New Year’s Day 2023 will usher in many new changes for California (and, by extension, the U.S.) privacy law when the California Privacy Rights Act becomes fully operative. One significant change will be the CPRA’s expansion of contracting requirements for transfers of personal information to other entities. The California Consumer Privacy Act only requires contracts to establish service provider relationships. The CPRA will expand that requirement to include transfers to third parties and “contractors,” a new category of entities under the CPRA. It also will significantly expand what the contract must include.

Although these changes will not go into effect for another two years, businesses subject to the CPRA should be mindful that identifying applicable data transfers and negotiating agreements can be a monumental task.

CCPA contractual requirements

The CCPA created three categories of entities: businesses, service providers and third parties. Generally speaking, "businesses" are entities that collect personal information from California residents, while "service providers" and "third parties" are entities to which businesses transfer that personal information. Unless an exception applies, a transfer of personal information to a third party likely constitutes a “sale,” triggering the business’s obligation to provide the right to opt out. In comparison, transfers of personal information to service providers do not trigger the right to opt out because service providers are contractually limited in using personal information.

To qualify as a service provider relationship under Section 1798.140(v), the business’s disclosure of personal information must be pursuant to a written contract that prohibits the receiving entity “from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business [i.e., the business purpose], or as otherwise permitted by [the CCPA], including retaining, using, or disclosing the personal information for a commercial purpose other than [the business purpose].”  

In practice, parties also routinely look to the definitions of “third party” and “sale” in Sections 1798.140(w) and (t)(2)(C), respectively, and incorporate those definitions into service provider contracts to avoid triggering the right to opt out.

“Third party” is defined by what it is not. A third party is a person who is neither the business that collects the personal information nor a person to whom the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the person from:

  1. Selling personal information.
  2. Retaining, using or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using or disclosing the personal information for a commercial purpose other than providing the services specified in the contract.
  3. Retaining, using or disclosing the information outside of the direct business relationship between the person and the business.

The receiving entity must also certify that it understands these contractual restrictions and will comply with them.

Similarly, the definition of “sale” states that a business does not sell personal information when it “uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose if” (1) the “business has provided notice of that information being used or shared in its terms and conditions consistent with Section 1798.135” of the CCPA and (2) the “service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose.”

Notably, Section 999.314(c) of the final CCPA regulations creates a list of permissible uses by a service provider that contracting parties often overlook. For example, that section states that service providers can retain and employ another service provider as a subcontractor, where the subcontractor meets the service provider requirements. The CCPA’s failure to discuss subcontracting was a glaring omission that the CCPA regulations fixed (and which, as discussed below, the CPRA also remedies).

CPRA contractual requirements

Contractors

The CPRA adds a new category, “contractors,” which are entities to which businesses “make available” personal information. In comparison, service providers are entities that “process” personal information on behalf of a business and receive personal information “from or on behalf of the business.” These definitions are in Sections 1798.140(j) and (ag).

The comments to the initial annotated version of the CPRA ballot measure state that the new contractor category was taken from the CCPA’s third-party definition. A contractor, therefore, is any entity that receives personal information from a business and enters into a contract with the above-noted restrictions (subject to some changes/additions as discussed below). The suggestion that the contractor category already exists in the CCPA is interesting. However, the comments acknowledge that a contractor “[e]ssentially functions identically to ‘Service Provider,’ with the distinction that SP’s process [personal information] received ‘from or on behalf of a business,’ whereas contractors uses [sic] [personal information] ‘disclosed by’ a business.” That contractors and service providers are virtually identical also is reflected in the fact that CPRA’s definitions of those two terms closely track each other.

New contractual requirements

Perhaps the most notable change with respect to transfers of personal information is found in Section 1798.100. A business that collects a consumer’s personal information and “sells that personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose” must enter into an agreement with that third party, service provider or contractor that:

  1. Specifies that the personal information is sold or disclosed by the business only for limited and specified purposes.
  2. Obligates the third party, service provider or contractor to comply with applicable obligations of the CPRA and obligates those persons to provide the same level of privacy protection as is required by the CPRA.
  3. Grants the business rights to take reasonable and appropriate steps to ensure that the third party, service provider or contractor uses the personal information transferred in a manner consistent with the business's obligations under this title.
  4. Requires the third party, service provider or contractor to notify the business if it decides it can no longer meet its obligations under this title.
  5. Grants the business the right, upon notice, including under Paragraph (4), to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.

As noted, this new requirement extends the duty to contract to third-party transfers, which is currently not required by the CCPA.

In addition to those five requirements, businesses wishing to establish service provider or contractor transfers will need to include additional provisions in the contract.

First, the transfer must be for a “business purpose” as defined by the CPRA. The CPRA substantially revises the definition of “business purpose” such that it will be important for businesses to review the new definition when drafting these contracts.

Second, the contract must state that the service provider or contractor is prohibited from:

  1. Selling or sharing personal information.
  2. Retaining, using or disclosing personal information for any purpose other than for the business purposes specified in the contract, including retaining, using or disclosing personal information for a commercial purpose other than the business purposes specified in the contract or as otherwise permitted by the CPRA.
  3. Retaining, using or disclosing the information outside of the direct business relationship between the contractor and the business.

These requirements mirror and harmonize the requirements currently found in Sections 1798.140(v) and (w), as discussed above. 

Third, the contract must prohibit the service provider or contractor from combining the personal information it receives from the business with personal information it receives from or on behalf of another person or persons or that it collects from its own interaction with the consumer. However, the receiving entity will be able to combine the personal information to perform certain business purposes that will be identified in regulations adopted by the California Privacy Protection Agency.

Contractor contracts (but not service provider contracts) must also include a certification from the contractor that it understands the above restrictions and will comply with them. This divergent requirement is a by-product of the CPRA copying the CCPA’s language from Section 1798.140(w) to create the new definition of a contractor.

Fourth, subject to agreement with the service provider or contractor, the contract should allow the business to monitor the receiving party’s compliance with the contract through measures, including but not limited to ongoing manual reviews and automated scans and regular assessments, audits or other technical and operational testing at least once every 12 months. The slightly different wording regarding this right to monitor found in Sections 1798.140(j)(1)(C) and 1798.140(ag)(1)(D) suggests that it may be mandatory for transfers to contractors but permissive for transfers to service providers.

Finally, if the service provider or contractor engages a sub-processor or a sub-processor engages a sub-processor, the service provider or contractor is required to notify the business and enter into a contract with the sub-processor containing the above requirements.

Responding to consumer requests

Finally, although the CPRA does not require contractual provisions concerning responding to consumer requests, Sections 1798.105(c)(3) and 1798.130(a)(3)(A) contain some requirements that parties may want to incorporate into these contracts. Service providers and contractors are not required to respond to consumer requests submitted to them when acting as a service provider or contractor. However, service providers and contractors “shall” cooperate with businesses in responding to verifiable consumer requests, including deleting personal information or enabling the business to do so, and notifying their own service providers or contractors to delete the personal information. Service providers and contractors also must provide the business with the personal information in their possession that was obtained in their capacity as a service provider or contractor for the business. In addition, they must correct any inaccurate personal information.

Conclusion

Although the CPRA will not become fully operative until January 2023, businesses should use the coming months to address the CPRA’s new contractual requirements to ensure that they are fully compliant by such date.
