Navigating CPRA Service Provider Contract Requirements [Updated 2024]

At a glance

• With the CPPA able to enforce CPRA immediately (following a surprise overturn of the 2023 enforcement delay), companies need to make sure they're compliant with CRPA’s service provider contract requirements. 
• Though the California Consumer Privacy Act (CCPA) did outline guidelines for service provider and third parties contracts, the amendments made by the California Privacy Rights Act (CPRA) did lead to a few important changes. 
• This guide explores everything you need to know about CPRA service provider contract requirements, including important CPRA definitions and how the CCPA and CPRA differ in this context. 
• The California Privacy Protection Agency has submitted a final proposed version of the Draft Regulations, so be sure to reference that for more details.

Table of contents

• CPRA definitions
• CPRA service provider contract requirements
• Contract requirements in CPRA vs. CCPA

CPRA definitions

CCPA defined three types of entities: businesses, service providers, and third parties. CPRA added a fourth: contractors. 

To understand CPRA’s contract requirements, which apply to service providers, third parties, and contractors, it’s worthwhile to first understand what each of these terms means. 

Business

CPRA defines several criteria for what constitutes a business. But in the context of service provider contracts—a business is the entity collecting personal data from a California resident and is responsible for determining “ the purposes and means of the processing of consumers’ personal information.”  1798.140 

Basically, businesses are the ones collecting data and then determining how that data is processed.

Service provider

The CPRA defines “service provider” as the:

So if a business collects data and dictates how it will be processed, the service provider fulfills that processing on the business’s behalf. This definition differs slightly from the one found in the CCPA, though not in a way that changes the spirit of the term.

Third party

Third parties have some overlap with service providers, in that they receive consumer data from a business. But there are notable differences. In fact, CPRA largely defines third parties by what they are not, stating that a third party is not: 

• A business with whom the consumer is interacting directly
• A service provider for the business
• A contractor

A good example of a third party is an advertiser to whom a business is selling consumer data. 

Contractor

Contractor is a new entity that was added by CPRA, referring to: 

Similar to relationships with service providers and third parties, businesses must establish a written agreement with contractors outlining what that party may or may not do with the data in question. 

Contractor agreements do have additional requirements compared to service provider and third party contracts—and we’ll cover those requirements below. 

CPRA service provider contract requirements

Under CPRA, a business must contractually bind the relationship if they:

• Disclose personal data to a contractor or service provider, or 
• Sell or share personal data with a third party 

For a servicer provider contract to be CPRA compliant, the service provider, third party, or contractor must be:

• Prohibited from:
  • “selling or sharing the personal information”
  • “retaining, using, or disclosing the personal information for any purpose other than for the business purposes specified in the contract”
  • “retaining, using, or disclosing the information outside of the direct business relationship between the service provider and the business”
  • combining the personal information they receive from the business with personal information received from another source (i.e. another business, person, or direct collection from the consumer)
• Define a limited, specific purpose for selling or sharing the personal data, while also ensuring this purpose falls under the CPRA’s definition of a “business purpose.” (Hint: This definition is somewhat different from the CCPA’s.)
• Maintain CPRA compliance and agree to provide appropriate privacy protections for the data under the agreement
• Allow the business to verify that they are processing data in a CPRA compliant way
• Allow the business to address unauthorized use of personal data
• Notify the business if it’s no longer able to remain CPRA compliant
• Notify the business if they are involving another person or party in the data processing and ensure that that relationship is bound by the same contractual obligations

For contractors, there are two additional contract requirements. CPRA states a contractor must: 

• State that they understand the requirements of the contract
• Allow the business to monitor and audit compliance once a year at minimum

CPRA vs. CCPA: Service provider contract requirements

There are several notable differences between CPRA and CCPA, but the updated rules for service provider contracts have one of the more immediate effects on how businesses process data.

Expanding the duty to contract to third parties

Under CCPA, third parties were not included in the language around contractual requirements—those only applied to service providers. As a result, many businesses used language that defined their external relationships as third parties, rather than as service providers. 

CPRA removed this loophole, stating that a business that “sells [...] personal information to, or shares it with, a third party or that discloses it to a service provider or contractor for a business purpose” must contractually bind that relationship. 

Adding the contractor category

CPRA added the category of “contractor”—and though many of the outcomes are the same (i.e. contractor relationships must be bound by a legal agreement), there are some operational differences between a contractor and a service provider. 

For a contractor, a business makes the personal data available for a wider variety of purposes. Whereas for a service provider, the business is contracting with that entity specifically to conduct data processing on their behalf. 

Revised definition of “business purpose”

The definition of business purpose changed under CPRA, which states: 

The CPRA full text goes on to list 8 different scenarios that can be considered a valid business purpose. 

1. Analyzing the number and quality of ad impressions
2. Working to protect the security and integrity of a consumer’s personal information
3. Debugging errors that affect necessary functionality
4. Short term use that can include non-personalized advertising (as long as the consumers data isn’t disclosed to a third party or used for profiling)
5. Providing “services on behalf of the business,” which includes servicing accounts, customer service, processing payments, and more
6. Advertising or marketing, excluding “cross-context behavioral advertising” and using personal data from consumers who opted-out
7. Internal research and development
8. Activities that support the “quality or safety” (or somehow improves) a business’s “service or device”

Extending CPRA requirements to data “sharing”

CCPA requirements only applied to the sale of personal data, creating a situation in which many businesses labeled their data transfers as sharing in order to duck CCPA requirements. To rectify this, CPRA extended nearly all of its requirements to both sale and sharing of personal data. 

CPRA defines sharing as:

This is a significant change from CCPA—one that impacts how businesses define their agreements with service providers, third parties, and contractors. 

Fulfilling privacy requests

CPRA doesn’t require businesses to include language about consumer privacy requests in their contracts with service providers. That said, there are a few contractual provisions businesses may want to include, in order to simplify their privacy request process.

The first thing to know is that service providers are not required to respond to privacy requests submitted to them directly. They are, however, required to cooperate with a business that's attempting to fulfill a consumer request. 

In practice this means that a service contractor must provide the business with any personal data collected during the term of the agreement, respond to requests for information, and delete or correct personal information upon request. 

About Transcend

Transcend is the platform that helps companies put privacy on autopilot by making it easy to encode privacy across an entire tech stack.

Transcend Data Mapping is the only solution that goes beyond observability to power your privacy program with smart governance suggestions. Get unified data management through automated scanning, data silo discovery and advanced data classification, all in a collaborative platform.

Ensure nothing is tracked without user consent using Transcend Consent, automate data subject request workflows with Privacy Requests, and mitigate risk with smarter privacy Assessments.

References

• Analyzing the CPRA’s new contractual requirements for transfers of personal information (IAPP)
• Full Text: California Privacy Rights Act (CPRA) (Transcend)
• Preparing For The CPRA Part 3: New Contractual Requirements For Data Transfers (aa/rr)
• How do the CPRA, CPA & VCDPA treat data processing agreements? (Husch Blackwell)
• The California Privacy Rights Act: A Practical Guide on the Impact of CPRA on Existing CCPA Frameworks (Troutman Pepper)