California Privacy Rights Act for Employers: Vendor Contracting Requirements

This is the fourth in a series of articles about the implications of the California Privacy Rights Act for employers.

The impending January 1, 2023 effective date of the California Privacy Rights Act (CPRA) has created a lengthy list of compliance tasks for human resources (HR) departments.  Among other things, HR will need to help perform an audit of the personal information collected from the company’s workforce members (“HR data”) to assist with the creation of the CPRA’s required “notice at collection,” and oversee the development of a workflow process to facilitate the company’s response to workforce members’ requests to exercise their CPRA rights.  Yet, HR is not the only corporate department with a CPRA “to do” list.  In addition to working with HR on each of the previously mentioned tasks, in-house legal teams and procurement teams have the responsibility of overseeing the task that is the focus of this article: preparing and implementing a CPRA-compliant addendum for the company’s service agreements with vendors that handle HR data.

This article explains the CPRA’s contracting requirements and provides an overview of the considerations for employers when drafting and negotiating CPRA privacy addenda with vendors that have access to the company’s HR data.

The CPRA Imposes New Contracting Requirements on Employers

The CPRA’s contracting requirements are another example of the broad range of compliance obligations employers face under the CPRA, in comparison to its predecessor, the California Consumer Privacy Act (CCPA).  Under the CCPA there has been little reason for an employer to update its service agreements with entities that store or process its HR data.  The CCPA does not require specific provisions in agreements with service providers.  The statute does, however, give companies an incentive to include certain provisions in these agreements: the definition of “sale” effectively excludes arrangements with service providers whose contracts include certain language.  Including this language in the contract therefore greatly reduces the risk that a company’s transfer of personal information to a vendor would be deemed a sale, with the key result that the company would not need to comply with the right to opt out of sales that the CCPA grants to consumers.  By not including the permissible CCPA vendor contracting language, a business’s transfer of personal information to a service provider could be deemed a sale, which could in turn obligate the business to provide notice of the sale and a mechanism for individuals to opt out of the transfer of their information to the third party.

For employers, however, this CCPA requirement does not present a material risk because employees do not have a right to opt out of any sale of personal information under the CCPA.  As a result, even if an employer’s transfer of HR data to a service provider were to be deemed a sale based on the absence of language within the service agreement, such a finding would not trigger additional compliance obligations for the employer.

The CPRA changes that analysis.  The CPRA’s contracting requirements specifically apply to a disclosure of personal information to a service provider or a contractor[1] that has access to an employee’s personal information for a business purpose, pursuant to a written contract.  While the CCPA required the inclusion of language as a preventative measure (i.e., to avoid the service provider falling within the CCPA’s definition of a “third party”), the CPRA imposes an affirmative obligation upon employers to include specific provisions within their service agreements with service providers and contractors that will receive HR data.  As discussed next, these provisions extend beyond restricting the vendor’s ability to sell personal information received from a business.  Employers therefore will not have much latitude under the CPRA to avoid distributing a CPRA-compliant addendum to service providers or contractors that handle their HR data.

CPRA-Required Provisions Employers Must Add to Service Agreements

The CPRA requires an employer to include the following within its agreements with service providers:

  1. Language specifying the purposes for which employee HR data can be used by the service provider;
  2. Language prohibiting the service provider from selling or sharing the HR data;
  3. Language prohibiting the service provider from retaining, using, or disclosing the HR data other than for the purposes specified in the service agreement;
  4. Language prohibiting the service provider from using or disclosing the HR data outside the parties’ direct business relationship;
  5. Language prohibiting the service provider from combining the HR data with personal information received from another party or directly from the individual unless permitted by regulation;
  6. A provision “flowing down” the employer’s privacy protection obligations under the CPRA to the service provider;
  7. A provision granting the employer the right to take “reasonable and appropriate steps” to ensure that the service provider is using the HR data in a manner consistent with the employer’s CPRA obligations;
  8. Language requiring the service provider to notify the employer of an inability to comply with the CPRA;
  9. A provision granting the employer the right to take “reasonable and appropriate steps” to stop and remediate unauthorized use of the HR data; and
  10. A provision requiring the service provider to inform the employer if any subcontractors are used to process the employer’s HR data.

When an employer is using a contractor, the CPRA imposes two additional contracting requirements.  Contractors that receive HR data must also:

  • Certify that they understand and will comply with each of the above-listed provisions;
  • Agree to permit the employer to monitor the contractor’s compliance with the contract through measures including, but not limited to, manual reviews, regular assessments, annual audits, and technical testing at least once every 12 months.

Additional Provisions Employers Should Consider

Although the CPRA presents a long list of contracting requirements, the list is by no means all-encompassing.  A number of important CPRA compliance issues that should be addressed by employers are not delineated within the CPRA as mandatory contracting terms, yet employers should be aware of these issues when preparing CPRA addenda.  One example is the issue of responding to CPRA rights requests.  The CPRA gives employees the rights to request the deletion of their data, to correct their data, and “to know” the data collected by the employer.  In order to respond to these requests, employers will likely need the assistance of service providers that process and store their HR data.  Responding to an employee’s data deletion request provides a good illustration.  An employer that receives a data deletion request should take steps to ensure that the data is deleted not only from the employer’s internal systems, but also from the systems of the service providers that store the employee’s data on the employer’s behalf.  The CPRA imposes a 45-day deadline on the employer’s response to data rights requests,[2] so it is of critical importance that the employer and the service provider are aligned on the time frame for a response.  The service provider’s delay could lead to the employer facing the scrutiny of the California Privacy Protection Agency.  The converse is also true: if the service provider receives a request that should have been directed to the employer, the service provider should strive to redirect the request to an identified email address at the employer as soon as possible.

The CPRA’s data retention requirement provides another good example of an issue that should be contemplated by employers when preparing CPRA addenda.  The CPRA puts the onus on employers to maintain retention schedules for personal information collected from workforce members and to provide information on retention periods within the CPRA-required notice at collection.  Implementing retention schedules necessarily requires an employer to develop workflow processes with its vendors to verify the deletion of workforce member data in accordance with the employer’s retention/destruction schedule.  Employers would be well served to ensure that these issues, and other CPRA compliance tasks that implicate a service provider, are considered when drafting a company’s CPRA addendum.

Practical Tips

The process of drafting and negotiating CPRA-required contractual provisions with vendors could create a significant amount of work for in-house lawyers in 2022.  Fortunately, there are steps that in-house legal departments and procurement teams can take now to help streamline the work to be performed:

  1. Perform an “internal audit” to identify the company’s external vendors: The first step for employers often is to identify those service providers that will process, store, or merely have access to the personal information of the employer’s California-based workforce members as of January 1, 2023.  Once those entities are identified, the employer can begin to determine the scope of its CPRA addendum campaign.
  2. Work with HR and internal stakeholders to outline the process for responding to rights requests and requesting the destruction of workforce member data: Before preparing a CPRA addendum, employers must give thought to the processes that will need to be addressed within the agreement.  As discussed above, responding to CPRA data rights requests and ensuring the timely destruction of data are two processes that should be addressed.  Employers should try to ensure that such provisions, which are not mandated by the CPRA, are contemplated before putting pen to paper.
  3. Coordinate with service providers: As in-house lawyers that negotiated GDPR data processing agreements in 2018 well know, many of the larger service providers will prepare their own privacy addendum and make it available on their website.  Once employers have a list of the service providers and vendors that will process the personal information of California workforce members as of January 1, 2023, employers can consider which of these service providers can be de-prioritized as likely to provide their own agreement.

Footnotes

[1] The CPRA defines a service provider as “a person that processes personal information on behalf of a business and that receives from or on behalf of the business a consumer’s personal information for a business purpose pursuant to a written contract …”  Cal. Civ. Code § 1798.140(ag)(1).  A contractor is defined as “a person to whom the business makes available a consumer’s personal information for a business purpose, pursuant to a written contract with the business.”  Id. at (j)(1).

[2] The CPRA permits this deadline to be extended by 45 days under certain circumstances.  See Cal. Civ. Code § 1798.145(h)(1).

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.