Keypoint: Starting in 2023, organizations that are subject to one or more of the laws will need to enter into contracts with recipients of personal information/data that address numerous statutory requirements.
This is the eighth article in our ten-part weekly series comparing key provisions of the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and Virginia Consumer Data Protection Act (VCDPA). With the operative dates of these laws drawing near, we are exploring important distinctions between them. If you are not already subscribed to our blog, consider subscribing now to stay updated.
In this article, we examine how the three laws treat data processing agreements (DPAs). The CPRA, VCDPA and CPA require, in certain situations, businesses/controllers to enter into contracts with entities to whom they transfer personal information. The CPRA establishes three categories of recipients – service providers, contractors, and third parties – and sets forth a baseline set of requirements that must be contractually addressed when businesses sell or share personal information to a third party or disclose it to a service provider or contractor for a business purpose. The CPRA requires additional contractual provisions when the transfers are made to service providers or contractors.
In comparison, the VCDPA and CPA require contracts when a controller transfers personal data to processors. The VCDPA and CPA generally align their requirements although there are differences as discussed below. There also are many differences as compared to the CPRA’s requirements.
Ultimately, organizations that are subject to one or more of these laws will need to determine how to address these new requirements. Notably, the laws do not dictate the form of these agreements, only the substance. As such, parties could address the requirements through the use of a specific data processing agreement – i.e., a separate contractual document or addendum to a contract – which practice has become common in recent years. Alternatively, parties could integrate the requirements into the four corners of their underlying agreement. For our purposes, we group these two alternatives together under the phrase DPAs.
In addition, organizations that are subject to multiple laws will need to find a practical and efficient way to integrate the differing requirements into contracts. This process is made more complex if consideration must be given to complying with other laws – for example, the EU’s General Data Protection Regulation (GDPR). Drafters also should consider the fact that other states are likely to create similar (but perhaps not identical) requirements in coming years.
The below analysis is divided into two parts. First, we provide a discussion and analysis of the statutory provisions of the three laws. We then discuss other relevant provisions organizations may wish to consider when drafting and negotiating DPAs.
Part I – Analysis of Statutory Requirements
In the below section, we provide an overview of the various statutory requirements set forth in the CPRA, CPA and VCDPA on this issue. In addition to the below, we prepared a chart comparing these statutory provisions.
California Privacy Rights Act (CPRA)
The CPRA requires agreements when a business (1) discloses personal information to a service provider, (2) discloses personal information to a contractor, or (3) sells or shares personal information to a third party. Before analyzing the contractual requirements for each situation, it is important to understand these terms and properly apply them to the parties’ underlying relationship.
The CPRA defines “service provider,” in relevant part, as “a person that processes personal information on behalf of a business and that receives from or on behalf of the business a consumer’s personal information for a business purpose.”
“Contractors” is a new category of data recipients that was not in the CCPA. The CPRA defines a “contractor,” in relevant part, as “a person to whom the business makes available a consumer’s personal information for a business purpose.”
Third party is defined by what it is not. A third party is an entity that is not (1) “the business with whom the consumer intentionally interacts and that collects personal information from the consumer as part of the consumer’s current interaction with the business under” the CPRA, (2) a service provider to the business, or (3) a contractor.
As noted, a business must sell or share personal information to third parties. The CPRA defines “sale” similar to how the term was defined in the CCPA. For a further analysis of this term, see our prior article in this series.
The term “share” is new to the CPRA. It means “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.”
Cross-context behavioral advertising means “the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.”
General Requirements (Service Provider, Contractor, and Third Party)
The following provisions must be included in agreements between a business and a service provider, contractor, or third party:
- Specifies that the personal information is sold or disclosed by the business only for limited and specified purposes.
- Obligates the third party, service provider, or contractor to comply with applicable obligations under the CPRA and obligates those persons to provide the same level of privacy protection as is required by the CPRA.
- Grants the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider, or contractor uses the personal information transferred in a manner consistent with the business’ obligations under the CPRA.
- Requires the third party, service provider, or contractor to notify the business if it makes a determination that it can no longer meet its obligations under the CPRA.
- Grants the business the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
Additional Service Provider or Contractor Requirements
As a starting point, for a business to provide personal information to a service provider or contractor, it must be done for a business purpose. Although the exact contours of “business purposes” will be subject to regulations coming later in 2022, the CPRA lists several business purposes:
- Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
- Helping to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for these purposes.
- Debugging to identify and repair errors that impair existing intended functionality.
- Short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of a consumer’s current interaction with the business, provided that the consumer’s personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business.
- Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business.
- Providing advertising and marketing services, except for cross-context behavioral advertising, to the consumer provided that, for the purpose of advertising and marketing, a service provider or contractor shall not combine the personal information of opted-out consumers that the service provider or contractor receives from, or on behalf of, the business with personal information that the service provider or contractor receives from, or on behalf of, another person or persons or collects from its own interaction with consumers.
- Undertaking internal research for technological development and demonstration.
- Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.
In addition to the above requirements, DPAs between businesses and service providers or contractors must prohibit the service provider or contractor from:
- Selling or sharing the personal information
- Retaining, using, or disclosing the information outside of the direct relationship between the business and the contractor or service provider
- Retaining, using, or disclosing the personal information for any other purpose than specified in the contract between the business and contractor or service provider.
- Combining personal information the service provider or contractor receives from the business with consumer personal information it collects on its own interaction with consumers, subject to further rulemaking on this issue.
If the DPA is between a business and contractor, the contractor must certify that it understands and will comply with these four additional requirements. This does not apply to service providers.
It should be noted that CCPA regulation § 999.314 allows service providers to use personal information received from businesses for additional purposes. Those purposes include using personal information for internal use “to build or improve the quality of [the service provider’s] services, provided that the use does not include building or modifying household or consumer profiles to use in providing services to another business, or correcting or augmenting data acquired from another source.” Another permitted purpose is to detect security incidents or protect against fraudulent or illegal activity.” Businesses will need to monitor whether this regulation changes during the California Privacy Protection Agency rulemaking process.
The DPA also must require service providers and contractors to comply with the CPRA and provide the same level of privacy protections the business is required to provide under the law. If the contractor or service provider engages any other person or entity to assist with the processing of personal information, it must notify the business of that engagement and enter into a DPA with that other entity.
Finally, subject to agreement with the contractor or service provider, the DPA may outline audit mechanisms the business may conduct to ensure compliance with the DPA. These include, but are not limited to, ongoing manual reviews, automated scans, regular assessments, audits, or other technical and operational testing.
Virginia Consumer Data Protection Act (VCDPA)
As contrasted with the CPRA, the VCDPA (and CPA) only have one category of recipients called processors. Processor is defined as “a natural or legal entity that processes personal data on behalf of a controller.” Processing is defined as “any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.”
The VCDPA requires DPAs when a controller uses a processor to process consumer’s personal data. The VCDPA requires that DPAs identify the controller’s instructions for processing data, the nature and purpose of the processing, the type of data subject to processing, the duration of processing, and the rights and obligations of the parties. The DPA also must include confidentiality requirements for individuals accessing personal data, provisions necessitating the deletion or return of personal information at the end of the processing, and the ability for the controller to reasonably request information that demonstrates the processor’s compliance with the VCDPA.
Notably, the VCDPA requires that processors either allow reasonable assessments by the controller or the controller’s designated assessor or have the processor arrange for a qualified and independent audit to assess the processor’s policies and technical and organizational measures in support of its obligations under the VCDPA.
Finally, if the processor retains a subcontractor to assist with the processing, the processor must ensure that there is a DPA in place that meets the VCDPA’s requirements.
Colorado Privacy Act (CPA)
The CPA contains the same requirements as the VCDPA with three exceptions.
First, the CPA requires processors to offer controllers an opportunity to object to the use of subcontractors. The CPA does not state whether this opportunity to object can be done on a general basis (e.g., stating that the processor will use cloud storage providers) or specific basis (e.g., stating that the processor will use AWS).
Second, the parties are required to implement appropriate technical and organizational security measures and “establish a clear allocation of the responsibilities between them to implement the measures.” It is worth noting that a similar obligation also appears in C.R.S. § 6-1-713.5, which provides that if a covered entity discloses personal identifying information to a third-party service provider, it must require that third-party service provider to implement and maintain reasonable security procedures and practices that are “[a]ppropriate to the nature of the personal identifying information disclosed to the third-party service provider” and “[r]easonably designed to help protect the personal identifying information from unauthorized access, use, modification, disclosure, or destruction.”
Third, the CPA sets out similar auditing requirement as the VCDPA but states that if the processor chooses to conduct an independent audit with the controller’s consent, then it must be at the processor’s expense and occur at least once a year.
Part II – Other Provisions
In addition to the topics discussed above, parties should consider addressing the following issues in DPAs.
Information Security Measures
The extent to which a DPA addresses information security is typically subject to negotiation and the context of the transaction, such as the nature of the personal data at issue and/or the industry involved in the transaction. Some DPAs may only state that recipients will properly protect information whereas other DPAs may require the implementation of specific security measures, certifications, or third-party audits.
Data breach notification statutes typically require data recipients to provide notice to controllers in the event that the recipient suffers a data breach. DPAs can be used to flesh out this requirement such as defining a specific time frame for providing notice, how notice must be provided, and the contents of the notice. The parties also can address liability and indemnification issues arising out of breaches.
The parties can use DPAs to describe the type of assistance recipients will provide to businesses/controllers in responding to consumer requests. This can include provisions on how a recipient will respond to a consumer request made directly to it, how quickly recipients will respond to a business/controller’s request for information, and whether there is any cost involved with that response.
In addition to the above issues, drafters should consider addressing (1) limitations of liability, (2) the process for handling a change in law (especially given the constant flux of privacy law); (3) the order of priority as between the DPA and the underlying agreement; and (4) customary contractual terms such as definitions, termination, and effective date.
Entities that are subject to federal and/or international laws will need to take other considerations into mind such as cross-border data transfer requirements. For example, entities subject to GDPR will need to consider Article 28 requirements and potentially account for cross-border data transfer issues. For more information on those issues see our prior blog posts here and here.