Practitioners’ Corner: CCPA Contracting, Part 2
In CCPA Contracting, Part 1, we explored whether it is necessary for a business to create a service provider relationship via contract. In Part 2 of this series, we take the next step after deciding to create a service provider relationship: drafting the contract.
Step 1: Decide How to Structure Changes to the Contract
The CCPA applies to “businesses,” “service providers,” and “third parties.” When you plan to engage a vendor as a “service provider,” you can do so in three ways: (1) if it is a new vendor relationship, you can build the necessary elements into your contract; or (2) if you have an existing vendor relationship, you can update your agreement with an amendment or addendum (of course, such updates need to be agreed to and signed by both parties). Creating an addendum with new terms can be advantageous in the event you need to update multiple vendor relationships because you can send the same language to many service providers at once without having to worry about the nuances of the structure of the original contract.
Step 2: Ensure the Contract Has the Elements Required by the CCPA
As we explained in Part 1 of this series, whether to create a service provider relationship is your choice. When you set up a service provider relationship, the service provider can no longer be considered a third party, so you do not have to stop disclosing data to the service provider if a consumer exercises their opt-out right.
The applicable contract requirements come from the combination of the definitions of “service provider,” “third party,” “sell,” and “business purpose.” To be a “service provider” (Cal. Civ. Code § 1798.140(v)), the entity must process personal information on behalf of a business for a business purpose pursuant to a written contract, and the contract must prohibit the entity from retaining, using, or disclosing it for a purpose other than the business purpose(s) specified by the business. “Business purpose” (§ 1798.140(d)) means “the use of personal information for the business’s or a service provider’s operational purposes, or other notified purposes.” The definition of “sell” (§ 1798.140(t)) reinforces the definition of service provider because it states that in order to be a service provider, the service provider must not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose.
While it is not explicitly stated, the definition of “third party” (§ 1798.140(w)) informs the substance of the contract because it explains what a third party is not, so the definitions of service provider and third party should be read together for completeness.
The written contract should:
1. Include a certification made by the service provider receiving the personal information that the service provider understands the restrictions of being a service provider and will comply with them.
2. Prohibit the service provider from (1) selling the personal information; or (2) retaining, using, or disclosing the personal information: for any purpose other than for the specific purpose(s) of performing the services specified in the contract, outside of the direct business relationship between service provider and the business, or as otherwise permitted by the CCPA.
3. Instruct the service provider not to further collect, sell, or use the personal information of the consumer (that is disclosed to it by the business) except as necessary to perform the business purpose.
Step 3: Add Other Data Protection Terms as Context Requires
Businesses that do not have strong data protection terms in their service provider contracts might consider executing new or updated terms to address foreseeable issues such as:
- The circumstances in which the service provider can engage subcontractors.
- The business’s expectations regarding confidentiality and security of personal information.
- When and how the service provider should delete personal information.
- A process for responding to governmental inquiries that either party receives.
- A process by which the service provider informs the business of consumers’ requests to exercise their rights so that the business can choose how to respond.
- Auditing the service provider’s compliance.
- Provisions that enable lawful data transfer across borders.
GDPR practitioners will recognize these issues: they are all elements of Articles 28 (processors) and 44-50 (international transfers). In fact, the CCPA’s restrictions on a service provider’s ability to use and disclose personal information are similar to a processor’s obligation to act only according to the instructions of the controller.
Step 4: Consider Creating a Playbook for Contract Negotiation
Businesses can have many service provider relationships, which could mean updating a significant number of contracts. Not all service providers will readily accept template language, especially if you choose to leverage this opportunity to create holistic data protection terms.
Drafting a playbook with at least one fallback position for each element of the contract will help you to respond more consistently, especially if you have added terms that are not strictly required by the CCPA.
Finally, get started now—do not wait for next year or underestimate the amount of time it will take to identify which service providers should receive updated contracts, draft the updated contract, distribute it, receive responses, negotiate, and sign.