Editor's note: This piece is the sixth in a ten-part series covering the operational impacts of the California Privacy Rights Act.
The California Privacy Rights Act aims to provide a continuing level of protection for personal information as it flows from covered businesses to third parties, service providers, contractors, and even their sub-processors.
To achieve this objective, CPRA expands on California Consumer Privacy Act requirements by:
- Outlining new contractual requirements to govern the sale, sharing, disclosure and receipt of personal information.
- Placing direct enforceable obligations on service providers and contractors.
- Mandating due diligence of processing operations.
Taken together, these CPRA provisions will require data supply chains to become more dynamic and responsive. This is a tall order given the number of entities often involved in modern processing operations. One recent study by Osano found that the average company shares its data with 730 different vendors and third parties. Each entity in these data processing chains subject to CPRA requirements, either directly or via contract, will need to scrutinize their data maps and data processing agreements (yet again) and prepare for updates, as explained below.
Definitions
CPRA defines covered businesses, third parties, service providers and contractors, in order to task each separately. CPRA builds on CCPA’s definitions of service providers (Section 1798.140(ag)(1)) and third parties (Section 1798.140(ai)) and adds a definition for contractor (Section 1798.140(j)(1)).
CCPA defines third party in the negative as a person who is not (1) a business that collects personal information or (2) a person to whom the business discloses personal information for a business purpose pursuant to a written contract, provided there are certain contractual restrictions in place. While the definition does not use the term “service provider,” many of the contractual requirements that disqualify a person from being a “third party” are included in the definition of service provider. Meanwhile, CCPA Regulations Section 999.314 states that a “business that provides services to a person or organization that is not a business, and that would otherwise meet the requirements and obligations of a “service provider” under the CCPA and these regulations, shall be deemed a service provider for purposes of the CCPA and these regulations.”
Under CPRA, the contractual terms that disqualify someone from being a third party are included in the definition of contractor, and the definition of third party specifically excludes both contractors and service providers. It is not immediately clear why service providers and contractors are differentiated under CPRA given that the requirements it places on each are nearly identical (with a few noteworthy exceptions discussed below). Still, the distinction seems intentional and appears to rest on the purposes for which personal information is shared and the types of services each entity provides – data processing in the case of service providers versus less data-centric services in the case of contractors.
Specifically, CPRA defines a service provider as a “person that processes personal information on behalf of a business and that receives from or on behalf of the business consumer's personal information for a business purpose pursuant to a written contract…” Contractor is defined as a “person to whom the business makes available a consumer's personal information for a business purpose, pursuant to a written contract…” And third party is defined by what it is not: a person other than the business, a service provider or contractor.
Each of the above definitions is tied to specific contractual requirements, as explained below and laid out in detail in the chart that follows, in comparison to requirements already in effect under the CCPA.
Contractual requirements: Third parties
CPRA’s new contractual requirements governing a business’s sale or sharing of personal information to a “third party” in Section 1798.100(d)(1) are less extensive than those governing transfers to contractors or service providers, but potentially more impactful. Today, most businesses have data processing agreements in place with service providers, whereas contracts governing transfers of personal information to third parties, with which the business may or may not have a continuing relationship, are somewhat less standard.
CPRA creates two new overarching requirements for such contracts. First, contracts must provide that the protections, both use limitations and privacy rules, follow personal information through the supply chain, see Sections 1798.100(d)(1-2). Second, these contracts must allow some level of due diligence by the business to help ensure third party processing remains consistent with CPRA obligations. They also create a feedback loop by mandating that the third party notify the business if it can no longer meet its CPRA obligations, and granting the business rights to take “reasonable and appropriate steps” to remediate unauthorized use of the personal information in such cases, see Sections 1798.100(d)(3-5).
While less common than standard data protection authority requirements, these obligations look strikingly similar to those in Privacy Shield’s Accountability for Onward Transfer Principle. As a result, the thousands of companies already certified to the Privacy Shield Framework should be able to leverage and update existing compliance mechanisms to meet these CPRA requirements.
Contractual requirements: Service providers and contractors
Under CPRA, all the new requirements discussed above must also be included in contracts with service providers and contractors with which businesses share personal data for a “business purpose.” CPRA also requires contractual commitments tailored more to the relationship between the business and service providers and contractors.
The additional CPRA requirements for contracts with service providers and contractors are included in the definitions for these terms and build on those already in effect under CCPA for service providers.
The CCPA requires that such contracts prohibit the retention, use, or disclosure of personal information for purposes other than performing the services specified. CPRA makes one adjustment to this requirement – limiting processing to a specified “business purpose,” which is defined in the Act and subject to future regulations. It also applies these contractual requirements to the definition of contractors and adds six more for both service providers and contractors.
These new contractual requirements are: 1) a prohibition on selling or sharing the personal information; 2) a prohibition on retaining, using or disclosing the personal information outside of the direct business relationship between the service provider and the business; 3) a prohibition related to combining personal information from different sources, an area also subject to future regulations; 4) a requirement to notify the business of sub-processors; 5) a mandate to bind sub-processors by written contract to the same processing obligations; and 6) provisions regarding monitoring of compliance (which are framed with a “may” in the case of service providers only, suggesting they are not required). It is worth noting that requirements one and two above were already applicable to the other “person” identified in CCPA’s definition of third party, which was neither a service provider nor a third party. Finally, CPRA requires that contractors (but not service providers) certify their understanding of and compliance with these contractual requirements. Again, under CCPA, this requirement excluded someone from being a third party.
Many of the additional requirements for transfers to service providers and contractors resemble those in the current standard contractual clauses for transfers from EU controllers to non-EU processors as well as GDPR Article 28-mandated DPAs. Given the European Commission’s stated plans to finalize the update to SCCs in March and an anticipated one-year implementation period, companies may be able to make necessary contractual updates to accommodate both the new SCCs and CPRA concurrently.
Direct obligations
CPRA also directly obligates service providers and contractors to assist businesses in putting in place the above contractual protections and in several other areas, paraphrased below, while subjecting them to administrative enforcement in Section 1798.155.
Specifically, CPRA requires a service provider or contractor to:
- Assist the business through appropriate technical and organizational measures in complying with the requirement to implement reasonable security procedures and practices, when it has collected personal information pursuant to a written contract with the business, Sections 1798.130(a)(3)(A) and 1798.100(e).
- Refrain from using sensitive personal information upon instructions from the business, with caveats, Section 1798.121(c).
- Assist the business in responding to a verifiable consumer request, including by:
  - Providing to the business the consumer’s personal information in the service provider or contractor’s possession, Section 1798.130(a)(3)(A).
  - Correcting or enabling the business to correct inaccurate information, Section 1798.130(a)(3)(A).
  - Deleting or helping the business delete personal information received, at the business's direction, Section 1798.105(c)(3).
  - Notifying any of its own service providers or contractors to delete personal information, with caveats, Section 1798.105(c)(3).
The above direct obligations are paired with those placed on the business to notify service providers and contractors as well as third parties, where it does not require disproportionate effort, to delete personal information upon receiving a verified consumer request.
It is also worth noting that Section 999.314 of CCPA Regulations provides that a “service provider shall not sell data on behalf of a business when a consumer has opted-out of the sale of their personal information with the business,” implying that the business needs to communicate such opt-out requests to service providers fulfilling such functions. In addition, Section 999.315 of the CCPA Regulations states, “If a business sells a consumer’s personal information to any third parties after the consumer submits their request but before the business complies with that request, it shall notify those third parties that the consumer has exercised their right to opt-out and shall direct those third parties not to sell that consumer’s information.”
Finally, the CPRA provides that a business is not directly liable if a service provider uses personal information in violation of the Act, “provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation,” Section 1798.145(i)(1).
Increased due diligence & more responsive data supply chains
Taken together, CPRA’s provisions on compliance monitoring, cooperative efforts to fulfill consumer requests, and mandated notifications will demand increased accountability in all directions and push data supply chains to become more dynamic and responsive.
CPRA provisions governing data transfers could also lead to greater automation and standardization throughout processing chains. Service providers assisting many clients could soon see a barrage of notifications and calls for assistance to access, correct and delete personal information or limit the use of sensitive information. If these notifications come through many channels and platforms, in many forms, businesses and their vendors could be overwhelmed. While recent IAPP survey data suggests that data access request numbers still remain manageable for the majority of companies, CPRA could significantly increase their numbers. If it does, this could encourage efforts to standardize and automate how consumer request signals are sent into the data supply chain.
The broader context
Organizations preparing to comply with these and other CPRA provisions will need to consider them in the context of the broader legal landscape in which each business operates. Globally, the principles governing transfers to third parties and service providers are converging. But the legal landscape is shifting fast, the requirements are rarely identical, and they often demand contractual commitments binding data recipients to jurisdiction-specific provisions and oversight. Helpfully, the California Attorney General’s Office made clear, in response to public comments, that “neither the CCPA, nor the regulations, specify any mandatory contract language,” Appendix A, row 525.
Still, as new data protection laws stack up around the globe, contractual and data management complexities will as well, particularly for companies striving to maintain global privacy and data management programs. With that complex legal landscape in mind, we will continue to offer updates as CPRA regulations and guidance are adopted.
Summary of CPRA Contractual Requirements (Bold text indicates a change from CCPA)

Section 1798.100(d)(1-5)

| Contract requirement | Third Parties | Service Providers | Contractors |
|---|---|---|---|
| Specifies PI sold or disclosed for limited purposes | Yes | Yes | Yes |
| Requires compliance with CPRA obligations | Yes | Yes | Yes |
| Requires provision of CPRA-level of privacy protection | Yes | Yes | Yes |
| Requires notification to the business if it can no longer meet CPRA obligations | Yes | Yes | Yes |
| Grants business right to “reasonable and appropriate steps” to stop and remediate unauthorized PI use upon notification above | Yes | Yes | Yes |
| Grants business rights to “reasonable and appropriate” steps to help ensure PI use is consistent with the business’s CPRA obligations | Yes | Yes | Yes |

CPRA Sections 1798.140(ag) (“Service provider”) and 1798.140(j) (“Contractor”)

| Contract requirement | Third Parties | Service Providers | Contractors |
|---|---|---|---|
| Prohibits sale or sharing of PI | | Yes | Yes* |
| Prohibits retention, use, or disclosure of PI for any purpose other than business purposes specified in the contract | | Yes | Yes* |
| Prohibits retention, use, or disclosure of PI outside direct relationship with business | | Yes | Yes* |
| Prohibits combining PI with PI from another person or that it collects from its own interaction with the consumer, with caveats | | Yes | Yes |
| Notifies business of the use of sub-processors | | Yes | Yes |
| Contractually binds sub-processors to the same processing obligations | | Yes | Yes |
| Permits, subject to agreement, the business to monitor contractual compliance, including through manual reviews, automated scans, regular assessments, audits, technical and operational testing at least once a year | | Yes (framed as “may permit”) | Yes |
| Includes certification of understanding and compliance | | | Yes* |

*These provisions are associated with a “person” under CCPA’s definition of third parties, which is subject to contractual restrictions and characterized as something other than a third party without any explanation as to how that “person” relates or doesn’t to a “service provider.” It appears that “person” became a “contractor” under CPRA.