Don’t wait to implement your California Consumer Privacy Act (CCPA) compliance as it could require changes to your operations. CCPA can apply to businesses even if they do not have offices or employees in California. It can also reach activities conducted outside of California. See our prior alert here to see if CCPA applies to your business.
Any entity processing personal information of California consumers on your behalf (i.e., your vendors and service providers) must have a written contract in place including specific language. Review the steps below to help bring vendor contracts in compliance with CCPA.
Consider that “consumers” is broadly defined as a resident of California for other than a transitory purpose and could include customers, employees, business contacts and others. CCPA broadly defines “personal information” and may capture pieces of information your business had not previously treated as personal information, and consequently may reach across your vendors broadly as well.
1) Then you will be required to update them.
Do we need to amend our existing vendor contracts to comply? If you answer “yes” to all of the questions below,
- Does CCPA apply to our company?
- Does our company use or share personal information of California consumers with any service providers?
- Will the contracts be in place on or after January 1, 2020 when CCPA applies?
2) How do we amend our existing vendor contracts? Either an informal agreement or more formal amendment could work if signed by and binding on both parties.
3) What about my new vendor contracts? Keep all this in mind for them, too.
4) What language must we add to existing or new vendor contracts to comply? Include these terms:
Prohibit the vendor from retaining, using or disclosing the personal information for any purpose other than the specific purpose of performing the services specified in the contract for your business (including retaining, using, or disclosing the personal information for a commercial purpose other than providing such services).
CCPA broadly defines “commercial purposes” in a manner that largely restricts the vendor’s ability to use the personal information for their own benefit outside of rendering services to your business. Engaging in speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism, is not within the meaning of “commercial purposes.”
POTENTIAL TRAP FOR THE UNWARY: CCPA requires additional actions to avoid being categorized as “selling” to your vendor the personal information you use or share with your vendor - even if the vendor was merely intended to help you process the data. To avoid this trap, additional terms are required to be included in the vendor contract and you are also required to make appropriate disclosures of the business purpose for which the data was shared with the vendor in your public privacy notice. CCPA enumerates acceptable business purposes, as a concept separate and distinct from the commercial purposes mentioned above.
This overview does not substitute for considering CCPA’s requirements in their entirety.