In this third post of our ongoing series, we examine key takeaways for companies in light of the recently released draft CPRA regulations. Today’s focus is on contractual requirements. (Visit here for information about collection and notice under the draft regulations, and here for information about choice.)

The contractual requirements in the draft regulations do not mirror the statute and add entirely new obligations. For example, the draft regulations prescribe a new, five-day time period in which a service provider, contractor, or third party must notify the business if they determine they can no longer comply with the CPRA’s requirements. The draft regulations also require contracts with service providers to identify the specific business purposes and services for which personal information will be processed and prohibit generic descriptions of such purposes, such as referencing the entire contract generally.

The draft regulations state that failure to meet the prescriptive requirements means that the recipient is not a service provider or contractor under the CCPA. This means that any such transfer would be deemed a “share” subject to the right to opt out of sharing. Businesses must also conduct due diligence on service providers, contractors, and third parties to take advantage of the CPRA statute’s liability shield for compliance failures of the service provider, etc. without the business’s knowledge.

Putting it into practice. While the draft regulations may undergo many updates between now and CPRA’s January 1, 2023 effective date, there are certain things companies can do today. This includes analyzing these new requirements for contracts and analyzing existing service provider relationships to identify possible gaps.