The CCPA and CPRA: Risks and Obligations with Third Parties

Jun 23, 2021 Published Article

With cyber breaches increasing in recent years, businesses that share data with third parties face data security risks arising from interactions with entities outside the business’s direct control. The California Consumer Privacy Act (“CCPA”) defines a third party as a person or organization that is neither (1) the business that collects personal information from consumers under the CCPA nor (2) a person to whom the business discloses a consumer’s personal information for a business purpose pursuant to a written contract containing the required restrictions. These risks can expose businesses to potential liability and extensive litigation. To prevent this, businesses must take active steps to secure personal information that third parties may access and ensure that their relationships with third parties comply with the requisite standards under the CCPA and the California Privacy Rights Act (“CPRA”).

CCPA’s Impact on Third Parties

The CCPA sets forth categories of third parties, referred to as “third-party vendors” and “service providers.”  A service provider is a person or entity that processes personal information on behalf of a business.  If the business discloses a consumer’s personal information to such a recipient, the written contract governing the recipient’s use of that information must prohibit the recipient from: (1) selling the personal information; (2) retaining, using, or disclosing the personal information for any purpose other than performing the services specified in the contract; and (3) retaining, using, or disclosing the information outside of the direct business relationship between the recipient and the business. The recipient must also certify that it understands these restrictions and will comply with them.

The CPRA’s Impact on Third Parties

In addition to the two categories of third parties set forth in the CCPA, the CPRA (which passed in November 2020 and will become fully operative on January 1, 2023) added “contractor” to the list of entities.  The CPRA defines a contractor as a person to whom a business makes a consumer’s personal information available for a business purpose pursuant to a written contract.  Contractors are still required to enter into a written contract and to meet requirements corresponding to those set forth under the CCPA relating to the protection of consumers’ personal information.

The Importance of CCPA- and CPRA-Compliant Contractual Language

Both the CCPA and CPRA set forth various necessary parameters for the language used in contracts between businesses and third parties.  For example, the CCPA requires that a contract state that a service provider (1) cannot sell personal information or disclose it for any purpose other than the specific contractual purpose; (2) cannot collect, sell, or use the consumer’s personal information except as necessary to perform the business purpose; and (3) certifies that it understands the restrictions that apply to a service provider and will comply with them. Companies subject to these laws must ensure compliance by using contract language that tracks the detailed requirements set forth in the CCPA and CPRA.

What You Should Do Now

Due to the recent increase in cyber threats, it is more important than ever for businesses to minimize security risks when interacting with third parties and to ensure that they comply with the CCPA’s and CPRA’s requirements for working with third parties.  Businesses should be aware of the evolving cyber threats to which their networks may be exposed and should train employees on preventative measures relating to the business’s interactions with outside entities.

How Newmeyer Dillion Can Help

Our team can help assess your business and assist in creating a plan to minimize data risks from third-party entities. We also have an extensive network of technical experts to assist your business in achieving appropriate cybersecurity protections.  Our team can also assist by drafting the appropriate contractual language to satisfy the CCPA and CPRA.

Our Data Privacy & Security Task Force attorneys are available for consultation by contacting our office at 949-854-7000.