March 28, 2023

Volume XIII, Number 87


March 27, 2023

Subscribe to Latest Legal News and Analysis

Do Your Vendor Contracts Comply with CCPA?

Don’t wait to implement your California Consumer Privacy Act (CCPA) compliance as it could require changes to your operations. CCPA can apply to businesses even if they do not have offices or employees in California. It can also reach activities conducted outside of California.

See our prior alert here to see if CCPA applies to your business. Any entity processing personal information of California consumers on your behalf (i.e., your vendors and service providers) must have a written contract in place including specific language. Review the steps below to help bring vendor contracts in compliance with CCPA.

Consider that “consumers” is broadly defined as a resident of California for other than a transitory purpose and could include customers, employees, business contacts and others. CCPA broadly defines “personal information” and may capture pieces of information your business had not previously treated as personal information, and consequently may reach across your vendors broadly as well.

Do we need to amend our existing vendor contracts to comply? If you answer “yes” to all of the questions below, then you will be required to update them.

  • Does CCPA apply to our company?
  • Does our company use or share personal information of California consumers with any service providers?
  • Will the contracts be in place on or after January 1, 2020 when CCPA applies?

How do we amend our existing vendor contracts? Either an informal agreement or more formal amendment could work if signed by and binding on both parties.

What about any new vendor contracts? Keep all this in mind for them, too

What language must we add to existing or new vendor contracts to comply? Include these terms:

Prohibit the vendor from retaining, using or disclosing the personal information for any purpose other than the specific purpose of performing the services specified in the contract for your business (including retaining, using, or disclosing the personal information for a commercial purpose other than providing such services).

CCPA broadly defines “commercial purposes” in a manner that largely restricts the vendor’s ability to use the personal information for their own benefit outside of rendering services to your business. Engaging in speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism, is not within the meaning of “commercial purposes.”

POTENTIAL TRAP FOR THE UNWARY: CCPA requires additional actions to avoid being categorized as “selling” to your vendor the personal information you use or share with your vendor - even if the vendor was merely intended to help you process the data. To avoid this trap, additional terms are required to be included in the vendor contract and you are also required to make appropriate disclosures of the business purpose for which the data was shared with the vendor in your public privacy notice. CCPA enumerates acceptable business purposes, as a concept separate and distinct from the commercial purposes mentioned above.

This overview does not substitute for considering CCPA’s requirements in their entirety

Copyright © 2023 Womble Bond Dickinson (US) LLP All Rights Reserved.National Law Review, Volume IX, Number 122

About this Author

Theodore Claypoole, Intellectual Property Attorney, Womble Carlyle, private sector lawyer, data breach legal counsel, software development law

As a Partner of the Firm’s Intellectual Property Practice Group, Ted leads the firm’s IP Transaction Team, as well as data breach incident response teams in the public and private sectors. Ted addressed information security risk management, and cross-border data transfer issue, including those involving the European Union and the Data Protection Safe Harbor. He also negotiates and prepares business process outsourcing, distribution, branding, software development, hosted application and electronic commerce agreements for all types of companies.


Nadia Aram, Womble Carlyle, Intellectual Property Attorney, technology licensing lawyer, commercial agreements legal counsel, private securities law
Of Counsel

Nadia advises clients in a variety of business transactions involving the use and commercialization of intellectual property and technology. She has experience drafting and negotiating a broad variety of contracts, including technology licenses, services, consulting and other complex commercial agreements to help clients realize the value of their assets day-to-day, and as part of strategic product and technology acquisitions and divestitures. Nadia also practices in the areas of franchise law, and advertising, sweepstakes & promotions law, including advising clients...

Taylor Ey, Intellectual property attorney, Womble Carlyle, Law Firm

Taylor is an associate in the Intellectual Property Practice Group in Womble Carlyle’s Research Triangle Park Office.


J.D. | 2016 | Wake Forest University School of Law | cum laude | Notes and Comments Editor, Wake Forest Law Review, 2015-2016 | Teaching Assistant, Legal Analysis, Writing and Research I & II, Writing for Judicial Chambers

M.S. |2012 | The Ohio State University | Biomedical Engineering

B.S. | 2011 | The Ohio State University | Biomedical Engineering | Minor, Life Sciences | cum laude