Ed. Note: This is the second installment in a year-long series of “frequently asked questions” that the WLF Legal Pulse is hosting on two California laws aimed at protecting the privacy of digital personal data. The author of the posts, David Zetoony of Greenberg Traurig LLP, wrote a book on the laws for the American Bar Association, from which this and future FAQs are excerpted. We thank the American Bar Association for granting us permission to share them with our readers.

******

Data privacy has become one of the greatest areas of risk and concern for business.  It is also quickly becoming a heavily regulated field with the adoption in Europe of the General Data Protection Regulation (GDPR) in 2016 and the adoption in California of the California Consumer Privacy Act (CCPA) in 2018 and the California Privacy Rights Act (CPRA) in 2020.  Some states, such as Colorado and Virginia, have already followed California in enacting data privacy regulation; many others are considering it.

The ABA recently published a Desk Reference Companion to the CCPA and the CPRA, a book authored by Mr. Zetoony. The book is designed to help in-house counsel understand the intricacies of California’s complex privacy regulations by providing answers to 516 of the most frequently asked questions from business.  The following excerpt was reproduced with the permission of the ABA.¹

This month’s question is: 

Will the CPRA require that businesses impose additional contractual requirements on service providers?

The CPRA expanded upon the three substantive contractual restrictions required of service providers by the CCPA by referring to additional substantive prohibitions imposed upon service providers. In addition to these substantive prohibitions, which are used to define which entities constitute service providers, the CPRA requires that other contractual provisions be included within a service provider agreement (although the absence of such provisions does not convert a service provider to a business). The following chart compares the substantive service provider contractual provisions under the CCPA with those that will be required by the CPRA beginning January 1, 2023:

Notes

  1. The full book may be purchased on the ABA’s website at shopABA.org.
  2. Cal. Civ. Code § 1798.140(v) (West 2020).
  3. Cal. Civ. Code § 1798.140(ag)(1)(B), (C) (West 2021).
  4. While the CCPA did not include an express requirement that a contract prohibit a service provider from combining personal information from multiple clients, it did include a requirement that a service provider not “disclos[e]” personal information for any purpose other than for the specific purpose of performing those services specified by a business. See Cal. Civ. Code § 1798.14(v) (West 2020).
  5. Cal. Civ. Code § 1798.140(ag)(1)(A) (West 2021).
  6. Cal. Civ. Code § 1798.100(d)(2) (West 2021).
  7. Cal. Civ. Code § 1798.100(d)(4) (West 2021).
  8. While the CCPA did not include an express requirement that a contract require a service provider to notify the business if another person or entity would be assisting in the processing of personal information, it did include a requirement that a service provider not “disclos[e]” personal information for any purpose other than for the specific purpose of performing those services specified by a business. See Cal. Civ. Code § 1798.14(v) (West 2020).
  9. Cal. Civ. Code § 1798.140(ag)(2) (West 2021).
  10. Cal. Civ. Code § 1798.140(v) (West 2020).
  11. Cal. Civ. Code § 1798.140(ag)(1)(B), (C) (West 2021).
  12. While the CCPA did not include an express requirement that a contract prohibit a service provider from combining personal information from multiple clients, it did include a requirement that a service provider not “disclos[e]” personal information for any purpose other than for the specific purpose of performing those services specified by a business. See Cal. Civ. Code § 1798.14(v) (West 2020).
  13. Cal. Civ. Code § 1798.140(ag)(1)(A) (West 2021).
  14. Cal. Civ. Code § 1798.100(d)(2) (West 2021).
  15. Cal. Civ. Code § 1798.100(d)(4) (West 2021).
  16. While the CCPA did not include an express requirement that a contract require a service provider to notify the business if another person or entity would be assisting in the processing of personal information, it did include a requirement that a service provider not “disclos[e]” personal information for any purpose other than for the specific purpose of performing those services specified by a business. See Cal. Civ. Code § 1798.14(v) (West 2020).
  17. Cal. Civ. Code § 1798.140(ag)(2) (West 2021).
  18. Cal. Civ. Code § 1798.140(ag)(2) (West 2021).