Decrypting the CCPA Service Provider Contract Requirements: A Complete Guide

The Service Provider Relationship Under the CCPA

A service provider under the CCPA is a person "that processes information on behalf of a business," and contracts with the business to perform such processing. The CCPA defines "to process" as "to collect, store, use, disclose, analyze, align, combine, delete, or transfer." This definition is very broad, covering practically any conceivable processing activity.
Despite the breadth of the processing definition, "service provider" remains an important designation, drawing a potentially significant line between complying and not complying with the CCPA. "Processing" in this context refers to the narrower concept of the "service provider" contract requirements. This concept does not cover the broader requirements of the CCPA, such as consumer rights or other obligations of businesses that go beyond the scope of a contract (to the extent the general CCPA obligations apply).
Furthermore, the data processing and other obligations not raised in the context of the contract requirements may still apply to businesses that contract with a "service provider" as defined above; those businesses should not conclude that their CCPA obligations are narrowed or limited because of the contractual relationship. The CCPA regime appears to leave some flexibility for entities that may not actually be "service providers" under the CCPA but that would be treated as "service providers" under the CCPA definition, and that may take on some or all of the business’s obligations under the CCPA, depending on the relationship.

Key CCPA Service Provider Contract Requirements

There are several mandatory contractual requirements pursuant to the CCPA that businesses must include when engaging a service provider. The inclusion of these contractual obligations, which we have separated into (1) data usage-related, (2) privacy-related, and (3) compliance-related, will not only help serve as a "due diligence" mechanism for CCPA compliance for both parties but will also begin to flesh out more generally what constitutes a "reasonable" data processing agreement under CPRA § 129.
Data Usage-Related
Nothing in this Service Provider Agreement (the "Agreement") allows the Service Provider to retain, use, or disclose the Personal Information or Service Provider Client Data provided to it by the Business or by or on behalf of any individual, household, or other user of the Business’s products and services (collectively, "Data"). The Service Provider shall collect, retain, use, and disclose Data solely for the purpose of undertaking the Services for the Business under this Agreement, unless required by applicable law or requested by a necessary state or federal agency or authority, and shall not do so for any other purpose. Nothing herein prohibits the Service Provider from conducting deidentified and/or aggregated research, analytics, and reporting, provided that all such activities comply with applicable law, including without limitation the rules and procedures of the CPRA and any rules thereunder. The Service Provider’s use of Data to evaluate or improve the Services or to develop and improve internal products and services is expressly prohibited. If the Service Provider uses a third party to assist it with performing the Services, the Service Provider shall remain responsible for compliance with this Agreement.
Privacy-Related
The Service Provider shall contractually obligate all third-party Sub-Processors (as defined below) processing Data to comply with the requirements of this Agreement and to process Data only for the limited purposes set forth in this Agreement. The Service Provider shall be liable for any breaches by such third-party processors of the processing activities under this Agreement and for the remediation of any such breach. Whenever the Service Provider receives Private Information from the Business or from any individual, household, or other user of the Business’s products and services, the Service Provider shall: The Service Provider may not engage any Sub-Processor without the prior written consent of the Business and under terms no less protective than this Agreement. Any contract with an authorized Sub-Processor shall require that Sub-Processor to protect the security and confidentiality of Data in a manner comparable to the protections required by this Agreement.
Compliance-Related
Nothing in this Agreement is intended to limit the Business’s rights set forth under the CPRA, including its right to require the Service Provider to assist it with complying with CPRA requirements. The Service Provider will cooperate with the reasonable requests of the Business in carrying out its obligations under the laws and regulations applicable to the Business’s activity and by which it is governed. In particular, the Service Provider agrees to assist the Business in complying with its obligations under the CPRA with respect to requests by individuals, households, or other users exercising their rights under the CPRA, including access to, rectification or erasure of, information; restriction on processing; restriction on use of personal information; data portability; and withdrawal of consent. The Service Provider must maintain records to demonstrate its compliance with this clause. These must include: all transparency information released to the individual, household, or other user pursuant to the CPRA; all correspondence between the Service Provider and the Business; and all correspondence between the Service Provider and individuals, households, or other users of the Business’s products and services. The Service Provider must allow the Business to audit these records and provide copies upon request at no cost to the Business.

Drafting Service Provider Contracts Under the CCPA

Effective service provider contracts are vital to compliance with the CCPA. These contracts must outline the service provider’s obligations with respect to the categories of personal information that are disclosed. Conveying specific requirements in a contract will help to mitigate risk for companies subject to the CCPA by passing contractual obligations down to the service provider. However, contracts are not the be-all and end-all of a company’s obligations to a consumer. Although service provider agreements are an important part of any covered entity’s CCPA compliance efforts, they must not be the only consideration in treating personal information with care.
Below is a list of some essential elements of a CCPA-compliant service provider contract: Like other aspects of the CCPA, service provider contracts will continue to evolve as enforcement actions and regulations governing the use of personal information continue to be developed. These contract requirements apply only to service providers, so any contract regarding or governing a third-party vendor that does not meet the definition of a service provider does not have to comply with the CCPA’s contract requirements.

Impacts of the CCPA on Service Provider Contracting

In addition to the significant financial and reputational risks associated with non-compliance with the CCPA, non-compliance with contractual CCPA requirements may have legal and financial repercussions for both businesses and service providers. These repercussions can include:

1. Enforcement Actions by the California Attorney General

The California Attorney General (AG) may take enforcement action against a business for failure to comply with its contractual CCPA requirements. A "business" includes any legal entity that is subject to the CCPA. While the AG has not yet pursued enforcement actions against businesses for failure to comply with their contractual CCPA obligations, California Civil Code section 1798.199 requires the Attorney General to provide notice if it is aware of a failure to comply, and provides 30 days for a business to cure the failure after receiving such notice. If the business has not cured the failure within the 30-day period, or has not attempted to cure in good faith, the AG may bring an enforcement action. This jurisdiction does not appear to extend to a "service provider," which is defined in the regulations as a natural person or legal entity that processes personal information on behalf of a business and does so pursuant to a contract that prohibits the use of that personal information for any purpose other than providing the services specified in the contract.

2. Private Right of Action Under Cal. Civ. Code § 1798.100 et seq.

Subject to the limitations and statutory damages stated therein, consumers may bring a private right of action under Cal. Civ. Code section 1798.150 when unencrypted or unredacted personal information "is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information." This section of the CCPA, however, expressly limits the private right of action to a business’s breach of a consumer’s nonpublic, unencrypted or unredacted personal information. As such, this section does not provide a private cause of action for a service provider’s failure to comply with contractual CCPA requirements. In assessing a service provider’s obligations related to incidents of unauthorized access to personal information, the Attorney General will look at factors including, but not limited to, whether the service provider (a) has any contractual or legal obligations regarding the security of the personal information received from or on behalf of the business and (b) has evaluated whether it is reasonably likely that the business is unprepared to fulfill its obligations under either the CCPA or its relevant contract with the service provider. If so, the Attorney General may pursue enforcement actions against the business for work not performed by the service provider.

3. Limitations on Potential Expectations of Indemnification

The terms of a service provider’s contract with a business may be relevant to questions of indemnification of the business for any actions brought by the AG pursuant to its enforcement authority under the CCPA. Businesses may provide in their contracts that a service provider will indemnify the business for any violations resulting from the service provider’s performance of the contract. However, the AG may not look favorably upon this type of contractual arrangement, which limits a business’s potential expectations for damages recoverable in the event of an enforcement action.

Comparison between the CCPA and Other Privacy Laws

The service provider contract requirements in the CCPA differ only slightly from the contract requirements in other major data privacy regimes. The CCPA uses the term "service provider," which is a defined term with a limited set of permissible business arrangements. Other major laws, such as the GDPR, use a different term, "processor," yet impose an equivalent set of contract requirements. For example, under both the GDPR and the CCPA, the same types of clauses are required in contracts with their respective "processors" and "service providers." These include: Under both laws, the fundamental relationship between a business and its service provider does not change based on the use of different terms. The CCPA refers to "selling" information, while the GDPR refers to "disclosing" information; however, the underlying relationship remains the same. Therefore, while it may be important to understand the subtle differences between the privacy laws, in this instance the compliance obligations are almost identical. As noted earlier, the acceptable contractual clauses under the CCPA include those that are similar to standard contractual clauses or European Union-approved controller-processor model clauses; the obligations are virtually identical between the GDPR and the CCPA, but the requirements for service provider contracts under the CCPA do not exclusively mirror the GDPR controller-processor model clauses. Other regions, such as the Asia-Pacific region, share conceptual similarities with the GDPR and promote variations of standard contractual clauses similar to those under the GDPR. The key is to know the contract requirements and whether they differ by region when a business is considering doing business globally.

Changes on the Horizon for Compliance Under the CCPA

Given that the CCPA has only been in effect for a short period of time, many compliance issues remain unanswered, and arguably all eyes are on the California Attorney General’s (CAG) office for the next big steps in enforcement and clarity. In the near term, there is a high likelihood that amendments will be made, and it is important for businesses and their respective service providers to consider the future and how they will address it. There is also a question of whether the CAG will adopt a "soft touch" approach and delay enforcement until more clarity is provided, or whether it will vigorously enforce the law, including against businesses and service providers that do not have compliant contracts, regardless of whether the CAG has provided clear guidance. The best course of action is to think ahead and consider what changes might happen in the future so that your business will be in a position to be in full compliance with the law. The CAG has stated that it will continue to issue guidance in the months to come, which we will provide updates on as they become available, but for now, there are a few important points to keep in mind:

  • Amendments to the CCPA. There is at least one bill currently pending in the California legislature that would amend certain parts of the CCPA. It is unclear whether this bill will become law. However, if it does, it likely means that there will be further amendments in the future. In the long term, there is a very real possibility that the law as written may simply not work and will require revisions. We advise that you pull and analyze your contract clauses in relation to the CCPA so that any necessary amendments can be made in the next legislative session, as it is probably safe to say that there will be more changes coming. The CAG will likely also provide updates to clarify ambiguous areas of the law. We further expect to see some updates and new requirements based on the California Privacy Rights Act (CPRA) that is being proposed by ballot initiative in November 2020, which will provide for more restrictions than the CCPA, though it will have a broader application and will likely be less strictly interpreted.
  • Best practices from other states. As was the case with data breach laws, the GDPR and others, once one state adopts a new standard, it is only a matter of time before other states follow suit. For businesses, this means that it might be better to implement a solution that complies with multiple regimes, rather than bringing in piecemeal solutions as new states adopt regulations similar to the CCPA. Several states are already poised to adopt laws similar to the CCPA, including Washington, New York, Massachusetts and Minnesota. Other states are considering a broader privacy framework that would extend across all 50 states.
  • Enforcement of the CCPA. Most states have yet to adopt an enforcement regime for their respective privacy laws, relying instead on lawsuits and private actors to regulate privacy within their borders. As such, there is still a good chance that CCPA enforcement will be handled primarily through private lawsuits.
