You’re Not Ready for CPRA If Your Vendors Aren’t

By Wayne Matus, Rich Vestuto

Say you dutifully got your organization in good compliance with the GDPR, and then did the same for CCPA, and perhaps even for the state laws that followed from Virginia, Nevada, Colorado, Connecticut, and Utah. Great.

But none of that prepared you for the new demands of the CCPA's replacement: the CPRA. The new law calls for executing new contracts with all your counterparties, requiring that they comply with the CPRA and that they grant you the rights and power to ensure that they have complied. CPRA 1798.100 (d).

The requirement to enter a new contract is extensive, and the obligation applies to each new type of counterparty: service providers, contractors, and third parties. The new CPRA also requires that businesses enter a contract with any counterparties that use personal information regardless of whether the information is given by the business itself or obtained on behalf of the business.

When these GDPR-like requirements take effect, businesses are likely to be surprised by the consequences of failing to perform vendor due diligence or risk assessments. Right now, these requirements take effect in California on January 1, 2023, and several other state laws have similar new provisions.

California's proposed regulations give this requirement extra bite by explicitly stating that "whether a business conducts due diligence of its service providers and contractors factors into whether the business has reason to believe that a service provider or contractor is using personal information in violation of the CPRA and these regulations," via Section 7051(e).

In other words, it is not enough to simply have the required contract in place. If you do not use your obligatory contractual audit rights to audit your vendors, and there is a violation, you can be imputed with knowledge of their violations and held liable along with the third party.

The second major change is that the CPRA has added the requirement that businesses must regularly submit a risk assessment to the California Privacy Protection Agency where processing presents a significant risk to consumers' privacy. CPRA 1798.185 (15). This raises the question: If a business fails to use its required contractual rights to audit its vendors, how can it possibly submit a risk assessment substantiating that there is no significant risk to consumers, or that the risk, if it exists, is outweighed by the benefits to the consumers?

The answer is that it cannot. A business cannot possibly know that processing does not present a significant risk to a consumer's privacy without conducting an assessment. If it should turn out that a consumer is injured, and a risk assessment of the process and the vendors was not conducted, the regulatory fine will be substantially worse.

California is not alone in requiring a risk assessment. The Virginia CDPA, starting January 1, 2023, requires that each controller perform a risk assessment for the sale of personal data, processing for targeted advertising, profiling, processing of sensitive data, and processing where there is a heightened risk of harm. VCDPA 59.1-580. Colorado has substantially the same requirement. C.R.S. 6-1-1309.

The cost of not complying with these new CPRA regulations can be significant not only to the counterparty but also to the business. None of this should come as a surprise to those who have dealt with GDPR compliance. Vodafone was fined €8.15 million (U.S. $9.72 million) for failing to monitor its vendors' aggressive telemarketing tactics on its behalf. But it will surprise those who never thought GDPR-like compliance obligations would arrive in the U.S.

The pressure to meet the new deadlines, revise contracts, and conduct risk assessments is building. But the good news is that there are options to amend or novate contracts in a safe, reasonable, and efficient way. By leveraging technology to repaper or draft new updated contracts, companies can avoid incurring the expenses associated with law firm hourly charges. And there are technologies available that can assist businesses in performing all the new assessments required by the CPRA and several of the other state privacy laws.

Author Comments:

Where a business collects a consumer's personal information and sells that personal information to, or shares it with, a third party, or discloses it to a service provider or contractor for a business purpose, the agreement must, among other things: 

  • Specify that the personal information is sold or disclosed by the business only for limited and specified purposes;
  • Obligate the third party, service provider or contractor to comply with applicable obligations under the CPRA;
  • Obligate those persons to provide the same level of privacy protection as is required by the CPRA;
  • Grant the business rights to take reasonable and appropriate steps to help ensure that the third party, service provider or contractor uses the personal information transferred in a manner consistent with the business' obligations under the CPRA;
  • Require the third party, service provider or contractor to notify the business if it makes a determination that it can no longer meet its obligations under the CPRA;
  • Grant the business the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.

The views and opinions expressed are solely those of the contributor and do not necessarily reflect the official position of the ANA or imply endorsement from the ANA.
Wayne Matus is the co-founder, general counsel, and EVP at SafeGuard Privacy.

Rich Vestuto is the managing director at KROLL / Duff & Phelps.