The California Consumer Privacy Act ("CCPA") was enacted in 2018 as a political compromise to stave off a poorly drafted, plaintiff-friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding its requirements, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation ("GDPR").
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
Can a business unilaterally amend a service provider agreement to incorporate requirements under the CCPA?
A business is required to impose restrictions on its service providers' ability to use, retain, and disclose consumer personal information. Whether a business can impose a unilateral amendment upon a service provider (i.e., simply declare that the service provider must abide by each of the restrictions mandated by the CCPA) largely depends upon the structure of the underlying agreement. Specifically, if the underlying agreement grants the business the right to impose unilateral changes, or the right to impose unilateral data security or privacy standards, the unilateral amendment would likely be effective. If, however, the underlying agreement requires that any amendment be made in a writing signed by both parties, the unilateral amendment would likely be ineffective.
Some businesses attempt to leverage generic "compliance with law" provisions found in master service agreements to impose unilateral changes, arguing that the changes are necessary in order for the service provider to comply with the CCPA. Courts have not yet evaluated whether that strategy is effective. Because the CCPA does not impose obligations upon service providers directly, and requires only that such obligations be imposed via contract, a court may find that a service provider is already in compliance with the "law" (i.e., the statutes) that applies directly to the service provider, even if the service provider never agreed to the contractual provisions its client needs in order to comply with those aspects of the CCPA that apply directly to the client.
The ability to amend a service provider agreement unilaterally to incorporate data privacy protections may be somewhat different where the service provider (or the client) is subject to the GDPR. Unlike the CCPA, the GDPR imposes obligations directly upon processors that are subject to its jurisdiction. There is therefore a reasonable argument that a processor that fails to incorporate the Article 28 restrictions into its contract is, itself, violating the GDPR. In the context of the GDPR, the effectiveness of a unilateral modification strategy depends upon the following factors:
- What law is selected within the underlying agreement? Whether a unilateral amendment can be incorporated through an existing compliance with law provision depends, in part, on the principles of contract interpretation under the law selected to govern the underlying agreement.
- What forum is selected within the underlying agreement? Whether a unilateral amendment can be incorporated through an existing compliance with law provision depends, in part, upon the court or tribunal selected to interpret the underlying agreement if a dispute were to arise.
- Does the unilateral amendment exceed the scope of the GDPR? Attempts by a controller to go beyond the precise wording of the GDPR would likely be considered ineffective by most courts or tribunals. For example, while the GDPR requires that a processor make itself available for audits, a unilateral amendment that attempts to demarcate the boundary and scope of such audits (e.g., who will pay for the audit, how often audits might occur, etc.) may be rejected by courts.
- Is the processor directly governed by the GDPR? If the processor is not established within the EU, it may argue that it is not directly governed by the GDPR and, therefore, a generic reference to its “compliance with law” should not be interpreted as including the GDPR.
- Does the controller have prior knowledge that the processing does not comply with the provisions of Article 28? To the extent that the controller has actual knowledge that certain aspects of the processing are not in compliance with Article 28 (e.g., subcontracting is already occurring, disclosed security measures are arguably deficient, inadequate instructions were provided by the controller, or the controller has provided an inadequate (or non-existent) description of the processing), some jurisdictions may refuse to enforce a unilateral amendment based upon the equitable principles of laches and estoppel.
- Does the unilateral amendment attempt to restrict the jurisdictions in which the processor can transfer data? A unilateral amendment that restricts the ability of the processor to transfer (or receive) data outside of the EEA will likely be ineffective if the processor is physically based outside of the EEA, and/or if the controller had knowledge that the processing would occur outside of the EEA.