Privacy & Data Management Blog

The proposed Consumer Privacy Protection Act (“CPPA”) is intended to replace the Personal Information Protection and Electronic Documents Act. The current text of the CPPA introduces the new concept of “service providers,” and may require organizations to take a different approach to their vendor and service provider agreements.

See our previous blogs about the CPPA’s proposed privacy management program requirements and changes to consent requirements.  

Service Providers Under the CPPA is a Broader Category Than You Might Think

The CPPA defines a service provider as an organization, including a parent corporation, subsidiary, affiliate, contractor or subcontractor that provides services for, or on behalf of, another organization to assist the organization in fulfilling its purposes. Under the CPPA, your organization ought to have appropriate agreements addressing privacy and security as between related companies, as well as vendors and service providers.

Beware: the Obligations are on Organizations Transferring Information

The CPPA requires organizations to ensure that any service providers that they transfer personal information to are in compliance with the CPPA and provide an equivalent level of protection. This “equivalent protection” obligation, as well as any associated penalties for noncompliance, applies only to the organization that transfers personal information. Organizations should ensure that any service providers they work with are under contractual obligations to provide the required level of protection.

Practically speaking, a simple commitment that the service provider will “comply with applicable laws” may not be satisfactory. This is because service providers are not necessarily required to comply with significant portions of the CPPA in respect of the personal information they receive.

Limited Obligations on Service Providers Receiving Information

Only if a service provider collects, uses, or discloses personal information for a purpose other than the purposes for which the information was transferred to it, then the service provider will be subject to the “equivalent protection” obligation.

Service providers must always use safeguards that are commensurate to the sensitivity of the personal information that they handle. They must also report to the primary organization that controls the organization in the event of a security breach.

Will Your Organization Get Enough Information to Satisfy Breach Reporting Obligations?

The primary organization with control over personal information typically has the responsibility to assess and report an incident. The CPPA probably does not include enough specificity for your organization to get the information it needs from service providers to fulfill these requirements, so appropriate contractual terms will probably be necessary. Primary organizations also have an obligation to keep records of all security breaches involving personal information under their control, so the service provider ought to be contracted to do that where appropriate.

Will Your Organization be able to Address Individual Rights?

Following an individual’s request, organizations must be able to provide access to or correct personal information. The CPPA adds a further requirement that organizations dispose of, and ensure that service providers dispose of, the individual’s personal information. Because the CPPA does not place corresponding obligations on service providers, organizations should consider including these requirements in their contracts.

How Can Organizations and Service Providers Prepare?

a) Review and build out company processes, procedures, and policies to ensure compliance with CPPA standards.

This process will not look the same for all organizations. As your organization prepares for the CPPA, look at the personal information that your organization collects and ensure that (1) the level of protection your organization provides is proportionate to the sensitivity of the information, (2) your organization establishes safeguards that consider the quantity, distribution, format, and method of storage used for the information, (3) your organization’s security safeguards adequately protect against loss, theft, and unauthorized access, disclosure, use, copying, and modification, and (4) you have included reasonable measures to authenticate the identity of the individual to whom the personal information relates.

Once you have reviewed the security safeguards that your organization will use, build out the processes within the organization and map out how it will work. Documenting these processes will support the Privacy Management Program requirements.

b) Conduct a personal information transfer audit.

Take stock of all service providers that you have transferred personal information to, or all organizations that you have received personal information from. Once you have compiled a list, review and amend the relevant contracts to ensure that you are in compliance with your organization’s obligations under the CPPA. Implement a system to internally track all the service providers that your organization transfers information to, or organizations that you receive personal information from, to ensure that future audits of such agreements can be conducted quickly and easily.

c) Establish organizational guidelines for efficient contract reviews and negotiations.

Organizations should consider creating internal guidance that can be referenced during contract negotiations to ensure that agreements with service providers will meet the “equivalent protections” obligation. This checklist should include obligations that the CPPA imposes directly on service providers, such as providing adequate safeguards, as well as obligations imposed indirectly on service providers through organizations, such as incident reporting and keeping records of security breaches.

If your organization has any questions about service providers, other obligations under the CPPA or data privacy generally, we would be pleased to help you. Please contact a member of our Privacy & Data Management Group.