consumers who have opted-out of the sale/sharing that the service provider or contractor receives from, or on behalf
of, the business with personal information that the service provider or contractor receives from, or on behalf of, another
person or collects from its own interaction with consumers. A person who contracts with a business to provide cross-
context behavioral advertising is a third party and not a service provider or contractor with respect to cross-context
behavioral advertising services. Illustrative examples follow.
(1)  Business S, a clothing company, hires a social media company as a service provider for the purpose of providing
Business S’s advertisements on the social media company’s platform. The social media company can serve Business S by
providing non-personalized advertising services on its platform based on aggregated or demographic information (e.g.,
advertisements to women, 18-30 years old, that live in Los Angeles). However, it cannot use a list of customer email
addresses provided by Business S to identify users on the social media company’s platform to serve advertisements to
them.
(2)  Business T, a company that sells cookware, hires an advertising company as a service provider for the purpose of
advertising its services. The advertising agency can serve Business T by providing contextual advertising services, such
as placing advertisements for Business T’s products on websites that post recipes and other cooking tips.
(c)  If a service provider or contractor receives a request made pursuant to the CCPA directly from the consumer, the service
provider or contractor shall either act on behalf of the business in accordance with the business’s instructions for responding
to the request or inform the consumer that the request cannot be acted upon because the request has been sent to a
service provider or contractor.
(d)  A service provider or contractor that is a business shall comply with the CCPA and these regulations with regard to any
personal information that it collects, maintains, or sells outside of its role as a service provider or contractor.
(e)  A person who does not have a contract that complies with section 7051, subsection (a), is not a service provider or a
contractor under the CCPA. For example, a business’s disclosure of personal information to a person who does not have a
contract that complies with section 7051, subsection (a), may be considered a sale or sharing of personal information for
which the business must provide the consumer with the right to opt-out of sale/sharing.
(f) A service provider or a contractor shall comply with the terms of the contract required by the CCPA and these regulations.
(g)  Whether an entity that provides services to a nonbusiness must comply with a consumer’s CCPA request depends upon
whether the entity is a “business,” as defined by Civil Code section 1798.140, subdivision (d).
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115,
1798.120, 1798.121, 1798.130, 1798.135, 1798.140 and 1798.185, Civil Code.
11 C.C.R. § 7051. Contract Requirements for Service Providers and Contractors
(a) The contract required by the CCPA for service providers and contractors shall:
(1)  Prohibit the service provider or contractor from selling or sharing personal information business it Collects pursuant to
the written contract with the business.
(2)  Identify the specific Business Purpose(s) for which the service provider or contractor is processing personal information
pursuant to the written contract with the business, and specify that the business is disclosing the personal information
to the service provider or contractor only for the limited and specified Business Purpose(s) set forth within the contract.
The Business Purpose shall not be described in generic terms, such as referencing the entire contract generally. The
description shall be specific.
California Consumer Privacy Act of 2018 (as amended by the
91 | 
California Privacy Rights Act of 2020) and Related Regulations