California Consumer Privacy Act is a Game Changer for Large IT, Telecom, and Outsourcing Customers

On January 1, 2020, the California Consumer Privacy Act (the “CCPA” or “Act”) took effect.  It is a game changer for enterprise users of telecom, IT, and outsourcing services.  Although its protections are limited to California “consumers” (a statutory term that includes both a business’s customers and employees), most large enterprises have at least some customers and/or employees in California.  Moreover, because of California’s huge population and economic clout, because no comparable federal law occupies the field, and because at least some other states are likely to follow California’s lead, the new law is expected to become the de facto national standard for handling consumer and employee personal information (“PI”).  Even if no other US jurisdiction passes a similar law, many large enterprises are not going to find it cost-effective or operationally sound to adopt one set of procedures for handling California residents’ PI and a different set of procedures for PI from the rest of the country.

Any company negotiating or renewing telecom, IT, and outsourcing service agreements (which we’ll refer to generically as “tech service agreements”) should act now to reduce its exposure to CCPA liability by adding appropriate language to those agreements.  That language should not only incorporate the CCPA’s “safe harbors” but also require the vendor to cooperate with and support the enterprise’s own CCPA compliance.  The same principles apply to all enterprises with existing tech service agreements, regardless of where they are in their contract life cycles.  A relatively simple amendment to your tech service agreements could insulate you from the real possibility of civil liability or enforcement actions under this very new law.

This article is intended not as a tutorial on the CCPA as a whole but instead as a focused discussion of what enterprise customers should do under their tech service agreements to minimize their exposure under the Act.  Two groups of enterprises are directly affected:  (1) those that provide PI of their customers and/or employees directly to service providers in connection with their purchase of services; and (2) those with service arrangements in which the provider has access to, stores, or processes PI of the enterprise’s customers or employees, including storing or culling data from the content of communications (e.g., emails, text messages).  In this regard, the Act will have an impact on just about all tech service agreements that involve the sharing or use of California residents’ PI.

Several aspects of the CCPA stand out as requiring immediate attention.  First, the statutory definition of “personal information” is expansive and includes any information from which an individual person can be identified, even if identification requires cross referencing the information you have with other information (e.g., a reverse phone number look-up).  Biometric information, such as thumbprints or the sound of one’s voice, the content of communications attributable to an individual, and a person’s electronic and digital activity (e.g., websites visited, phone numbers called) are all included within the definition of PI.  Even “inferences drawn from [other PI] to create a profile about a consumer” reflecting preferences, characteristics, etc. are included.

Second, the Act creates potential liability for enterprises both directly and indirectly.  Thus, enterprises that handle California PI have specific obligations and face potential liability for their own violations of the Act, and, absent certain contractual safeguards with their vendors, can potentially be on the hook for their vendors’ mishandling of PI the enterprises provide to the vendors.  Individuals whose PI is breached because the enterprise does not have ”reasonable security procedures and practices” in place can sue for damages under the Act.  While the definition of “reasonable security procedures and practices” is not certain, it would likely be important in defending such a lawsuit to be able to show that you have included specific contractual restrictions on your service providers’ handling of PI you provide to them.

Third, the California Attorney General (“AG”) has the authority to enforce the CCPA beginning July 1, and violations can result in fines.  We expect that this enforcement will be aggressive.

Enterprise customers should be aware of and understand the legal risks the CCPA has created.  Most importantly, appropriate contractual “fixes,” are not particularly complicated.  To limit the enterprise’s statutory obligations to customers and employees regarding its handling of their PI and to minimize the enterprise’s legal and financial risks associated with sharing that PI with its vendors, the CCPA provides specific “safe harbor” contract provisions and a two- or three-page contract amendment should suffice to incorporate them.  (Of course, the precise language suitable for use in a given contract depends, of course, on the vendor, the enterprise’s existing contract, the nature of the services, the information to which the vendor will have access, and how the enterprise orders and uses the service.) But implementing these safe harbors and fulfilling an enterprise’s own compliance obligations will, practically speaking, necessitate enterprise vendors’ cooperation.  We recommend that you act quickly to open a dialogue with your vendors about adding the appropriate provisions to their tech services agreements. 

Many of the provisions and defined terms of the CCPA are open to different interpretations, and, unfortunately, no judicial or administrative body yet interpreted them in a way that could more narrowly guide enterprise customers.  The California AG has opened a rulemaking proceeding to provide greater clarity as to some of the interpretive issues, but even this proceeding will leave major questions open until actual enforcement actions start.  In the meantime, potentially affected enterprises should update their agreements to address the CCPA before the AG’s authority to enforce the Act takes effect on July 1.

Our experience negotiating the CCPA safe harbors with different service providers has been mixed.  Some are more open to tackling the issues head-on in an amendment, and others seem reluctant to admit that they are handling California PI in a manner that would expose them to obligations under the Act.  Indeed, some refuse even to admit that they receive PI from their enterprise customers or from end users of their services, much less acknowledge their enterprise customers’ need for safe harbor language. 

In an effort to evade the issue altogether, some vendors may point to a couple of temporary exemptions from the Act’s requirements for certain business-to-business communications and for PI that is in the nature of HR information from your own employees and contractors.  Both of these exemptions are narrow and are currently scheduled to expire at the end of this year.  Neither one provides a blanket exemption from all of the Act’s requirements.  The bottom line: It’s better to be proactive now and not count on temporary exemptions outlasting their expiration dates.

Vendors may complain of burdens or costs associated with the safe harbor language, but they should already have implemented safeguards to protect the PI of their own customers and employees.  The additional burden of extending these safeguards to your PI should be minimal.  Still, they may initially resist specific language as they may see it as a tacit admission that they are subject to the Act.  These reactions are best dealt with on a case-by-case basis just like any other negotiable contract term.  There is nothing for an enterprise to gain, but a lot to risk, from omitting appropriate contractual language from its service agreements. 

If you’d like more information about how you should amend your service agreements to take advantage of the statutory safe harbors and to require your service providers to support your own CCPA compliance, we urge you to contact an attorney who practices at the intersection of procurement and privacy law.  Acting now could save you from significant liability and nuisance claims in the future.