# CCPA/CPRA business threshold requirements — Cal. Civ. Code § 1798.140(d)
The California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), applies to businesses that meet a statutory definition combining organizational form, California commercial nexus, and one of three quantitative thresholds. The CPRA amendments became operative January 1, 2023.
Organizational and nexus requirements. Under Cal. Civ. Code § 1798.140(d)(1), a covered "business" must be:
- A for-profit legal entity (sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity) organized or operated for the profit or financial benefit of its shareholders or other owners;
- An entity that collects consumers' personal information, or on whose behalf such information is collected;
- An entity that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information (the "controller" function in GDPR terminology); and
- An entity that does business in the State of California.
Three alternative quantitative thresholds. A business meeting the above criteria is subject to the CCPA/CPRA if it satisfies any one of the following thresholds in § 1798.140(d)(1)(A)–(C):
(A) Revenue threshold: As of January 1 of the calendar year, had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year, as adjusted biennially for inflation pursuant to § 1798.185(a)(5). The California Privacy Protection Agency (CPPA) publishes the adjusted threshold; effective January 1, 2025, the threshold is $26.625 million.
(B) Volume threshold: Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households. The CPRA raised this threshold from "50,000 or more consumers, households, or devices" under the original CCPA; the current 100,000 threshold removed "devices" as a separate counting unit.
(C) Revenue-from-sale threshold: Derives 50 percent or more of its annual revenues from selling or sharing consumers' personal information.
Controlled entities and voluntary certification. Section 1798.140(d)(2) extends CCPA coverage to entities controlled by or under common control with a business that satisfies the threshold tests, and to entities that share common branding with the business (such as a shared name, service mark, or trademark) "such that the average consumer would understand that two or more entities are commonly owned." The CCPA also applies to joint ventures in which the business participates to the extent the joint venture shares the business's common branding. Any person or entity may voluntarily certify that it is subject to the CCPA and thereby assume the statute's obligations (§ 1798.140(d)(3)).
CCPA vs. CPRA effective dates. The original CCPA took effect January 1, 2020. Proposition 24 (the CPRA) was approved by California voters on November 3, 2020, and its substantive amendments—including the revised business-threshold language—became operative January 1, 2023. The CPPA, established by the CPRA, assumed rulemaking and enforcement authority and published comprehensive regulations effective March 29, 2023 (11 CCR §§ 7000 et seq.).
Agency. The California Privacy Protection Agency (CPPA) is the principal enforcing authority; its website is cppa.ca.gov. The Attorney General retains concurrent enforcement authority for certain violations.
Sources:
- Cal. Civ. Code § 1798.140
- CPPA FAQ – Business Threshold
- CPPA Notice of Proposed Rulemaking (July 2022)
# CCPA/CPRA "consumer" definition — Cal. Civ. Code § 1798.140(g)
The CCPA/CPRA grants privacy rights to consumers, defined under Cal. Civ. Code § 1798.140(g) as "a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier." This definition has three critical components: natural-person requirement, California residency, and functional scope.
Natural person only. Only natural persons—human beings—qualify as consumers under the CCPA/CPRA. Business entities, corporations, partnerships, and other legal persons do not have CCPA consumer rights. The statute protects personal information about individuals, not commercial entities.
California residency — dual-prong test under 18 CCR § 17014. The CCPA incorporates California's personal-income-tax residency standard by reference to Title 18, California Code of Regulations, section 17014 as it existed on September 1, 2017. Under that regulation, a "California resident" includes two categories of individuals:
(1) Physical-presence prong: Every individual who is in California for other than a temporary or transitory purpose. An individual visiting California for vacation, a brief business transaction, or a short-term engagement typically has a temporary or transitory purpose and is not a resident. By contrast, an individual who moves to California for employment that may last indefinitely, to improve health during a long recuperation, or to retire without a definite plan to leave is in the state for other than temporary or transitory purposes and qualifies as a resident—even if that person remains domiciled elsewhere.
(2) Domicile prong: Every individual who is domiciled in California but is outside the state for a temporary or transitory purpose. A California domiciliary traveling for vacation, fulfilling a temporary work assignment, or attending to a brief matter outside the state remains a California resident under the CCPA. Domicile means "the place where an individual has his true, fixed, permanent home and principal establishment" to which he intends to return (18 CCR § 17014(c)). No individual can have more than one domicile at a time, and domicile continues until a new one is established.
Six-month guideline (not a bright line). Section 17014(b) of Title 18 of the California Code of Regulations states that an individual whose aggregate presence in California does not exceed six months in a taxable year, who is domiciled outside California, and who does not engage in activity beyond that of a seasonal visitor, tourist, or guest will generally be in the state for temporary or transitory purposes. This is a safe harbor, not a ceiling: presence for longer than six months does not automatically confer residency, and presence for fewer than six months does not preclude it. The determination depends on the facts and circumstances, particularly the definiteness and expected duration of the purpose.
Functional scope — employees, job applicants, and business contacts. The statute's text does not distinguish between individuals acting as retail customers and individuals acting in other capacities. The CCPA consumer rights therefore extend to:
- Employees of a California business who are California residents.
- Job applicants submitting information to a California business.
- Business contacts, such as employees of vendors, service providers, or partners, who are California residents.
An early employment and business-to-business exemption in § 1798.145(m)–(n) expired on December 31, 2022. Since January 1, 2023, California-resident employees and business contacts have the full suite of CCPA rights (access, deletion, correction, opt-out of sale/sharing, and limitation of sensitive personal information use), subject to the general exemptions in § 1798.145.
Verification, not certification. A business receiving a CCPA request is required to verify the requestor's identity to guard against fraudulent requests (11 CCR § 7061), but the CCPA does not require consumers to certify California residency to assert their rights. The CPPA advises businesses that "the most efficient method would be to ask consumers whether they reside in California with the intent to stay there and accept their response as accurate." As a practical matter, many businesses apply CCPA protections broadly to all U.S. users rather than attempting a fact-intensive, individualized residency determination for every data subject.
Sources:
- Cal. Civ. Code § 1798.140
- CPPA — California Consumer Privacy Act as amended (PDF, July 15, 2024)
- CPPA FAQ — Who has privacy rights under the CCPA?
# CCPA/CPRA statutory exemptions — Cal. Civ. Code § 1798.145
The California Consumer Privacy Act includes a comprehensive set of statutory exemptions under Cal. Civ. Code § 1798.145 that carve out specific categories of personal information and business conduct from CCPA coverage. These exemptions are data-specific, not entity-specific: a covered business must still comply with the CCPA for all personal information that falls outside an exempted category.
## General exemptions for legal compliance — § 1798.145(a)
Section 1798.145(a) provides that the CCPA does not restrict a business's ability to:
- (1) Comply with federal, state, or local laws or comply with a court order or subpoena to provide information;
- (2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities;
- (3) Cooperate with law enforcement agencies concerning conduct or activity that the business reasonably believes may violate federal, state, or local law;
- (4) Exercise or defend legal claims; or
- (5) Collect, use, retain, sell, share, or disclose consumers' personal information in ways that are necessary to investigate, establish, exercise, prepare for, or defend legal claims.
These provisions permit a business to decline a consumer deletion or access request when fulfilling that request would obstruct compliance with another legal obligation or impair the business's ability to pursue or defend a claim. Subdivision (a)(3) applies only to Section 1798.150 (the private right of action for data breaches); businesses cannot invoke subdivision (a) to exempt themselves from other CCPA obligations.
## Health information — HIPAA and CMIA exemption — § 1798.145(c)
Section 1798.145(c)(1) exempts two categories of health information:
(A) Protected Health Information (PHI) governed by HIPAA. The CCPA does not apply to PHI that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the U.S. Department of Health and Human Services, 45 C.F.R. Parts 160 and 164. This exemption covers only the specific data elements that qualify as PHI under HIPAA when held by a HIPAA-covered entity or business associate. Non-PHI held by the same entity (for example, marketing data, employee records, or website analytics not tied to treatment, payment, or healthcare operations) remains subject to the CCPA.
(B) Medical information governed by the California Confidentiality of Medical Information Act (CMIA). The CCPA does not apply to medical information governed by the CMIA, Cal. Civ. Code §§ 56–56.37, or information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects (the Common Rule, 45 C.F.R. Part 46) or the Good Clinical Practice guidelines of the International Council for Harmonisation, or the Protection of Human Subjects regulations of the FDA, 21 C.F.R. Parts 50 and 56. This carve-out is similarly data-specific: a healthcare provider or health plan must apply the CCPA to personal information that does not qualify as medical information under CMIA.
Subdivision (c)(3) provides that the exemptions in (c)(1) do not apply to Section 1798.150, meaning that HIPAA-covered entities and business associates remain subject to the CCPA's private right of action for security breaches.
## Financial information — GLBA and related federal statutes — § 1798.145(e)
Section 1798.145(e) exempts personal information collected, processed, sold, or disclosed subject to the federal Gramm-Leach-Bliley Act (GLBA, Public Law 106-102) and implementing regulations, the California Financial Information Privacy Act (Cal. Fin. Code §§ 4050 et seq.), or the federal Farm Credit Act of 1971 (12 U.S.C. §§ 2001–2279cc and implementing regulations, 12 C.F.R. Part 600 et seq.).
The GLBA exemption is transactional and data-specific. Financial institutions must determine, at the data-element and data-flow level, whether specific personal information is governed by GLBA. For example:
- Transaction and account information generated in the course of providing a financial product or service to a consumer (such as account balances, payment history, and loan terms) is typically exempt under GLBA.
- Website browsing data, marketing data, and IP addresses collected outside the context of applying for or using a financial product or service are not exempt and remain subject to the CCPA, even when collected by a financial institution.
- Information shared with a non-financial-institution third party for general marketing purposes may fall outside GLBA's scope and be subject to the CCPA.
Subdivision (e) also provides that the exemption does not apply to Section 1798.150, preserving the private right of action for breaches of financial-institution-held data.
## Fair Credit Reporting Act — § 1798.145(d)
Section 1798.145(d) exempts personal information collected, processed, sold, or disclosed subject to the federal Fair Credit Reporting Act (FCRA, 15 U.S.C. § 1681 et seq.) and implementing regulations. This exemption covers consumer reports, credit scores, background checks, and investigative consumer reports when collected, furnished, or used in compliance with the FCRA. For example, a consumer reporting agency or a business that obtains a credit report to evaluate creditworthiness is exempt from CCPA obligations for that specific data, but must comply with the CCPA for other personal information it collects.
The exemption does not apply to Section 1798.150.
## Driver's Privacy Protection Act — § 1798.145(f)
Section 1798.145(f) exempts personal information collected, processed, sold, or disclosed pursuant to the federal Driver's Privacy Protection Act of 1994 (DPPA, 18 U.S.C. §§ 2721 et seq.). The DPPA governs the disclosure of personal information contained in state motor vehicle records. This exemption does not apply to Section 1798.150.
## Vehicle warranty and recall information — § 1798.145(g)
Section 1798.145(g)(1) provides a narrow carve-out from the opt-out-of-sale obligations under § 1798.120 for vehicle information or ownership information retained or shared between a new motor vehicle dealer (as defined in Cal. Veh. Code § 426) and the vehicle's manufacturer (as defined in Cal. Veh. Code § 672) if:
- The information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to 49 U.S.C. §§ 30118–30120; and
- The dealer or manufacturer that receives the information does not sell, share, or use that information for any other purpose.
This exemption is limited to Section 1798.120 (the right to opt out of sale or sharing). All other CCPA obligations—access, deletion, correction, notice, and disclosure—continue to apply to vehicle and ownership information.
## Publicly available information — § 1798.140(v)(2)
Although codified in the definitions section rather than § 1798.145, the exclusion of publicly available information from the definition of "personal information" functions as a de facto exemption. Section 1798.140(v)(2) excludes information that is lawfully made available from federal, state, or local government records and information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media. This carve-out is fact-intensive; mere appearance of information on a third-party website does not necessarily render it "publicly available" if the consumer did not intend or authorize broad disclosure.
## Deidentified and aggregate information — § 1798.140(o) and (j)
The CCPA does not apply to deidentified information (information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided the business maintains and uses the information in deidentified form and does not attempt to reidentify it) or aggregate consumer information (information relating to a group or category of consumers, from which individual consumer identities have been removed). Businesses that maintain deidentified data must implement technical safeguards, prohibit reidentification, and publicly commit to maintaining the data in deidentified form (§ 1798.140(o)).
## Employment and B2B exemptions — expired December 31, 2022
An earlier exemption under § 1798.145(m)–(n) for employment-related personal information and business-to-business communications expired on December 31, 2022. Since January 1, 2023, California-resident employees, job applicants, and business contacts (such as employees of vendors or contractors) have the full suite of CCPA consumer rights, subject only to the general exemptions in § 1798.145(a) (for example, a business may retain employee data necessary to exercise or defend legal claims or comply with other laws).
Sources:
- Cal. Civ. Code § 1798.145
- CPPA — California Consumer Privacy Act as amended (PDF, July 15, 2024)
- CPPA FAQ — Does the CCPA apply to my business?
# What constitutes "doing business in California" under the CCPA
The CCPA applies to for-profit entities that "do business in the State of California" and meet one of the three quantitative thresholds (revenue, volume, or revenue-from-sale). Cal. Civ. Code § 1798.140(d)(1). The statute does not define "doing business in California," and neither the California Privacy Protection Agency (CPPA) nor the Attorney General has issued formal guidance establishing a bright-line test. As a result, the territorial reach of the CCPA is determined by a combination of statutory text, the "wholly outside California" safe-harbor exemption, and practical interpretation.
No statutory definition. Section 1798.140 enumerates dozens of defined terms—business, consumer, personal information, sale, service provider—but does not include a definition of "doing business." The legislative history and CPPA FAQ acknowledge the requirement without clarifying its boundaries. The California Privacy Protection Agency's compliance materials state that a business must "do business in California" but do not specify whether physical presence, employees, sales, or website accessibility suffices.
The "wholly outside California" safe harbor — negative boundary. Section 1798.145(a)(3)(B) provides that the CCPA does not apply to the collection or sale of a consumer's personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of the statute, commercial conduct takes place wholly outside California if:
- The business collected that information while the consumer was outside of California;
- No part of the sale of the consumer's personal information occurred in California; and
- No personal information collected while the consumer was in California is sold.
This three-prong test establishes what does not constitute doing business in California for CCPA purposes. The statute further provides that a business may not circumvent the CCPA by storing personal information on a device while the consumer is in California and then collecting that information when the consumer (and the stored data) is outside the state.
Practical interpretation — likely a low bar. Although the statute is silent on what affirmatively constitutes doing business, the structure of § 1798.145(a)(3)(B) implies that any commercial conduct involving California residents or California-collected data brings a business within CCPA scope, provided the business also meets the organizational and threshold criteria in § 1798.140(d). Courts and practitioners generally interpret "doing business in California" broadly to include:
- Operating a website or mobile application accessible to California residents, even without a physical presence in the state, when the business collects personal information from California users.
- Marketing, advertising, or selling products or services to California residents, whether through digital channels, mail order, or telephone.
- Employing California residents or recruiting California job applicants, including remote workers.
- Maintaining a physical location, subsidiary, or affiliate in California.
- Engaging in any transaction for financial gain that involves California consumers.
The CCPA does not require a business to be domiciled in California, maintain a California office, or derive a minimum percentage of revenue from California transactions. An out-of-state (or non-U.S.) entity that operates exclusively online and has no physical presence in California will likely be deemed to "do business" in the state if it collects personal information from California residents and meets one of the quantitative thresholds.
No analogy to tax nexus codified. Some secondary commentary references California Revenue and Taxation Code § 23101, which defines "doing business" for corporate income tax purposes (sales, property, or payroll thresholds). The CCPA does not incorporate that definition by reference, and the CPPA has not adopted it as interpretive guidance. Businesses should not assume that tax-nexus safe harbors apply to CCPA coverage.
Recommendation. In the absence of formal agency guidance, a conservative compliance posture treats "doing business in California" as satisfied whenever a business collects personal information from one or more California residents (as defined in § 1798.140(g)) through any commercial channel—website, app, telephone, or in-person interaction—and the commercial conduct does not fall entirely within the "wholly outside California" safe harbor. Businesses that meet the quantitative thresholds and have any California consumer touchpoint should assume CCPA applicability unless they can affirmatively demonstrate that every aspect of the relevant commercial conduct occurred outside the state.
Sources:
- Cal. Civ. Code § 1798.140
- Cal. Civ. Code § 1798.145 (AB 1416, 2019)
- CPPA FAQ — Does the CCPA apply to my business?
# Service provider and contractor definitions — Cal. Civ. Code § 1798.140(w), (ae)
The CCPA/CPRA creates two privileged categories of data recipients—service providers and contractors—that allow businesses to disclose personal information without triggering "sale" or "sharing" obligations and without consumers invoking opt-out rights under § 1798.120. These categories are contractually defined: an entity qualifies as a service provider or contractor only if the business enters into a written contract that imposes statutory use restrictions. A disclosure that does not meet these contractual requirements is a disclosure to a third party and, if made for monetary or other valuable consideration, constitutes a "sale" subject to opt-out.
## Service provider — § 1798.140(w)
A service provider is defined in Cal. Civ. Code § 1798.140(w) as "a person that processes personal information on behalf of a business and that receives personal information from or on behalf of the business for a business purpose pursuant to a written contract" meeting four mandatory requirements.
Four mandatory contract provisions. Under § 1798.140(w)(1)–(4), the written contract must prohibit the service provider from:
(1) Selling or sharing the personal information. The service provider cannot sell (as defined in § 1798.140(ad)) or share (as defined in § 1798.140(ah)) the personal information it receives from the business.
(2) Retaining, using, or disclosing the personal information for any purpose other than the specific business purpose. The contract must restrict the service provider to the enumerated business purposes in § 1798.140(e) and may not permit use for a commercial purpose of the service provider itself, except as permitted by subdivision (e)(6) (providing advertising and marketing services to the consumer, excluding cross-context behavioral advertising).
(3) Retaining, using, or disclosing the information outside the direct business relationship. The service provider may not use the personal information outside the direct business relationship with the disclosing business. This restriction prevents the service provider from repurposing the data for its own customer base or for unrelated product lines.
(4) Combining personal information from multiple sources. The service provider may not combine the personal information received from the business with personal information it receives from or on behalf of another person or collects from its own interaction with consumers, except to perform any business purpose as defined in regulations adopted pursuant to § 1798.185(a)(9) or as provided in subdivision (e)(6) (advertising and marketing services, but not cross-context behavioral advertising) and in regulations adopted by the California Privacy Protection Agency (CPPA). Section 7002(f) of the CPPA's regulations, 11 CCR § 7002(f), clarifies the narrow circumstances in which commingling is permitted—generally limited to detecting security incidents, debugging, and short-term transient uses.
Optional monitoring provision. Subdivision (w)(2) provides that the contract may (not must) permit the business, with notice to the service provider, to monitor the service provider's compliance through measures including ongoing manual reviews, automated scans, and regular assessments, audits, or technical and operational testing. Because this provision uses permissive language, a service provider contract without a monitoring clause still qualifies under the statute, though the business loses contractual leverage to audit compliance.
Subcontracting. A service provider may engage another service provider (a subcontractor or sub-service provider) to assist in performing the business purposes, provided the subcontractor also enters into a written contract with the same four mandatory restrictions (§ 1798.140(w)(3)). The CPPA regulations at 11 CCR § 7051(a)(5) confirm that businesses and service providers may subcontract processing to other service providers or contractors, and the subcontractor inherits the same restrictions.
Business purpose — § 1798.140(e). The statute defines "business purpose" as "the use of personal information for the business's operational purposes, or other notified purposes, or for the service provider or contractor's operational purposes," provided the use is reasonably necessary and proportionate. Subdivision (e) enumerates eight categories of permitted business purposes:
- (1) Auditing related to counting ad impressions and verifying positioning and quality of ad impressions;
- (2) Helping to ensure security and integrity;
- (3) Debugging to identify and repair errors;
- (4) Short-term, transient use (provided the personal information is not disclosed to another third party and is not used to build a profile or otherwise alter the consumer's experience outside the current interaction);
- (5) Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services;
- (6) Providing advertising and marketing services, except for cross-context behavioral advertising (a critical carve-out introduced by the CPRA), provided the service provider or contractor does not combine personal information of opted-out consumers from multiple sources;
- (7) Undertaking internal research for technological development and demonstration;
- (8) Undertaking activities to verify or maintain the quality or safety of a service or device owned, manufactured, or controlled by the business, and to improve, upgrade, or enhance the service or device.
The CPRA amendment to subdivision (e)(6) excluded cross-context behavioral advertising from the list of permitted business purposes, forcing businesses that engage in cross-context behavioral advertising with third-party ad-tech vendors to treat those disclosures as "sharing" and offer an opt-out under § 1798.120.
## Contractor — § 1798.140(ae)
The contractor category was introduced by the CPRA (effective January 1, 2023) to cover entities to which a business makes available personal information, as distinct from service providers who process personal information on behalf of a business and receive it from or on behalf of the business. The practical distinction rests on the nature of the engagement: service providers typically perform data-centric processing (hosting, analytics, payment handling, customer relationship management), whereas contractors provide less data-centric services where personal information access is incidental (for example, a law firm, accounting firm, or consultant who needs access to a business's database to perform professional services but does not "process" the data on the business's behalf).
Four mandatory contract provisions plus certification. Under § 1798.140(ae)(1), a contractor is a person to whom the business makes available personal information for a business purpose pursuant to a written contract that:
(A) Prohibits the contractor from:
- (i) Selling or sharing the personal information;
- (ii) Retaining, using, or disclosing the personal information for any commercial purpose other than providing the services specified in the contract;
- (iii) Retaining, using, or disclosing the personal information outside the direct business relationship;
- (iv) Combining the personal information with personal information received from or on behalf of another person or collected from its own interaction with the consumer, except as permitted for business purposes under regulations and subdivision (e)(6).
(B) Includes a certification made by the contractor that the contractor understands the restrictions in subparagraph (A) and will comply with them. This certification requirement is unique to contractors—the service provider definition in subdivision (w) does not require a certification. In practice, many businesses include a substantially similar certification in service provider contracts for contractual completeness, but the statute only mandates it for contractors.
(C) Permits, subject to agreement with the contractor, the business to monitor the contractor's compliance through measures including ongoing manual reviews, automated scans, and regular assessments, audits, or other technical and operational testing. Like the service provider monitoring provision, this is permissive ("permits"), not mandatory. The phrase "subject to agreement with the contractor" acknowledges that the contractor may negotiate the scope of monitoring or decline certain intrusive audit rights.
Subcontracting. Section 1798.140(ae)(2) provides that a contractor may engage another contractor (a sub-contractor) to assist in meeting the same written contractual obligations that the contractor has with the business, provided the sub-contractor also agrees to the same restrictions.
## Consequence of non-compliance — third-party status and sale
If a disclosure of personal information does not satisfy the contract requirements in § 1798.140(w) or (ae), the recipient is a third party as defined in § 1798.140(ai): "a person who is not any of the following: (1) The business that collects personal information from consumers under this title. (2)(A) A person to whom the business makes available a consumer's personal information for a business purpose pursuant to a written contract" meeting the contractor requirements. If the business discloses personal information to a third party for monetary or other valuable consideration, that disclosure is a sale under § 1798.140(ad)(1), triggering the consumer's right to opt out under § 1798.120 and the business's obligation to post a "Do Not Sell or Share My Personal Information" link under § 1798.135.
"Valuable consideration" is broadly construed. The CCPA does not define "valuable consideration," but the CPPA and courts interpret it expansively. In the context of digital advertising, the exchange of personal information in return for free or reduced-price services, access to a platform, or reciprocal data sharing can constitute valuable consideration. Many businesses that share personal information with ad-tech partners for targeted advertising have concluded that those disclosures are "sales" and offer a universal opt-out, even when no money changes hands.
## Practical compliance discipline
Contract review is not optional. A business that discloses personal information to vendors, cloud providers, analytics platforms, customer-support tools, or professional-services firms must confirm that each disclosure is covered by a written contract containing the four mandatory prohibitions (and, for contractors, the certification). A missing or defective contract converts a lawful business-purpose disclosure into a sale or sharing transaction, exposing the business to enforcement by the CPPA and, in some cases, by the Attorney General. The statute does not grandfather pre-CCPA contracts; businesses must amend or replace legacy master service agreements.
Service provider vs. contractor classification. Although the two categories are subject to nearly identical restrictions, the certification and monitoring-permission language differ. Many businesses draft a single "Data Processing Addendum" template that includes both the service provider and contractor language, permitting the template to cover either relationship. The statute does not prohibit an entity from qualifying as both a service provider and a contractor under separate contracts or for separate data flows.
Subcontracting requires cascading contracts. Businesses must ensure that service provider and contractor agreements authorize subcontracting and require the service provider or contractor to impose the same statutory restrictions on all subcontractors. The CPPA regulations at 11 CCR § 7051(a)(5) state that "a service provider or contractor may engage another service provider or contractor to assist it in meeting the same written contractual obligations the service provider or contractor has with the business." A service provider that subcontracts without a compliant written subcontract breaches the business's contract and may cause the business to be in violation of the CCPA.
Cross-context behavioral advertising carved out. Under the CPRA amendment to § 1798.140(e)(6), cross-context behavioral advertising is excluded from the list of permitted business purposes. A business that shares personal information with an ad-tech vendor for cross-context behavioral advertising (defined in § 1798.140(k) as targeted advertising based on a consumer's personal information obtained from the consumer's activity across businesses, websites, applications, or services other than the business with which the consumer intentionally interacts) must treat the disclosure as "sharing" under § 1798.140(ah) and offer consumers an opt-out under § 1798.120(b). The service provider or contractor carve-out does not apply.
Source: Cal. Civ. Code § 1798.140
Source: CPPA — California Consumer Privacy Act as amended (PDF, effective January 1, 2026)
Source: CPPA Regulations, 11 CCR §§ 7000 et seq. (effective March 29, 2023)
Service providers and contractors — avoiding "sale" or "sharing" under the CCPA
The CCPA distinguishes between three categories of entities that receive personal information from a covered business: service providers, contractors, and third parties. Disclosures to service providers and contractors—when made pursuant to a compliant written contract—do not constitute "sale" or "sharing" under the CCPA and therefore do not trigger consumer opt-out rights under Cal. Civ. Code §§ 1798.120 (opt-out of sale/sharing) or 1798.135 (notice requirements). By contrast, disclosure of personal information to a third party for valuable consideration constitutes a "sale," and disclosure to a third party for cross-context behavioral advertising constitutes "sharing." Both require opt-out mechanisms. The distinction turns on the contractual framework governing the disclosure and the recipient's permitted uses.
Service provider — definition. Under Cal. Civ. Code § 1798.140(ag), a service provider is a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that:
- Is organized or operated for the profit or financial benefit of its shareholders or other owners;
- Processes information on behalf of a business; and
- Receives a consumer's personal information from or on behalf of the business for a business purpose pursuant to a written contract that prohibits the service provider from retaining, using, or disclosing the personal information for any purpose other than the specific business purposes set forth in the contract (including any commercial purpose other than providing the services specified in the contract), and from retaining, using, or disclosing the personal information outside of the direct business relationship between the service provider and the business.
Service providers typically perform data-centric processing functions such as cloud hosting, payment processing, data analytics, customer relationship management (CRM), email marketing, and IT security services. The defining characteristic is that the service provider processes personal information as an agent of the business, on the business's instructions, for purposes directed by the business.
Contractor — definition. The CPRA, which became operative January 1, 2023, introduced a second trusted-vendor category: the contractor. Under Cal. Civ. Code § 1798.140(j), a contractor is a person to whom the business makes available a consumer's personal information for a business purpose pursuant to a written contract that satisfies the same core restrictions as a service-provider contract. The statutory language distinguishes contractors by the verb "makes available" rather than "processes on behalf of." Contractors tend to provide services in which access to personal information is incidental to the primary service rather than the core deliverable—for example, a law firm representing the business, an accounting firm conducting an audit, or a facility-management vendor whose employees access employee directories when servicing a building.
The contractual restrictions on service providers and contractors are nearly identical. Both are prohibited from selling or sharing the personal information, using it for any purpose other than the specified business purposes, using it outside the direct business relationship, and (subject to regulatory exceptions) combining personal information from multiple sources. The primary differences are:
- Certification: A contractor's contract must include a certification by the contractor that it understands the restrictions and will comply with them (§ 1798.140(j)(2)(B)). The statute does not impose an equivalent certification requirement on service-provider contracts.
- Compliance monitoring: Contractor contracts must permit the business to monitor the contractor's compliance (subject to the contractor's agreement) through ongoing manual reviews, automated scans, and regular assessments or audits at least once every 12 months (§ 1798.140(j)(2)(C)). Service-provider contracts may include similar monitoring rights (§ 1798.140(ag)(2)(D)), but the language is permissive ("the contract may") rather than mandatory.
Required contract terms — 11 CCR § 7051. The California Privacy Protection Agency (CPPA) regulations elaborate on the statutory contract requirements. Under 11 CCR § 7051, a compliant service-provider or contractor contract must:
(1) Prohibit the service provider or contractor from selling or sharing the personal information;
(2) Prohibit the service provider or contractor from retaining, using, or disclosing the personal information for any purpose other than the business purposes specified in the contract or as otherwise permitted by the CCPA and regulations;
(3) Prohibit the service provider or contractor from retaining, using, or disclosing the personal information for any commercial purpose other than the business purposes specified in the contract, unless expressly permitted by the CCPA or regulations;
(4) Prohibit the service provider or contractor from retaining, using, or disclosing the personal information outside the direct business relationship between the service provider or contractor and the business, unless expressly permitted by the CCPA or regulations;
(5) Prohibit the service provider or contractor from combining the personal information it receives from the business with personal information it receives from another person or collects from its own interaction with the consumer, except as permitted by CPPA regulations for certain enumerated business purposes;
(6) Require the service provider or contractor to comply with all applicable sections of the CCPA and regulations, including—with respect to the personal information collected pursuant to the written contract—providing the same level of privacy protection as required of businesses;
(7) Grant the business the right to take reasonable and appropriate steps to ensure that the service provider or contractor uses the personal information in a manner consistent with the business's CCPA obligations, including ongoing manual reviews, automated scans, and regular assessments or audits (at least once every 12 months);
(8) Require the service provider or contractor to notify the business after it makes a determination that it can no longer meet its obligations under the CCPA and regulations; and
(9) Grant the business the right, upon notice, to take reasonable and appropriate steps to stop and remediate the service provider or contractor's unauthorized use of personal information.
If any of these required contractual prohibitions is missing from the written contract, the entity does not meet the statutory definition of a service provider or contractor, and the disclosure is treated as a sale or sharing to a third party.
Permitted uses — exceptions to the general prohibitions. The CPPA regulations specify that service providers and contractors may use personal information received under the contract for certain limited internal purposes even if not enumerated in the written contract, including:
- Detecting, preventing, or investigating data security incidents or protecting against malicious, deceptive, fraudulent, or illegal activity (11 CCR § 7050(a)(4));
- Building or improving the quality of the service provider's or contractor's own services, provided the use does not include building or modifying household or consumer profiles to use in providing services to another business, or correcting or augmenting data acquired from another source (11 CCR § 7050(a)(5)).
These carve-outs permit a vendor to use the personal information to debug its platform or harden its security without characterizing those activities as unauthorized retention.
Third party — the residual category. A third party is any person who is not the business that collected the information, not a service provider to that business, and not a contractor to that business (§ 1798.140(ai)). Disclosing personal information to a third party for monetary or other valuable consideration constitutes a sale under § 1798.140(ad)(1). Disclosing personal information to a third party for cross-context behavioral advertising constitutes sharing under § 1798.140(ah)(1). Both trigger the consumer's right to opt out (§ 1798.120) and the business's obligation to post a "Do Not Sell or Share My Personal Information" link on its homepage (§ 1798.135). The absence of a compliant contract transforms a vendor into a third party and the data flow into a sale or share.
Practical consequences — contractual compliance as a safe harbor. A business that discloses personal information to a vendor without a compliant service-provider or contractor contract must treat the disclosure as a sale or share, which requires:
- Disclosing the categories of personal information sold or shared in the privacy policy (§ 1798.115);
- Providing a conspicuous "Do Not Sell or Share My Personal Information" link on the homepage (§ 1798.135(a)(1));
- Honoring consumer opt-out requests within 15 business days (§ 1798.135(a)(4)); and
- Refraining from selling or sharing the personal information of consumers who have opted out.
The contract is not merely a formality—it is the sole statutory mechanism that exempts a disclosure from the sale and sharing definitions. California Attorney General and CPPA enforcement actions have targeted businesses that disclosed personal information to advertising technology vendors and other third parties without compliant contracts, characterizing those disclosures as unreported sales. Conversely, a business that maintains a compliant contract and does not have actual knowledge or reason to believe that the service provider or contractor intends to violate the CCPA is not liable for the service provider's or contractor's unauthorized use of the personal information (§ 1798.145(i)(1)).
Subcontractors and flow-down. A service provider or contractor that engages a subcontractor to assist in performing services for the business must have a written contract with the subcontractor that satisfies the same requirements as the business-to-service-provider contract (11 CCR § 7051(b)). The CCPA imposes direct flow-down obligations on service providers and contractors when they engage downstream processors.
Due diligence and monitoring. Whether a business conducts due diligence of its service providers and contractors factors into whether the business has reason to believe that a service provider or contractor is using personal information in violation of the CCPA (11 CCR § 7051(c)). A business that never enforces the terms of the contract, never exercises its rights to audit or test the service provider's or contractor's systems, and never monitors compliance may not be able to rely on the statutory safe harbor if the vendor's use violates the CCPA.
Source: Cal. Civ. Code § 1798.140
Source: 11 CCR § 7051 — Contract Requirements for Service Providers and Contractors
Source: 11 CCR § 7050 — Service Providers and Contractors