News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | A data processing addendum for the CCPA? Related reading: IAPP resource: 'CCPA Amendment Tracker'

rss_feed

""

The digital advertising industry is undergoing a rapid regulatory transformation. The EU General Data Protection Regulation went into effect more than a year ago, and the California Consumer Privacy Act is right around the corner with a Jan. 1, 2020, effective date. Other jurisdictions are likely to follow. Industry lawyers created legal frameworks to comply with the GDPR but now need to determine what changes are needed to comply with the CCPA and, potentially, future privacy laws in other states.

One important part of that assessment is the data processing addendum. 

Emergence of the data processing addendum

Just two years ago, the concept of a data processing addendum did not even exist for many companies. Now, the data processing addendum is engrained in the lexicon of every privacy practitioner throughout the world and forms the contractual foundation upon which data is processed by one party on behalf of another. While companies continue to enter into these addenda for GDPR purposes, there is a growing buzz among industry lawyers about whether a data processing addendum is required or advisable in order to comply with the CCPA. Common questions being posed include:

  • Do companies need to amend their existing data processing addenda in order to comply with the CCPA?
  • Is there a long-term solution to avoid having to draft new data processing addenda every time a jurisdiction adopts a new privacy law?

GDPR data processing addenda

Article 28 of the GDPR generally requires a written contract between a “controller” and “processor” to govern the processing of personal data (in certain limited instances, a processor may be able to satisfy Article 28 through another “legal act” that is binding upon such processor, but this is not relevant for our discussion here).  

At a high level, the “controller” determines what personal data will be processed and for what purposes (i.e., “the purposes and means of processing”), and the “processor” carries out such processing based on the controller’s instructions. Their contract must contain certain provisions enumerated within Article 28, including that the processor will (1) comply with the GDPR; and (2) assist with the controller’s GDPR compliance. These provisions include promises to process personal data only on the documented instructions of the controller, provide “adequate security,” assist with data subject rights, and give appropriate breach notification, among others. Further, the contract must require the processor to flow down all such obligations to its subprocessors in similar data processing addenda.

These GDPR requirements started a flurry of activity, whereby controllers and processors entered into data processing addenda as riders to their master services agreement (or similar agreement) in order to comply with Article 28.

A CCPA data processing addendum and beyond?

Under the CCPA, compliance obligations attach to three different types of entities: (1) a “business;” (2) a “service provider;” and (3) a “third party.”  Each is a defined term under the CCPA.

Taking a cue from the GDPR, the CCPA defines a “business” as a for-profit entity that determines the “purposes and means of the processing of ... personal information.”

A “service provider” is a for-profit entity that processes this personal information “on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract ....” This written contract must prohibit the service provider from “retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business.”

Finally, a “third party” is defined in the negative. It is any entity that is not (1) a business that “collects” personal information from a consumer; or (2) a service provider with the contractual restrictions described above and in this paragraph (or any other “person” with the same such contractual restrictions). Interestingly, the “third party” definition adds prohibitions that must be included within the written contract between the business and the service provider or another person in order to not be considered a third party (although it is unclear why). 

Specifically, such written contracts must also prohibit the service provider or another person from (i) “selling” the personal information (a “sale” is a defined term under the CCPA); and (ii) retaining, using or disclosing the personal information outside of the direct business relationship with the business or for any other purpose than what is specified in the contract. It must also contain a “certification” by the service provider or another person that it understands all its contractual restrictions and will comply with them.

To sum this up: A business determines the purposes and means of processing; a service provider processes personal information on behalf of a business; and the business and service provider must have a written contract containing certain provisions. Sounds quite similar to the GDPR! However, there are two key differences:

  1. It is unclear whether an entity must be provided personal information from a business in order to be considered a “service provider.” Under the GDPR, processors oftentimes collect personal information directly from customers pursuant to a controller’s orders. Under a literal reading of the CCPA, a service provider must receive personal information from a business in order to be considered as such. If that is the case — which we hope the California attorney general will clarify — then it will be more difficult for certain entities, such as analytics providers that collect information directly from a website visitor, to be considered service providers. Instead, they may be considered businesses or third parties. 
  2. The CCPA’s written contract requires much less than Article 28 of the GDPR. While Article 28 of the GDPR has a list of provisions that must be included in the contract, the CCPA only prohibits a service provider from using personal information for any purpose outside of the services rendered to the business. There is no requirement, for example, for service providers to flow down their prohibitions to other service providers; however, practically speaking, this may be necessary so that service providers can better comply with their contracts with businesses (i.e., only disclose personal information to provide the services).

With the deadline fast approaching and no guidance yet from the California attorney general on these issues, businesses and service providers are well advised to make specific amendments to their existing data processing addenda (or draft a separate one) to account for the CCPA’s various idiosyncrasies, such as to ensure that the service provider is not also accidentally considered a “third party.” If a business discloses personal information to a “third party,” the business has additional obligations (e.g., to disclose the categories of third parties in its privacy policy and provide explicit notice before a third party sells to others). 

In light of the current regulatory uncertainty and the specific requirements contained in the CCPA, relying on vague “compliance with applicable laws” representations is insufficient and imprudent.

Such amendments to existing or new data processing addenda should state which entity is the “service provider” under the CCPA and that such service provider:

  • Receives the personal information from the business pursuant to a “business purpose,” although it is unclear whether you need to state the specific business purpose.
  • Will not “sell” the personal information (as the term “sell” is defined under the CCPA).
  • Will retain, use or disclose such personal information only for the specific purpose of performing the services and within the direct business relationship with the business.
  • “Certifies” that it understands its contractual restrictions and shall comply with them.

In addition, the document should address such contentious issues as indemnification, limitation of liability, and what happens in the event of a change in law.

In order to assist companies within the digital advertising ecosystem to comply with the GDPR and the CCPA (and similar state laws in the future), the Interactive Advertising Bureau and the American Association of Advertising Agencies are teaming up with stakeholders from across the ecosystem to draft a model data processing addendum to which parties can voluntarily choose to adhere. This working group will stay active so that the model can evolve as additional jurisdictions adopt new privacy laws or change existing laws. The working group plans to release the model data processing addendum in the third or fourth quarter of this year.

Photo by Jordi Vich Navarro on Unsplash


Approved
CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT
Credits: 1

Submit for CPEs

Authors
Headshot Matt Savare IAPP Member Contributor
Headshot Michael Hahn Nonmember Contributor
Headshot Sundeep Kapur Nonmember Contributor
Tags
U.S.
Privacy Law
Privacy Operations Management
Privacy Opinion
1 Comment

If you want to comment on this post, you need to login.

  • comment Marc Schultz • Sep 2, 2020 
    Has there been any progress on standard DPA language e.g. Standard Contractual Clauses?
Related Stories
IAPP resource: 'CCPA Amendment Tracker'
There has been a flurry of state-level legislative activity in 2019 leading up to the implementation of the California Consumer Privacy Act, Jan. 1, 2020. More than a dozen amendments addressing various parts of the comprehensive state law have surfaced in the California Legislature this year. To he...
Read More queue Save This
Competing CCPA amendments sculpt law's scope
The California Consumer Privacy Act, passed in June 2018, includes various consumer rights and business obligations regarding consumer personal information. One of the most significant rights contained in the CCPA is the right for a consumer to opt out of the sale of their personal information to th...
Read More queue Save This
Encryption, redaction and the CCPA
1
There appears to be consistent confusion with regard to the California Consumer Privacy Act and its incentives to encrypt and redact personal information wherever possible. Specifically, the CCPA encourages security through two means. First, non-encrypted and non-redacted information that is breach...
Read More queue Save This
Related Stories
Tags
U.S.
Privacy Law
Privacy Operations Management
Privacy Opinion
Recent Comments