What type of contractual provisions are included within service provider agreements in connection with consumer deletion requests?

Although the CCPA does not itself require that a service provider honor a deletion request that it receives directly from a consumer, a service provider may be contractually obligated to do so by a business.

Many businesses include a contractual provision in their agreement with a service provider requiring the service provider delete personal information that is processed on the business’s behalf at the direction of the business. A less specific “reasonable assistance” provision is also common, which obligates the service provider to reasonably assist the business in fulfilling a deletion request. Although here a service provider retains an argument that facilitating deletion when not required to do so by the CCPA may not be “reasonable assistance,” the existence of this provision signals that a business may be expecting the service provider to honor its deletion requests.

A business may assert that the contractual provisions which are required to meet the definition of “service provider,” imply that a service provider must honor a business’s deletion requests. However, the CCPA specifically allows a service provider to process personal information outside of its relationship to the service provider if such processing is “otherwise permitted by [the CCPA].” As discussed above, the CCPA permits a service provider to refuse a deletion request for a variety of reasons.2

Beyond CCPA specific provisions, a business may argue that other provisions in the agreement with a service provider require deletion of personal information at a business’s direction. If personal information fits the agreement’s definition of confidential information, the confidentiality provision may require confidential information be deleted or returned at the disclosing party’s direction. A provision where a service provider has agreed to abide by the business’s privacy policy may also create an argument that the service provider must delete personal information, depending on the drafting of the privacy policy. If a data protection agreement containing the GDPR’s required Article 28 processor provisions applies, the definition of “personal data” in those provisions may be broad enough to apply to CCPA personal information and thus require deletion.