Published: February 2021
The California Privacy Rights Act aims to provide a continuing level of protection for personal information as it flows from covered businesses to third parties, service providers, contractors, and even their sub-processors.
To achieve this objective, CPRA expands on California Consumer Privacy Act requirements by:
- Outlining new contractual requirements to govern the sale, sharing, disclosure and receipt of personal information.
- Placing direct enforceable obligations on service providers and contractors.
- Mandating due diligence of processing operations.
This chart provides a summary of the CPRA's contractual requirements.
Summary of CPRA Contractual Requirements (in the original chart, bold text indicates a change from CCPA)

Section 1798.100(d)(1-5)

| Third Parties | Service Providers | Contractors |
|---|---|---|
| Specifies PI sold or disclosed for limited purposes | Specifies PI sold or disclosed for limited purposes | Specifies PI sold or disclosed for limited purposes |
| Requires compliance with CPRA obligations | Requires compliance with CPRA obligations | Requires compliance with CPRA obligations |
| Requires provision of a CPRA-level of privacy protection | Requires provision of a CPRA-level of privacy protection | Requires provision of a CPRA-level of privacy protection |
| Requires notification to the business if it can no longer meet CPRA obligations | Requires notification to the business if it can no longer meet CPRA obligations | Requires notification to the business if it can no longer meet CPRA obligations |
| Grants the business the right to take “reasonable and appropriate steps” to stop and remediate unauthorized PI use upon the notification above | Grants the business the right to take “reasonable and appropriate steps” to stop and remediate unauthorized PI use upon the notification above | Grants the business the right to take “reasonable and appropriate steps” to stop and remediate unauthorized PI use upon the notification above |
| Grants the business the right to take “reasonable and appropriate” steps to help ensure PI use is consistent with the business’s CPRA obligations | Grants the business the right to take “reasonable and appropriate” steps to help ensure PI use is consistent with the business’s CPRA obligations | Grants the business the right to take “reasonable and appropriate” steps to help ensure PI use is consistent with the business’s CPRA obligations |

CPRA Sections 1798.140(ag) (“Service provider”) and 1798.140(j) (“Contractor”)

| Third Parties | Service Providers | Contractors |
|---|---|---|
| | Prohibits sale or sharing of PI | Prohibits sale or sharing of PI* |
| | Prohibits retention, use, or disclosure of PI for any purpose other than the business purposes specified in the contract | Prohibits retention, use, or disclosure of PI for any purpose other than the business purposes specified in the contract* |
| | Prohibits retention, use, or disclosure of PI outside the direct relationship with the business | Prohibits retention, use, or disclosure of PI outside the direct relationship with the business* |
| | Prohibits combining PI with PI received from another person or collected from its own interaction with the consumer, with caveats | Prohibits combining PI with PI received from another person or collected from its own interaction with the consumer, with caveats |
| | Notifies the business of the use of sub-processors | Notifies the business of the use of sub-processors |
| | Contractually binds sub-processors to the same processing obligations | Contractually binds sub-processors to the same processing obligations |
| | May permit, subject to agreement, the business to monitor contractual compliance, including through manual reviews, automated scans, regular assessments, audits, and technical and operational testing at least once a year | Permits, subject to agreement, the business to monitor contractual compliance, including through manual reviews, automated scans, regular assessments, audits, and technical and operational testing at least once a year |
| | | Includes certification of understanding and compliance* |

*These provisions are associated with a “person” under CCPA’s definition of third parties: a person that is subject to contractual restrictions and is characterized as something other than a third party, without any explanation of how that “person” relates, or does not relate, to a “service provider.” It appears that this “person” became a “contractor” under CPRA.
Top-10 operational impacts of the CPRA - Part 6: Service providers, contractors and third parties
This piece is the sixth in a ten-part series covering the operational impacts of the California Privacy Rights Act.