Corporate Compliance Insights

Meeting Contract Requirements for the CCPA

Define the Relationship as a Service Provider

by Russ Berland
January 8, 2020
in Data Privacy

Aventiv Technologies Chief Compliance Officer Russ Berland illustrates the importance of a “define the relationship” arrangement between businesses and their vendors.

On January 1, 2020, the California Consumer Privacy Act (CCPA), which applies to how businesses deal with California consumers’ personal information, became law. If a company is subject to the CCPA, one of many tasks they must accomplish is to amend their agreements with all of their vendors who handle any personal information the company collects. In other words, they must further define the relationship (DTR) with their vendors.

When I was in college, my friends talked about having to have a DTR with their dating partners. I was too nerdy to date in college, so it never came up for me. But according to my friends, a DTR is a conversation in which two people who are dating decide to set some expectations and boundaries around their relationship. Many of my guy friends said they did not view this as a fun experience. As a nerd, one of my favorite DTRs is the 31-page relationship agreement between California couple Sheldon and Amy in “The Big Bang Theory.”

Some of the sections in Sheldon and Amy’s DTR are “Section 4: Booboos and Ouchies: Amy must help Sheldon when he has a small injury” and “Section 5: Hand Holding – holding hands is only allowed under the following circumstances: A: Either party is in danger of falling off a cliff, precipice or ledge; B: Either party is deserving of a hearty handshake after winning a Nobel Prize.”

Apparently, a written relationship agreement served Amy and Sheldon by sustaining their relationship for eight seasons of “The Big Bang Theory.” Similarly, it is time to have a DTR with your vendors about how they deal with your customers’ personal information.

This DTR has some requirements under California law. First, it must be in writing.[1] The relationship companies want to have under the CCPA is a service provider, which has fewer requirements, rather than a third party, which triggers lots of requirements.

The biggest distinction between a service provider and a third party is that the service provider’s agreement, like Sheldon and Amy’s, is in writing. And a service provider’s agreement (aka contract) must say they will be exclusive – they will exclusively use your personal information for the things you tell them to do with it, and they cannot do anything else with it. They may not sell it and they may not retain, use or disclose any personal information you have provided to them except in the way you tell them in your agreement.[2] They may not gossip, hoard, take advantage of or trade your personal disclosures unless you tell them that they can. If you send them that special text in the middle of the night, they cannot post it on Instagram the next day unless you say it’s okay. And who is going to say that’s okay?

When it comes to your consumers’ personal information, your vendor needs to “keep it in your pantry,” as singer Lyle Lovett says. Your vendor may only use the personal information you give them to the extent it is necessary to perform the “business purpose” for which you hired them. The CCPA says it’s okay to use personal information to cover a business’s operational needs, which includes activities like auditing, detecting security incidents, fulfilling orders, conducting transactions, processing payments and things like that.[3]

The agreement cannot just be made up; it has to actually reflect the relationship between you and your vendor. And just to make sure that everyone means it when they sign the agreement, everyone has to say in the agreement that they have read and understand the requirements of the agreement and the CCPA.[4] The agreement must be enforceable. Just like when Amy violated the relationship agreement with Sheldon:

Sheldon: It pains me to say it, but I think some form of penalty is in order, so as to discourage this type of behavior in the future.

Amy: I suppose that’s fair. What do you suggest?

Sheldon: In a perfect world, I’d lock you in a stockade in the public square. That probably requires a permit.

Amy: I could not be allowed to go to the opening of the next Star Trek movie.

Sheldon: Oh, that seems overly harsh. I mean, you gave in to a human weakness, you didn’t kill a man.

In real life, relationships that are not defined can be awkward. So, in this DTR between you and your vendor, the CCPA only has a few simple requirements. If you bake those into your written agreement, you should comply with that part of the CCPA. And your vendor can be your own service provider rather than some random third party. There are a lot more things to cover under the CCPA, like privacy notices, individual rights management, do not sell buttons, security minimums … but we can save those for another article.

For now, let’s hope – like Sheldon and Amy – your written relationship agreement with your vendor helps you define the relationship as a service provider under the CCPA.

 


[1] Cal. Civ. Code § 1798.140(v).

[2] Cal. Civ. Code § 1798.140(w)(2).

[3] Cal. Civ. Code § 1798.140(d).

[4] Cal. Civ. Code § 1798.140(w)(2).


Russ Berland

Russ Berland is a seasoned leader who creates value in an organization by leading high-performance teams in law, compliance and risk management. He works with innovative, multinational organizations and has achieved measurable and timely results in the areas of law, compliance, strategic planning, international business and risk management. As an engineer and former federal court law clerk, he achieves business objectives and solves problems via deep experience, innovation with sound judgment and effective and efficient management of people, resources and costs. Russ is Chief Compliance Officer of Aventiv Technologies in Dallas, Texas.

Founded in 2010, CCI is the web’s premier global independent news source for compliance, ethics, risk and information security. 
