What Is a Service Provider Under the CCPA?

Nathan Rizzuti Profile image

Written by:

Updated January 16, 2023

Internet users are more concerned about consumer privacy and security incidents now than ever before. And local, state, and federal governments are creating legislation to meet these concerns, meaning businesses must know the details of these new laws and how they can comply. Below, we’ll explain the following question: What is a service provider under the CCPA? Knowing this is crucial for businesses to take the proper steps to set up privacy policies and guard data correctly.


  • Under the CCPA, a service provider is a legal entity that operates in a direct relationship with a business to process its data.
  • A service provider must be willing to enter into a written contract with a company to comply with CCPA rules.
  • Service providers must be ready to delete data if requested by a business’s data subject.

If you want to learn more about what consumer privacy is and your online right, check out more of our articles. For example, we have one comparing the California Consumer Privacy Act vs the GDPR. And we have a detailed guide to the rights the CCPA provides California residents.

Insider Tip

Service providers can find compliance checklists online to guarantee that their organization acts per the CCCPA.

What Is a CCPA Service Provider?

Before going any further, understanding the CCPA and its intent is essential. The CCPA stands for California Consumer Privacy Act, a series of online privacy laws passed in 2018 to help set standards and definitions to guarantee consumers greater control over the data held by organizations and service providers.

So how does the CCPA define service providers? In essence, a service provider is a for-profit entity that collects and processes user data for other businesses. It’s important to note that there are specific rules around service providers as opposed to third-party.

For a business to be classified as a service provider, it must meet the following criteria:

  • Be a legal entity: sole proprietorship, partnership, limited liability company, corporation, or association.
  • Process information on behalf of another business according to a written contract.
  • The contract must stipulate that the company only uses the provided data for the purposes outlined in the written contract.

To learn more about certain classifications under other data laws, you can read our article on how the GDPR defines personal information.


Businesses outside of California must also comply with the CCPA if they process the information of California residents.

CCPA Compliance for Service Providers

Businesses must meet a list of compliance requirements to be deemed credible service providers. There are three main stipulations that service providers must meet:

  1. They must be willing to enter a written contract with the business they are partnered with
  2. They must limit the collection of the data to only the necessary information for the purposes listed within the contract
  3. Have a system to receive consumer requests for data deletion by CCPA section 1798.105
  4. Be able to delete the PII of a data subject of the business

For more information, read the CCPA to understand the finer details of service provider requirements.

STAT: The CCPA protects close to $12 billion of personal consumer data annually. (source)

What Is a Service Provider Under the CCPA FAQs

What happens if a business isn’t CCPA compliant?

If a business fails to comply with the CCPA, it can result in heavy fines. Likewise, a business’s reputation can suffer if the compliance failure becomes public.

Do businesses need to register under the CCPA?

There is no official registration process for the CCPA. However, businesses and service providers must know the compliance requirements.

How Long Do Service Providers Have to Delete Customer Data Once Requested?

Under the CCPA, businesses and service providers must delete a customer’s data within 45 days of the request.
Nathan Rizzuti Profile image