On November 3, 2020, California voters approved Proposition 24, the California Privacy Rights Act of 2020 (CPRA). The CPRA, which will become operative on January 1, 2023, incorporates and significantly amends the existing California Consumer Privacy Act (CCPA) and expands privacy rights of California consumers as well as compliance obligations of covered businesses and their processors on par with the European Union’s General Data Protection Regulation (GDPR).
The CCPA recognizes three types of organizations subject to its provisions: businesses, service providers, and third parties. The CPRA introduces a new category of providers: contractors. The CPRA defines a “contractor” as a person to whom a business makes available consumers’ personal information for a business purpose pursuant to a written contract. A “service provider,” in turn, is defined as a person that receives from or on behalf of a business consumers’ personal information for a business purpose and processes that information on behalf of the business pursuant to a written contract. Taken together as a category, contractors and service providers are effectively “processors” as that term is defined in the GDPR.
The CPRA defines a “third party” as any person who is a not (i) a business with whom the consumer intentionally interacts and that collects personal information from the consumer, (ii) a service provider to the business, or (iii) a contractor.
The CPRA also makes notable changes to the definition of a “business purpose,” which is a threshold issue for determining whether an organization qualifies as a service provider or a contractor under the statute. For example, under the CPRA, making personal information available for cross-context behavioral advertising is not recognized as a “business purpose” but other advertising and marketing services are, subject to certain conditions.
Under the CPRA, businesses would will be required to enter into a written contract with their service providers and contractors that would prohibit them from selling or sharing personal information; retaining, using, or disclosing the personal information for any purpose other than for the business purposes specified in the contract or outside of the direct business relationship with the business; or combining the personal information which the service provider or the contractor receives from the business with other personal information, subject to certain exceptions.
In addition, service providers and contractors will be contractually obligated to provide the same level of privacy protection as is required of the businesses and would have to notify businesses if they can no longer meet these obligations. A business will be permitted to monitor compliance with the contract through annual audits, assessments, ongoing manual reviews and automatic scans and be allowed to take steps to stop and remediate unauthorized use of personal information.
Furthermore, similarly to the GDPR, these obligations will have to pass through down the contractual chain. Thus, if a service provider engages a subcontractor to assist it in processing of the personal information for a business, it will be required to contractually bind the subcontractor to the same provisions applicable to the service provider.
In addition to contractual obligations, the CPRA imposes direct obligations on the service providers and contractors. They will be required to cooperate with businesses in responding to the consumers’ requests to access, correct or delete personal information, limit the use of sensitive personal information as instructed by the businesses, delete consumers’ personal information at the direction of the businesses, and instruct their own subcontractors to delete the information.
The CPRA also provides that service providers and contractors could be held liable for their own violations of the Act and would will be subject to the same administrative sanctions as the businesses.
With the approval of the CPRA, covered businesses need to promptly start reviewing their privacy and data management systems, programs, and practices to assess their compatibility with the Act’s legal requirements and to map out a path to compliance with these requirements. As businesses prepare for the CPRA, they need to assess relationships with their contractors within the CPRA framework, review and update their contracts consistent with the CPRA requirements, and establish processes to monitor contractual compliance.
For assistance with Consumer Deletion Requests, call Clarip today at 1-888-252-5653 or contact us.