August 18, 2022

Volume XII, Number 230

Advertisement
Advertisement

August 18, 2022

Subscribe to Latest Legal News and Analysis

August 17, 2022

Subscribe to Latest Legal News and Analysis

August 16, 2022

Subscribe to Latest Legal News and Analysis

What Should We Do About the Draft CPRA Regulations?: Contracts

In this third post of our ongoing series, we examine key takeaways for companies in light of the recently released draft CPRA regulations. Today’s focus is on contractual requirements. (Visit here for information about collection and notice under the draft regulations, and here for information about choice.)

The contractual requirements in the draft regulations do not mirror the statute and add entirely new obligations. For example, the draft regulations prescribe a new, five-day time period in which a service provider, contractor, or third party must notify the business if they determine they can no longer comply with the CPRA’s requirements. The draft regulations also require contracts with service providers to identify the specific business purposes and services for which personal information will be processed and prohibit generic descriptions of such purposes, such as referencing the entire contract generally.

The draft regulations state that failure to meet the prescriptive requirements means that the recipient is not a service provider or contractor under the CCPA. This means that any such transfer would be deemed a “share” subject to the right to opt out of sharing. Businesses must also conduct due diligence on service providers, contractors, and third parties to take advantage of the CPRA statute’s liability shield for compliance failures of the service provider, etc. without the business’s knowledge.

Putting it into practice. While the draft regulations may undergo many updates between now and CPRA’s January 1, 2023 effective date, there are certain things companies can do today. This includes analyzing these new requirements for contracts and analyzing existing service provider relationships to identify possible gaps.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume XII, Number 180
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Julia Kadish is an attorney in the Intellectual Property Practice Group in the firm's Chicago office.

Areas of Practice

Julia's practice focuses on data breach response and preparedness, reviewing clients' products and services for privacy implications, drafting online terms and conditions and privacy policies, and advising clients on cross-border data transfers and compliance with US and international privacy regulations and standards. She also workes on drafting and negotiating software licenses, data security exhibits, big data licenses, professional...

312.499.6334
Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

312-499-6335
Advertisement
Advertisement
Advertisement