- 1798.100 – Consumers' right to receive information on privacy practices and access information
- 1798.105 – Consumers' right to deletion
- 1798.110 – Information required to be provided as part of an access request
- 1798.115 – Consumers' right to receive information about onward disclosures
- 1798.120 – Consumer right to prohibit the sale of their information
- 1798.125 – Price discrimination based upon the exercise of the opt-out right
Is a Service Provider Responsible if its Client Violates the CCPA?
In order to be considered a “service provider” for the purposes of the CCPA, a vendor must be bound by a written contract that prohibits it from:
- retaining the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,”
- using the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title,” or
- disclosing the personal information “for any purpose other than for the specific purpose of performing the services specified in the contract . . . or as otherwise permitted by this title.”
If a service provider negotiates an agreement with a client that contains the three provisions above, the CCPA states that the service provider will “not be liable” in the event that its client fails to fulfil the client’s obligations as a “business” under the Act. So, for example, a service provider should not be liable if its client fails to post a privacy notice, inaccurately describes its sharing practices, or fails to disclose that it has transferred personal information to the service provider.
Is there an obligation to monitor service providers under the CCPA?
The CCPA allows businesses to share personal information with third parties or service providers for business purposes so long as there is a written contract that complies with the CCPA. Among other things, the CCPA prohibits any agreement or contract provision that seeks to waive or limit a consumer’s rights under the CCPA.
Comparison to Other Privacy Laws
Similar to the CCPA, the GDPR imposes certain requirements when a company uses a service provider. Both the CCPA and the GDPR require companies to contractually limit the service provider’s uses of personal information and to ensure the same restrictions that apply to the company will flow down to the service provider.
To Do List
To comply with the CCPA, companies should:
- Review existing agreements with service providers to identify potential gaps.
- Identify instances in which you may be using a service provider that has access to information about Californians and with whom you do not currently have agreements in place.
- Update agreements with service providers to ensure that they meet the new requirements of the CCPA.
How We Can Help
Companies across the globe have retained BCLP to draft service provider agreements, or review their service provider agreements to spot anything that might be considered out of compliance with legal or regulatory requirements.
Cal. Civil Code 1798.140(v), (w)
Cal. Civil Code 1798.145(h)
Cal. Civil Code 1798.192