Practitioners' Corner: CCPA Contracting, Part 1

Practitioner’s Corner is a monthly focus on topics of interest to in-house counsel in the implementation of their privacy programs.

In CCPA Contracting, Part 1, we explore whether it is necessary for a business to create a service provider relationship via contract. In Part 2 of this series, we take the next step after deciding to create a service provider relationship: drafting the contract.

You could start by diving right into the relevant definitions and obligations, but we urge you to take a step back. Ask yourself: do I need to establish a service provider relationship in the first place?

The CCPA allows consumers to opt out of a business’s “sale” of personal information to a third party. When consumers exercise that right, they effectively cut off the flow of their personal information between the business and the third party. Businesses can avoid this outcome in certain cases by executing a contract with the third party, making it the business’s “service provider” and immunizing the relationship and data flows from the consumer’s opt-out choice.

The trade-off is that service providers are restricted from “retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business,” meaning that it is more difficult for service providers to freely use personal information.

The question is whether creating the service provider relationship is necessary in every situation. The CCPA does not compel businesses and service providers to contract when they exchange personal information between them, unlike the controller-processor relationship in the General Data Protection Regulation (GDPR).

Some situations unquestionably call for service provider contracts because the consequence of an opt-out choice is unacceptable to the business. For example, if you use a cloud service provider to store personal information, a consumer’s opt-out choice would, in effect, prevent you from storing that consumer’s personal information with that cloud service provider. Giving individual consumers control in this manner is likely untenable from a technical system architecture perspective and may actually jeopardize the security of the data.

Here is another consequential scenario: savvy CCPA lawyers will know that two entities in the same corporate group are considered a single “business,” if they control or are controlled by one another and they share common branding. This means that, if two entities in the same corporate group exchange personal information, but are not similarly branded, that exchange could be a “sale.” In this case, having an intra-group service provider contract is critical because it prevents a potentially significant business interruption.

In other cases, you may find it acceptable not to create a service provider relationship because the costs of creating that relationship outweigh the benefits. For example:

• Your service does not depend on a transfer of personal information to a third party.
• You have alternative arrangements that can be used in the event of a consumer’s opt-out choice.
• You expect that consumers will seldom exercise their opt-out choice, so the impact of consumer opt-out requests is lessened.
• It is not feasible for the service provider’s uses of personal information to be constrained by contract.

In addition to these factors, you should also consider whether your existing contracts have language that is compatible with the CCPA’s requirements for creating the service provider relationship.If the recipient of personal information is effectively a service provider already, you may not need to take further action. Alternatively, updating your contracts for CCPA compliance may not present significant challenges.

Your decision whether to transform third parties into service providers is unique to your circumstances. As with all CCPA compliance efforts, that decision begins with knowing your data flows. In Part 2, we will discuss the language that must be present in CCPA service provider contracts if you decide to create them.