Our March 2023 article “On the Road to Implementing the California Consumer Privacy Act” (Part 1) highlighted steps credit unions should take to expand their privacy programs upon approval of the final regulations implementing the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA Amendments). The CPRA Amendments will require significant changes to a credit union’s vendor contracts, even if the existing contracts were updated to comply with the CCPA. Enforcement begins July 1, 2023, so credit unions should begin the process of updating their vendor contracts to include the statutorily required CCPA/CPRA contract provisions. This Part 2 highlights the CPRA Amendments and final regulations regarding vendor contracts.
Are all vendors treated the same under the CCPA/CPRA?
No. Under the CPRA Amendments, there are three categories of vendors; however, all vendor contracts require statutory contract provisions, which differ depending on the category of vendor:
Service providers – process personal information for the credit union for a credit union business purpose.
Contractors – anyone to whom the credit union makes available personal information for either a credit union business purpose or a contractor’s business purpose.
*Personal information transferred to a service provider or contractor is not considered a “sale,” so the consumer does not have opt-out rights so long as the statutory contract provisions are included in the vendor contract.
Third party – anyone who is not a service provider or contractor or who is not a business that collects personal information from an intentional interaction with the consumer as part of their current interaction with the business.
*Personal information transferred to a “third party” is considered a “sale,” so the consumer has opt-out rights, and there are statutory contract provisions for third party vendor contracts.
What are the minimum statutory contract requirements?
The following summarizes the minimum statutory contract requirements for service providers, contractors, and third parties. A credit union can add contract provisions without changing the vendor’s category, provided the minimum requirements are met. In addition, the CCPA/CPRA contains direct obligations for service providers, contractors, and third parties, and it would be prudent to include those obligations in vendor contracts as well as other protective language.
Minimum contract agreements from service providers, contractors, and third parties:
Additional minimum contract agreements from service providers and contractors:
Additional minimum contract agreement from contractors:
Additional minimum contract agreement from third parties:
First step in updating vendor contracts
Credit unions must first know what category a vendor falls into in order to update the vendor contract. This requires carefully examining how personal information is transferred to, and used by, a vendor. Most vendor contracts will be suitable for a separate addendum that is specific to the CCPA/CPRA contract requirements.
The breadth of the CCPA/CPRA changes the game for credit unions and their vendors in the handling of consumer personal information. Due to the complexity of this law, ensuring vendor contract compliance should include advice from the credit union’s legal counsel.
Article by Janet Jones, partner at Moore, Brewer & Wolfe.