Summary of CPRA Contractual Obligations
This chart provides a summary of the CPRA's contractual requirements.
Published: 15 Feb. 2021
The California Privacy Rights Act aims to provide a continuing level of protection for personal information as it flows from covered businesses to third parties, service providers, contractors, and even their sub-processors.
- Outlining new contractual requirements to govern the sale, sharing, disclosure and receipt of personal information.
- Placing direct enforceable obligations on service providers and contractors.
- Mandating due diligence of processing operations.
This resource provides a summary of the CPRA's contractual requirements.
Summary of CPRA Contractual Requirements
Section 1798.100(d)(1-5)
- Specifies PI sold or disclosed for limited purposes.
- Requires compliance with CPRA obligations.
- Requires provision of CPRA-level of privacy protection.
- Requires notification to the business if can no longer meet CPRA obligations.
- Grants business right to “reasonable and appropriate steps” to stop and remediate unauthorized PI use upon notification above.
- Grants business rights to “reasonable and appropriate” steps to help ensure PI use is consistent with the business’s CPRA obligations.
- Specifies PI sold or disclosed for limited purposes.
- Requires compliance with CPRA obligations.
- Requires provision of CPRA-level of privacy protection.
- Requires notification to the business if can no longer meet CPRA obligations.
- Grants business right to “reasonable and appropriate steps” to stop and remediate unauthorized PI use upon notification above.
- Grants business rights to “reasonable and appropriate” steps to help ensure PI use is consistent with the business’s CPRA obligations.
- Specifies PI sold or disclosed for limited purposes.
- Requires compliance with CPRA obligations.
- Requires provision of CPRA-level of privacy protection.
- Requires notification to the business if can no longer meet CPRA obligations.
- Grants business right to “reasonable and appropriate steps” to stop and remediate unauthorized PI use upon notification above.
- Grants business rights to “reasonable and appropriate” steps to help ensure PI use is consistent with the business’s CPRA obligations.
CPRA Sections 1798.140(ag) (“Service provider”) and 1798.140(j) (“Contractor”)
- Prohibits sale or sharing of PI.
- Prohibits retention, use, or disclosure of PI for any purpose other than business purposes specified in the contract.
- Prohibits retention, use, or disclosure of PI outside direct relationship with business.
- Prohibits combining PI with PI from another person or collects from its own interaction with the consumer, with caveats.
- Notifies business of the use of sub-processors.
- Contractually binds sub-processors to the same processing obligations.
- May permit, subject to agreement, the business to monitor contractual compliance, including through manual reviews, automated scans, regular assessments, audits, technical and operational testing at least once a year.
- Prohibits sale or sharing of PI*.
- Prohibits retention, use, or disclosure of PI for any purpose other than business purposes specified in contract*.
- Prohibits retention, use, or disclosure of PI outside direct relationship with business*.
- Prohibits combining PI with PI from another person or collects from its own interaction with the consumer, with caveats.
- Notifies business of the use of sub-processors.
- Contractually binds sub-processors to the same processing obligations.
- Permits, subject to agreement, the business to monitor contractual compliance, including through manual reviews, automated scans, regular assessments, audits, technical and operational testing at least once a year.
- Includes certification of understanding and compliance*.
*These provisions are associated with a “person” under CCPA’s definition of third parties, which is subject to contractual restrictions and characterized as something other than a third party without any explanation as to how that “person” relates or doesn’t to a “service provider.” It appears that “person” became a “contractor” under CPRA.
This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.
Summary of CPRA Contractual Obligations
This chart provides a summary of the CPRA's contractual requirements.
Published: 15 Feb. 2021
Contributors:
Caitlin Fennessy
Vice President and Chief Knowledge Officer, IAPP
CIPP/US
The California Privacy Rights Act aims to provide a continuing level of protection for personal information as it flows from covered businesses to third parties, service providers, contractors, and even their sub-processors.
- Outlining new contractual requirements to govern the sale, sharing, disclosure and receipt of personal information.
- Placing direct enforceable obligations on service providers and contractors.
- Mandating due diligence of processing operations.
This resource provides a summary of the CPRA's contractual requirements.
Summary of CPRA Contractual Requirements
Section 1798.100(d)(1-5)
- Specifies PI sold or disclosed for limited purposes.
- Requires compliance with CPRA obligations.
- Requires provision of CPRA-level of privacy protection.
- Requires notification to the business if can no longer meet CPRA obligations.
- Grants business right to “reasonable and appropriate steps” to stop and remediate unauthorized PI use upon notification above.
- Grants business rights to “reasonable and appropriate” steps to help ensure PI use is consistent with the business’s CPRA obligations.
- Specifies PI sold or disclosed for limited purposes.
- Requires compliance with CPRA obligations.
- Requires provision of CPRA-level of privacy protection.
- Requires notification to the business if can no longer meet CPRA obligations.
- Grants business right to “reasonable and appropriate steps” to stop and remediate unauthorized PI use upon notification above.
- Grants business rights to “reasonable and appropriate” steps to help ensure PI use is consistent with the business’s CPRA obligations.
- Specifies PI sold or disclosed for limited purposes.
- Requires compliance with CPRA obligations.
- Requires provision of CPRA-level of privacy protection.
- Requires notification to the business if can no longer meet CPRA obligations.
- Grants business right to “reasonable and appropriate steps” to stop and remediate unauthorized PI use upon notification above.
- Grants business rights to “reasonable and appropriate” steps to help ensure PI use is consistent with the business’s CPRA obligations.
CPRA Sections 1798.140(ag) (“Service provider”) and 1798.140(j) (“Contractor”)
- Prohibits sale or sharing of PI.
- Prohibits retention, use, or disclosure of PI for any purpose other than business purposes specified in the contract.
- Prohibits retention, use, or disclosure of PI outside direct relationship with business.
- Prohibits combining PI with PI from another person or collects from its own interaction with the consumer, with caveats.
- Notifies business of the use of sub-processors.
- Contractually binds sub-processors to the same processing obligations.
- May permit, subject to agreement, the business to monitor contractual compliance, including through manual reviews, automated scans, regular assessments, audits, technical and operational testing at least once a year.
- Prohibits sale or sharing of PI*.
- Prohibits retention, use, or disclosure of PI for any purpose other than business purposes specified in contract*.
- Prohibits retention, use, or disclosure of PI outside direct relationship with business*.
- Prohibits combining PI with PI from another person or collects from its own interaction with the consumer, with caveats.
- Notifies business of the use of sub-processors.
- Contractually binds sub-processors to the same processing obligations.
- Permits, subject to agreement, the business to monitor contractual compliance, including through manual reviews, automated scans, regular assessments, audits, technical and operational testing at least once a year.
- Includes certification of understanding and compliance*.
*These provisions are associated with a “person” under CCPA’s definition of third parties, which is subject to contractual restrictions and characterized as something other than a third party without any explanation as to how that “person” relates or doesn’t to a “service provider.” It appears that “person” became a “contractor” under CPRA.
This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.
Tags:
Related resources
Global AI Governance Law and Policy: Jurisdiction Overviews
US State Privacy Legislation Tracker
Organizational Digital Governance Report 2025
US State Comprehensive Privacy Laws Report
