The California Consumer Privacy Act of 2018 (“CCPA”) is arguably the most comprehensive - and complex - data privacy regulation in the United States. The CCPA was designed to emulate the European General Data Protection Regulation (“GDPR”) in many respects. As a result, United States companies that thought that they were not subject to the GDPR are now laser focused on the requirements of the CCPA and rushing to verify that their practices comply with the statute. While the CCPA was drafted with an eye toward the GDPR, it also differs from that regulation in many respects. As a result, companies that just finished their push to come into compliance with the GDPR now also must redirect their attention toward the CCPA.
Quick Overview
The CCPA allows businesses to share personal information with third parties or service providers for business purposes so long as there is a written contract that complies with the CCPA. Among other things, the CCPA prohibits any agreement or contract provision that seeks to waive or limit a consumer’s rights under the CCPA.
Comparison to Other Privacy Laws
Similar to the CCPA, the GDPR imposes certain requirements when a company uses a service provider. Both the CCPA and the GDPR require companies to contractually limit the service provider’s uses of personal information and to ensure the same restrictions that apply to the company will flow down to the service provider.
To Do List
To comply with the CCPA, companies should:
- Review existing agreements with service providers to identify potential gaps.
- Identify instances in which you may be using a service provider that has access to information about Californians and with whom you do not currently have agreements in place.
- Update agreements with service providers to ensure that they meet the new requirements of the CCPA.
How We Can Help
Companies across the globe have retained BCLP to draft service provider agreements, or review their service provider agreements to spot anything that might be considered out of compliance with legal or regulatory requirements.
Cross References
| CCPA Provisions | GDPR Provisions |
|---|---|
| Cal. Civil Code 1798.140(v), (w); Cal. Civil Code 1798.145(h); Cal. Civil Code 1798.192 | Recital 81; Article 28 |