CCPA and Third-Party AI Vendors: What Businesses Need in Contracts and Disclosures
Most businesses are sharing California consumer data with AI tools — chatbots, analytics platforms, personalization engines — without the contracts and privacy disclosures CCPA requires. The service provider / third party classification matters enormously, and AI model training complicates it.
The Classification That Changes Everything
Under CCPA (as amended by CPRA), every entity that receives personal information from your business falls into one of three buckets: service provider, contractor, or third party. The bucket determines whether consumers have opt-out rights over that data transfer, and whether you can rely on a processing agreement or need full opt-out infrastructure.
A service provider processes personal information only to perform services you specified — nothing else. A contractor is similar but operates on a direct business-to-business engagement basis. A third party can use the data for its own commercial purposes. Sharing data with a third party constitutes a "sale or share" under CCPA, triggering the consumer's right to opt out and the requirement to honor Global Privacy Control (GPC) signals.
The problem with many AI vendors: they are functionally classified as third parties even when businesses assume they're service providers. The reason is model training.
The Model Training Problem
The sticking point in nearly every AI vendor relationship is whether the vendor uses customer data to train, fine-tune, or improve its AI models. If they do — and many SaaS AI tools do by default — the vendor is using personal information for its own commercial purposes, not just yours. That makes them a third party under CCPA.
AI chatbot vendor trains on your chat transcripts to improve its models
Classification: Third Party
Data sharing is a 'sale or share' — consumers have opt-out rights; you need 'Do Not Sell or Share' infrastructure
AI analytics platform uses your data only to generate reports for you
Classification: Service Provider
Write a CCPA-compliant processing contract; no opt-out required; consumers can request deletion
AI vendor uses anonymized, aggregated data to improve models (individual records stripped)
Classification: Disputed — likely still Service Provider if truly de-identified
De-identification must meet CCPA's standard; retain documentation that individual records are not recoverable
AI vendor uses your data to serve advertising or personalization for other customers
Classification: Third Party
This is cross-context behavioral advertising — triggers opt-out rights and GPC compliance
Required Contract Terms for AI Service Providers
If your AI vendor genuinely qualifies as a service provider, CCPA requires a written contract that includes specific provisions. Many standard AI vendor agreements don't meet these requirements out of the box — you'll often need to negotiate addenda or Data Processing Agreements.
Purpose limitation clause
The contract must specify that personal information is disclosed only for limited, specified purposes — the exact business purposes you're hiring the vendor for, no more.
Prohibition on secondary use
The vendor must be contractually prohibited from retaining, using, selling, or disclosing personal information for any purpose other than performing the contracted services. No model training. No product improvement. No cross-client aggregation.
CCPA compliance obligation
The vendor must agree to comply with applicable CCPA requirements, including maintaining appropriate security measures and honoring consumer deletion requests.
Deletion or return on termination
At contract termination, the vendor must delete or return all personal information and certify deletion. 'Data lives in model weights' is not a compliant response.
Audit and verification rights
CCPA allows businesses to take reasonable and appropriate steps to ensure service provider compliance. Your contract should include audit rights or at minimum a vendor certification process.
Downstream transfer restrictions
If the vendor uses subprocessors (e.g., their own AI infrastructure vendors), those subprocessors must be bound by the same restrictions. Get a list of subprocessors and require notification of changes.
Privacy Notice Updates Required
Your CCPA privacy notice must disclose what personal information you collect, why, and with whom you share it. The rise of AI tools has created widespread gaps between what privacy notices say and what's actually happening to consumer data.
What Your Notice Must Disclose
- •Categories of personal information shared with AI vendors
- •Business or commercial purpose for each AI data transfer
- •Categories of service providers and third parties receiving data
- •Whether data is 'sold or shared' to AI vendors for cross-context advertising
- •Consumer rights to opt out, delete, and correct
- •How to submit 'Do Not Sell or Share' requests (if applicable)
Common Privacy Notice Gaps for AI Users
- •Listing only 'analytics providers' without specifying AI tools
- •Omitting AI chatbot vendors who receive conversation data
- •Not disclosing AI personalization engines processing behavioral data
- •Using 'improve our services' as the purpose when vendor uses data for own AI training
- •Failing to add 'Do Not Sell or Share' link when AI vendors qualify as third parties
- •Not updating notice when adding new AI tools post-publication
Sensitive Personal Information and AI
CPRA created a new category — sensitive personal information (SPI) — with heightened protections. SPI includes precise geolocation, race/ethnicity, religion, health data, biometrics, financial account information, sexual orientation, and the contents of communications. If your AI tools process SPI, consumers have the right to limit its use to necessary business purposes, and you need to honor that right.
AI customer service chatbots
Chat transcripts may contain health complaints, financial issues, or personal disclosures — all potentially SPI. Ensure your chatbot vendor has SPI restrictions in their contract.
AI analytics on customer behavior
Precise geolocation tracking fed into AI personalization is SPI. If your analytics AI processes location at the address level, SPI rules apply.
AI in HR or talent management
Résumés and employment applications often include race, health status, and financial history — SPI. AI screening tools processing this data require SPI-compliant data handling.
AI for financial services or lending
Financial account details processed by AI decisioning tools are SPI. Special handling and limiting-use rights apply to all such data flows.
Action Checklist: AI Vendor CCPA Compliance
Frequently Asked Questions
We use OpenAI's API with opt-out of training. Does that make them a service provider?
Using the API with data-training opt-out is the right step — it contractually prohibits OpenAI from using your prompts and completions to train its models. Combined with OpenAI's data processing addendum, the API relationship can qualify as a service provider relationship for CCPA purposes. Verify that your account actually has training opt-out enabled (it's not always the default), and execute the DPA explicitly rather than relying on ToS alone.
What if an AI vendor refuses to sign a CCPA-compliant DPA?
Then they are almost certainly a third party under CCPA, not a service provider. You have two choices: treat the data sharing as a 'sale or share' and implement consumer opt-out rights for that specific vendor, or stop sharing California consumer personal information with that vendor for that purpose. A vendor that won't contractually limit its use of your customers' data is using it for its own purposes.
Does CCPA apply if we're only sharing business-to-business data (company contacts, not consumers)?
CCPA's B2B exemption was significantly narrowed by CPRA. As of January 2023, business contacts and employees of companies are largely covered by CCPA. If you're sharing data about individual people — even in a professional context — CCPA likely applies. The exemption for truly non-person business data (aggregate company financials, product information) remains narrow.
We're a small business under the CCPA threshold. Do these rules still apply?
CCPA applies to businesses that meet one of three thresholds: $25M+ annual gross revenue, buying/selling/receiving/sharing personal information of 100,000+ consumers or households, or deriving 50%+ of revenue from selling personal information. If you're under all three thresholds, CCPA doesn't apply to you directly. But if you serve California consumers who are customers of CCPA-covered businesses, those businesses will require your CCPA compliance as part of their vendor management.
The Core Rule to Internalize
Any AI vendor that uses your customer data for its own model improvement, product development, or commercial purposes is a third party under CCPA — not a service provider — regardless of how they describe themselves in their marketing. Treating them as service providers when they're third parties is a CCPA violation that creates consumer opt-out rights you're not honoring.
Get your AI vendor list, check each vendor's data use policy, and sign proper DPAs where you can. Where you can't, treat the relationship as a third-party data share and implement the opt-out infrastructure. It's not complicated — it's just work that most companies haven't done yet.