3. Service Providers

An in-depth comparison between ADPPA (American Data Privacy and Protection Act) and the CALIFORNIA PRIVACY LAWS*
*CCPA (California Consumer Privacy Act) and CPRA (California Privacy Rights Act)

Result of comparison:
Quite similar, although ADPPA is more detailed and includes more prohibitions for service providers (e.g. stop providing the service in case of covered entities’ infringement).

ADPPA:
  • Service providers can only collect and process personal data for executing the service required and are prohibited from transferring data without opt-in consent.
  • Service providers are prohibited from continuing to provide the service if they know the covered entity infringes ADPPA.
  • Service providers must receive covered data from a covered entity according to a written contract.
  • No liability of the covered entity if, at the time of transfer, it has no reason to know the service provider was likely to violate the Act.
  • No liability of the service provider for ADPPA infringements by the covered entity if it received covered data in compliance with the ADPPA.

California privacy laws (CCPA/CPRA):
  • Prohibition of using personal data except for running the business relationship.
  • Service providers are subject to the same obligations as businesses and must grant an equivalent level of protection from a privacy standpoint.
  • No liability for businesses for service provider violations if, at the time of data transfer, they did not have actual knowledge, or reason to believe, that the service provider intended to violate the Act.