The CCPA requires that a service provider agree to substantive restrictions involving the retention, use, and disclosure of personal information. While the CCPA does not mandate that a business include any other provisions in an agreement with a vendor, in order for the business to comply with its own obligations under the CCPA it must “push down” certain other obligations such as an obligation that the vendor cooperate with the business in accessing information about California consumers, or that a vendor selectively and irrevocably delete data if requested by the business.
As each of the substantive restrictions that define a “service provider” under the CCPA are also required for processors under the GDPR, many GDPR-drafted data processing addenda are sufficient to classify a vendor as a service provider. Some GDPR-drafted data processing addenda, however, contain scope limitations pursuant to which the addendum purports only to apply to data that is governed by the GDPR, or data that relates to individuals that are physically present in Europe. Where a DPA contains such a scope limitation at a minimum it would need to be amended to ensure that its scope is broad enough to capture California residents.