The Software Alliance filed comments to the California Attorney General on draft regulations to implement the California Consumer Privacy Act (CCPA) intended to avoid upsetting the business-service provider relationship set out in the statute.
- A service provider may use personal information received from a business or consumer to serve another entity when a business or consumer directs it to do so.
- A service provider may combine information received from one or more businesses, when doing so is needed to provide and maintain the services and related services provided to those businesses. For example to improve an algorithm that powers a service provided to multiple businesses, or to combine metadata, such as to prepare to handle peak traffic times across geographies.
- A service provider should only respond to consumer requests sent to it by a business. This will help avoid the privacy and security risks associated with requiring service providers to respond directly to consumers, with whom they generally lack a direct relationship.