January 30, 2023

Volume XIII, Number 30


January 27, 2023


If a Service Provider Agreed to a Data Processing Addendum That Complied with the CCPA, Will a New Addendum Be Needed for the CPRA That Specifically Prohibits Selling or Sharing of Data?

It depends.

As discussed in Q 223, the CPRA ostensibly expanded the three substantive contractual restrictions identified in the CCPA by referring to nine additional provisions that should be included within a service provider agreement by January 1, 2023. Many of the new requirements, however, may be redundant with, or subsumed within, contractual provisions that were put in place to satisfy the CCPA.

For example, the CCPA required that companies prohibit service providers from “disclosing the personal information” that they received “for any purpose other than for the specific purpose of performing the services specified in the contract for the business . . . .”[1]  The CPRA includes the same prohibition, but also states that an agreement with a service provider should prohibit the service provider from “selling or sharing [for cross-context behavioral advertising] personal information.”[2]

To the extent that a service provider agreement, or a data processing addendum, already prohibits a service provider from “disclosing” personal information for “any purpose” other than what is specified in the agreement, and the agreement does not specify that the service provider can sell or share information for targeted advertising, it is not clear that the agreement would need to be amended to state specifically that, in addition to not disclosing personal information, the service provider may not sell or share it, because selling or sharing would be a form of disclosure. If, however, an agreement drafted under the CCPA prohibited the general disclosure of personal information but specified that, notwithstanding that general prohibition, the service provider could share it for cross-context advertising, the agreement might need to be amended to prohibit such disclosures in order to make clear that any transfer of information is being done on behalf of the business.

[1]  Cal. Civil Code § 1798.140(v) (Oct. 2020).

[2]  Cal. Civil Code § 1798.140(ag)(1)(A).

©2023 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume X, Number 332

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...