The CCPA requires that a service provider agree to three substantive restrictions involving the retention, use, and disclosure of personal information. The CPRA ostensibly expands upon the three substantive contractual restrictions by referring to nine additional provisions that should be included within a service provider agreement. The following chart compares the substantive service provider contractual provisions under the CCPA with those that will be required by the CPRA beginning January 1, 2023:
| Requirement | CCPA | CPRA |
|---|---|---|
| Retention Restrictions | | |
| 1. Delete or return data. Agreement must require that a service provider delete or return data at the end of an engagement. | ✓[1] | ✓[2] |
| Use Restrictions | | |
| 2. Use restrictions. A service provider can only process personal data consistent with a business’s instructions (i.e., it may not use it for anything other than performing the services under the agreement or improving the quality of those services). | ✓[3] | ✓[4] |
| 3. Stop unauthorized use. Agreement permits the business, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information. | X | ✓[5] |
| 4. Grants business reasonable rights. Agreement grants the business the right to take “reasonable and appropriate steps” to help ensure that the service provider “uses” personal information consistent with the business’s legal obligations. For example, these might include reasonable audit rights. | X | ✓[6] |
| 5. Combining personal information from multiple clients. Agreement prohibits a service provider from “combining the personal information” that it receives from one business with the personal information that it receives from another business (or collects from its own interaction with consumers), except where this relates to a business purpose identified by regulations to be adopted by the California Privacy Protection Agency. | X/✓[7] | ✓[8] |
| Disclosure Restrictions | | |
| 6. Disclosure restrictions. Agreement prohibits disclosing personal information other than to perform the services specified in the contract. | ✓[9] | ✓[10] |
| 7. Prohibition against selling or sharing. Agreement prohibits the service provider from selling personal information or sharing personal information for the purpose of cross-context behavioral advertising. | X/✓[11] | ✓[12] |
| Additional Requirements | | |
| 8. Compliance with applicable obligations. Agreement requires that the service provider provide the level of privacy protection required under California law. | X | ✓[13] |
| 9. Obligates service provider to notify business of non-compliance. Agreement requires that a service provider notify the business if the service provider determines that it can no longer meet its obligations under California law. | X | ✓[14] |
| 10. Subcontractor notification. A service provider must notify the business if it engages another person or company to assist it in processing personal information. | X[15] | ✓[16] |
| 11. Subcontracting flow-down obligations. A service provider must flow down its contractual obligations to sub-processors. | X | ✓[17] |
[1] Cal. Civil Code § 1798.140(v) (Oct. 2020).
[2] Cal. Civil Code § 1798.140(ag)(1)(B), (C).
[3] Cal. Civil Code § 1798.140(v) (Oct. 2020); CCPA Regulations, Cal. Code Regs. tit. 11, § 999.314(c)(1).
[4] Cal. Civil Code §§ 1798.100(d)(1), 1798.140(ag)(1)(B), (C).
[5] Cal. Civil Code § 1798.100(d)(5).
[6] Cal. Civil Code § 1798.100(d)(3).
[7] While the CCPA did not include an express requirement that a contract prohibit a service provider from combining personal information from multiple clients, it did require that a service provider not “disclos[e]” personal information for any purpose other than the specific purpose of performing the services specified by the business. See Cal. Civil Code § 1798.140(v) (Oct. 2020).
[8] Cal. Civil Code § 1798.140(ag)(1)(D).
[9] Cal. Civil Code § 1798.140(v) (Oct. 2020).
[10] Cal. Civil Code § 1798.140(ag)(1)(B), (C).
[11] While the CCPA did not include an express requirement that a contract prohibit a service provider from selling or sharing personal information, it did require that a service provider not “disclos[e]” personal information for any purpose other than the specific purpose of performing the services specified by the business. See Cal. Civil Code § 1798.140(v) (Oct. 2020).
[12] Cal. Civil Code § 1798.140(ag)(1)(A).
[13] Cal. Civil Code § 1798.100(d)(2).
[14] Cal. Civil Code § 1798.100(d)(4).
[15] While the CCPA did not include an express requirement that a contract require a service provider to notify the business if another person or entity would assist in processing personal information, it did require that a service provider not “disclos[e]” personal information for any purpose other than the specific purpose of performing the services specified by the business. See Cal. Civil Code § 1798.140(v) (Oct. 2020).
[16] Cal. Civil Code § 1798.140(ag)(2).
[17] Cal. Civil Code § 1798.140(ag)(2).