June 13, 2021
What new privacy legislation from the Golden State may mean for your third-party contracts.

We may only be halfway done with 2021, but already, legal teams like ours are thinking about and preparing businesses for 2023. The California Consumer Privacy Act (CCPA), passed into law just a few years back, has already brought about sweeping changes to the way businesses process and protect data, and the California Privacy Rights Act (CPRA) is hot on its heels with modifications and expansions aplenty that go into effect January 1, 2023. Tupac Shakur’s “California Love” introduced a generation to the wild, Wild West, but as businesses and their contractors acclimate to the new expectations and responsibilities of the CPRA, it may get wilder still. Setting the specific regulations aside for another day, let’s focus here on the future impact of the CPRA on your third-party agreements and what your legal team should be doing now to prepare.
Contractor Expansion
The CPRA is expanding on the contracting requirements for businesses that sell, share, or disclose personal information to now include “contractors” and “third parties”, in addition to “service providers” (which are currently covered under the CCPA). These third-party contractors, including sub-contractors where relevant, of the business will soon need to contractually agree to comply with the CPRA requirements, too. Current third-party agreements will need to be amended and templates updated.
Your CPRA-compliant contracts will need to address:
- The type of data and specific usage of data that the contractor may process. Outline specifically the data to be processed (bought/sold/shared/stored), the purpose for that processing, and that the data is only to be used for the specific permitted purpose.
- The contractor’s privacy policy. Contractors should have a formal privacy policy or standard operating procedures in place to evidence their compliance with CPRA in processing consumers’ personal data. Due diligence on your part to identify procedures in place and verify that they are followed may be tedious now, it will be worth it in the long run and may save you a lot of green.
- The ability of the contractor to segregate consumer data from client to client. The third-party contractor needs to be able to keep the data you share with them, or the data they collect on your behalf, separate from the data processed via other contractual relationships. Work with your IT team and legal team to fully understand the contractor’s storage/processing systems and accurately describe any requirements in the contract.
- Warranties that the contractor is compliant with CPRA requirements. Getting a party to offer up any warranties these days is a challenge, but the CPRA requires that contractors certify that they understand and will comply with the regulations. This requirement flows through to sub-contractors, as well.
- What happens if they are no longer compliant during the term of the agreement. Notification, termination, and damages provisions need to be in place to outline the steps to be taken when a contractor is no longer able to comply with CPRA and the remedies available under contract. With new legislation comes new enforcement procedures and legal precedent; whenever possible, it’s best to flush out the details in the contract to mitigate risk and expense down the road.
- Indemnification provisions to protect you in case of a claim. Typical indemnification language seeks to protect your business from the failures, negligence, and misconduct of third-parties, but you will want to add specific language concerning damages, including fines, associated with CPRA-compliance issues.
- Sufficient Insurance. Proof of coverage for your contractors gives you peace of mind that your indemnification claims may actually get paid. Policies types may include business cyber, personal and advertising injury, information security, or privacy liability. The contract should reflect a breakdown of the coverage limits, the types of claims/damages covered, the renewal dates of the policy(ies), proof of coverage, and notification/termination procedures in place if the coverage is cancelled or non-renewable.
The Path Forward
In most cases, an addendum can be prepared by your legal counsel to incorporate these new or refined terms into your current agreements, and standard templates for future contracts should be updated, as well. The content of these provisions is crucial to adequately protect your business and advance your goals within the parameters of the CPRA. With fines being levied on a per consumer basis, a seemingly minor oversight could mean the end for a once thriving business. Contact your legal counsel to assess whether these regulations may impact your business and, if so, create an action plan to have you CPRA-ready.
________________________________________________________________
This blog was written by Hunter Business Law Attorney Haley Lemon.
DISCLAIMER: This blog is for educational purposes only and does not offer nor substitute legal advice. Additionally, this blog does not establish an attorney-client relationship and is not for advertising or solicitation purposes. Any of the content contained herein shall not be used to make any decision without first consulting an attorney. The hiring of an attorney is an important decision not to be based on advertisements or blogs. Hunter Business Law expressly disclaims any and all liability in regard to any actions, or lack thereof, based on any contents of this blog.