CCPA 2.0 and the Changing Privacy Landscape, Part VI: CPRA’s Impact On Service Providers, Contractors, and Third Parties
As detailed in our ongoing series, the passage of the California Privacy Rights Act (CPRA) promises to drastically change the privacy landscape in the Golden State and affect the privacy compliance efforts of many businesses that service customers in California. The CPRA includes additional and expanded consumer rights compared to those that currently exist under the California Consumer Privacy Act (CCPA), and imposes new requirements and obligations on those businesses that collect, share, and use data of California residents. This sixth installment in our series centers on the CPRA’s anticipated impacts on service providers, contractors, and third parties. These provisions create new obligations regarding data collection and will change how contractual obligations flow down to third parties and contractors.
Service Providers & “Sharing” of Data
The CPRA redefines and imposes new restrictions on companies that qualify as “service providers.” The CPRA defines a “service provider” as a person that processes personal information on behalf of a business and that receives personal information from a business for a business purpose, pursuant to a written contract. One of the biggest new restrictions on service providers is that they will be prohibited from “sharing” the personal information provided to them by their contract partners. Currently, data protection obligations are not statutorily required to flow down from a business to a service provider. Under the CCPA, service providers must be contractually bound to limit their use, retention, or disclosure of personal information to those purposes specified under contract. The CPRA will extend data protection obligations to service providers and will require businesses and service providers to enter into agreements that bind the service provider to the same level of technical and organizational protections required of the business under the CPRA. Any service provider contract must also restrict the ability of such companies to combine personal information received from the data owner with other personal information at their disposal.
Currently, the CCPA defines a sale of data as selling, renting, releasing, or otherwise making data available to a third party for monetary or other valuable consideration. The CCPA allows a consumer to “opt-out” of an entity’s “selling” their personal information, and requires the entity to inform the consumer about how their information may be “shared” with service providers and other third parties.
The CPRA, however, further delineates between “sharing” and “selling” of data. “Sharing” is now defined under the CPRA as disclosing or otherwise communicating a consumer’s personal information for cross-context behavioral advertising, or ad targeting based on information obtained about a consumer across different apps or services, whether or not for money or other consideration. This distinction creates new requirements for companies that act as “service providers” under the CCPA – i.e., they receive and use data for a specific, contractual purpose but do not otherwise “sell” the information. Under the changes made through the CPRA, any CPRA-subject business that “shares” personal information for cross-context behavioral advertising or ad targeting as described above must allow consumers to “opt-out” from such practices in the same way the CCPA currently requires a subject entity to allow consumers to “opt-out” of having their personal information sold to third parties. However, service providers will be prohibited from “sharing” personal information under the revised law.
Under the CPRA, new data handling provisions also require businesses to flow down any data collection obligations to third parties that do not otherwise constitute “service providers” or “contractors.” Any business that collects or shares personal information must enter into an agreement with each recipient of that data, stating the business purpose for the sale or sharing of information and ensuring that protections afforded by the CPRA follow the information downstream. These agreements must also allow businesses to take reasonable steps to: (1) ensure that third-party recipients use shared personal information in a way that is consistent with the business’s own CPRA obligations, and (2) stop and remediate unauthorized use of personal information. Third-party recipients will be obligated to comply with CPRA provisions regardless of the recipient’s domicile.
Among the CPRA’s significant changes is the addition of “contractors” as a new regulated entity classification. While a service provider is a third party that performs specifically contracted business functions and processes personal information on behalf of a business for those contracted purposes, a “contractor” is a third party to whom a business discloses personal information for a business purpose per a written contract. Similar to service providers, contractors will be contractually prohibited from “selling” or “sharing” the personal information they receive from the subject business. This new distinction will also require that contractors contractually agree to provide technical and organizational measures to protect data they receive from the subject businesses. This means that contractors will have the contractual obligation to impose higher data regulation standards, and those without these measures will need to consider improving these systems and processes. In addition to the implementation of these technical and organizational standards, contractors and service providers must assist in responding to and performing any consumer requests, including data deletion. Contractors must be prepared to comply with the requirements of the CPRA regardless of whether they are included in any contractual terms.
While these changes are still far out on the horizon, some CCPA- and CPRA-subject businesses are already taking measures to flow down the new requirements of the CPRA that will take effect on January 1, 2023, to their service providers, contractors, and third-party partners. In the tech space, for example, some companies have already announced changes to their business practices that reflect the sales regulations in the CCPA and conform to the “sharing” and “selling” distinction by creating requirements for their associated apps to comply with opt-out notices.