January 21, 2022

Volume XII, Number 21


Is it Groundhog Day? Do I need to revise all my service provider agreements again for the CCPA?

The CPRA amended the CCPA’s definition of a service provider such that, beginning Jan. 1, 2023, a service provider could include any person (not just a legal entity), and a service provider could be a business that receives personal information “on behalf of” another business. The CPRA also added the requirement that written contracts contain the following prohibitions in addition to the three prohibitions that were originally contained in the CCPA:

  1. Selling or sharing personal information,1

  2. Retaining, using, or disclosing personal information “outside of the direct business relationship” between the service provider and the business,2 and

  3. Combining (subject to some exceptions) the personal information that the service provider receives from one business with information that it receives from another business.3

Some attorneys may take the position that a CCPA-drafted service provider agreement that does not contain the aforementioned three specific prohibitions is insufficient to satisfy the definition of a service provider under the CPRA. From a substantive perspective, however, the three prohibitions added by the CPRA appear to be subsumed within the original three prohibitions contained within the CCPA. For example, a vendor that is contractually prohibited from “disclosing” personal information is functionally prevented from “selling or sharing” personal information (as both activities are forms of disclosure). As a result, it is difficult to identify a definitive category of vendors that is likely to qualify as a service provider under the CCPA, and yet not qualify as a service provider under the CPRA.

1 Cal. Civ. Code 1798.140(ag)(1)(A).

2 Cal. Civ. Code 1798.140(ag)(1)(C).

3 Cal. Civ. Code 1798.140(ag)(1)(D).

©2022 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XI, Number 71

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig
Shareholder

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...

303.685.7425