With the enforcement of the California Consumer Privacy Act ("CCPA") commencing on July 1, 2020, many businesses should be taking a close look at their CCPA service provider agreements. By way of background, the CCPA is a consumer-friendly privacy law that applies to various entities and their respective service providers. The CCPA provides consumers with protections and choices with respect to how their personal information is collected, used and shared by businesses and other entities. Consistent with the foregoing, the CCPA requires businesses to ensure that their service providers and other third-party partners refrain from exploiting the personal information that is shared with them.

The CCPA defines "service provider" as any entity "that processes information on behalf of a business and to which the business discloses a consumer's personal information for a business purpose pursuant to a written contract." Further, the CCPA contains an expansive definition of "personal information," which includes "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."

Based on the foregoing, if they have not already done so, companies need to: 1) revise CCPA service provider agreements on a going-forward basis; and 2) draft CCPA-compliant amendments to existing agreements to ensure that their respective service provider partners are contractually obligated to refrain from using consumer information for prohibited commercial purposes.

Should I Revise My Service Provider Agreements for CCPA Compliance Purposes?

CCPA Service Provider Contractual Requirements

The CCPA requires that businesses impose a contractual obligation on service providers and vendors mandating that those entities refrain from exploiting consumer information that is provided to them. Specifically, businesses must prohibit service providers from retaining, using or disclosing consumer personal information "for any purpose other than the specific purpose of performing the services specified in the contract." This prohibition includes using or disclosing such personal information for marketing purposes, or any other commercial purpose.

Service Provider Liability and the CCPA

If a business's agreements, and amendments thereto, are properly drafted, that business will likely not be held responsible if one of its service providers uses consumer information in a manner that is not permitted by the CCPA. Given the importance of properly drafted service provider agreements (and any amendments thereto), it is essential that businesses consult with experienced counsel to ensure that all CCPA service provider requirements are properly incorporated into applicable contractual documents.

If you are interested in learning more about this topic or require assistance in connection with CCPA compliance for your business, please e-mail us at info@kleinmoynihan.com, or call us at (212) 246-0900.

The material contained herein is provided for informational purposes only and is not legal advice, nor is it a substitute for obtaining legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.


Originally published 07 July, 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.