The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff’s friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.

If a Service Provider has already agreed to a Data Processing Addendum that complies with the GDPR, is a business required to renegotiate the contract again for the CCPA?

No.

Article 28 of the GDPR requires that a controller “bind[]” every service provider to approximately thirteen substantive provisions; it also requires that contracts with service providers contain specific disclosures concerning the type of processing that will be covered by the agreement. In order to comply with this requirement many companies put in place data processing addendum or “DPA’s” which were designed to amend master service agreements to conform to the GDPR.

The CCPA requires that a service provider agree to three substantive restrictions involving their retention, use, and disclosure of personal information. While the CCPA does not mandate that a business include any other provisions in an agreement with a service provider, in order for a business to comply with its own obligations under the CCPA it must “push down” certain obligations onto its service providers. For example, if a business is required to delete a consumer’s personal information pursuant to a right to be forgotten request, the business will be unable to comply with that requirement if its service provider is unable to selectively and irrevocably delete data. The following chart compares the requirements that the GDPR imposes upon processors with those that a business should impose upon a service provider pursuant to the CCPA. As the chart indicates, a DPA that complies with all of the GDPR requirements will also satisfy each of the CCPA’s requirements.

Requirement

GDPR

CCPA

Particulars :

1. Subject Matter. Description of the subject matter of processing.

ü

Art. 23(3)

X

2. Duration. Description of the duration of processing.

ü

Art. 23(3)

X

3. Nature and Purpose. Description of the nature and purpose of processing.

ü

Art. 23(3)

X

4. Type of Data. Description of the type of personal data to be processed.

ü

Art. 23(3)

X

5. Categories of Data. Description of the categories of data subjects about which the data relates.

ü

Art. 23(3)

X

Restrictions

6. Use Restrictions. A service provider can only process personal data consistent with a controller’s documented instructions.

ü

Art. 28(3)(a)

ü

§ 1798.140(v)

7. Disclosure Restrictions. Confidentiality provision that ensures that persons authorized to process personal data have committed themselves to confidentiality.

ü

Art. 28(3)(b)

ü

§ 1798.140(v)

8. Delete or return data. Service provider will delete or return data at the end of the engagement.

ü

Art. 28(3)(g)

ü

§ 1798.140(v)

Security

9. Security. Service provider will implement appropriate technical and organizational measures to secure information.

ü

Art. 28(1)

Art. 28(3)(c)

Art. 32(1)

X

10. Assisting Controller In Responding to Data Breach. Service provider will cooperate with controller in the event of a personal data breach.

ü

Art. 28(3)(f) Art. 33 – 34

X

(although other California laws apply to data breach response)

Subprocessing

11. Subcontractor selection. A service provider must obtain written authorization before subcontracting, and must inform the Company before it makes any changes to its subcontractors.

ü

Art. 28(2)

Art. 28(3)(d)

X

12. Subcontracting flow down obligations. Service provider will flow down these obligations to any subprocessors.

ü

Art. 28(3)(d) Art. 28(4)

X

13. Subcontracting liability. A service provider must remain fully liable to the controller for the performance of a sub-processors obligations.

ü

Art. 28(3)(d)

X

Data Subject / Consumer Requests

14. Responding to data subjects. Service provider will assist the Company to respond to any requests by a data subject.

ü

Art. 28(3)(e)

Art. 12 – 23

ü

§ 1798.105(c) (relating to deletion)

Miscellaneous

15. Assisting Controller In Creating DPIA. Service provider will cooperate with controller in the event the controller initiates a data protection impact assessment.

ü

Art. 28(3)(f)

Art. 35)

Art. 35-36

X

16. Audit Right. Service provider will allow Company to conduct audits or inspections for compliance to these obligations.

ü

Art. 28(3)(h).

X

17. Cross-border transfers. Service provider will not transfer data outside of the EEA without permission of Company.

ü

Art. 28(3)(a)

Art. 46

X