Preparing For The CPRA Part 3: New Contractual Requirements For Data Transfers
Preparing For The CPRA Part 3: New Contractual Requirements For Data Transfers

[This is the third in a series of blog posts on how businesses should prepare for the California Privacy Rights Act which will enter into force on January 1, 2023]

When the California Privacy Rights Act (“CPRA”) takes effect on January 1, 2023, it will bring changes to several key areas of privacy law.  AALRR has already covered changes regarding (a) employee data here; and (b) data retention requirements here

Another significant change will be the expansion of contractual requirements regarding transfers of personal information.  The CPRA builds on the California Consumer Privacy Act’s (“CCPA”) previous requirements by creating a new category of entities and significantly expanding what contracts governing data transfers must include.

Previous CCPA Requirements:

The CCPA set out three categories of entities: businesses, service providers, and third parties.  In general, under the CCPA, a “business” is an entity that collects personal information from California residents, while “service providers” and “third parties” are entities that process or receive personal information from businesses.  Under the CCPA, unless an exception applies, a transfer of personal information to a third party for monetary or other valuable consideration constitutes a “sale” and requires the business to provide the consumer with notice of that sale and provide the consumer with the right to opt out.  Transfers to “service providers” do not trigger the right to opt out. 

Under the CCPA, to qualify as a service provider-business relationship, the transfer of personal information must be pursuant to a written contract that prohibits the service provider from “retaining, using, or disclosing the personal information for any purpose other than for the specific purposes” identified in the contract or as otherwise permitted by the CCPA.  On the other hand, the CCPA essentially defined a “third party” in the negative as an entity that does not collect the personal information and also does not qualify as a service provider. 

New CPRA Category:

The CPRA adds a new category: “contractors,” which are defined as entities to which businesses “make available” personal information or which “use” personal information (compared with service providers which are defined as processing personal information from or on behalf of a business).  Under the CPRA, agreements with contractors are subject to a few additional requirements, which are discussed below.

New CPRA Contractual Requirements:

The CPRA also requires any business that sells or shares personal information with a third party or that discloses personal information with a service provider or contractor to ensure that the governing contract:

(1) obligates the receiving entity to comply with the CPRA and provide CPRA-required levels of privacy protection;

(2) specifies that the personal information is sold/shared or disclosed only for limited and specified purposes;

(3) grants the business rights to take reasonable and appropriate steps to ensure that the receiving entity uses the personal information in a manner consistent with the CPRA;

(4) requires the receiving entity to notify the business if it can no longer meet its obligations under the CPRA;

(5) grants the business the right, upon notice, to take reasonable steps to stop and remediate unauthorized use of personal information by the receiving entity; and

(6) states that the receiving entity is prohibited from: (a) selling or sharing the personal information; (b) retaining, using or disclosing the personal information for any purpose other than the purpose specified in the contract; (c) retaining, using or disclosing the personal information outside of the direct business relationship specified in the contract; and (d) combining the personal information received with personal information received from another business or that it collects itself (unless such combination is necessary for certain business purposes identified in the implementing regulations). 

If a service provider or contractor engages a sub-processor, it is required to notify the business and enter into a contract with the sub-processor that meets the above requirements.

Additionally, a contractor must: (1) certify that it understands the above requirements and (2) permit the business to monitor its compliance with the contract through ongoing reviews, automated scans and regular assessments or audits, at least once every twelve months.  

Is My Business a Covered Business Subject to the CCPA/CPRA?

All businesses that (1) conduct business in California for the profit or financial benefit of their shareholders or owners, (2) collect consumers’ (i.e., California residents) personal information, and (3) that meet any of the following three thresholds are a covered business:

  • Has annual gross revenues in excess of $25 Million; or
  • Annually buys, receives, sells, or shares for commercial purposes the personal information of 50,000 (or 100,000 after January 1, 2023) or more consumers, households, or devices; or
  • Derives 50% or more of its annual revenues from selling or sharing consumers’ personal information.

Covered businesses also include companies and individuals that control or are controlled by a business that satisfies the above requirements and have common branding (e.g., name, service mark, trademark, etc.) with a business that satisfies the above requirements.


The CPRA’s expanded contractual requirements will require businesses to evaluate (and likely modify) any contractual agreement that governs the transfer of data.  AALRR is ready and able to help with this process and or any questions you may have.  Please contact the authors of this article or your trusted adviser at AALRR to discuss next steps or questions.

This AALRR presentation is intended for informational purposes only and should not be relied upon in reaching a conclusion in a particular area of law. Applicability of the legal principles discussed may differ substantially in individual situations. Receipt of this or any other AALRR presentation/publication does not create an attorney-client relationship. The Firm is not responsible for inadvertent errors that may occur in the publishing process. 

©2022 Atkinson, Andelson, Loya, Ruud & Romo


Other AALRR Blogs

Recent Posts

Popular Categories



Back to Page

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.