Friday, November 27, 2020
As mentioned in Q 204, the CCPA requires that a service provider agree to a few substantive restrictions involving the retention, use, and disclosure of personal information. The CPRA ostensibly expands upon the three substantive contractual restrictions by referring to 9 additional provisions that must be included within a service provider agreement. The following chart compares the substantive service provider contractual provisions under the CCPA with those that will be required by the CPRA starting January 1, 2023:
| Requirement | CCPA | CPRA |
| --- | --- | --- |
| Retention Restrictions | | |
| 1. Delete or return information. Agreement must require that a service provider delete or return information at the end of an engagement (i.e., not retain information). | ✓[1] | ✓[2] |
| Use Restrictions | | |
| 2. Use Restrictions. A service provider can only process personal information per a business’s instructions (i.e., not use it for something other than to perform services under the agreement or improve the quality of services). | ✓[3] | ✓[4] |
| 3. Stop unauthorized use. Agreement permits the business to, upon notice, take reasonable and appropriate steps to stop and remediate unauthorized use of personal information. | X | ✓[5] |
| 4. Grants business reasonable rights. Agreement grants the business the right to take “reasonable and appropriate steps” to help ensure that the service provider “uses” personal information per the business’s legal obligations. For example, these might include reasonable audit rights. | X | ✓[6] |
| 5. Combining personal information from multiple clients. Agreement prohibits a service provider from “combining the personal information” that it receives from one business with the personal information that it receives from another business (or collects from its own interaction with consumers), except if it relates to a business purpose identified by regulations to be adopted by the California Privacy Protection Agency. | X/✓[7] | ✓[8] |
| Disclosure Restrictions | | |
| 6. Disclosure Restrictions. Agreement prohibits disclosing personal information other than to perform services specified in the contract. | ✓[9] | ✓[10] |
| 7. Prohibition against selling or sharing. Agreement prohibits service provider from selling personal information or sharing personal information for the purpose of cross-context behavioral advertising. | X/✓[11] | ✓[12] |
| Additional Requirements | | |
| 8. Compliance with applicable obligations. Agreement requires that the service provider provide the level of privacy protections required under California law. | X | ✓[13] |
| 9. Obligates service provider to notify business of non-compliance. Agreement requires that a service provider notify the business if the service provider determines that it can no longer meet obligations under California law. | X | ✓[14] |
| 10. Subcontractor notification. A service provider must notify a business if it engages another person or company to assist it in processing personal information. | X[15] | ✓[16] |
| 11. Subcontracting flow down obligations. Service provider must flow down contractual obligations to sub-processors. | X | ✓[17] |

[1] Cal. Civil Code § 1798.140(v) (Oct. 2020).
[2] Cal. Civil Code § 1798.140(ag)(B), (C).
[3] Cal. Civil Code § 1798.140(v) (Oct. 2020); CCPA Regulation 999.314(c)(1).
[4] Cal. Civil Code § 1798.100(d)(1), 140(ag)(1)(B), (C).
[5] Cal. Civil Code § 1798.100(d)(5).
[6] Cal. Civil Code § 1798.100(d)(3).
[7] While the CCPA did not include an explicit requirement that a contract prohibit a service provider from selling or sharing personal information, it did include a requirement that a service provider not “disclos[e]” personal information for any purpose other than for the specific purpose of performing the services specified by a business. See Cal. Civil Code § 1798.14(v) (October 2020).
[8] Cal. Civil Code § 1798.140(ag)(1)(A).
[9] Cal. Civil Code § 1798.140(v) (Oct. 2020).
[10] Cal. Civil Code § 1798.140(ag)(1)(B), (C).
[11] While the CCPA did not include an explicit requirement that a contract prohibit a service provider from combining personal information from multiple clients, it did include a requirement that a service provider not “disclos[e]” personal information for any purpose other than for the specific purpose of performing the services specified by a business. See Cal. Civil Code § 1798.14(v) (October 2020).
[12] Cal. Civil Code § 1798.140(ag)(1)(A).
[13] Cal. Civil Code § 1798.100(d)(2).
[14] Cal. Civil Code § 1798.100(d)(4).
[15] While the CCPA did not include an explicit requirement that a contract require a service provider to notify the business if another person or entity would be assisting in the processing of personal information, it did include a requirement that a service provider not “disclos[e]” personal information for any purpose other than for the specific purpose of performing the services specified by a business. See Cal. Civil Code § 1798.14(v) (October 2020).
[16] Cal. Civil Code § 1798.140(ag)(2).
[17] Cal. Civil Code § 1798.140(ag)(2).
©2020 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume X, Number 332