Beginning in 2020, California residents will have the right to opt out of the sale of their personal information under the California Consumer Privacy Act of 2018 (CaCPA or also called CCPA). It is time to revisit your third-party service provider agreements.  Companies now have two reasons to ensure that service provider agreements restrict the use or sale of personal information: to comply with CaCPA and to reduce risk of an FTC enforcement action.

CaCPA’s Impact on Third Party Data Sharing

Perhaps you are thinking that your company does not “sell” information to third parties, so the opt-out right does not impact your company. CaCPA, however, broadly defines the term “sale”, and the definition covers disclosure to third parties: the term “sale” includes “releasing, disclosing, disseminating, making available, transferring or otherwise communicating . . . a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration”. Senate Bill 1121, Cal. Civ. Code § 1798.140 (t)(1) (emphasis added).  An important exception to this prohibition is sharing personal information with a service provider when:

1. it is necessary to perform a “business purpose” (as defined in the statute),
2. the business has provided notice of the using or sharing in its privacy policy, and
3. the service provider does not further collect, sell, or use the personal information other than to perform the business purpose.

Thus, to take advantage of the exception to a California resident’s opt-out right, companies must conduct a review of all service provider agreements to ensure that contracts appropriately restrict service providers from using personal data beyond the specific business purpose. In preparation for CaCPA coming into effect, companies should conduct a review of the service providers who receive personal data from the company and the agreements governing those relationships.  Where necessary, companies should begin renegotiating the data privacy and security terms in those agreements.

FTC Expectations for Third Party Data Sharing

Although the opt-out right is a new privacy right in the United States, from a compliance perspective, the new California law is largely consistent with the FTC’s ongoing enforcement efforts under Section 5 of the FTC Act and routine guidance provided to businesses.  FTC enforcement actions in recent years illustrate that the FTC expects companies will oversee third party vendors’ data practices. The FTC is willing to hold companies responsible for the actions of third parties with whom companies share data.  A company that turns a blind eye to what a vendor is doing runs the risk of an enforcement action under Section 5 of the FTC Act.

1. Ensure that service provider agreements restrict use of personal information.

Conducting due diligence on a vendor prior to entering into an agreement and negotiating appropriate restrictions on the vendor’s use of personal information is an important first step in complying with both CaCPA and Section 5 of the FTC Act.  Last month, in In the Matter of Blue Products, the FTC brought an enforcement action against Blue Products, Inc., a mobile device manufacturer who sold devices to major retailers.  Blue Products, Inc. licensed firmware from ADUPS Technology Co., LTD and installed the software on Blue Products mobile devices.  Once ADUPS software was installed, ADUPS has full administrative access and control of Blue Products, Inc.’s devices. As a result, the ADUPS software transmitted personal information about consumers to ADUPS servers without consumers’ knowledge and consent.  ADUPS had access to personal information that was not needed to perform its services for Blue Products, Inc.  The FTC found that Blue Products, Inc. had (1) failed to assess or evaluate the privacy and security practices of ADUPS prior to entering into an agreement with ADUPS, (2) failed to contractually require ADUPS to adopt and implement data security standards, policies, procedures and practices, (3) failed to limit the disclosure of consumer information to ADUPS only to the extent necessary for ADUPS to perform its services on behalf of Blue Products and not for any other purposes, and (4) failed to oversee the practices of ADUPS.  Moreover, failing to implement appropriate restrictions on ADUPS’ collection and use of personal data contradicted promises made in Blue Products’ privacy policy.

Before entering into a business relationship or upon renewal of an agreement, the preliminary work of investigating a third party’s data practices and whether appropriate limitations on the use of personal data are in place is an important first step in demonstrating reasonable security measures.

2. Ensure that service provider agreements impose data privacy and security obligations on the service provider.

A vendor’s security practices, or lack thereof, are a reflection of the adequacy of a company’s information security program. In In the Matter of GMR Transcription Services Inc., the FTC alleged that GMR Transcriptions hired a service provider to transcribe sensitive audio files, but failed to require the service provider to take reasonable security measures as part of its contract with the service provider.  Files containing highly confidential health-related information were widely exposed on the internet.  The FTC’s complaint faulted GMR Transcription for failing to include contractual provisions that would have required the service provider to adopt reasonable security measures, such as encryption.  The FTC required the company to establish a comprehensive information security program, including the information that GMR Transcription provided to service providers.

This settlement signals that the FTC considers third party service provider contracts to be within the scope of a comprehensive information security program. Including appropriate contractual obligations regarding data privacy and security is an important second step in any vendor relationship.

3. Verify that third parties are complying with contractual obligations.

Finally, a company cannot rely on a vendor’s word when it comes to compliance with the vendor’s data privacy and security obligations. While obligations in a contract are a necessary and important step, the FTC’s expectation is that a company will exercise oversight over its vendors.  The FTC has brought enforcement actions based on a company’s failure to take adequate measures to ensure that its service provider employed reasonable and appropriate measures to protect consumer information and to collect information in manner that is consistent with the service provider agreement. To minimize risk of FTC scrutiny, companies should negotiate an audit right in contracts to gain visibility into how a service provider is handling the personal data it receives from the company.

With the adoption of CaCPA, companies have further reason to conduct a review of all service provider agreements. Setting aside CaCPA compliance obligations, FTC enforcement actions over recent years also illustrate the need for ensuring that contracts include restrictions on the use of personal information, require service providers to follow appropriate data privacy and security measures, and include audit rights for the company to confirm that contractual obligations are followed.  For more guidance and tips from the FTC, please visit the FTC’s Cybersecurity for Small Business site on vendor security.