The CCPA requires that a service provider agree to substantive restrictions involving the retention, use, and disclosure of personal information. While the CCPA does not mandate that a business include any other provisions in an agreement with a vendor, a business must “push down” certain other obligations in order to comply with its own obligations under the CCPA, such as an obligation that the vendor cooperate with the business in accessing information about California consumers, or that a vendor selectively and irrevocably delete data if requested by the business.
As each of the substantive restrictions that define a “service provider” under the CCPA is also required for processors under the GDPR, many GDPR-drafted data processing addenda are sufficient to classify a vendor as a service provider. Some GDPR-drafted data processing addenda, however, contain scope limitations pursuant to which the addendum purports only to apply to data that is governed by the GDPR, or data that relates to individuals who are physically present in Europe. Where a DPA contains such a scope limitation, at a minimum it would need to be amended to ensure that its scope is broad enough to capture California residents.
For more information and resources about the CCPA visit http://www.CCPA-info.com.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.