Updated: February 2, 2021

The California Privacy Rights Act aims to provide a continuing level of protection for personal information as it flows from covered businesses to third parties, service providers, contractors, and even their sub-processors.

To achieve this objective, CPRA expands on California Consumer Privacy Act requirements by:

  • Outlining new contractual requirements to govern the sale, sharing, disclosure and receipt of personal information.
  • Placing direct enforceable obligations on service providers and contractors.
  • Mandating due diligence of processing operations.

This chart provides a summary of the CPRA's contractual requirements.

Top-10 operational impacts of the CPRA, Part 6: Service providers, contractors and third parties

This piece is the sixth in a ten-part series covering the operational impacts of the California Privacy Rights Act.


Summary of CPRA Contractual Requirements
(Bold text indicates a change from CCPA)
Section 1798.100(d)(1-5)

| Requirement | Third Parties | Service Providers | Contractors |
|---|---|---|---|
| Specifies PI sold or disclosed for limited purposes | Yes | Yes | Yes |
| Requires compliance with CPRA obligations | Yes | Yes | Yes |
| Requires provision of CPRA-level privacy protection | Yes | Yes | Yes |
| Requires notification to the business if it can no longer meet CPRA obligations | Yes | Yes | Yes |
| Grants business the right to take “reasonable and appropriate steps” to stop and remediate unauthorized PI use upon the notification above | Yes | Yes | Yes |
| Grants business the right to take “reasonable and appropriate” steps to help ensure PI use is consistent with the business’s CPRA obligations | Yes | Yes | Yes |
CPRA Sections 1798.140(ag) (“Service provider”) and 1798.140(j) (“Contractor”)

| Requirement | Third Parties | Service Providers | Contractors |
|---|---|---|---|
| Prohibits sale or sharing of PI | — | Yes | Yes* |
| Prohibits retention, use, or disclosure of PI for any purpose other than the business purposes specified in the contract | — | Yes | Yes* |
| Prohibits retention, use, or disclosure of PI outside the direct relationship with the business | — | Yes | Yes* |
| Prohibits combining PI with PI received from another person or collected from its own interaction with the consumer, with caveats | — | Yes | Yes |
| Notifies business of the use of sub-processors | — | Yes | Yes |
| Contractually binds sub-processors to the same processing obligations | — | Yes | Yes |
| Business may monitor contractual compliance, subject to agreement, including through manual reviews, automated scans, regular assessments, audits, and technical and operational testing at least once a year | — | May permit | Permits |
| Includes certification of understanding and compliance | — | — | Yes* |
*These provisions are associated with a “person” under CCPA’s definition of third parties, which is subject to contractual restrictions and characterized as something other than a third party, without any explanation of how that “person” does or does not relate to a “service provider.” It appears that “person” became a “contractor” under CPRA.