Earlier this month, the California Consumer Privacy Act (“CCPA”) became effective, with many companies scrambling to become compliant with the law. Although the law contains many ambiguities and the California Attorney General is still finalizing his draft regulations, companies are nonetheless building the legal frameworks they need to comply. Part of this compliance framework is the data processing addendum (“DPA”).
The data processing addendum concept was introduced when the General Data Protection Regulation (“GDPR”) was passed into law in Europe in 2016. Since the GDPR became effective in May 2018, the DPA concept has been ingrained in the contractual framework for data processing activities done on behalf of others. While DPAs are generally required under Article 28 of the GDPR, a DPA is not necessarily required by the CCPA, but there is a growing understanding of its benefits for data processing contracts between businesses, service providers, and third-parties.
Notably, the contract requirements come from the combination of the definitions of “service provider,” “third party,” and “business purpose.” A “service provider” “processes personal information on behalf of a business…for a business purpose pursuant to a written contract…and the contract prohibits the entity from retaining, using, or disclosing” it for a purpose other than the specified business purpose(s). “Business purpose” means “the use of personal information for the business’s or a service provider’s operational purposes, or other notified purposes.” Finally, a “third party” is defined by what it is not. A “third party” is not (1) a business that “collects” personal information from a consumer; or (2) a service provider bound by the contractual restrictions described above (or any other “person” bound by the same contractual restrictions). Additionally, an entity that would otherwise be a third party is not treated as one if it is covered by the written contract between the business and the service provider. Therefore, despite being two separate defined terms, the definitions of service provider and third party should be read together.
The written contract required by the CCPA is meant to flow down some of the business’s obligations to its service providers so that the business can meet its obligations to California consumers who exercise the rights the CCPA grants them. Specifically, a service provider must contractually agree that it is prohibited from (i) “selling” (as defined by the CCPA) the personal information it acquires from the business and (ii) retaining, using, or disclosing the personal information outside of the direct business relationship with the business or for any purpose other than the one specified in the contract. Further, the service provider must “certify” that it understands its contractual restrictions and will comply with them.
If you are a business or service provider, renegotiating every one of your service provider contracts individually could be cumbersome and costly. Instead, adding a standard DPA to your contract playbook could cut down on time-consuming negotiations while clearly establishing relationships that comply with the new data protection regimes.
January 10, 2020
Written by Stan Sater and Jeff Bekiares