It depends.
The CPRA ostensibly expanded the three substantive contractual restrictions identified in the CCPA by referring to nine additional provisions that should be included within a service provider agreement by January 1, 2023. Many of the new requirements, however, may be redundant of, or subsumed within, contractual provisions that were put in place to satisfy the CCPA.
For example, the CCPA required that companies prohibit service providers from “disclosing the personal information” that they received “for any purpose other than for the specific purpose of performing the services specified in the contract for the business . . . .”[1] The CPRA includes the same prohibition, but also states that an agreement with a service provider should prohibit the service provider from “selling or sharing [for cross-context behavioral advertising] personal information.”[2]
To the extent that a service provider agreement, or a data processing addendum, already prohibits a service provider from “disclosing” personal information for “any purpose” other than what is specified in the agreement, and the agreement does not specify that the service provider can sell or share information for targeted advertising, it’s not clear that the agreement would need to be amended to state specifically that, in addition to not disclosing personal information, the service provider may not sell or share it (as selling or sharing would be a form of disclosure). To the extent, however, that an agreement drafted under the CCPA prohibited the general disclosure of personal information but specified that, notwithstanding the general prohibition, a service provider could share it for cross-context advertising, the agreement might need to be amended to prohibit such disclosures in order to make clear that any transfer of information is being done on behalf of the business.
[1] Cal. Civil Code § 1798.140(v) (Oct. 2020).
[2] Cal. Civil Code § 1798.140(ag)(1)(A).