Credit Union News

On the Road to Implementing the California Consumer Privacy Act: Part 2

Our March 2023 article “On the Road to Implementing the California Consumer Privacy Act” (Part 1) highlighted steps credit unions should take to expand their privacy programs upon approval of the final regulations implementing the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA Amendments). The CPRA Amendments will require significant changes to a credit union’s vendor contracts, even if the existing contracts were updated to comply with the CCPA. Enforcement begins July 1, 2023, so credit unions should begin the process of updating their vendor contracts to include the contract provisions required by the CCPA/CPRA statute. This Part 2 highlights the CPRA Amendments and final regulations regarding vendor contracts.

Are all vendors treated the same under the CCPA/CPRA?

No. Under the CPRA Amendments there are three categories of vendors. All vendor contracts require statutory contract provisions, but those provisions differ depending on the category of vendor:

Service providers – process personal information for the credit union for a credit union business purpose.

Contractors – anyone to whom the credit union makes available personal information for either a credit union business purpose or a contractor’s business purpose.

*Personal information transferred to a service provider or contractor is not considered a “sale,” so the consumer does not have opt-out rights so long as the statutory contract provisions are included in the vendor contract.

Third party – anyone who is not a service provider or contractor or who is not a business that collects personal information from an intentional interaction with the consumer as part of their current interaction with the business.

*Personal information transferred to a “third party” is considered a “sale” so the consumer has opt-out rights and there are statutory contract provisions for third party vendor contracts.

What are the minimum statutory contract requirements?

The lists below summarize the minimum statutory contract requirements for service providers, contractors, and third parties. A credit union can add contract provisions without changing the vendor’s category, provided the minimum requirements are met. In addition, the CCPA/CPRA contains direct obligations for service providers, contractors, and third parties, and it would be prudent to include those obligations in vendor contracts, along with other protective language.

Minimum contract agreements from service providers, contractors, and third parties:

  1. Comply with the CCPA as applicable to its own business operations and activities.
  2. Personal information is transferred only for the limited and specified purposes stated in the contract. (The purpose cannot be generally stated and other requirements apply. For service providers and contractors, the purpose must be one of the eight approved business purposes stated in the CPRA Amendments.)
  3. Provide the same level of privacy protection as required by the credit union and as required by the CCPA.
  4. Grant the credit union the right to ensure the personal information transferred is being used consistent with the credit union’s obligations under the CCPA.
  5. Grant the credit union the right to stop and remediate the unauthorized use of personal information.
  6. Allow the credit union to monitor compliance with the contract and CCPA requirements.
  7. Notify the credit union if it determines that it can no longer meet its obligations under the CCPA.

Additional minimum contract agreements from service providers and contractors:

  1. Will not sell or share any personal information.
  2. Will not retain, use, or disclose any personal information for any purpose, including for a commercial purpose, other than for the specific business purpose(s) stated in the contract.
  3. Will not retain, use, or disclose any personal information outside of the direct business relationship with the credit union.
  4. Assist the credit union with responding to consumer rights requests under the CCPA.

Additional minimum contract agreement from contractors:

  1. Certify that they will comply with the CCPA.

Additional minimum contract agreement from third parties:

  1. Certain agreements related to collecting personal information through a website.

First step in updating vendor contracts

Credit unions must first know what category a vendor falls into in order to update the vendor contract. This requires carefully examining how personal information is transferred to, and used by, a vendor.  Most vendor contracts will be suitable for a separate addendum that is specific to the CCPA/CPRA contract requirements.

The breadth of the CCPA/CPRA changes the game for credit unions and their vendors in the handling of consumer personal information.  Due to the complexity of this law, ensuring vendor contract compliance should include advice from the credit union’s legal counsel.

Article by Janet Jones, partner at Moore, Brewer & Wolfe.
