CPRA, an Introduction
The California Privacy Rights Act (CPRA) was overwhelmingly approved by California residents in November 2020, and is aimed at enhancing the existing California Consumer Privacy Act (CCPA). The CPRA builds on and amends the CCPA by increasing consumers’ privacy rights. In November 2022, the California Privacy Protection Agency (CPPA) finally began enforcing most CPRA provisions. Because service providers must comply with CCPA and CPRA requirements, they need to set clear procedures to manage their compliance with this rapidly moving legal framework.
Like its predecessor, the CCPA, the primary goal of the CPRA is to protect individuals’ personal information collected by businesses in California through the online collection of information. It is more comprehensive than the CCPA in the sense that it expands consumers’ rights with a concern for other individual qualities, beginning with four new consumer rights in addition to four from the CCPA. These are the right to correction, the right to limit use and disclosure of sensitive personal information (SPI), the right to equitable and reasonable processing, and the right of no retaliation for exercising privacy rights. The two additional consumer rights under the CPRA are discussed in the sections below. In addition, the CPRA establishes three new data protection rights: the right to data portability, the right of action in the event of a data breach, and the right to not discriminate.
The CPRA also renames the CCPA’s "California Attorney General" as the "California Privacy Protection Agency" (the "Agency") and gives new enforcement responsibilities to the Agency.
What is a Service Provider under CPRA?
A "service provider" is generally defined a "contractor to whom a business makes available a consumer’s personal information for a business or commercial purpose pursuant to a written contract that prohibits the contractor from retaining, using, or disclosing the personal information for any purpose other than the specific purpose for which the information was shared." In the CPRA’s context, the service provider must only use personal information "on behalf of the business." As an example, if a company provides an app or service that requires the collection of the user’s contact information (or other personal information), that company is a service provider for purposes of the CPRA. If a company collects contact information from its customers via a web form and uses a cloud-based email marketing tool to market to those customers, that company is still a service provider. If the marketing tool does not require the provision of contact information, that service provider may not technically be subject to the complex CPRA disclosure requirements for service providers, but the need for a contract that ties those service provider requirements to the company’s disclosure requirements is just as important to ensure compliance with the CPRA.
Beyond contractual requirements to protect the data and only use it for purposes described in the contract, the CPRA clarifies the following obligations for service providers: The bar for determining the existence of a service provider contract under the CPRA is low, and the protections and benefits for both parties are substantial.
Core CPRA Requirements for Service Providers
Service providers must comply with several key requirements under the CPRA in relation to their handling of personal information received from a business (client). First, service providers may only "retain, use, and disclose" personal information to perform the services specified in their contract with the business. Service providers are prohibited from using such information for any purpose outside the scope of that contract. As we noted in our earlier post, the final text of the CPRA states that service provider agreements must specify that the limitations on collection, use, retention, and disclosure of personal information will be maintained by the service provider for as long as the information is retained. Some CPRA compliance experts have suggested that service providers should be required to maintain such limitations for as long as they maintain the personal information. However, it should not be necessary or expected to contract away data protection laws or encourage the view that service providers are not bound by any data protection laws when they are licensed or permitted to use the personal information.
In addition, while a service provider can contractually authorize another service provider to use the personal information in order to perform services on behalf of a business (client), it may not further disclose the personal information to a separate third-party entity without the express authorization of the business or client (in other words, a "CDPA" – contract for the sale or disclosure of personal information), or as otherwise permitted by the CPRA (e.g., if authorized by the individual). This requirement impacts disclosures for purposes of aggregated and deidentified information, as discussed above.
Unlike processors under GDPR Article 28, companies under the CPRA are not expressly prohibited from "engaging" another entity to provide services. Nothing in the above requirements expressly prohibits the engagement of another service provider. However, businesses should consider whether it would be appropriate, or required, to restrict a service provider from engaging another service provider.
In addition, a service provider must ensure that any authorized third-party subprocessor it "engages" to perform a portion of its business obligations or services pursuant to a contract with the business upholds the same restrictions on its use of personal information as set out in the contract with the business.
Contractual Requirements with Service Providers
A Deeper Dive into Contractual Obligations with Service Providers
As noted in our Introduction, if a business sells personal information to a third party, under CPRA Section 1798.100(b), it must enter into a contract specifying that the service provider or contractor is receiving the information only for the purpose of processing that information on behalf of the business, and that it will not collect, retain, use or disclose the personal information for any other purpose. The business is required to determine that the service provider contract does not violate this requirement. Again, the CCPA (and now the CPRA) is often a "reasonable" standard. What this means is that a business must take reasonable steps to ensure that it is complying with contractual requirements imposed on its service providers. For example, it would not be unreasonable for a business to ask its service provider for a certification that it will comply with restrictions in the contract; but it would be unreasonable for the business to require its vendor to install persistent surveillance mechanisms on its employees to track compliance with the contractual terms. The CPRA wants to ensure that the business takes the necessary steps to avoid "willful blindness" of the activities of its service providers when it comes to possible disclosure(s) of personal information to unintended recipients; e.g., if the service provider is using a cloud computing environment, the business should confirm that the service provider has adequate security measures in place to avoid the accidental exposure of consumer data (e.g., by encrypting certain types of data at rest). The CPRA tries to accomplish this by requiring the contract to include specific terms for service providers and for contractors. Similar requirements are included in many existing vendor contract templates, so these contractual obligations should not be surprising or overly burdensome to either businesses or their vendors.
The important thing is to become familiar with the CPRA requirements, and to understand them as part of the normal contract termination and renewal process. In the case of a new vendor/contractor, the contract should be reviewed from the perspective of the CPRA.
Data Minimization and Purpose Limitation
Among the CPRA’s many disclosures, it continues the trend from the GDPR of requiring data minimization and purpose limitation from service providers. Indeed, a "service provider" under the CPRA is only one "that processes information on behalf of a business pursuant to a written contract between the business and the service provider," and only "[f]or purposes of performing business purposes for the business as provided by regulation." The CPRA has a litany of purposes: auditing consumer interactions; detecting security incidents; debugging functionality; short- or long-term transient use; performing services on behalf of a business; verifying and maintaining quality or safety; undertaking internal research for technological development and demonstration; and undertaking activities to verify or maintain quality or safety.
These requirements are significant in a service provider context because they add a new layer of compliance obligations that will likely be layered onto existing contracts. A secondary effect of these requirements is that they will allow parties to argue for restrictive contractual terms that limit their exposure under other aspects of the CPRA. For example, when a party is a service provider to a business, if that service provider believes that the business’s disclosure of a consumer’s personal information goes beyond the limitations of purpose, then the service provider can rely on its contractual limitations with the business to defend against potential liability under the CPRA. Therefore, service agreements are going to take on new, substantive roles that go beyond the limited scope of liability avoidance and should be treated as such.
Consequences for Violation
Service providers are a critical link in the personal information value chain. Just as businesses that sell goods and services to California consumers are subject to CPRA’s extraterritorial reach, so too are the service providers who process or manage this data. To that end, service providers will face both civil and administrative penalties for failure to comply with the CPRA.
Civil Case Penalties
The three civil enforcement agencies under the CPRA have significant penalties at their disposal: $2,500 for each unintentional violation and $7,500 for each intentional violation. It is important to know that the categories of provocative conduct justifying elevated penalties for intentional violation are comprehensive and drawn broadly. For example, intentional failure to cure a violation may include acts that fall short of affirmative action but nonetheless show indifference or carelessness to consumer privacy rights.
Administrative Penalties
In addition, the California Attorney General – tasked with creating a private right of action under the CPRA – has sought legislative authority to impose administrative penalties for CPRA violations and, as of this writing, is still pursuing that goal. Specifically, the Attorney General seeks to create a $2,500 penalty for unintentional violation and $7,500 for intentional violation for administrative enforcement of the CPRA.
These administrative penalties would create an alternative to private enforcement. They would be nexus-based, falling within the Attorney General’s gatekeeping enforcement threshold criteria. These penalties would be complementary to the private right of action created by the final regulations under the CPRA and would apply to the same types of violations: procedural and substantive. These penalties would be in addition to the $100 to $750 civil penalty created by statute for each incident of consumer data breach.
Ways to Ensure Compliance
Service providers should begin by completing a data audit that includes examining: the types of personal information they process on behalf of California customers, how they process the information, and for what purposes. If a service provider already maintains such information, it should work with its counterpart within the business to determine what CPRA requirements will likely apply. It typically only takes service providers a couple of days to gauge how an existing relationship works and the types of personal information they receive in connection with that relationship. Then, if there are any potentially significant issues that require further analysis or action, the service provider can address them proactively with its client (or the client could do the same with the service provider). Service providers also should promptly assess whether their existing contracts with clients are compliant and, if not, commence renegotiating the contracts. This requires reviewing CPRA requirements, as well as provisions included in contracts designed to help the parties comply with the CPRA. For example, such a provision would require the service provider and client to notify each other of a suspected security breach of personal information. Contracting for compliance can pave the way for identifying and resolving many potential issues. In terms of ensuring CPRA compliance, and to set themselves up for success, service providers should gradually expand the data audit by examining the personal information they receive from all sources, how they use it, for what purposes they use it, and, most importantly, for how long they retain the information. This is because the CPRA and CCPA impose stricter rules on the retention of personal information.
A key step in the auditing process is to identify what categories of personal information the business is actually retaining and its plans for deletion, particularly when (i) information is retained longer than necessary or practicable for its original purpose, (ii) retention is inconsistent with a business purpose limitation, or (iii) the business has fulfilled its retention obligations. Most businesses retain some personal information through third-party service providers. Thus, in addition to what they retain, businesses with service providers should start the thoughtful analysis of what their service providers are retaining, for what purposes, and for how long.
Conclusion: The Potential Future of Data Privacy Laws
While the CPRA is likely to be implemented in California within the next couple of years, there is no doubt that this won’t be the last time legislation is enacted around the issue of data privacy. With more and more individuals becoming conscious of how their information is being collected and used and at what cost, there are no signs of data privacy regulation slowing down. As a result, even though businesses may be preparing for the landmark CPRA – treading carefully with data processing activities and scrutinizing their relationships with data service providers – it’s imperative to keep in mind the next round of legislation that is currently being discussed and may come into effect a few years down the road. Complying with one round of data privacy laws requires not only substantial investment, time, resources, and effort, but also a proactive approach through ongoing updates to policies and the careful implementation and monitoring of compliance procedures to ensure the effectiveness of a company’s compliance program. The prospect of future legislation puts significant pressure on businesses to stay a step ahead – yet another challenge to deal with while trying to maintain business as usual.