- 1798.100 – Consumers' right to receive information on privacy practices and access information
- 1798.105 – Consumers' right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers' right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
CCPA Privacy FAQs: Are payment processors and acquiring banks “service providers” under the CCPA?
It’s unclear.
To qualify as a “service provider” under the CCPA, a vendor must be bound by a written contract that prohibits it from:
- Retaining the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,”
- Using the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,” or
- Disclosing the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title.”
While an argument could be made that a payment processor satisfies the retention, use, and disclosure restrictions mandated by the CCPA because it receives information from merchants for the purpose of processing credit card payments for the benefit of the merchant, it is possible that a California court could determine that its purpose in processing the information goes beyond simply providing service for its merchant client. For example, in addition to using a credit card number transmitted from a merchant to process a credit card transaction, a payment processor may use that information to look for suspicious activity that could indicate a data breach or identity theft of a cardholder. It may also have obligations to third parties (e.g., Visa and MasterCard) to retain cardholder information even after it has completed the transaction requested by the merchant. A court might view these types of activities as going beyond the “specific purpose of performing the services” specified in a contract with a merchant.
To the extent that a court were to determine that a payment processor or an acquiring bank does not fall under the statutory definition of “service provider,” a merchant would have to disclose to consumers that their credit card information was “sold” to these companies unless the information transfer fell under one of the exceptions to a “sale” under the CCPA. It is possible that a business could argue that by providing their credit card, the consumer implicitly or explicitly “direct[ed] the business to intentionally disclose personal information or use[d] the business to intentionally interact with a third party.” Put differently, a reasonable consumer would understand that in order for a business to process a credit card transaction, the consumer’s credit card would need to be provided to a variety of third parties, including a payment processor, payment gateway, payment authentication service, acquiring bank, and payment card network. The act of providing the credit card and requesting that it be used for payment must, by its nature, be a request that the business disclose the consumer’s information to these entities.