Contractual Requirements Between Covered Businesses and Service Providers Under California’s Consumer Privacy Law

January 23, 2020

It is common for title and settlement companies to share data in the process of closing a real estate transaction. However, some key definitions in the California Consumer Privacy Act of 2018 (CCPA) that went into effect at the beginning of the year are causing the companies to reassess practices and agreements as they figure out how to comply with the new privacy law.

The CCPA imposes strict requirements on the "sale" of personal information. The law’s broad definition of the term could sweep in arrangements involving a title or settlement company sharing customer data with a vendor or service provider.

The CCPA distinguishes between service providers and third parties. Steven Blickensderfer, an attorney with Carlton Fields, said there are certain advantages to being a service provider versus a third party. For instance, if a business shares personal information with a third party, that can trigger certain disclosures that must be made to the consumer.

The CCPA defines a service provider as a for-profit legal entity that processes personal information on behalf of a business pursuant to a written contract for a business purpose. Businesses may use service providers and share personal information with them. It is not considered a sale of personal information under the law if the sharing of personal information is necessary to perform a business purpose, the business has provided notice that the information is being used or shared, and the service provider does not further collect, sell or use the personal information of the consumer except as necessary to perform the business purpose.

Meanwhile, third parties must provide notice to consumers before “selling” personal information they receive to others and provide consumers an opt-out option.

Transferring personal information to a service provider does not necessarily trigger those additional obligations, according to Blickensderfer. An entity cannot simply call itself a service provider. There are certain thresholds that must be met as set forth in the statute.

  1. There must be a written contract in place between the covered business and the service provider, such as a service agreement. “The absence of any agreement or written contract is a strong indication, if not concrete proof, that the entity receiving the personal information is a third party,” Blickensderfer said.
  2. The written contract must include certain representations. The CCPA requires the written contract to state that the service provider will not retain, use, or disclose the personal information for any purpose other than for the specific purpose of performing the services set forth in the contract. Blickensderfer said, “The parties must further agree to limit the collection, sale, or use of the personal information disclosed except as necessary to perform the ‘business purpose’ for which the service provider was retained. The CCPA anticipates that the ‘business purpose’ will relate to a covered business’s ‘operational’ needs, such as auditing, detecting security incidents, fulfilling orders and transactions, processing payments.” Additionally, the parties must represent that they have read and understand the CCPA’s requirements.
  3. Those representations must be accurate. A company that receives and uses personal information for reasons beyond the operational needs of the covered business will likely be considered a third party, regardless of the representations in the written contract. “Where that is unavoidable, the company must be sure to weigh the benefits of processing the personal information against the risks of being considered a third party and the costs of additional CCPA compliance,” Blickensderfer said.

Examples of service providers that title and settlement companies conduct business with include website hosting providers, title production software, independent searchers, mobile notaries and customer relationship management systems.

According to the law firm JacksonLewis, a service provider that receives personal information by way of its contractual agreement and uses it in violation of the restrictions under the CCPA can be liable for those violations. A service provider, however, is not liable for failure by a business that shares personal information with it to comply with its CCPA obligations. For example, a service provider holding personal information provided by a business is not liable for that business’s failure to comply with its obligations to delete that personal information upon a consumer’s request, JacksonLewis said.

A service provider that violates the CCPA faces similar penalties to those of a business that violates the regulation. A business or service provider that violates the CCPA can face injunctions and penalties of not more than $2,500 for each violation, and not more than $7,500 for each intentional violation, in an action brought by the California Attorney General. A business or service provider is provided 30 days after receiving written notice of noncompliance to cure the violation, before facing liability.

Contact ALTA at 202-296-3671.