5 • Service providers’ use of personal information is limited to, well, providing services
Although the CCPA allows businesses to transfer personal information to “service providers” without the transfer being a “sale” of the personal data, it was a little vague on what service providers could do with the personal information once they got it. The final regulations now expressly prohibit service providers from retaining, using, or disclosing personal information obtained in the course of being a “service provider” except as necessary to provide services in compliance with their written contract and for four other limited circumstances.
What’s next, California?
On November 3, 2020, California voters will get the chance to vote on the California Privacy Rights Act of 2020, a new privacy law that is similar to the CCPA but with some add-ons (think of it as “CCPA 2.0”). Among other things, the CPRA would create a new regulatory entity with a $10 million budget (the “California Privacy Protection Agency”) to replace the attorney general’s office as the regulator enforcing the CPRA. The CPRA also would grant consumers additional rights, would require businesses to enter into contracts with all entities to which the business discloses personal information, and would eliminate the CCPA’s current 30-day “cure” period.
And in good news for businesses, the CPRA would extend the CCPA’s employee and business-to-business limitations to January 1, 2023. Current polling shows that the CPRA is enjoying a 90% approval rating among California voters. (By the way, the employee and B2B exemptions enjoy widespread support. On September 2, 2020, the California legislature voted to extend the current employee and B2B exemptions to January 1, 2022, even if the CPRA is not approved by voters (AB 1281). Governor Gavin Newsom has until September 30, 2020 to sign AB 1281 into law.)