California: Operationalising CPRA - vendors and vendor management
In November 2020, California voters passed the California Privacy Rights Act of 2020 ('CPRA'), which amended the existing California Consumer Privacy Act of 2018 ('CCPA') passed by the California legislature in 2018 and which became effective on 1 January 2020. The CPRA went into effect on 1 January 2023 (with a look-back period to 1 January 2022), and enforcement of the new provisions of the CPRA will be effective 1 July 2023. The CPRA amends the CCPA in many significant ways, including how businesses must address their vendor relationships.
Part one of this series, Operationalising CPRA, discussed how the CPRA changes consumer rights and part two of this series explored the scope of the CCPA as amended by the CPRA. In part three, Diana Iketani Iorlano, Founder and Managing Attorney, Iketani Law Corporation, focuses on some of the considerations for businesses in regards to vendors.
There are two primary considerations for businesses to operationalise the CPRA with respect to vendors (regardless of whether the vendor is located in California or not): (i) ensuring that vendor contracts comply with the CCPA; and (ii) conducting cybersecurity audits when using vendors for processing personal information that 'presents a significant risk to consumers' privacy or security'. Both of these will be discussed below. In addition, we list a number of best practices related to vendor management that businesses should implement prior to the start of the CPRA enforcement.
The CPRA charged the California Privacy Protection Agency ('CPPA') with developing regulations to implement the CCPA. The CPPA started the rulemaking process in July 2022 and worked diligently to issue the revised CCPA regulations. The CPPA divided the rulemaking process into groups, focusing first on: (i) updating existing CCPA regulations to harmonise them with CPRA amendments; (ii) operationalising new individual rights and concepts to implement the law; and (iii) reorganising and consolidating requirements set forth in the law to make the regulations easier to follow and understand.
The CPRA establishes three categories of recipients of personal information - service providers, contractors, and third parties - and sets forth requirements that must be addressed contractually when businesses sell or share personal information to a third party or disclose it to a service provider or contractor for a business purpose. The CPRA requires additional contractual provisions when the transfers are made to service providers or contractors.
Since the CPRA only dictates the substance, but not the form of these contracts, parties could address the requirements through the use of a data processing addendum – i.e., a separate agreement or addendum to a contract – or they could incorporate the requirements into their underlying contract, most commonly referred to as a master service agreement. Businesses should also be aware of contractual requirements from data privacy laws of other jurisdictions – most notably other US states, the EU, and the UK – and be sure to integrate those requirements into their contracts.
As a result, the CCPA, as amended by the CPRA, requires written agreements when a business: (i) discloses personal information to a service provider; (ii) discloses personal information to a contractor; or (iii) sells or shares personal information to a third party. It is critical to understand these terms and properly apply them to the parties' underlying relationship.
Service provider: 'A person that processes personal information on behalf of a business and that receives from or on behalf of the business a consumer's personal information for a business purpose' (§1798.140(ag) of the California Civil Code ('Cal. Civ. Code')).
Contractor: 'A person to whom the business makes available a consumer's personal information for a business purpose' (§1798.140(j) of the Cal. Civ. Code).
Third party: An entity that is not: (i) 'the business with whom the consumer intentionally interacts and that collects personal information from the consumer as part of the consumer's current interaction with the business under' the CPRA; (ii) a service provider to the business; or (iii) a contractor (§1798.140(ai) of the Cal. Civ. Code). A transfer of personal information to a third party is likely a sale [1] or a share [2] under the CPRA.
Cross-context behavioral advertising: 'The targeting of advertising to a consumer based on the consumer's personal information obtained from the consumer's activity across businesses, distinctly branded websites, applications, or services, other than the business, distinctly branded website, application, or service with which the consumer intentionally interacts' (§1798.140(k) of the Cal. Civ. Code).
General requirements (service providers, contractors, and third parties)
Under §1798.100(d) of the Cal. Civ. Code, contracts between a business and a service provider, contractor, or third party must:
- specify that the personal information is sold or disclosed by the business only for limited and specified purposes;
- obligate the third party, service provider, or contractor to comply with applicable obligations under the CCPA and obligate those persons to provide the same level of privacy protection as is required by the CCPA;
- grant the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business' obligations under the CCPA;
- require the third party, service provider, or contractor to notify the business if it determines that it can no longer meet its obligations under the CCPA; and
- grant the business the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorised use of personal information.
Requirements for service providers or contractors
For a business to provide personal information to a service provider or contractor, it must be done for a business purpose pursuant to a written contract. The CCPA lists the following business purposes in §1798.140(e) of the Cal. Civ. Code:
- Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
- Helping to ensure security and integrity to the extent that the use of the consumer's personal information is reasonably necessary and proportionate for these purposes.
- Debugging to identify and repair errors that impair existing intended functionality.
- Short-term, transient use, including, but not limited to, non-personalised advertising shown as part of a consumer's current interaction with the business, provided that the consumer's personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer's experience outside the current interaction with the business.
- Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business.
- Providing advertising and marketing services, except for cross-context behavioural advertising, to the consumer provided that, for the purpose of advertising and marketing, a service provider or contractor shall not combine the personal information of opted-out consumers that the service provider or contractor receives from, or on behalf of, the business with personal information that the service provider or contractor receives from, or on behalf of, another person or persons or collects from its own interaction with consumers.
- Undertaking internal research for technological development and demonstration.
- Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
Under Section 7050(a) of the CPRA, service providers and contractors are permitted to use personal information received from businesses for additional purposes, including:
- to retain and employ another service provider or contractor as a subcontractor;
- for internal use by the service provider or contractor to build or improve the quality of its services even if this business purpose is not specified in the written contract required by the CCPA and these regulations, provided that the use does not use the personal information to perform services on behalf of another person; and
- to prevent, detect, or investigate data security incidents or protect against malicious, deceptive, fraudulent, or illegal activity, even if this business purpose is not specified in the written contract required by the CCPA and these regulations.
Contracts between businesses and service providers or contractors must meet the following requirements, unless expressly permitted by the CCPA or regulations:
- Prohibit the service provider or contractor from selling or sharing personal information.
- Identify the specific business purpose(s) for which the service provider or contractor is processing personal information and specify that the business is disclosing the personal information only for the limited and specified business purpose(s) set forth within the contract. The business purpose must be described in specific terms.
- Prohibit the service provider or contractor from retaining, using, or disclosing the personal information for any purpose other than the business purpose(s) specified in the contract.
- Prohibit the service provider or contractor from retaining, using, or disclosing the personal information for any commercial purpose other than the business purposes specified in the contract.
- Prohibit the service provider or contractor from retaining, using, or disclosing the personal information outside the direct business relationship between the service provider or contractor and the business. For example, a service provider or contractor is prohibited from combining or updating personal information received from the business with personal information that it received from another source or from its own interaction with the consumer.
- Require the service provider or contractor to comply with the CCPA and regulations, including providing the same level of privacy protection as required of businesses. For example, the contract may require the service provider or contractor to cooperate with the business in responding to consumers' requests made pursuant to the CCPA, and to implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorised or illegal access, destruction, use, modification, or disclosure.
- Grant the business the right to take reasonable and appropriate steps to ensure that the service provider or contractor uses the personal information in a manner consistent with the business's obligations under the CCPA and regulations. Reasonable and appropriate steps may include ongoing manual reviews and automated scans of the service provider's system and regular internal or third-party assessments, audits, or other technical and operational testing at least once every 12 months.
- Require the service provider or contractor to notify the business after it determines it can no longer meet its obligations under the CCPA and regulations.
- Grant the business the right, upon notice, to take reasonable and appropriate steps to stop and remediate the service provider or contractor's unauthorised use of personal information. For example, the business may require the service provider or contractor to provide documentation that verifies that it no longer retains or uses personal information of consumers that have made a valid request to delete with the business.
- Require the service provider or contractor to enable the business to comply with consumer requests made pursuant to the CCPA or require the business to inform the service provider or contractor of any consumer request made pursuant to the CCPA that they must comply with and provide the information necessary for the service provider or contractor to comply with the request.
In addition, if a service provider or contractor engages a subcontractor in providing services to the business, it must notify the business of that engagement and enter into a contract with that other entity.
A contractor must certify in the contract that it understands and will comply with these additional requirements, while service providers are not required to do so.
Requirements for third parties
Contracts between businesses and third parties must meet the following requirements, unless expressly permitted by the CCPA or regulations:
- Identify the limited and specified purpose(s) for which the personal information is made available to the third party. The purpose must be specific and not described in generic terms, such as referencing the entire contract generally.
- Specify that the business is making the personal information available to the third party only for the limited and specified purposes set forth in the contract and require the third party to use it only for those limited and specified purposes.
- Require the third party to comply with all applicable sections of the CCPA and regulations, including providing the same level of privacy protection as required of businesses by the CCPA and regulations.
- Grant the business the right to take reasonable and appropriate steps to ensure that the third party uses the personal information in a manner consistent with the business's obligations under the CCPA and regulations. For example, the business may require the third party to attest that it treats the personal information in the same manner that the business is obligated to treat it under the CCPA and these regulations.
- Grant the business the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorised use of personal information made available to the third party.
- Require the third party to notify the business after it determines it can no longer meet its obligations under the CCPA and regulations.
Finally, the regulations state that whether a business conducts due diligence of its service providers, contractors, or third parties factors into whether the business has reason to believe that those entities are using personal information in violation of the CCPA and regulations. For example, a business that neither enforces the terms of the contract nor exercises its rights to audit the service provider's, contractor's, or third party's systems might not be able to rely on the defence that it did not have reason to believe that those entities intended to use the personal information in violation of the CCPA and regulations at the time the business disclosed the personal information to those entities.
In addition to creating contractual requirements for vendors, the CPRA also introduces the concept of a cybersecurity assessment and charged the CPPA with developing regulations around the assessment in §1798.185(a)(15) of the Cal. Civ. Code. Specifically, the CPPA is charged with issuing regulations requiring businesses whose processing of personal information presents significant risk to consumers' privacy or security to perform an annual cybersecurity audit that is 'thorough and independent' and to submit a risk assessment to the CPPA on a regular basis.
While the CPRA does not define what constitutes a 'significant risk to consumers' privacy or security', it does state that factors to be considered when making this determination 'shall include the size and complexity of the business and the nature and scope of processing activities'. In other jurisdictions, significant risk to consumer privacy often includes processing involving sensitive personal information, profiling or automated decision-making, and the sale of personal information for targeted advertising purposes.
The CPRA requires that the cybersecurity assessment identify 'whether the processing involves sensitive personal information' and identify and weigh 'the benefits resulting from the processing to the business, the consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with that processing, with the goal of restricting or prohibiting the processing if the risks to privacy of the consumer outweigh the benefits resulting from processing to the consumer, the business, other stakeholders, and the public'.
Vendor risk management
In addition to the legal requirements listed above, there are a number of best practices related to vendor risk management that businesses may implement for CCPA compliance. Specifically, with respect to vendors, businesses should implement the following internal procedures:
- Create a vendor risk management procedure. Businesses should centralise and document processes and procedures for dealing with vendors, including having a list/database of vendors, a standard company data processing addendum for engaging vendors, and processes for evaluating vendor performance on a regular basis. Establish a contract management process to ensure that new/updated privacy terms are added to vendor agreements when necessary or when up for renewal.
- Create a process for onboarding new vendors, including creating a privacy and information security onboarding assessment or questionnaire. Businesses should work with their IT departments or consultants to develop questions that probe and analyse whether a vendor that they are looking to do business with:
- employs the required administrative and technical measures to protect personal data of consumers from unauthorised access or infiltration;
- maintains good privacy practices internally;
- keeps personal information confidential; and
- can process data subject requests as needed for compliance with the CCPA.
- Conduct and maintain regular data mapping (also known as data inventories). Whether using a data privacy technology platform or an internal mechanism, such as a spreadsheet, businesses should, if they have not already done so, conduct a comprehensive data mapping of their organisations' personal data systems. Such a mapping should include, among other things:
- sources of data;
- processing activities, generally categorised by business function (HR, legal, marketing, operations, IT, etc.);
- location of data assets (e.g., computers, servers, file drawers, cloud storage);
- data elements (e.g., contact information, financial information, sensitive personal information, biometric information, consumer profiles, etc.);
- data subjects (consumers, B2B customers, employees, beneficiaries, emergency contacts, vendors, etc.);
- retention periods; and
- who has/what entities have access to personal information.
Data inventories should be an organisation-wide process and should be updated at least annually. Some third-party privacy tools and platforms may integrate with software systems to provide real-time communication and automated data inventory.
- Establish a process to fulfil consumer requests that includes procedures to send data subject requests downstream to vendors as well as receive them from vendors. Larger companies may consider using privacy rights automation tools to handle a larger volume of consumer requests or to document compliance in accordance with CCPA requirements.
Vendor management is a critical component of the CCPA, and businesses should determine how to implement the legal requirements and best practices expeditiously and efficiently for compliance with the law. Organisations should also note that the CCPA is only one among other data privacy laws that impose vendor management requirements on them; other US state privacy laws and applicable international laws and regulations, such as GDPR, may have similar but sometimes different requirements. Organisations should therefore develop a comprehensive privacy program that addresses the laws in the various jurisdictions in which they operate.
Diana Iketani Iorlano Founder and Managing Attorney
Iketani Law Corporation, Los Angeles
1. 'Sell' means 'selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for monetary or other valuable consideration'. §1798.140(ad) of the Cal. Civ. Code.
2. 'Share' means 'sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged'. §1798.140(ah) of the Cal. Civ. Code.