CCPA Data Processing Agreements with Vendors: Considerations for Ready-Made Forms
Simultaneously, it expanded businesses’ obligations on how to treat and manage consumers’ personal information. This alert covers key issues to consider when using ready-made forms during contract negotiations in light of CCPA requirements surrounding service providers.
What Does the CCPA Require for Service Providers?
The CCPA requires businesses to provide opt-out mechanisms, make disclosures in their privacy policies, register in a data broker registry for information indirectly collected, and coordinate with parties receiving such data if they engage in the “sale” of consumer information. “Sale” of information is defined to include selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating by any means a consumer’s personal information by the business to a third party for monetary or other valuable consideration. One exception to the “sale” is where a business contracts with a service provider to assist the business with managing the personal information within its control.
To meet the definition of a “service provider” and exempt data sharing practices from the definition of a “sale,” businesses must implement certain safeguards, including a written agreement that contains a certification that the service provider understands the CCPA requirements and will comply with them.
This agreement is often referred to as a data processing agreement (or addendum if it is appended to an existing master services agreement) (DPA). Standard, ready-made DPAs may be available from either of the negotiating parties or obtained from industry groups, such as the Limited Service Provider Agreement (LSPA) released by the Interactive Advertising Bureau in 2019. Businesses may find these “ready-made” or template DPAs to have many benefits, but they also have risks when they are not tailored to the specific needs of a business.
Below are key issues to consider when using ready-made DPAs, such as the LSPA, and practical guidance to use as an example on how to apply these tips.
First, ensure that the DPA applies the most recent updates in the CCPA. Although the CCPA is already in effect, businesses should ensure that their DPAs reflect the latest developments of the law. Importantly, the California Attorney General’s Regulations are now finalized. Future DPAs may need to implement additional requirements from CCPA’s successor, the California Privacy Rights Act of 2020, if it passes in the future.
Example: Certain sample documents released prior to 2020 do not incorporate the updates from more recent CCPA Proposed Regulations. For example, the LSPA still uses the 90-day look-back timeframe previously required for service providers to honor opt-out requests. However, the latest CCPA Proposed Regulation requires service providers to honor opt-outs from the date of the request.
Second, consider specific requirements associated with your business. Any ready-made forms should be reviewed to align with the business’ distinct operations and processes. For example, data subject requests must be processed within CCPA-imposed timeframes, and businesses need to flow down these timeframes to service providers and vendors. Creating a manageable internal and external response window will help all parties to provide updates within a certain time period to meet the deadline. Some businesses may have efficient systems in place, whereas others may need a majority of the timeframe to process requests. Consider discussing response windows with the IT team as well as any other key business stakeholders to address these requirements.
Example: Some ready-made documents may provide an efficient framework to address opt-out requests and processing, but businesses should consider additional provisions to address any external compliance to process a consumer’s CCPA right to delete in a timely manner.
Third, consider other data standards and laws that need to be addressed in a DPA. Be aware of the scope of the DPA. This is especially important as more states draft and pass privacy and data security laws. Although the CCPA is a key law to address, privacy laws from all applicable jurisdictions should be considered and addressed, where appropriate.
Example: Generic Service Provider Agreements may be limited to the CCPA’s service provider requirements and may not address other laws’ data breach requirements. These may include a business requiring its vendors to implement reasonable safeguards outlined in New York’s Stop Hacks and Improve Electronic Data Security Act or other international or domestic regulations.