January 27, 2021

Volume XI, Number 27

Advertisement

January 27, 2021

Subscribe to Latest Legal News and Analysis

January 26, 2021

Subscribe to Latest Legal News and Analysis

January 25, 2021

Subscribe to Latest Legal News and Analysis

Will the CPRA Require that Businesses Impose Additional Contractual Requirements on Service Providers?

As discussed in Q 204, the CCPA requires that a service provider agree to three substantive restrictions involving the retention, use, and disclosure of personal information.  The CPRA ostensibly expands upon the three substantive contractual restrictions by referring to nine additional provisions that should be included within a service provider agreement.  The following chart compares the substantive service provider contractual provisions under the CCPA with those that will be required by the CPRA beginning January 1, 2023:

Requirement

CCPA

CPRA

Retention Restrictions

1. Delete or return data.  Agreement must require that a service provider delete or return data at the end of an engagement
(i.e., not retain data).

✓[1]

✓[2]

 Use Restrictions

2. Use Restrictions.  A service provider can only process personal data consistent with a business’s instructions (i.e., not use it for something other than to perform services under the agreement or improve the quality of services).

✓[3]

✓[4]

3. Stop unauthorized use.  Agreement permits the business to, upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.

X

✓[5]

4. Grants business reasonable rights.  Agreement grants the business the right to take “reasonable and appropriate steps” to help ensure that the service provider “uses” personal information consistent with the business’s legal obligations.  For example, these might include reasonable audit rights.

X

✓[6]

5. Combining personal information from multiple clients.  Agreement prohibits a service provider from “combining the personal information” that it receives from one business with the personal information that it receives from another business (or collects from its own interaction with consumers), except if it relates to a business purpose identified by regulations to be adopted by the California Privacy Protection Agency.

X/✓[7]

✓[8]

Disclosure Restrictions

6. Disclosure Restrictions.  Agreement prohibits disclosing personal information other than to perform services specified in the contract.

[9] [10]

7. Prohibition against selling or sharing.  Agreement prohibits service provider from selling personal information or sharing personal information for the purpose of cross-context behavioral advertising.

X/✓[11] ✓[12]

Additional Requirements

8. Compliance with applicable obligations.  Agreement requires that the service provider provide the level of privacy protections required under California law.

X ✓[13]

9. Obligates service provider to notify business of non-compliance.  Agreement requires that a service provider notify the business if the service provider determines that it can no longer meet obligations under California law.

X ✓[14]

10. Subcontractor notification.  A service provider must notify a business if it engages another person or company to assist it in processing personal information.

X[15] ✓[16]

11. Subcontracting flow down obligations.  Service provider must flow down contractual obligations to sub-processors.

X ✓[17]

[1] Cal. Civil Code § 1798.140(v) (Oct. 2020).

[2] Ca. Civil Code § 1798.140(ag)(B), (C).

[3] Cal. Civil Code § 1798.140(v) (Oct. 2020); CCPA Regulation 999.314(c)(1).

[4] Cal. Civil Code § 1798.100(d)(1), 140(ag)(1)(B), (C).

[5] Cal. Civil Code § 1798.100(d)(5).

[6] Cal. Civil Code § 1798.100(d)(3).

[7] While the CCPA did not include an express requirement that a contract prohibit a service provider from selling or sharing personal information, it did include a requirement that a service provider not “disclos[e]” personal information for any purpose other than for the specific purpose of performing those services specified by a business.  See Cal. Civil Code § 1798.14(v) (October 2020).

[8] Cal. Civil Code § 1798.140(ag)(1)(A).

[9] Cal. Civil Code § 1798.140(v) (Oct. 2020).

[10] Cal. Civil Code § 1798.140(ag)(1)(B), (C).

[11] While the CCPA did not include an express requirement that a contract prohibit a service provider from combining personal information from multiple clients, it did include a requirement that a service provider not “disclos[e]” personal information for any purpose other than for the specific purpose of performing those services specified by a business.  See Cal. Civil Code § 1798.14(v) (October 2020).

[12] Cal. Civil Code § 1798.140(ag)(1)(A).

[13] Cal. Civil Code § 1798.100(d)(2).

[14] Cal. Civil Code § 1798.100(d)(4).

[15] While the CCPA did not include an express requirement that a contract require a service provider to notify the business if another person or entity would be assisting in the processing of personal information, it did include a requirement that a service provider not “disclos[e]” personal information for any purpose other than for the specific purpose of performing those services specified by a business.  See Cal. Civil Code § 1798.14(v) (October 2020).

[16] Cal. Civil Code § 1798.140(ag)(2).

[17] Cal. Civil Code § 1798.140(ag)(2).

Advertisement
©2020 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume X, Number 332
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement

About this Author

Henry Greenberg, Greenberg Traurig Law Firm, Albany, Healthcare Litigation Attorney
Shareholder

A former Counsel to the New York State Attorney General, General Counsel to a major New York State agency and federal prosecutor, Hank Greenberg has handled numerous high-profile matters. He concentrates his practice on civil litigation, criminal and civil investigations, health law matters, and regulatory and administrative law.

From 2007 to 2010, Hank served as Counsel to former New York State Attorney General Andrew M. Cuomo. In that capacity, he worked on some of the agency's most significant litigation and public policy initiatives. He also...

518-689-1492
Advertisement
Advertisement