The California Consumer Privacy Act (“CCPA”) was enacted in early 2018 as a political compromise to stave off a poorly drafted and plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
Q: Are businesses required to put a “Data Processing Addendum” in place by January 1, 2019?
Some law firms reported that the CCPA required businesses to update their vendor agreements before 2019 (i.e., by December 31, 2018) in order to avoid having to characterize the transfer of personal information to vendors as “selling personal information” when the CCPA goes live on January 1, 2020. Their rationale was that Section 1798.130(a)(4)(B) of the CCPA requires that a company “[i]dentify by category . . . the personal information of the consumer that the business sold in the preceding 12 months” (i.e., going back to January 1, 2019) and that the CCPA’s broad definition of the term “sell” might encompass many service providers.
While the CCPA broadly defines the term “sell” as including disclosures of personal information “for monetary or other valuable consideration,” it is doubtful that the definition would extend to most vendors for four reasons.[1]
First, when a business discloses information to a service provider, it typically does not do so to receive “monetary” consideration – to the contrary, in most situations the business must provide monetary consideration to a service provider, not the other way around. While one might argue that the business is receiving “other valuable consideration” (in the form of services), there is a strong argument that the business is not receiving the other valuable consideration in return for the personal information that it provides; rather, the “other valuable consideration” is being provided in return for payment to the service provider.
Second, the CCPA states that a business that shares information with a service provider in order to have a business purpose performed is not “selling” the information if “the service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose.”[2] Put differently, if a vendor is prohibited from using the personal information that a business provided for the vendor’s own purposes, then the transmission is not considered a “sale.” This dovetails with the CCPA’s definition of “service provider,” which requires that the vendor agree to three substantive restrictions involving the retention, use, and disclosure of personal information. As a practical matter, the vast majority of vendor agreements already contain a restriction that personal information can only be used to provide service. As a result, for many (if not most) service provider agreements little change would be needed. Furthermore, for those areas in which a vendor may be using information for its own purposes (e.g., to improve a product or service generally), there is insufficient guidance concerning how the CCPA will be interpreted to know definitively whether such uses would cause the transfer of data to fall within the definition of a “sale.”
Third, if the business has already negotiated a data processing addendum with the vendor for the purposes of the GDPR, that addendum should fulfill all of the requirements within the CCPA to classify the vendor as a “service provider”:
| Requirement | GDPR | CCPA |
|---|---|---|
| Use Restrictions. A service provider can only process personal data consistent with a controller’s documented instructions. | ✓ Art. 28(3)(a) | ✓ § 1798.140(v) |
| Disclosure Restrictions. Confidentiality provision that ensures that persons authorized to process personal data have committed themselves to confidentiality. | ✓ Art. 28(3)(b) | ✓ § 1798.140(v) |
| Delete or return data. Service provider will delete or return data at the end of the engagement. | ✓ Art. 28(3)(g) | ✓ § 1798.140(v) |
Fourth, assuming that a vendor could be characterized as providing valuable consideration to a business “for” the personal information that it receives (i.e., that it is being sold the personal information), and assuming that the vendor’s contract does not, as of January 1, 2019, have a clear contractual use limitation, nothing within the CCPA prevents businesses and vendors from negotiating a contractual addendum in 2020 with retroactive effect.
The net result is that a vendor agreement would only have to be revised by December 31, 2018, if all of the following conditions were met: (1) the vendor pays its client for personal information (or provides some other valuable consideration in exchange for personal information), (2) the existing services agreement permits the vendor to use the information for its own purposes, (3) the vendor did not enter into a data processing addendum that complies with Article 28 of the GDPR, and (4) there is a high likelihood that the vendor will refuse in 2019 to amend its service provider agreement to retroactively clarify use, disclosure, and retention restrictions. The universe of vendors that fit those four characteristics is extremely small.
1. CCPA, Section 1798.140(t)(1).
2. CCPA, Section 1798.140(t)(2)(C).