Comprehensive State Consumer Data Protection Acts: Part 3 – Obligations with Regard to Processors/Service Providers and Enforcement

In this final part of our series on the comprehensive state consumer data privacy acts, we address what a business that is a controller needs to know if it engages a “processor” with whom it shares personal information or data.  Then we discuss what are the enforcement mechanisms for each of the three Acts.  Finally, we walk through the additional steps to take to make sure you are – and remain – in compliance with the Acts.

1.  Controller/business obligations with regard to processors/service providers, contractors and third-parties

If you retain an IT provider (a) with which you share personal information or (b) that processes personal data for you, you will remain the controller/business of the personal data, but your IT provider will be the processor.  In this instance, under each Act you MUST enter into a contract (or amend your existing contract) with the IT provider that does the following:

In California, Colorado and Virginia,

• Clearly sets forth instructions for processing the personal data, as well as the limited nature and purpose of the processing, the type of data to be processed, the duration of processing, and the rights and obligations of both parties;
• Requires the processor to ensure that each person processing personal data is subject to a duty of confidentiality, which in California requires the third party, service provider or contractor to comply with applicable CCPA obligations, not just confidentiality obligations; and
• Requires the processor to delete or return all personal data to the controller when the processor/business stops providing services, except where the processor is required by law to retain the personal data.

In Colorado and Virginia, your contract with the IT provider must also:

• Require the IT provider to make available to the controller upon request, all information in its possession necessary to demonstrate the IT provider’s compliance with the Act;
• Require the IT provider to cooperate with reasonable assessments by your company or its assessor. Here, with your company’s consent, the IT provider may instead obtain its own third-party assessment using industry standard controls and standards (e.g., ISO reports) and provide the third-party report to the controller;
• Require your IT provider to engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the processor’s obligations, and, in Colorado, your company must be given an opportunity to object to the proposed subcontractor; and
• If your company shares deidentified data with your IT provider, you must require it to comply with the Acts regarding such data.

In California, in addition to the requirements under this subsection (1) as outlined above, your contract must:

• Grant your company rights to take reasonable and appropriate steps to help ensure that the IT provider uses the personal information transferred in a manner consistent with your company’s obligations under the CCPA;
• Require your IT provider to notify your company if it determines that it can no longer meet its obligations under the CCPA;
• Grant your company the right, upon notice to the service provider or contractor, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information;
• Require your IT provider to notify any of its own service providers or contractors to delete personal information about the consumer that was collected, used, processed, or retained and for which your company has requested deletion;
• Require your IT provider to notify its subcontractors or third parties who may have accessed personal information from or through it, unless the information was accessed at the direction of your business, to delete the consumer’s personal information – unless this proves impossible or involves disproportionate effort;
• Prohibit your IT provider from using the sensitive personal information after it has received instructions from your company, and to the extent it has actual knowledge that the personal information is sensitive personal information, for any other purpose than those specifically identified;
• Subject to agreement with your IT provider, permit your company to monitor the IT provider’s compliance with the contract through measures, including manual reviews and automated scans and regular assessments or other technical and operational testing at least once every 12 months; and
• Prohibit selling, sharing the personal information, or using outside the specified purposes permitted by the Act and outside the direct business relationship of the parties, and from combining the personal information you provided or received with personal information collected in other contexts.

In addition to its obligations under its contract with your business, in all three states, your IT provider must:

• Assist your company in complying with its obligations under the Acts.
• Assist in the fulfillment of consumer requests to exercise their rights by appropriate technical and organizational measures.

And, in Colorado and Virginia, the IT provider must also comply with your instructions concerning the personal data and provide necessary information to enable your business to carry out its own data protection assessments.  In California, your company is not obligated to perform data protection assessments under the CCPA but is permitted to assess your IT provider’s compliance with its obligations under the CCPA.  California makes some distinctions between a “service provider” and a “contractor” and while they are similar, companies should evaluate for each relationship. 

Finally, in addition to your contract reflecting the terms noted above, we recommend your contracts prohibit sale of the personal data, and certify that the IT provider understands and agrees to comply with the requirements of the Acts.  You may also want to include a provision that requires the parties to amend the contract to build-in any mandated state obligations regarding personal data and information and to do so within a set time period of either party’s request.

2.  Enforcement and penalties

Injunctions against continued breach of the Acts are available in all three states.  Penalties in California and Virginia are up to $7,500 per violation and in Colorado up to $20,000 per violation.  Whereas the Virginia Act is enforced only by the Attorney General, the Colorado Act is enforced by both the Attorney General and District Attorney, and the California Act provides a private right of action and established a new administrative entity, the California Privacy Protection Agency (CPP Agency). Virginia and Colorado provide a cure period before the penalties apply.  In Colorado, the CPA provides that until January 1, 2025, covered entities have 60 days to cure before enforcement action can be taken.  In California, if a cure is possible, there is a 30-day cure period for a private right of action under the CCPA, where damages are the greater of actual damages or $100 and $750 per consumer/incident.  In July, the California Attorney General’s office announced that notices have been sent to a number of entities related to potential violations of the Act.  It also announced that it launched a new online consumer privacy tool that allows consumers to directly notify businesses that don’t have a clear and easy-to-find “Do Not Sell” link which triggers the 30-day cure period.  However, businesses should not get complacent – the California Privacy Rights Act eliminated the 30-day cure period (January 1, 2023).  Luckily, the CCPA as amended does give the CPP Agency some discretion regarding the time to cure.  The potential reputational risk and the penalties are significant and demonstrate the need to pay attention to these three new Acts.

3.  Your action items

So, what should you do next? 

First, determine whether you meet the threshold to be covered by each Act as we discussed earlier.

Second, determine what information you are collecting and assess why you are collecting it.  Do you need to collect it?  If not, consider stopping such collection.  If you do need to collect it, what type of information is it and does it (or the business) fall into one of the exceptions? 

Third, if you are covered and the information you collect and/or process is covered, you’ll need to set up internal procedures for dealing with consumer requests and complying with each Act’s requirements, as well as assuring that your security procedures are adequate to meet each Act’s requirements.  You’ll also need to draft and post on your website consumer disclosures as required by each Act.

In addition, you’ll need to examine all your contracts with entities which handle or collect personal data on your behalf – and most likely amend them to satisfy the requirements each Act imposes on IT provider contracts, as well as to assure IT providers’ other obligations to you are met.  If that idea sounds daunting, we understand, but encourage you to develop a contract addendum that addresses the specific requirements of the CCPA, VCDPA and CPA, but is broad enough to encompass similar requirements that may be imposed by other comprehensive state privacy acts on the horizon.  Why?  If you succeed, your company will be relieved of liability related to a service provider’s misuse of personal data if at the time of disclosure, your company did not have “actual knowledge, or reason to believe, that the [IT provider] intends[ed] to commit such a violation.”

We are happy to assist with all of these activities. 

Each Act is subject to further legislative tweaking and each Attorney General (and in the case of California the newly established CPP Agency) is required to issue enabling regulations that will provide further detail.  Watch for any such regulatory guidance as it could significantly alter your requirements and result in more deviation between the state requirements.  Also, as we mentioned, several other states are likely to follow suit with legislation of their own in the next year or so.  We’ll keep you posted!

Learn more:

• Part 1 – Factors that determine whether the Acts apply to your company, as well as the exceptions.
• Part 2 – Your obligations under the Acts, and how to comply.