California: Overview of Vendor Privacy Contracts
1. Governing Texts
1.1. Legislation
- California Consumer Privacy Act of 2018 ('CCPA'), under §§1798.100 to 1798.199 of Title 1.81.5 of Part 4 of Division 3 of the California Civil Code ('Cal. Civ. Code'), as amended by the California Privacy Rights Act of 2020 ('CPRA') (collectively the 'CCPA as amended')
- California Consumer Privacy Act Regulations ('the CCPA Regulations'), under §§999.300 to 999.341 of Chapter 20 of Division 1 of Title 11 of the California Code of Regulations ('CCR')
- §§1798.80 to 1798.84 of Title 1.81 of Part 4 of Division 3 of the Cal. Civ. Code ('the Data Security Law')
- Student Online Personal Information Protection Act ('SOPIPA'), under §§22584 to 22585 of Chapter 22.2 of Division 8 of the California Business & Professions Code ('Cal. Bus. & Prof. Code')
- Financial Information Privacy Act ('FIPA'), under §§4050 to 4060 of Division 1.4 of the California Financial Code ('FIN')
1.2. Regulatory authority guidance
The California Attorney General has not released any guidance in relation to vendor privacy contracts.
1.3. Regulatory authority templates
2. Definitions
Data controller: There is no definition of 'data controller'. Instead, the CCPA uses the term 'business', which is defined as (Cal. Civ. Code §1798.140(d)):
'(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners that collects consumers' personal information or on the behalf of which that information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers' personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
(C) Derives 50 percent or more of its annual revenues from selling consumers' personal information.
(2) Any entity that controls or is controlled by a business as defined in paragraph (1) and that shares common branding with the business. "Control" or "controlled" means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. "Common branding" means a shared name, servicemark, or trademark.'
SOPIPA itself applies to the operator of an internet website, online service, online application, or mobile application that has actual knowledge that the site, service, or application is used primarily for K–12 school purposes and was designed and marketed for K–12 school purposes (Cal. Bus. & Prof. Code §22584(a)). The general definition of 'operator' in Division 8 sits in the neighbouring Chapter 22 (the California Online Privacy Protection Act), not in SOPIPA: 'any person or entity that owns a Web site located on the Internet or an online service that collects and maintains personally identifiable information from a consumer residing in California who uses or visits the Web site or online service if the Web site or online service is operated for commercial purposes. It does not include any third party that operates, hosts, or manages, but does not own, a Web site or online service on the owner's behalf or by processing information on behalf of the owner' (Cal. Bus. & Prof. Code §22577(c)).
Under FIPA, a 'financial institution' is defined as 'any institution the business of which is engaging in financial activities as described in §1843(k) of Chapter 17 of Title 12 of the United States Code ('U.S.C.') and doing business in this state. An institution that is not significantly engaged in financial activities is not a financial institution. The term 'financial institution' does not include any institution that is primarily engaged in providing hardware, software, or interactive services, provided that it does not act as a debt collector, as defined in §1692a of Subchapter V of Chapter 41 of Title 15 of the U.S.C., or engage in activities for which the institution is required to acquire a charter, license, or registration from a state or federal governmental banking, insurance, or securities agency' (FIN §4052(c)).
Data processor: There is no definition of 'data processor'. However, the CCPA uses the similar term 'service provider', which is defined as 'a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer's personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business' (Cal. Civ. Code §1798.140(ag)).
In addition, under the CCPA Regulations, 'a business that provides services to a person or organization that is not a business, and that would otherwise meet the requirements and obligations of a 'service provider' under the CCPA and the Regulations, shall be deemed a service provider' (CCR §999.314(a)).
Under FIPA, a 'nonaffiliate third party' is defined as 'any entity that is not an affiliate of, or related by common ownership or affiliated by corporate control with, the financial institution, but does not include a joint employee of that institution and a third party' (FIN §4052(e)).
3. Contractual Requirements
3.1. Are there requirements for a contract to be in place between a controller and processor?
The CCPA provides that a service provider can only process information on behalf of a business and receive a consumer's personal information for a business purpose pursuant to a written contract (Cal. Civ. Code §1798.140(ag)).
A business purpose is defined as 'the use of personal information for the business's or a service provider's operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected' (Cal. Civ. Code §1798.140(e)).
In terms of service providers, a business purpose may include maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business (Cal. Civ. Code §1798.140(e)(5)).
The Data Security Law establishes that 'a business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party […] shall require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure' (Cal. Civ. Code §1798.81.5(c)).
Under SOPIPA, operators may disclose covered information (student information) only in certain cases, including to service providers under a contract containing prescribed terms (Cal. Bus. & Prof. Code §22584(b)(4)(E)).
Under FIPA, non-public personal information may be released by a financial institution to an affiliate or a nonaffiliated third party in order for the affiliate or nonaffiliated third party to perform business or professional services, such as printing, mailing services, data processing or analysis, or customer surveys, on behalf of the financial institution, provided that, among other things, there is a written contract between the affiliate or nonaffiliated third party and the financial institution (FIN §4056(b)(9)).
Finally, under FIPA, when a financial institution and an affinity partner (defined as an organization or business entity that is not a financial institution) have an agreement to issue a credit card in the name of the affinity partner, the financial institution will be permitted to disclose to the affinity partner in whose name the card is issued certain information pertaining to the financial institution's customers who are in receipt of the affinity card. In addition to other requirements, the financial institution must 'have a contractual agreement with the affinity partner that requires the affinity partner to maintain the confidentiality of the nonpublic personal information and prohibits affinity partners from using the information for any purposes other than verifying membership, verifying the consumer's contact information, or offering the affinity partner's own products or services to the consumer' (FIN §4054.6(c)(2)).
3.2. What content should be included?
Under the CCPA, the contract must prohibit the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by the CCPA, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business (Cal. Civ. Code §1798.140(ag)).
Under the CCPA Regulations, service providers cannot retain, use, or disclose personal information obtained in the course of providing services, except (CCR §999.314(c)):
- to process or maintain personal information on behalf of the business that provided the personal information or directed the service provider to collect the personal information, and in compliance with the written contract for services required by the CCPA;
- to retain and employ another service provider as a subcontractor, where the subcontractor meets the requirements for a service provider under the CCPA and these regulations;
- for internal use by the service provider to build or improve the quality of its services, provided that the use does not include building or modifying household or consumer profiles to use in providing services to another business, or correcting or augmenting data acquired from another source;
- to detect data security incidents or protect against fraudulent or illegal activity; or
- to comply with federal, state, or local laws, a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities, cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law, or exercise or defend legal claims.
Under SOPIPA, an operator may disclose covered information to a service provider only where the operator contractually (Cal. Bus. & Prof. Code §22584(b)(4)(E)):
- prohibits the service provider from using any covered information for any purpose other than providing the contracted service to, or on behalf of, the operator;
- prohibits the service provider from disclosing any covered information provided by the operator to subsequent third parties; and
- requires the service provider to implement and maintain reasonable security procedures and practices.
Under FIPA, contracts between financial institutions and the affiliate or nonaffiliated third party must prohibit the affiliate or nonaffiliated third party from disclosing or using the non-public personal information other than to carry out the purpose for which the financial institution disclosed the information, as set forth in the written contract (FIN §4056(b)(9)(B)).
In addition, a financial institution may market its own products and services or the products and services of affiliates or nonaffiliated third parties to customers of the financial institution as long as (FIN §4053(e)):
- nonpublic personal information is not disclosed in connection with the delivery of the applicable marketing materials to those customers except as permitted by FIN §4056; and
- in cases in which the applicable nonaffiliated third party may extrapolate nonpublic personal information about the consumer responding to those marketing materials, the applicable nonaffiliated third party has signed a contract with the financial institution under the terms of which:
  - the nonaffiliated third party is prohibited from using that information for any purpose other than the purpose for which it was provided, as set forth in the contract; and
  - the financial institution has the right by audit, inspections, or other means to verify the nonaffiliated third party's compliance with that contract.
4. Data Subject Rights Handling & Assistance
4.1. Are processors required to assist controllers with handling of data subject requests?
The CCPA provides that, 'a business that receives a verifiable consumer request from a consumer to delete the consumer's personal information […] must delete the consumer's personal information from its records and direct any service providers to delete the consumer's personal information from their records' (Cal. Civ. Code §1798.105(c)).
In addition, the CCPA Regulations provide that 'if a service provider receives a request to know or a request to delete from a consumer, the service provider shall either act on behalf of the business in responding to the request or inform the consumer that the request cannot be acted upon because the request has been sent to a service provider' (CCR §999.314(e)).
Moreover, service providers 'shall not sell data on behalf of a business when a consumer has opted-out of the sale of their personal information with the business' (CCR §999.314(d)).
Under SOPIPA, the operator must delete a student's covered information if the school or district requests deletion of data under the control of the school or district (Cal. Bus. & Prof. Code §22584(d)(2)). Where the operator has passed covered information to a service provider, the service provider is bound only by the contract terms SOPIPA requires, namely the restriction to the contracted purpose, the ban on onward disclosure, and the duty to implement and maintain reasonable security procedures and practices (Cal. Bus. & Prof. Code §22584(b)(4)(E)); the operator therefore needs a contractual mechanism to pass a school's deletion request through to the service provider.
For further information, see California – Data Subject Rights.
5. Processor Recordkeeping
5.1. Are processors required to keep records of their processing activities?
Service providers are not allowed to retain, use, or disclose personal information obtained in the course of providing services, except for the cases outlined in section 3.2. above.
While there are few provisions directly requiring processing records to be kept by vendors, there are several more general recordkeeping obligations. These include documentation requirements for businesses under the CCPA as well as registration procedures for data brokers and within certain sectors.
6. Security Measures
6.1. Are processors required to implement specific security measures? If so, what measures must be implemented?
Under the Data Security Law, nonaffiliated third parties must be contractually required to 'implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure' (Cal. Civ. Code §1798.81.5(c)). The statute does not prescribe particular controls; 'reasonable' is judged against the nature of the information held.
SOPIPA provides that covered information may be disclosed to service providers when they, among other things, are contractually required to implement and maintain reasonable security procedures and practices (Cal. Bus. & Prof. Code §22584(b)(4)(E)). Separately, the operator itself must implement and maintain reasonable security procedures and practices appropriate to the nature of the covered information, and protect that information from unauthorized access, destruction, use, modification, or disclosure (Cal. Bus. & Prof. Code §22584(d)).
7. Breach Notification
7.1. Are processors under an obligation to notify controllers in the event of a data breach? If so, are there timeframe and content requirements?
Under the Data Security Law, 'a person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of the breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person' (Cal. Civ. Code §1798.82(b)).
For further information, see California – Data Breach.
8. Subprocessors
8.1. Are subprocessors regulated? If so, what obligations are imposed?
Service providers may retain and employ another service provider as a subcontractor, where the subcontractor meets the requirements for a service provider under the CCPA and the CCPA Regulations (CCR §999.314(c)(2)).
9. Cross-Border Transfers
9.1. Do transfer restrictions apply to processors? If so, what restrictions and what exemptions apply?
Not applicable. For more information, see California – Data Transfers.
10. Regulatory Assistance
10.1. Are processors required to assist controllers with regulatory investigations?
The CCPA provides that obligations that are imposed on businesses do not restrict a business's ability to, among other things, 'cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law' (Cal. Civ. Code §1798.145(a)(3)).
11. Processor DPO / Representative
11.1. Are processors required to appoint a DPO / representative?
Not applicable. For more information, see California – Data Protection Officer Appointment.
12. Supervision & Monitoring
12.1. Are controllers obliged to supervise or monitor processors' compliance with the law and contract?
The CCPA provides that a business that discloses personal information to a service provider is not liable under the CCPA if the service provider receiving the personal information uses it in violation of the CCPA's restrictions, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. A service provider is likewise not liable under the CCPA for the obligations of a business for which it provides services (Cal. Civ. Code §1798.145). The 'reason to believe' qualifier means a business that ignores warning signs about a vendor's use of the data cannot rely on this safe harbour, which is the practical basis for ongoing vendor monitoring under the CCPA.
Under FIPA, the financial institution has the right by audit, inspections, or other means to verify the nonaffiliated third party's compliance with a contract (FIN §4053(e)).
Authored by OneTrust DataGuidance.