June 26, 2019
Although the CCPA is not due to go into effect until January 1, 2020, businesses should take the necessary steps to ensure full CCPA compliance well ahead of that date. By way of background, the California Consumer Privacy Act (“CCPA”) is a consumer-friendly privacy law that mirrors the EU’s General Data Protection Regulation (“GDPR”) in many respects. One such point of similarity is that both statutes impose an obligation on businesses to ensure that their respective service providers and other third-party partners refrain from exploiting the personal information that is shared with them.
The CCPA defines “service provider” as any entity “that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract.” Further, the CCPA contains an expansive definition of “personal information,” which includes “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” In light of the foregoing, companies should begin the process of: 1) revising service provider agreements on a going-forward basis; and 2) amending existing service provider agreements to ensure that their service provider partners are contractually obligated to refrain from using consumer information for prohibited commercial purposes.
Should I Amend My Service Provider Agreements for CCPA Compliance Purposes?
Service Provider CCPA Compliance Considerations
The CCPA requires that businesses impose a contractual obligation on service providers and vendors which prohibits them from exploiting consumer information that is provided to them. Specifically, businesses must prohibit service providers from retaining, using or disclosing consumer personal information “for any purpose other than the specific purpose of performing the services specified in the contract.” This prohibition includes, but is not limited to, using or disclosing such personal information for a commercial purpose. In addition to the foregoing, businesses are also required to make appropriate disclosures of the purpose(s) for which data is shared with vendors in their respective privacy policies.
Liability for Service Providers Under the CCPA
If a business’s service provider agreements are properly drafted, that business will likely not be found to have violated the CCPA if one of its service providers uses consumer information in a manner that is not permitted under the CCPA (provided such business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a transgression). Given the importance of properly drafted service provider agreements (generally, and more specifically, from a CCPA compliance perspective), it is essential that businesses consult with experienced counsel now to commence the process of amending existing agreements and revising agreements to be used with new service provider partners.
If you are interested in learning more about this topic or require assistance in connection with CCPA compliance for your business, please e-mail us at firstname.lastname@example.org, or call us at (212) 246-0900.
The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.