Cal. Code Regs. Tit. 11, § 7051 - Contract Requirements for Service Providers and Contractors
(a) The contract required by the CCPA for service providers and contractors shall:
(1) Prohibit the service provider or
contractor from selling or sharing personal information it collects pursuant to
the written contract with the business.
(2) Identify the specific business purpose(s)
for which the service provider or contractor is processing personal information
pursuant to the written contract with the business, and specify that the
business is disclosing the personal information to the service provider or
contractor only for the limited and specified business purpose(s) set forth
within the contract. The business purpose(s) shall not be described in generic
terms, such as referencing the entire contract generally. The description shall
be specific.
(3) Prohibit the
service provider or contractor from retaining, using, or disclosing the
personal information that it collected pursuant to the written contract with
the business for any purpose other than the business purpose(s) specified in
the contract or as otherwise permitted by the CCPA and these
regulations.
(4) Prohibit the
service provider or contractor from retaining, using, or disclosing the
personal information that it collected pursuant to the written contract with
the business for any commercial purpose other than the business purpose(s)
specified in the contract, unless expressly permitted by the CCPA or these
regulations.
(5) Prohibit the
service provider or contractor from retaining, using, or disclosing the
personal information that it collected pursuant to the written contract with
the business outside the direct business relationship between the service
provider or contractor and the business, unless expressly permitted by the CCPA
or these regulations. For example, a service provider or contractor shall be
prohibited from combining or updating personal information that it collected
pursuant to the written contract with the business with personal information
that it received from another source or collected from its own interaction with
the consumer, unless expressly permitted by the CCPA or these
regulations.
(6) Require the
service provider or contractor to comply with all applicable sections of the
CCPA and these regulations, including--with respect to the personal information
that it collected pursuant to the written contract with the business--providing
the same level of privacy protection as required of businesses by the CCPA and
these regulations. For example, the contract may require the service provider
or contractor to cooperate with the business in responding to and complying
with consumers' requests made pursuant to the CCPA, and to implement reasonable
security procedures and practices appropriate to the nature of the personal
information to protect the personal information from unauthorized or illegal
access, destruction, use, modification, or disclosure in accordance with Civil
Code section 1798.81.5.
(7) Grant the business the right to take
reasonable and appropriate steps to ensure that the service provider or
contractor uses the personal information that it collected pursuant to the
written contract with the business in a manner consistent with the business's
obligations under the CCPA and these regulations. Reasonable and appropriate
steps may include ongoing manual reviews and automated scans of the service
provider's system and regular internal or third-party assessments, audits, or
other technical and operational testing at least once every 12 months.
(8) Require the service
provider or contractor to notify the business after it makes a determination
that it can no longer meet its obligations under the CCPA and these
regulations.
(9) Grant the business
the right, upon notice, to take reasonable and appropriate steps to stop and
remediate the service provider or contractor's unauthorized use of personal
information. For example, the business may require the service provider or
contractor to provide documentation that verifies that they no longer retain or
use the personal information of consumers that have made a valid request to
delete with the business.
(10) Require the service provider or contractor to enable the business to comply
with consumer requests made pursuant to the CCPA or require the business to
inform the service provider or contractor of any consumer request made pursuant
to the CCPA that they must comply with and provide the information necessary
for the service provider or contractor to comply with the request.
(b) A service provider or
contractor that subcontracts with another person in providing services to the
business for whom it is a service provider or contractor shall have a contract
with the subcontractor that complies with the CCPA and these regulations,
including subsection (a).
(c) Whether a business conducts due diligence of its service providers and
contractors factors into whether the business has reason to believe that a
service provider or contractor is using personal information in violation of
the CCPA and these regulations. For example, depending on the circumstances, a
business that never enforces the terms of the contract nor exercises its rights
to audit or test the service provider's or contractor's systems might not be
able to rely on the defense that it did not have reason to believe that the
service provider or contractor intends to use the personal information in
violation of the CCPA and these regulations at the time the business disclosed
the personal information to the service provider or contractor.
Notes
Note: Authority cited: Section 1798.185, Civil Code. Reference: Sections 1798.100, 1798.105, 1798.106, 1798.110, 1798.115, 1798.120, 1798.121, 1798.130, 1798.135, 1798.140 and 1798.185, Civil Code.