The digital advertising industry is undergoing a rapid regulatory transformation. The EU General Data Protection Regulation went into effect more than a year ago, and the California Consumer Privacy Act is right around the corner with a Jan. 1, 2020, effective date. Other jurisdictions are likely to follow. Industry lawyers created legal frameworks to comply with the GDPR but now need to determine what changes are needed to comply with the CCPA and, potentially, future privacy laws in other states.

One important part of that assessment is the data processing addendum. 

Emergence of the data processing addendum

Just two years ago, the concept of a data processing addendum did not even exist for many companies. Now, the data processing addendum is engrained in the lexicon of every privacy practitioner throughout the world and forms the contractual foundation upon which data is processed by one party on behalf of another. While companies continue to enter into these addenda for GDPR purposes, there is a growing buzz among industry lawyers about whether a data processing addendum is required or advisable in order to comply with the CCPA. Common questions being posed include:

  • Do companies need to amend their existing data processing addenda in order to comply with the CCPA?
  • Is there a long-term solution to avoid having to draft new data processing addenda every time a jurisdiction adopts a new privacy law?

GDPR data processing addenda

Article 28 of the GDPR generally requires a written contract between a “controller” and “processor” to govern the processing of personal data (in certain limited instances, a processor may be able to satisfy Article 28 through another “legal act” that is binding upon such processor, but this is not relevant for our discussion here).  

At a high level, the “controller” determines what personal data will be processed and for what purposes (i.e., “the purposes and means of processing”), and the “processor” carries out such processing based on the controller’s instructions. Their contract must contain certain provisions enumerated within Article 28, including that the processor will (1) comply with the GDPR; and (2) assist with the controller’s GDPR compliance. These provisions include promises to process personal data only on the documented instructions of the controller, provide “adequate security,” assist with data subject rights, and give appropriate breach notification, among others. Further, the contract must require the processor to flow down all such obligations to its subprocessors in similar data processing addenda.

These GDPR requirements started a flurry of activity, whereby controllers and processors entered into data processing addenda as riders to their master services agreement (or similar agreement) in order to comply with Article 28.

A CCPA data processing addendum and beyond?

Under the CCPA, compliance obligations attach to three different types of entities: (1) a “business;” (2) a “service provider;” and (3) a “third party.”  Each is a defined term under the CCPA.

Taking a cue from the GDPR, the CCPA defines a “business” as a for-profit entity that determines the “purposes and means of the processing of ... personal information.”

A “service provider” is a for-profit entity that processes this personal information “on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract ....” This written contract must prohibit the service provider from “retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business.”

Finally, a “third party” is defined in the negative. It is any entity that is not (1) a business that “collects” personal information from a consumer; or (2) a service provider with the contractual restrictions described above and in this paragraph (or any other “person” with the same such contractual restrictions). Interestingly, the “third party” definition adds prohibitions that must be included within the written contract between the business and the service provider or another person in order to not be considered a third party (although it is unclear why). 

Specifically, such written contracts must also prohibit the service provider or another person from (i) “selling” the personal information (a “sale” is a defined term under the CCPA); and (ii) retaining, using or disclosing the personal information outside of the direct business relationship with the business or for any other purpose than what is specified in the contract. It must also contain a “certification” by the service provider or another person that it understands all its contractual restrictions and will comply with them.

To sum this up: A business determines the purposes and means of processing; a service provider processes personal information on behalf of a business; and the business and service provider must have a written contract containing certain provisions. Sounds quite similar to the GDPR! However, there are two key differences:

  1. It is unclear whether an entity must be provided personal information from a business in order to be considered a “service provider.” Under the GDPR, processors oftentimes collect personal information directly from customers pursuant to a controller’s orders. Under a literal reading of the CCPA, a service provider must receive personal information from a business in order to be considered as such. If that is the case — which we hope the California attorney general will clarify — then it will be more difficult for certain entities, such as analytics providers that collect information directly from a website visitor, to be considered service providers. Instead, they may be considered businesses or third parties. 
  2. The CCPA’s written contract requires much less than Article 28 of the GDPR. While Article 28 of the GDPR has a list of provisions that must be included in the contract, the CCPA only prohibits a service provider from using personal information for any purpose outside of the services rendered to the business. There is no requirement, for example, for service providers to flow down their prohibitions to other service providers; however, practically speaking, this may be necessary so that service providers can better comply with their contracts with businesses (i.e., only disclose personal information to provide the services).

With the deadline fast approaching and no guidance yet from the California attorney general on these issues, businesses and service providers are well advised to make specific amendments to their existing data processing addenda (or draft a separate one) to account for the CCPA’s various idiosyncrasies, such as to ensure that the service provider is not also accidentally considered a “third party.” If a business discloses personal information to a “third party,” the business has additional obligations (e.g., to disclose the categories of third parties in its privacy policy and provide explicit notice before a third party sells to others). 

In light of the current regulatory uncertainty and the specific requirements contained in the CCPA, relying on vague “compliance with applicable laws” representations is insufficient and imprudent.

Such amendments to existing or new data processing addenda should state which entity is the “service provider” under the CCPA and that such service provider:

  • Receives the personal information from the business pursuant to a “business purpose,” although it is unclear whether you need to state the specific business purpose.
  • Will not “sell” the personal information (as the term “sell” is defined under the CCPA).
  • Will retain, use or disclose such personal information only for the specific purpose of performing the services and within the direct business relationship with the business.
  • “Certifies” that it understands its contractual restrictions and shall comply with them.

In addition, the document should address such contentious issues as indemnification, limitation of liability, and what happens in the event of a change in law.

In order to assist companies within the digital advertising ecosystem to comply with the GDPR and the CCPA (and similar state laws in the future), the Interactive Advertising Bureau and the American Association of Advertising Agencies are teaming up with stakeholders from across the ecosystem to draft a model data processing addendum to which parties can voluntarily choose to adhere. This working group will stay active so that the model can evolve as additional jurisdictions adopt new privacy laws or change existing laws. The working group plans to release the model data processing addendum in the third or fourth quarter of this year.

Photo by Jordi Vich Navarro on Unsplash