Aventiv Technologies Chief Compliance Officer Russ Berland illustrates the importance of a “define the relationship” arrangement between businesses and their vendors.
On January 1, 2020, the California Consumer Privacy Act (CCPA), which applies to how businesses deal with California consumers’ personal information, became law. If a company is subject to the CCPA, one of many tasks they must accomplish is to amend their agreements with all of their vendors who handle any personal information the company collects. In other words, they must further define the relationship (DTR) with their vendors.
When I was in college, my friends talked about having to have a DTR with their dating partners. I was too nerdy to date in college, so it never came up for me. But according to my friends, a DTR is a conversation in which two people who are dating decide to set some expectations and boundaries around their relationship. Many of my guy friends said they did not view this as a fun experience. As a nerd, one of my favorite DTRs is the 31-page relationship agreement between California couple Sheldon and Amy in “The Big Bang Theory.”
Some of the sections in Sheldon and Amy’s DTR are “Section 4: Booboos and Ouchies: Amy must help Sheldon when he has a small injury” and “Section 5: Hand Holding – holding hands is only allowed under the following circumstances: A: Either party is in danger of falling off a cliff, precipice or ledge; B: Either party is deserving of a hearty handshake after winning a Nobel Prize.”
Apparently, a written relationship agreement served Amy and Sheldon by sustaining their relationship for eight seasons of “The Big Bang Theory.” Similarly, it is time to have a DTR with your vendors about how they deal with your customers’ personal information.
This DTR has some requirements under California law. First, it must be in writing.[1] The relationship companies want to have under the CCPA is that of a service provider, which has fewer requirements, rather than that of a third party, which triggers lots of requirements.
The biggest distinction between a service provider and a third party is that the service provider’s agreement, like Sheldon and Amy’s, is in writing. And a service provider’s agreement (aka contract) must say they will be exclusive – they will exclusively use your personal information for the things you tell them to do with it, and they cannot do anything else with it. They may not sell it and they may not retain, use or disclose any personal information you have provided to them except in the way you tell them in your agreement.[2] They may not gossip, hoard, take advantage of or trade your personal disclosures unless you tell them that they can. If you send them that special text in the middle of the night, they cannot post it on Instagram the next day unless you say it’s okay. And who is going to say that’s okay?
When it comes to your consumers’ personal information, your vendor needs to “keep it in your pantry,” as singer Lyle Lovett says. Your vendor may only use the personal information you give them to the extent it is necessary to perform the “business purpose” for which you hired them. The CCPA says it’s okay to use personal information to cover a business’s operational needs, which includes activities like auditing, detecting security incidents, fulfilling orders, conducting transactions, processing payments and things like that.[3]
The agreement cannot just be made up; it has to actually reflect the relationship between you and your vendor. And just to make sure that everyone means it when they sign the agreement, everyone has to say in the agreement that they have read and understand the requirements of the agreement and the CCPA.[4] The agreement must be enforceable. Just like when Amy violated the relationship agreement with Sheldon:
Sheldon: It pains me to say it, but I think some form of penalty is in order, so as to discourage this type of behavior in the future.
Amy: I suppose that’s fair. What do you suggest?
Sheldon: In a perfect world, I’d lock you in a stockade in the public square. That probably requires a permit.
Amy: I could not be allowed to go to the opening of the next Star Trek movie.
Sheldon: Oh, that seems overly harsh. I mean, you gave in to a human weakness, you didn’t kill a man.
In real life, relationships that are not defined can be awkward. So, in this DTR between you and your vendor, the CCPA only has a few simple requirements. If you bake those into your written agreement, you should comply with that part of the CCPA. And your vendor can be your own service provider rather than some random third party. There are a lot more things to cover under the CCPA, like privacy notices, individual rights management, do not sell buttons, security minimums … but we can save those for another article.
For now, let’s hope – like Sheldon and Amy – your written relationship agreement with your vendor helps you define the relationship as a service provider under the CCPA.
[1] Cal. Civ. Code § 1798.140(v).
[2] Cal. Civ. Code § 1798.140(w)(2).
[3] Cal. Civ. Code § 1798.140(d).
[4] Cal. Civ. Code § 1798.140(w)(2).