With the increase in cyber breaches in recent years, businesses that work with third parties incur the risk of various data security issues arising from interactions with entities outside the business’s direct control. (The California Consumer Privacy Act (“CCPA”) defines a third party as a person or organization that is neither: (1) a business that collects personal information from consumers under the CCPA, nor (2) a person to whom the business discloses a consumer’s personal information for a business purpose pursuant to a written contract with the necessary stipulations included.) Such risks can expose businesses to potential liability and extensive litigation. To prevent this, businesses must take active steps to secure personal information that third parties may access and ensure that their affiliation with third parties complies with the requisite standards under the CCPA and the California Privacy Rights Act (“CPRA”).
CCPA’s Impact on Third Parties
The CCPA sets forth categories of third parties, referred to as “third-party vendors” and “service providers.” A service provider is a person or entity that processes personal information on behalf of a business. If the business discloses a consumer’s personal information to such a party, the contract governing that party’s use of the personal information must prohibit it from: (1) selling the personal information; (2) retaining, using, or disclosing the personal information for any purpose other than performing the services specified in the contract; and (3) retaining, using, or disclosing the information outside of the direct business relationship between the party and the business. The third party receiving a consumer’s personal information must certify its understanding of the aforementioned requirements and its willingness to comply with them.
The CPRA’s Impact on Third Parties
In addition to the two categories of third parties set forth in the CCPA, the CPRA (which passed in November 2020 and will become fully operative on January 1, 2023) added “contractor” to the list of entities. The CPRA defines a contractor as a third party to whom a business makes a consumer’s personal information available for a business purpose. Contractors are still required to enter into a written contract and to meet the requirements set forth under the CCPA relating to the protection of consumers’ personal information.
The Importance of CCPA- and CPRA-Compliant Contractual Language
Both the CCPA and the CPRA set forth various required parameters for the language used in contracts between businesses and third parties. For example, the CCPA requires that contracts state that a service provider (1) cannot sell personal information or disclose it for any purpose other than the specific contractual purpose; (2) cannot collect, sell, or use the consumer’s personal information except as necessary to perform the business purpose; and (3) certifies that it understands the restrictions of being a service provider and will comply with them. Companies subject to these laws must ensure compliance by including the detailed language set forth in the CCPA and CPRA in their contracts.
What You Should Do Now
Due to the recent increase in cyber threats, it is more important than ever for businesses to minimize security risks when interacting with third parties and to ensure that they comply with the CCPA’s and CPRA’s requirements when working with them. Businesses should be aware of the evolving cyber threats to which their networks may be exposed and should train employees on preventative measures relating to the business’s interactions with outside entities.