Published: December 2019

Many of us understand in theory what the California Consumer Privacy Act means for consumer rights and that it creates a totally new ecosystem of relationships between and among businesses that are covered by the law and other legal entities with whom they do business.

Unfortunately, that new ecosystem bears little resemblance to the controller/processor structure of the EU General Data Protection Regulation and leaves much to be desired when it comes to facilitating the privacy practitioner’s job of categorizing and risk-ranking business partners. To make matters worse, the attorney general did not issue draft regulations until October, and those regulations likely will not be finalized until July of 2020.

This white paper is designed to provide a little guidance to those who are struggling to identify different parties in the ecosystem and draft contractual provisions accordingly. It is also intended to become a chapter in the second edition of the IAPP’s “Data Processing Agreements” book in 2020.