CCPA RESOURCES CENTER › CCPA COMPLIANCE CHECKLIST
CCPA Compliance: Vendor Classification Checklist
Vendor Classification
Vendor classification is really an extension of data mapping, but it’s such a large and complicated task that it deserves its own checklist. During this process, businesses must examine each of their vendors and determine whether they qualify as a CCPA service provider. Disclosures to service providers are exempted from the CCPA’s definition of selling personal information, so they are not covered by a consumer’s request to opt out. For this reason, it is a very important step.
- Review the CCPA's definition of "service provider"
The data privacy law’s contract requirement for service providers is usually the most relevant issue.
- Create a list of all vendors to whom you disclose consumers' personal information
This information should already be in your business’s data map.
- Classify each vendor as either a service provider or a third party
Service providers are not considered third parties, so no disclosure of personal information to a service provider is a sale.
- Determine if disclosures to third parties count as selling or sharing personal information
Any sale or sharing of consumers’ personal information brings additional responsibilities under the CCPA.
- Update data map with results
This will help you make the proper disclosures to consumers and respond to requests to opt out.
- Identify where consumers' personal information is stored
This will make it much easier to respond to consumers’ privacy requests.
Steps for Classifying Individual Vendors
1. Review the written contract to see if it contains either:
- A statement that the vendor is a service provider as defined by the CCPA
or
- A statement that the vendor will not: sell or share the personal information; retain, use, or disclose the personal information for any purpose other than performing the services that are specified in the contract; or combine the personal information with personal information from other sources
If the answer is yes, classify the vendor as a service provider. If the answer no, then proceed below.
2. Contact the vendor and ask:
- Will the vendor execute a data privacy agreement (DPA)?
A DPA is an addendum to the vendor contract that meets the CCPA’s data privacy requirements.
If the answer is yes, classify the vendor as a service provider. If the answer is no, then classify the vendor as a third party and proceed below.
3. Determine if it is a sale or sharing of personal information:
- Does the vendor use the provided personal information to create a profile about consumers?
- Does the contract explicitly allow the vendor to retain, use, or disclose personal information for its own purposes?
If the answer to either of these questions is yes, the best course of action to treat the transaction as a sale of personal information. If the contract is completely silent about what the vendor can do with consumers’ personal information, it’s a gray area. The cautious approach would be to treat these disclosures as selling, even though they may not fall under the CCPA’s definition.
The Fastest Way to Classify Vendors
Classifying vendors can be slow, complicated, and frustrating. With TrueVault, our compliance experts have already spent hundreds of hours reading Terms of Services from the most commonly used vendors, and incorporated the key details into an easy-to-use automation tool. To save yourself days or even weeks of reviewing lengthy vendor agreements, contact our team today.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.