomes a service provider largely to:
– Avoid triggering “sale”
– Avoid opt‑out obligations
– Maintain the business’s compliance posture

GDPR has no equivalent “sale/sharing” construct.

6️⃣ GDPR processors face a tiered fine regime; CCPA service providers face narrower exposure

A GDPR processor can be fined up to €10 million or 2% of worldwide annual turnover, whichever is higher, for processor‑specific violations (Art. 83(4)); the higher 4% tier applies to some violations, such as unlawful international transfers.

A CCPA service provider’s exposure is narrower and arises mainly when:
– It violates the contract
– It uses data outside the permitted business purposes
– It becomes a “third party” by misusing data, which converts the transfer into a “sale” or “sharing”

7️⃣ CCPA allows more flexibility in combining data

GDPR sharply restricts combining datasets through its purpose‑limitation principle (Art. 5(1)(b)) and the requirement that a processor act only on the controller’s instructions.

CCPA allows combining data if permitted by contract and consistent with the business purpose.

🧠 Bottom Line Summary

A CCPA service provider ≈ a GDPR processor in concept, but not in obligations.

– GDPR processors operate under a rigorous, prescriptive, statutory compliance regime.
– CCPA service providers operate under a contract‑based, purpose‑limitation regime focused on preventing “sales” and “sharing.”

Update: How the Latest CCPA Regulations Change the Analysis

1️⃣ California now imposes GDPR‑style operational obligations on service providers

The prior analysis correctly noted that CCPA service providers had no operational duties beyond contract terms.
That is no longer fully true.

Under the new regulations, service providers must now:

  • Maintain reasonable security procedures (codified more explicitly)
  • Comply with data minimization and purpose‑limitation rules
  • Limit collection/use to what is reasonably necessary and proportionate
  • Provide detailed processing disclosures to the business
  • Support the business’s compliance with consumer rights

These obligations are still lighter than GDPR Articles 28, 30, 32, and 33—but the gap has narrowed.

Updated takeaway:
CCPA service providers now have some direct statutory obligations, not just contractual ones.

2️⃣ Risk assessments and cybersecurity audits move California closer to GDPR DPIAs

The prior analysis correctly stated that GDPR processors must support DPIAs and breach notifications, while CCPA service providers had no equivalent duties.

The new regulations introduce:

  • Mandatory risk assessments for high‑risk processing
  • Mandatory cybersecurity audits for certain businesses
  • ADMT (automated decision‑making) governance obligations

While these duties fall primarily on the business, service providers must now cooperate and provide information, similar to a GDPR processor’s duty to assist the controller with DPIAs under Art. 28(3)(f).

Updated takeaway:
Service providers now play a supporting role in risk assessments, narrowing the gap with GDPR processors.

3️⃣ Purpose limitation and data minimization now apply to service providers

Previously, these were GDPR‑only concepts.

The new CCPA regulations add:

  • Purpose specification
  • Use limitation
  • Data minimization
  • Retention limitation

These apply to all processing, including service providers.

Updated takeaway:
California now embeds GDPR‑style foundational principles into service provider obligations.

4️⃣ Restrictions on combining personal information are now more GDPR‑like

The prior analysis noted that CCPA allowed more flexibility in combining datasets.

The new regulations tighten this:

  • Service providers may combine data only for limited, enumerated purposes
  • Combining data for cross‑context behavioral advertising is prohibited
  • Combining data for analytics or service improvement requires strict contractual authorization

Updated takeaway:
California now restricts data combination in ways that resemble GDPR’s purpose‑limitation and lawful‑basis constraints.

5️⃣ Service providers now have clearer, more prescriptive contractual requirements

The CPRA regulations expand the mandatory contract terms, including:

  • Detailed processing instructions
  • Retention period requirements
  • Prohibitions on secondary use
  • Monitoring and audit rights
  • Subcontractor flow‑down obligations

This moves closer to GDPR Article 28(3), though still less exhaustive.

CONCLUSION TO THIS INTRODUCTORY POST AND PREVIEW

As we’ve seen, the CCPA imposes distinct and evolving obligations on service providers — from contractual safeguards to operational discipline. In the next post, we’ll dive into how service providers must limit use and retention of personal information, and what it takes to operationalize those limits in real systems. Then we’ll turn to the contracting guide, where we’ll break down the required terms, flow-down obligations, and enforcement risks tied to missing clauses. Finally, we’ll conclude the series with a practical guide to enforcement and fines, showing how service providers can mitigate exposure and build defensible compliance programs. Stay tuned — each post builds toward a complete, actionable understanding of service provider compliance under the CCPA.