Contractual Requirements for Vendor Contracts under the CCPA

February 2023

1. Background

It may be time to scrutinize your data maps and data processing agreements. With the recent modifications to the California Consumer Privacy Act that the California Privacy Rights Act (collectively, CCPA) ushered in, the protections afforded to personal information now flow downstream from businesses to service providers, contractors, and third parties. 

Generally, disclosures made by a business to another entity trigger CCPA’s opt-out rules (e.g., requiring placement of a “Do Not Sell or Share My Personal Information” link on your homepage), unless an exception applies. One such exception is the disclosure of personal information to service providers or contractors for a business purpose. Broadly speaking, a business purpose is the use of personal information in furtherance of the services for which the personal information was disclosed. However, such disclosures are subject to contractual terms, as specified by CCPA. Without such contractual terms, the disclosures are considered a sale and/or sharing to a “third party” and thus trigger the consumer opt-out rights.

An added benefit of having the statutorily required contractual terms in place is limiting your business’s liability for a breach or violation caused by a service provider, contractor, and even with respect to a third party- as long as the business does not know (and should not know) that the service provider, contractor, or third party intends to violate the CCPA. In such a case, the service provider, contractor, or third party would be liable for the breach of personal information, not the business.

In turn, it is important to understand the distinctions between service providers, contractors, and third parties because the contractual terms and obligations will turn on such classification.

2. Definitions

The CPRA defines service providers, contractors, and third parties as follows:

• Service providers are entities that process personal information on behalf of a business for a business purpose, such as cloud data storage or website hosting providers.
• Contractors are entities that perform work for or provide services to a business, and that may receive or have access to personal information in the course of performing that work or providing those services.
• Third parties are entities that are not service providers or contractors, but receive personal information from a business for business or commercial purpose, for their own purposes, including for marketing or advertising.

For the purpose of distinguishing between these disclosures, service providers and contractors are fairly similar, whereas a third-party is primarily an entity to which personal information is sold or shared. A service provider is defined as a “person that processes personal information on behalf of a business and that receives from or on behalf of the business consumer's personal information for a business purpose pursuant to a written contract…..” and a contractor is a “person to whom the business makes available a consumer's personal information for a business purpose, pursuant to a written contract….” Third parties are neither of these, but would include entities that purchase personal information from a business or entities that receive the personal information for their own advertising or cross-contextual behavioral advertising purposes.

3. General Requirements

Contracts between a business and a service provider, contractor, or third party must include terms that:

1. Specify that the personal information is sold or disclosed by the business only for limited and specified purposes.
2. Obligate the third party, service provider, or contractor to comply with applicable obligations under the CCPA and obligates those persons to provide the same level of privacy protection as is required by the CCPA.
3. Grant the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business’ obligations under the CCPA.
4. Require the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations under the CCPA.
5. Grant the business the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.

There are additional requirements for contracts between a business and a service provider or contractor, including certain prohibitions on the usage of personal information. Specifically these contracts must include terms that prohibit:

1. Selling or sharing personal information;
2. Retaining, using or disclosing the personal information or any purpose other than for the business purposes specified in the contract for the business
3. Retaining, using, or disclosing the information outside of the direct business relationship; and
4. Combining personal information from different sources – an area also subject to future regulations.

Further if the contract is between a business and contractor, the contractor must certify that it understands and will comply with these restrictions.

It is worth noting, that service providers are permitted to use personal information for their own limited internal purposes set forth in the CCPA and its regulations, including “to build or improve the quality of [the service provider’s] services, provided that the use does not include building or modifying household or consumer profiles to use in providing services to another business, or correcting or augmenting data acquired from another source.” For example, a car rental business may use a consumer’s driver’s license for the purpose of testing that its internal text recognition software accurately captures license information used in car rental transactions.

A business considering implementing these contracts will also need to address information security measures, data breaches, consumer requests, and limitations of liability. They must also take steps to ensure that service providers, contractors, and third parties protect personal information in accordance with the law. Given the potential civil penalties and private rights of action for a violation of the CCPA, businesses must take care to address their contractual requirements with all of their vendors.

Please reach out to us if you need any assistance in implementing these contracts or have other privacy concerns related to your business.

For more information, please contact Chiara Portner and Kenny Gutierrez.