January 27, 2021

Volume XI, Number 27

Advertisement

January 27, 2021

Subscribe to Latest Legal News and Analysis

January 26, 2021

Subscribe to Latest Legal News and Analysis

January 25, 2021

Subscribe to Latest Legal News and Analysis

If a Service Provider Agreed to A Data Processing Addendum that Complied with The CCPA Will a New Addendum Be Needed for The CPRA that Includes Additional Use Restrictions?

It depends.

As discussed in Q 223, the CPRA ostensibly expanded the three substantive contractual restrictions identified in the CCPA by referring to nine additional provisions that should be included within a service provider agreement by January 1, 2023.  Many of the new requirements, however, may be redundant of, or subsumed within, contractual provisions that were put in place to satisfy the CCPA.

In the context of use restrictions, the CCPA required that companies prohibit service providers from “using . . . the personal information” that they received “for any purpose” other than a purpose specified in the parties agreement.”[1]  The CPRA includes the same prohibition, but also states that an agreement with a service provider should (1) specify that personal information is being provided only for a “limited and specified purpose,” [2] (2) permit the business to take reasonable steps to stop or remediate unauthorized use of personal information, [3] (3) grant the business the right to take “reasonable and appropriate steps” to ensure that a service provider’s use is consistent with the agreement, [4] and (4) prohibit a service provider from combining the business’s personal information with personal information that it receives from other clients. [5]

Many of the new use-related requirements of the CPRA may already exist within a service provider agreement or a data processing addendum.  For example, to the extent that the parties’ agreements already identify the use to which data will be put, provide the parties with remedies in the event of contractual breach, and prohibit the service provider from combining data from multiple sources, the agreement may already comply with the requirements of the CPRA.

[1] Cal. Civil Code § 1798.140(v) (Oct. 2020).

[2] Cal. Civil Code § 1798.100(d)(1).

[3] Cal. Civil Code § 1798.100(d)(5).

[4] Cal. Civil Code § 1798.100(d)(3).

[5] Cal. Civil Code § 1798.140(ag)(1)(A).

Advertisement
©2020 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume X, Number 332
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig
Shareholder

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...

303.685.7425
Advertisement
Advertisement