California Privacy Rights Act a.k.a. the Evolving and Expanded California Consumer Privacy Act 2.0 – Telecom and Technology Purchasers Get Ready
On November 3, California voters approved Prop 24, which enacted the new “California Privacy Rights Act.” This Act, a.k.a. the “CPRA,” substantially amends the existing California Consumer Privacy Act, known as the “CCPA.” The CPRA, like its predecessor, imposes obligations on businesses with regard to the “personal information” – or “PI” – they receive or develop having to do with individuals living in California. The CPRA expands the scope both of your own obligations and the obligations you must flow down to vendors from whom you buy IT or telecom services. It also expands the types of vendors to whom you must flow down these obligations.
First, some good news. The new substantive requirements of the CPRA do not become effective until January 1, 2023. Assuming you are in compliance with the existing CCPA, both in your own internal handling of PI and in the way you contract with your IT and telecom providers, you have a full two years to plan for the expansion of your obligations.
You need to plan to reopen your service agreements with any vendor that processes or handles personal information on your behalf, and with any entity to which you make available PI you receive. Obligations previously imposed only on “service providers” have been extended to “contractors,” and in some cases to any “third party” with which your company shares this information for cross-contextual behavioral advertising, or to which you sell this information.
The CPRA expressly requires certain provisions in your contracts with vendors with which you share information and third parties with whom you sell or share information.
First, the CPRA clarifies the types of downstream entities to which various obligations apply:
- “Service Provider” – an entity that processes personal information on your business’ behalf and receives the information for a business purpose (from which sale or sharing are excluded).
- “Contractor” – an entity to which your business makes PI available for a business purpose, and with which you have a written contract. A “business purpose” is either one of a list of specified business purposes of your company, or operational purposes of the service provider or contractor.
- “Third Party” – anybody who is neither a service provider nor a contractor, and is also not the entity that directly collects the information from the consumer and with which the consumer intentionally interacts (that last exclusion is probably meant to distinguish a “third party” from your business). As noted, third parties are relevant if you sell PI to them or share PI with them for cross-contextual behavioral advertising.
The differences between service providers and contractors remain fuzzy. The California Attorney General – and after July 1, 2022, a new California Privacy Protection Agency – is tasked under the new Act with issuing regulations to clarify and add detail to several provisions of the CPRA. Meanwhile (and even afterward) you can expect to engage in debates with your vendors as to which of these categories they fall into and what obligations apply to them. To complicate matters further, a single vendor may fall into more than one category if it both processes the PI (service provider) and receives it for some other business purpose (contractor), in which case you will also need to work out which provisions must be added to the contract and when.
CPRA Contract Requirements
The CPRA requires a core set of obligations and prohibitions in your contracts with service providers and contractors. These obligations must also be applied to any third party to whom you sell PI, or with whom you share PI for cross-contextual behavioral advertising purposes. Including the required terms in your contracts is not optional and certain other terms are advisable to help mitigate your risks of CPRA non-compliance.
Your service provider, contractor and third party contracts must:
- Specify that you are disclosing the PI solely for your limited and specified business purposes or your service provider’s or contractor’s operational purposes (so you have to be specific about what the purposes are from among those listed in the CPRA);
- Obligate the vendor to comply with the CPRA and to provide the same level of privacy protection that the CPRA requires;
- Grant your company “appropriate rights” to help ensure that the vendor in fact uses the PI in a manner consistent with your obligations under the Act;
- Require the vendor to inform you if it determines that it can no longer meet its obligations under the Act (we’d suggest adding “or under this Agreement” since there are likely to be protections you want to build in that are not strictly required by the Act but are useful in helping you comply);
- Grant you the express right to take “reasonable and appropriate steps” to stop and remediate unauthorized use of PI, upon notice to the vendor.
Note that the third and fifth bullets above give some leeway in determining what “appropriate rights” and “reasonable and appropriate steps” you may take to protect PI (and your company). Draft these as expansively as possible, since the more rights you have the more likely you will be able to shut down misuse of PI quickly. In particular, you will want the right to stop sharing the PI pending cure, and to terminate your relationship if problems are not cured. It would also be a good idea to require indemnification from the vendor for violations of these obligations, and to carve them out from any caps on, or exclusions from, the vendor’s liability.
Additional Service Provider and Contractor Contract Requirements
Your service provider and contractor contracts must contain a few more provisions as well. These contracts must prohibit the service provider or contractor from:
- Selling the personal information or sharing it with a third party for cross-contextual behavioral advertising;
- Retaining, using, or disclosing the PI for any purpose other than for the specific purpose of performing the services or business purposes specified in the contract, or as otherwise permitted by the Act, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the service provider’s or contractor’s services or the business purposes specified in the contract;
- Retaining, using, or disclosing the PI outside of the direct business relationship between the service provider or contractor and your business;
- Combining the PI that the service provider or contractor receives from, or on behalf of, your business with PI that it receives from, or on behalf of, some other business or that it collects from its own interaction with the consumer (i.e., they can’t use the PI obtained from you or on your behalf to develop profiles).
Finally, the contract must obligate the service provider or contractor to notify you if it engages a subcontractor, directly or indirectly, to assist with its processing of the data, and must engage the subcontractor only with a written agreement containing all of these requirements.
Additional and Unique Contractor Contract Requirements
In addition to the requirements above, Contractor agreements must also:
- Have an express certification by the contractor that it understands the above restrictions and will comply with them; and
- Expressly permit your business to monitor the contractor’s compliance through measures such as manual reviews, automated scans, regular assessments, audits, etc.
LB3’s CPRA Contract Recommendations
The following are not required by the CPRA, but including these clauses helps you comply with CPRA.
1. Service Providers and Contractors
If your business receives a verifiable consumer request to delete his or her PI, you must direct service providers and contractors – and notify third parties with whom you have shared PI for cross-contextual advertising – to delete the relevant PI, so you will need contractual rights to require them to comply. Note that there is no similar flow-down requirement with regard to your obligation to correct, rather than delete, PI. But in this latter case you may still want to include the right to correct the information (or have the vendor correct it) so that the uncorrected information does not find its way back onto your systems.
You will also want to flow down requirements that help ensure that the vendor reacts in a timely fashion to enable you to meet your own obligations. For example, you have the obligation to delete or correct information within 45 days after receiving the request. Since it is likely that it will take a few days to communicate this to your vendor, you will need the vendor to act within, say, 30 days to be sure you are within your own time frame for compliance.
2. Third Parties
The Act requires you to comply with consumers’ “opt-out” requests to stop selling or sharing their information, subject to certain specified exceptions. You will want to be sure your third party agreement is not breached if you stop selling or sharing the affected consumer’s PI with the third party, so give yourself the express right to do so.
3. New Enforcement Agency and Increased Liability
Certain changes to the CPRA enforcement mechanisms make getting it wrong both more risky and more costly.
The newly created California Privacy Protection Agency will be responsible for developing regulations to clarify the requirements (e.g., service provider and contractor operational requirements) by July 1, 2022, and for enforcing the CPRA beginning July 1, 2023. This differs significantly from the limited staff available in the Attorney General’s office to take such actions. Moreover, there is no longer a cure period for Agency enforcement of CPRA violations; the Agency may, however, consider a cure period.
As a reminder, the administrative penalties for non-compliance are up to $2500 for each unintentional violation and $7500 for each intentional violation.
The private right of action has also been expanded. In addition to the right to sue for a business’s failure to implement and maintain reasonable security practices and procedures, individuals may sue if their email address in combination with password or security question and answer that would permit access to the account is disclosed.
If your vendor contracts do not currently comply with the preexisting CCPA requirements, act now! You are already at risk. And while you are at it, add the clauses that the CPRA requires and LB3 recommends to your vendor contracts according to the category to which the vendor belongs. If you previously updated your existing vendor contracts and vendor form contracts to comply with CCPA, you have more time to analyze the new requirements, update your form contracts, and find an opportunity in the next year or two (extension of term, significant amendment, rate benchmarking, etc.) to add the new clauses to existing vendor contracts. If no such opportunity arrives, you will need to tell your vendor you need to add CPRA clauses. If you do not add these clauses, you will not benefit from the CPRA’s opportunities to mitigate your risks and could be burdened by penalties and private lawsuits arising from your non-compliance.