Refreshed CCPA Procurement and Compliance Guide for Your IT and Telecoms Agreements

On January 1, 2020, fireworks rang out in California, but they weren’t celebrating the New Year or New Decade.  California residents were rejoicing at the California Consumer Privacy Act taking effect, while businesses were recoiling at the same. 

The California Consumer Privacy Act (CCPA) is a 2018 law that gives California residents information about and control over use of their personal information by businesses operating in California.  California residents benefit from the CCPA while businesses bear the burden.  The burden on business was lightened in 2019 by various amendments to the CCPA, while California residents’ notice, access, opt-out, deletion and non-discrimination benefits remained largely unchanged.

The CCPA remains a work in progress.  Instead of speculating on what may come from the Attorney General and courts in 2020 and beyond, let’s see what changed in 2019, how those changes impact businesses that purchase IT and telecoms services, and review and expand upon how your IT and telecoms contracts can reduce your risks. 

CCPA Basics Refresher

The CCPA applies generally to all large businesses operating in California.  (To find out if your business is subject to the CCPA, please see the Beginner’s High-Level Guide to the CCPA).  It specifies California residents’ rights to notice of the collection of their personal information (PI), and their rights to access, delete, and prevent a business from selling or sharing that information.  Businesses’ obligations under the CCPA facilitate these rights.  The obligations are complex with numerous specific exceptions and depend heavily on lengthy and often unclear definitions. 

At a high level, a business must:

• Notice of Collection – Inform consumers, at or before collecting their PI, of the categories of personal information to be collected and the purposes for which it is being used.  A business may not collect other categories of PI until it has notified the consumer.  A consumer need not make a request; it is simply entitled to this notice.
• Right to Know – If a consumer submits a “verifiable” request, disclose specific pieces of PI collected, the categories of PI it collected or sold (which includes sharing for money or valuable consideration), the purposes for which such PI is used, and the categories of third parties to which it sold the consumer’s PI within 45 days.
• Right to Delete – If a consumer submits a “verifiable” request, delete and direct any service providers to delete the consumer’s PI within 45 days, unless the information is necessary for the business to perform certain functions.
• Do Not Sell – Notify the consumer in advance that it sells their PI so the consumer can opt-out of the sale (see Notice of Collection).  Once a consumer opts-out, not sell their PI until it receives express consent from the consumer. 
• Non-discrimination – Not discriminate against consumers that opt-out of sale of their PI.

A business that does not do these things faces an Attorney General requested court order compelling compliance and a civil penalty of up to $2,500 for each violation or $7,500 for each intentional violation.  A court order compelling compliance could put your organization, or parts of it, temporarily out of business until it complies and implementing the requirements takes time. 

Consumers cannot enforce the above requirements.  They can, however, seek damages if their “nonencrypted” and “nonredacted” PI is accessed and taken without authorization because the business did not have reasonable and appropriate security processes in place.  The consumer enforcement/private right of action does not require consumers prove actual damages; consumers get damages of at least $100 per consumer per incident.

2019 CCPA Amendments Benefit Businesses

Natural persons permanently in California or domiciled there are “consumers” whose “personal information” is protected under the CCPA.  If information is not “personal information,” the CCPA does not restrict a business’ use of the information. 

As noted above, definitions are crucial to understanding a business’ obligations.  On October 11, 2019, the CCPA’s broad definition of “personal information” was narrowed in several ways:

• PI now includes only information “that is reasonably capable of being associated with or could reasonably be linked, directly or indirectly” to a consumer. As originally passed, virtually all information a person shared with a business was likely “personal information.”  Unknown and unexpected capabilities allowing this association may exist or may in the future exist, particularly with bad actors, who may associate the information to a consumer.
• PI now excludes deidentified and aggregate consumer information if a business deidentifies the information and protects it against reidentification with a consumer as specified in the Act. Businesses that take these steps can use this information in whatever way best serves their purposes and profits.

Other amendments did not remove communications from the definition of “personal information.”  They instead relieved businesses of some CCPA obligations for specific types of communications.

Motor Vehicle.  New motor vehicle dealers and manufacturers need not comply with the Opt-Out of Sale requirements for “vehicle information or ownership information” they share for repair under warranty or recall if the business does not share, sell or use this information for any other purpose. A business remains subject to the Opt-Out of Sale obligation for any other use.

The above amendments are part of the law going forward.  The next amendments apply only until January 1, 2021. 

The (Temporary) Employee Exemption.  A business must only comply with the CCPA’s Notice of Collection obligation for PI “collected and used by the business solely within the context of”:

• a person’s role as an employee (which includes potential or former employees and owners, directors, medical staff, and contractors)
• administering benefits related to the employee, or
• having an emergency contact on file for the employee.

A business remains subject to consumer enforcement/private right of action.

The (Temporary) B2B Exemption.  A business is only obligated to comply with the Do Not Sell and Non-discrimination obligations for PI collected from a person acting as an employee of another company when used solely within the context of the business providing or receiving a product or service to or from such business or investigating whether to do so.  A business remains subject to consumer enforcement/private right of action.

As of January 1, 2021, a business is subject to all CCPA requirements for all employee and B2B PI, whether in or out of scope of their employment.

Your IT and Telecoms Supplier Contracts and CCPA Compliance

Your organization likely receives IT and telecoms services from one or more suppliers.  In providing their services to you, your suppliers receive PI such as telephone numbers, IP addresses and possibly names of persons you invite to a conference call or web conference.  These persons may be your employees, but they may also be your customers or advisers or regulators.  Your organization is responsible for your suppliers’ use of this PI consistent with your CCPA obligations – generally your Right to Know, Right to Delete, Do Not Sell, Non-discrimination and Notice of Collection obligations.

Thankfully, the CCPA recognizes your dependence on suppliers.  It provides several ways to avoid responsibility for your supplier violating the CCPA restrictions on use of the PI it receives from you.  These restrictions include the Do Not Sell obligation and the obligation not to use PI beyond those in the Notification of Collection. The CCPA also allows you to avoid sales-related obligations if your service provider follows certain rules.  To avail your organization of these benefits, your supplier contract must:

Service Providers	Others*
To shift responsibility for another entity’s use of personal information you shared – required by CCPA
	Prohibit sale of such personal information
Prohibit retention, use or disclosure: for any purpose other than for the specific purpose of performing the services specified in the contract other than as permitted under the CCPA (e.g., sales with appropriate notice and do not sell rights)	Prohibit retention, use or disclosure: for any purpose other than for the specific purpose of performing the services specified in the contract outside the direct relationship between you and your supplier
	Include a certification that your supplier has read and understands these restrictions
	* If you had reason to believe at the time of disclosure that your supplier intends to violate the restrictions, you will remain responsible for their failure to comply with the use restrictions.
To avoid being subject to “sales” related obligations when sharing information with a service provider – recommended
Prohibit any further collection, sales, or use of the consumer’s personal information except as necessary to perform services on your behalf under the contract or other activities included in your service provider’s Notices of Collection.	(For these entities, sales are prohibited)
Make your service provider responsible for any harm your organization suffers if the provider’s actions or failures cause you to violate the CCPA.
Review your limitation of liability and disclaimer of certain types of damages so your organization can collect for the harm the service provider caused your organization.

But there’s more you should add to your IT and telecoms supplier contracts. 

You need assistance to meet your Notice of Collection, Right to Know, Right to Delete, and Do Not Sell obligations. You are collecting the PI that is shared with your supplier.  Your contract should require supplier:

• To inform you of the purposes for which it will use the PI, so this purpose can be included in your Notice of Collection.
• To timely (far before your 45-day deadline):
  • Identify the relationship between the specific pieces of PI you shared with your provider and the purpose for which it was collected, when you receive a “verifiable” Right to Know request.
  • Delete the PI from its systems, when you receive a “verifiable” Right to Delete request, unless the CCPA allows the supplier to keep the PI.
    To assist in these ways, your supplier needs the information available in a readily accessible format that allows it to separate the consumer’s information from other information – an arrangement that the supplier may have so it can comply with the CCPA.
  • Advise consumers whose PI you shared to contact your organization if it receives a request to Know or Delete.
• To generally assist you with your compliance with the CCPA.
• Not to create profiles based on the PI shared or narrowly define the profiles created so they can be included in your Notice of Collection.
• To collect contact information directly from your employees.

Depending on the type of IT or telecoms service, your organization may also want the contract to require your supplier:

• To acknowledge that it receives electronic PI such as IP addresses and telephone numbers needed to provide the IT and telecoms services directly from the person availing itself of the services, and not through your organization.
• To forbid the supplier from taking any action that could lead to reidentification of a consumer from any deidentified and aggregate consumer information you share.

What to Expect from Your Suppliers

In our experience, some suppliers readily agree to most of the above contract requirements, the exception being supplier’s obligation to protect your organization against all harm suffered if the provider’s actions or failures cause you to violate of the CCPA. 

Other suppliers, however, resist strongly without involvement of counsel that understands the CCPA complexities.  They may point to the temporary employee and B2B exemptions, to a general compliance with law or confidentiality clause in the contract.  Don’t fall for it. 

As noted above, the employee and B2B exemptions expire on January 1, 2021 and apply only to communications made in the role of an employee.  Other communications must be protected this year, and all must be protected next year.  A general compliance with law provision means your supplier must meet its obligations as a business that collects and uses personal information it collects from consumers.  It does not mean your supplier will assist you so your organization can meet its CCPA obligations when collecting and using PI.  A confidentiality clause is unlikely to reflect the detailed prohibitions required by the CCPA.

Disclaimer & For More Information

The above is merely a summary with high-level contract strategies.  It isn’t legal advice.  A careful analysis of the ways in which your company and its specific practices and supplier contracts are impacted by the CCPA is imperative to avoid potentially large exposure.

For further information, please contact Deb Boehling or the LB3 lawyer or TC2 consultant with whom you regularly work.