Under the CCPA, every entity that receives personal information from a business falls into one of three categories: service provider, contractor, or third party. The category you fall into determines what you can do with the data, what obligations you carry, and what compliance burdens your customers face when sharing data with you.
If you’re a B2B SaaS company and you haven’t affirmatively qualified as a service provider through proper contractual language, California treats you as a third party by default. That default has consequences most founders don’t anticipate.
Why the Classification Matters
The CCPA defines “sale” of personal information broadly. It’s not limited to exchanging data for money. Any disclosure of personal information to a third party for monetary or other valuable consideration can constitute a sale. And “sharing” for cross-context behavioral advertising triggers similar obligations.
When your customer discloses personal information to you (their SaaS provider), the CCPA’s treatment of that disclosure depends entirely on your classification.
If you qualify as a service provider, the disclosure is not a sale or sharing. Your customer can disclose data to you for the business purposes defined in the contract without triggering opt-out requirements, “Do Not Sell or Share” disclosures, or the other compliance obligations the CCPA imposes on sales and sharing. This is the carve-out that makes the B2B SaaS model work under California law.
If you’re classified as a third party, the disclosure may constitute a sale or sharing under the CCPA. That triggers a cascade of obligations for your customer: they must disclose the sale in their privacy policy, post a “Do Not Sell or Share My Personal Information” link on their homepage, and honor consumer opt-out requests. Your customer’s procurement team knows this, which is why sophisticated California-based buyers scrutinize your service provider status before signing.
The practical impact: if you can’t demonstrate that you qualify as a service provider under the CCPA, California-based enterprise customers face additional compliance burdens by working with you. That’s friction you don’t want in your sales cycle.
How to Qualify as a Service Provider
Qualifying as a service provider isn’t automatic. It requires specific contractual language. The CCPA sets out clear requirements.
Written contract. There must be a written agreement between your customer (the business) and you (the service provider) that contains the required terms. The definition of service provider is built around that contract: without one, you do not meet the definition and you are a third party. For most B2B SaaS companies, this means your DPA or Terms of Service must contain CCPA-specific service provider language.
Purpose limitation. The contract must specify the business purposes for which you process personal information. You’re prohibited from retaining, using, or disclosing the personal information for any purpose other than performing the services specified in the contract.
No secondary use. You cannot use the personal information you receive for your own independent commercial purposes. You can’t combine it with personal information from other sources (other customers, your own data collection, or third parties) except as specifically permitted by the CCPA.
Certification. The contract must include a certification that you understand the CCPA requirements and will comply with them.
Compliance obligations. The contract must obligate you to comply with applicable CCPA requirements, provide the same level of privacy protection as the CCPA requires, and notify the business if you can no longer meet your obligations.
For most B2B SaaS companies, these requirements are addressed in the DPA. If your DPA doesn’t include CCPA-specific service provider language, or if you don’t have a DPA at all, you likely don’t qualify as a service provider under the CCPA. You’re a third party by default.
What the CPRA Changed
The California Privacy Rights Act (CPRA), which amended the CCPA effective January 2023, made several changes relevant to service providers.
It added “contractor” as a new recipient classification alongside service provider and third party. A contractor is similar to a service provider but with additional requirements, including a provision permitting the business (subject to agreement with the contractor) to monitor compliance through measures such as assessments, audits, or other technical and operational testing at least once every 12 months. The contractor classification was designed for relationships where the business makes personal information available to the entity, rather than the entity strictly processing it “on behalf of” the business in the way a traditional service provider would.
It strengthened the contractual requirements for all entity types, including mandatory provisions about compliance monitoring, notification obligations, and the right of the business to take remedial steps if the service provider can no longer meet its CCPA obligations.
It also clarified that service providers may use personal information for limited internal purposes (improving service quality, detecting security incidents, debugging) as long as the use doesn’t involve building consumer profiles for use in providing services to other businesses.
How This Connects to Your DPA
Your CCPA service provider status and your DPA are directly connected. The DPA is typically where the contractual language qualifying you as a service provider lives.
A well-drafted DPA for a B2B SaaS company serving California customers should include: a CCPA-specific section or annex that establishes your service provider status, the required purpose limitations on how you process personal information, prohibitions on secondary use and cross-customer data combination, the certification that you understand and will comply with CCPA requirements, and provisions for handling consumer rights requests (access, deletion, correction) that your customer passes through to you.
If your DPA was drafted for GDPR compliance only (using processor/controller terminology without CCPA-specific provisions), it may not satisfy the CCPA’s service provider requirements. The GDPR processor framework and the CCPA service provider framework overlap significantly, but they’re not identical. Review your DPA to confirm it addresses both.
What Happens If You Don’t Take a Stance
If you don’t have CCPA-specific service provider language in your agreements, the default is that you’re a third party. Here’s what that means in practice.
Your customers’ disclosures of personal information to you may be classified as a “sale” or “sharing” under the CCPA. Your customers must disclose this in their privacy policy and provide opt-out mechanisms for California consumers. If a consumer opts out, your customer may need to stop sharing data with you, which functionally means they can’t use your product for that consumer’s data.
Enterprise procurement teams in California understand this framework. When they evaluate a SaaS vendor, they check whether the vendor qualifies as a service provider. If you can’t demonstrate that you do, the procurement team has to assess whether using your product triggers additional CCPA compliance obligations for their business. That assessment takes time, involves legal review, and may result in the deal stalling or the customer choosing a competitor who has their service provider status sorted out.
The fix is straightforward: include CCPA-specific service provider language in your DPA. If you already have a DPA, add a California-specific annex. If you don’t have a DPA, this is one more reason to get one in place. The contractual language is well-established and doesn’t require novel drafting. It requires attention.
A Note on Dual Roles
As covered in the privacy policy post earlier in this series, B2B SaaS companies are typically both a processor/service provider (for customer data) and a controller/business (for their own data). Your CCPA service provider status applies to how you handle customer data. For data you collect independently (website visitors, marketing contacts, your own employee data), you’re operating as a business under the CCPA with your own direct compliance obligations.
Make sure your privacy policy and your DPA reflect both roles clearly. The service provider framework governs one category of data. Your direct CCPA obligations as a business govern the other.
Those direct obligations include providing a privacy policy that discloses the categories of personal information collected, the purposes, and the categories of third parties you share with; providing a notice at collection before or at the point you collect personal information; honoring consumer rights requests (access, deletion, correction, opt-out of sale or sharing); posting a “Do Not Sell or Share My Personal Information” link if applicable; implementing reasonable security measures, which matters in particular because the CCPA’s private right of action for data breaches is tied to a failure to implement and maintain reasonable security procedures; and, for processing that presents significant risk to consumer privacy, conducting risk assessments as required under the CPRA’s newer provisions.
No Boiler provides self-service legal document generation and educational content. This material and our service is not a substitute for legal advice. Please have a qualified attorney review any documents before relying on them. No Boiler is not a law firm, and communications with us do not create an attorney-client relationship or carry any expectation of confidentiality. Use of our platform and content is governed by our Terms of Service and Privacy Policy.