CPRA Update: What Is A "Contractor?"

Kelley Drye & Warren LLP

The California Privacy Rights Act (CPRA), effective January 1, 2023, adds "contractors" to the list of entities that a business may entrust with customer data.  So what is a "contractor?"  And how are "contractors" different from other entities described by California privacy law, such as "service providers" or "third parties?"

As it turns out, the answer is surprising.  Contractors are nearly identical to service providers, with just two differences:  contractors are not data processors; and contractors must make a contractual certification in CCPA contracts.  Moreover, contractors are not even new entities, and were already described in existing California privacy law.

Origins of "Contractors" in CCPA

To help explain the origins of the new contractor classification, we start with the California Consumer Privacy Act (CCPA).  Under the CCPA, now in effect, each disclosure of personal information from a covered business to another entity is regulated, either via consumer opt-out preferences or via contractual restrictions.  Altogether, there are three potential data flows described in the CCPA:  business to third party, business to service provider, and business to a person who is not a third party.  We describe each in turn:

  • Business to Third Party:   First, when a business discloses personal information to a third party, this constitutes the "sale" of personal information (unless an exception applies, such as in the context of an intentional disclosure).  The CCPA grants consumers the right to opt out of such sales of their personal information to prevent these data flows.

As an example, selling a marketing list to a third party or sharing profile information with an adtech partner in most cases would be considered a sale of personal information to a third party.

  • Business to Service Provider:  Second, when a business discloses personal information to a service provider, no "sale" occurs and there is no right of consumers to opt out.  The requirements for the recipient to be a service provider are that (1) the service provider processes personal information on behalf of the business, and (2) the service provider agrees to retain, use, or disclose the personal information only for business purposes specified in a written contract.

Service providers provide technical, professional, and other business support to the business.  For example, a service provider might offer various services such as cloud-based servers or software, consulting, or e-commerce fulfillment services.

  • Business to a Person Who Is Not a Third Party:  Finally, there is a rarely discussed third option in the CCPA.  The CCPA states that any recipient of personal information that agrees to certain enhanced contractual terms is not a third party.  This third category requires that the recipient agree to contractual terms that mirror service provider contractual terms, along with three additional terms:  (1) to refrain from selling the personal information, (2) to refrain from retaining, using, or disclosing the information outside the direct business relationship between the recipient and the business, and (3) to certify that the recipient understands the above contractual restrictions.

This third option is significant to avoid the "sale" of personal information.  If the recipient is not a third party, then a sale can only occur if the recipient is a "business" under CCPA.  In many cases, the recipient will not be a business either, typically because the recipient does not determine the purposes and means of processing the personal information.

As an example, if an authorized reseller furnishes a manufacturer with a list of new orders for fulfillment, and the manufacturer agrees to use the list only to fulfill orders, the manufacturer is not a third party.   Because the manufacturer does not determine the purposes and means of processing the personal information it receives, the manufacturer is not acting as a "business."  No sale occurs.

Similarly, if an identity verification service sends personal information to a company to assist that company with confirming the identity of an applicant for service, and the company agrees contractually to limit its use and disclosure of the information for business purposes, the recipient is not a third party or business and no sale occurs from the identity verification service to the business.

Here's a summary of the entities that may receive personal data under the CCPA:

Criteria, by recipient type: Third Party (1798.140(w)), Service Provider (1798.140(v)), and Person Is Not a Third Party (1798.140(w)(2)).

Sale?
  • Third Party: Yes
  • Service Provider: No
  • Person Is Not a Third Party: No unless the recipient is a "business."

Processor Terms
  • Third Party: N/A
  • Service Provider: The service provider processes personal information on behalf of the business.
  • Person Is Not a Third Party: N/A

Contractual Terms
  • Third Party: N/A
  • Service Provider: Retain, use, or disclose personal information only for business purposes.
  • Person Is Not a Third Party: Retain, use, or disclose personal information only for business purposes. Refrain from selling the personal information. Refrain from retaining, using, or disclosing the information outside of the direct business relationship between the person and the business. Certify understanding of and compliance with the above restrictions.

"Contractors" in CPRA

When CPRA becomes effective on January 1, 2023, the new law will incorporate these same classifications of entities that receive personal information.

  • Third Party:  A third party continues to be a recipient of sales of personal information.  A third party that offers cross-context behavioral advertising can now be the recipient of "sharing" of personal information, as well.
  • Service Providers:   Service providers remain entities that process personal information on behalf of a business pursuant to a written contract.  CPRA clarifies, however, that a service provider may receive the personal information either directly from or on behalf of the business.

Service providers now inherit terms that only applied to a person who is not a third party in the CCPA.  These terms require service providers to agree to (1) refrain from selling personal information and (2) refrain from retaining, using, or disclosing the information outside the direct business relationship between the service provider and the business.

  • Contractors:  The new term "contractor" refers to a person to whom the business makes available a consumer's personal information for a business purpose and pursuant to a written contract.  This classification largely mirrors CCPA's classification of a person who is not a third party.  In particular, similar to CCPA, contractors are still required to certify their understanding and compliance with contractual restrictions.

One key difference, however, is that CPRA makes clear that a contractor is never the recipient of a "sale" or "sharing" of personal information under CPRA.  Classification as a contractor means there is not a "sale" of personal information.

Additionally, for both service providers and contractors, CPRA adds three new contractual terms:

  • Combination of Personal Information:   CPRA adds new contractual restrictions that limit how personal information from a business may be combined with personal information received from other businesses or directly from consumers.  Further guidance on this issue is expected as part of the CPRA rulemaking process.
  • Contract Compliance Monitoring:   CPRA adds an obligation on businesses to monitor contractors and service providers for compliance with CPRA contract terms.
  • Sub-processor Obligations:   CPRA indicates that service providers and contractors must enter into similar CPRA contracts with any sub-processors that handle personal information, and provide notice to the business of each sub-processor.

The following chart summarizes these obligations, with comparisons to CCPA:

Criteria, by classification: CCPA Service Provider (1798.140(v)), CPRA Service Provider (1798.140(ag)), CCPA Person Is Not a Third Party (1798.140(w)(2)), and CPRA Contractor (1798.140(j)).

Sale?
  • CCPA Service Provider: No
  • CPRA Service Provider: No
  • CCPA Person Is Not a Third Party: No, unless the recipient is a business.
  • CPRA Contractor: No

Processor Terms
  • CCPA Service Provider: The service provider processes personal information on behalf of the business.
  • CPRA Service Provider: The service provider processes personal information on behalf of the business.
  • CCPA Person Is Not a Third Party: N/A
  • CPRA Contractor: N/A

Common Contractual Terms in CCPA & CPRA
  • CCPA Service Provider: Retain, use, or disclose personal information only for business purposes.
  • CPRA Service Provider: Retain, use, or disclose personal information only for business purposes. Refrain from selling the personal information. Refrain from retaining, using, or disclosing the information outside of the direct business relationship between the person and the business.
  • CCPA Person Is Not a Third Party: Retain, use, or disclose personal information only for business purposes. Refrain from selling the personal information. Refrain from retaining, using, or disclosing the information outside of the direct business relationship between the person and the business. Certify understanding of and compliance with the above restrictions.
  • CPRA Contractor: Retain, use, or disclose personal information only for business purposes. Refrain from selling the personal information. Refrain from retaining, using, or disclosing the information outside of the direct business relationship between the person and the business. Certify understanding of and compliance with the above restrictions.

New CPRA Contractual Terms
  • CCPA Service Provider: N/A
  • CPRA Service Provider: Restriction on combination of personal information. Duty to monitor compliance. Sub-processor obligations.
  • CCPA Person Is Not a Third Party: N/A
  • CPRA Contractor: Restriction on combination of personal information. Duty to monitor compliance. Sub-processor obligations.

As reflected above, the contractor classification is not new or significantly different from the service provider classification.  When compared with a service provider, the only differences are that contractors (1) do not process data on behalf of the business, and (2) certify compliance with contractual restrictions.

Accordingly, in determining which types of contract terms to have in place in various data flow scenarios, it is possible that contractor terms will be used in a more limited way where the recipient of data is not processing personal information on behalf of a data owner.

Here are some examples:

  • Sharing customer identifiers in certain product fulfillment use cases.
  • Agreements involving joint operations on data.
  • Integration agreements to enable independently-performed services on behalf of a common customer.
  • Data services offered to a business with restrictions on use of the data for limited business purposes.

In these scenarios, the parties to the transaction may be able to leverage the "contractor" classification to avoid a "sale" of personal information.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
