Implementation Notes: CPRA Draft Regulations and the Impact on Third-Party Agreements

The latest draft of CPRA regulations (released on November 3, 2022) includes new requirements for agreements with service providers, contractors, and third parties that retain, use, or disclose Personal Information (“PI”). The draft regs specify that agreements must:

  • Identify the limited and specific purpose for which the PI is made available to the third party;
  • Bind the third party to use of the PI only for the specific purposes documented in the agreement;
  • Bind the third party to compliance with all relevant sections of the CCPA/CPRA, including consumer rights such (e.g., the right to opt out of the sale/sharing of data); and
  • Require the third party to take reasonable steps to ensure the PI is being used in line with CCPA/CPRA obligations as reflected in the contract. (Note that the business can require that the third party attest to its compliance with CCPA/CPRA obligations.)

Without these terms, a third party is not authorized to “collect, use, process, retain, sell, or share” PI of California residents under the agreement.

In order to prepare for the January 1st effective date of the new CCPA/CPRA requirements, business should take immediate steps to review contracts with parties processing personal information of California residents and determine whether updates are necessary to meet new requirements. For existing contracts with CCPA/CPRA compliance gaps, addenda with updated requirements will likely need to be provided to the parties for execution prior to the end of the year.

Specific steps to consider in order to be prepared for January 1st include:

  • Privacy Contractual Provisions: Draft template privacy provisions that meet CCPA/ CPRA requirements for new contracts and a template addenda for existing contracts requiring updates.
  • Identify & Update Contracts: Identify contracts under which California resident PI is processed. Review current terms and prepare addenda (leveraging templates) to existing contracts.
  • Notify Third Parties: Send addenda to identified in-scope third parties. Inform these parties that the addendum is necessary for compliance with CCPA/CPRA regulations effective January 1.
  • Notify Contracting Group: Be certain that your internal contracting team in informed of requirement to use updated privacy terms for third parties processing personal information of California residents.


Submit a Comment

Your email address will not be published. Required fields are marked *

Lindsay Farbent

Posted on

November 11, 2022
Privacy Consultant, JD CIPP/US