The Practical Guide to the California Consumer Privacy Act: Part 8: The Obligation to Monitor Service Providers

September 11, 2018

The California Consumer Privacy Act of 2018 (“CCPA”) is arguably the most comprehensive - and complex - data privacy regulation in the United States. The CCPA was designed to emulate the European General Data Protection Regulation (“GDPR”) in many respects. As a result, United States companies that thought that they were not subject to the GDPR are now laser-focused on the requirements of the CCPA and rushing to verify that their practices comply with the statute. While the CCPA was drafted with an eye toward the GDPR, it also differs from that regulation in many respects. As a result, companies that just finished their push to come into compliance with the GDPR now also must redirect their attention toward the CCPA.

Quick Overview

The CCPA allows businesses to share personal information with third parties or service providers for business purposes so long as there is a written contract that complies with the CCPA. Among other things, the CCPA prohibits any agreement or contract provision that seeks to waive or limit a consumer’s rights under the CCPA.

Comparison to Other Privacy Laws

Similar to the CCPA, the GDPR imposes certain requirements when a company uses a service provider. Both the CCPA and the GDPR require companies to contractually limit the service provider’s uses of personal information and to ensure the same restrictions that apply to the company will flow down to the service provider. 

To Do List

To comply with the CCPA, companies should:

  • Review existing agreements with service providers to identify potential gaps.
  • Identify instances in which you may be using a service provider that has access to information about Californians and with whom you do not currently have agreements in place.
  • Update agreements with service providers to ensure that they meet the new requirements of the CCPA.

How We Can Help

Companies across the globe have retained BCLP to draft service provider agreements, or review their service provider agreements to spot anything that might be considered out of compliance with legal or regulatory requirements. 

Cross References

CCPA Provisions

  • Cal. Civil Code 1798.140(v), (w)
  • Cal. Civil Code 1798.145(h)
  • Cal. Civil Code 1798.192

GDPR Provisions

  • Recital 81
  • Article 28