Ask SawyerBETA

Data Processing Agreement Law in California

When do I need a California data processing agreement?

You need a written DPA before disclosing personal information in these situations: - Selling or sharing personal information with a third party (any entity not a service provider or contractor) (11 CCR § 7052(a)) - Disclosing personal information to a service provider or contractor for a business purpose (Cal. Civ. Code § 1798.100(d)) - Disclosing personal information to any nonaffiliated third party not subject to California's data security requirements (Cal. Civ. Code § 1798.81.5(c))

The contract must be in place before disclosure occurs. Without it, your vendor loses service provider or contractor status protections.

What clauses must be in my California data processing agreement?

Service Provider and Contractor Contracts (11 CCR § 7051)

California mandates ten specific provisions:

Required Clause What It Must Say Legal Basis
No sale or sharing Prohibit selling or sharing personal information collected under the contract 11 CCR § 7051(a)(1)
Specific business purpose Identify the specific purpose(s) for processing; generic descriptions like "performing services" are insufficient 11 CCR § 7051(a)(2)
Purpose limitation (CCPA) Prohibit retaining, using, or disclosing for any purpose other than the specified business purpose(s) or as otherwise permitted by the CCPA 11 CCR § 7051(a)(3)
Purpose limitation (commercial) Prohibit retaining, using, or disclosing for any commercial purpose other than the specified business purpose(s), unless expressly permitted 11 CCR § 7051(a)(4)
Direct relationship limit Prohibit use outside the direct business relationship and prohibit combining personal information with other sources, unless expressly permitted 11 CCR § 7051(a)(5)
CCPA compliance and security Require compliance with all applicable CCPA sections and regulations, same level of privacy protection as the business, and reasonable security procedures 11 CCR § 7051(a)(6)
Audit rights Grant the business the right to ensure compliance through ongoing manual reviews, automated reviews, and regular assessments, audits, or testing at least once every 12 months 11 CCR § 7051(a)(7)
Notice of non-compliance Require notification if the service provider or contractor determines it can no longer meet CCPA obligations 11 CCR § 7051(a)(8)
Remediation rights Grant the business the right to stop and remediate unauthorized use upon notice 11 CCR § 7051(a)(9)
Consumer request assistance Require the service provider or contractor to enable the business to comply with consumer requests, or require the business to inform the service provider of requests and provide necessary information 11 CCR § 7051(a)(10)

Contractor certification: For contractors specifically, the contract must include "the contractor's certification that it understands the restrictions set forth in subparagraph (A) and will comply with them" (Cal. Civ. Code § 1798.140(j)(B)).

Subcontractor flow-down: Any subcontract must contain the same ten provisions (11 CCR § 7051(b)).

Third-Party Contracts (11 CCR § 7053)

For sales or sharing with third parties (entities that are not service providers or contractors), six mandatory provisions apply: specific purpose identification; use limitation to identified purposes; CCPA compliance and equivalent protection; compliance monitoring rights; remediation rights; and notification of inability to comply (11 CCR § 7053(a)(1)–(6)).

What contract terms are illegal in California data processing agreements?

Void: Any Waiver of CCPA Rights

Cal. Civil Code § 1798.192 voids any contract provision that "purports to waive or limit in any way rights under this title, including, but not limited to, any right to a remedy or means of enforcement." This includes: - Waivers of consumer rights to know, delete, correct, or opt out - Representative action waivers (class action waivers) - Limitations on remedies or enforcement mechanisms

The provision is per se void—not merely unenforceable, but "deemed contrary to public policy and shall be void and unenforceable."

Void: Exemption from Liability for Violations of Law

Cal. Civil Code § 1668 voids any contract that attempts to exempt a party from responsibility for: - Its own fraud - Willful injury to person or property - Violation of law, whether willful or negligent

This invalidates limitation of liability clauses that purport to cap exposure for CCPA violations, security breaches, or other statutory violations.

Potentially Unenforceable: Forum Selection Clauses

While forum selection clauses are generally enforceable under federal law, Cal. Labor Code § 925 prohibits employers from requiring California-resident employees to litigate California-arising claims outside California or under non-California law. Whether this protection extends to CCPA-based claims in data processing contexts remains unresolved. In Cole v. Quest Diagnostics, Inc., No. 1:22-cv-00892-JLT-SKO (E.D. Cal. Sept. 22, 2023), a federal court enforced a New Jersey forum selection clause in patient portal terms, but California state courts have not directly addressed this question for CCPA-mandated DPAs.

What are the penalties for not having a DPA?

Failing to have a compliant DPA triggers multiple risks:

1. Loss of Service Provider/Contractor Protections Without a proper DPA, your vendor loses service provider or contractor status.

2. CPPA Administrative Penalties The California Privacy Protection Agency can impose civil penalties of up to $2,663 per violation, or $7,988 per intentional violation or violations involving minors under 16 (effective January 1, 2025) (Cal. Civ. Code § 1798.155(a); CPPA notice on updated monetary thresholds, 2025).

3. Private Right of Action for Security Breaches If a security breach occurs, consumers can sue for statutory damages of $107–$799 per consumer per incident, or actual damages, whichever is greater (effective January 1, 2025) (Cal. Civ. Code § 1798.150; CPPA Announcement, December 17, 2024).

Because penalty exposure depends on your specific business size and data practices, Ask Sawyer researches California law to answer questions about your facts.

Is my data processing agreement legally enforceable in California?

Timing: Contract Before Disclosure

The written contract must be in place before personal information is disclosed. Operating as a service provider or contractor without a qualifying written contract disqualifies the entity from those status protections (11 CCR § 7051). Disclosure without compliant contractual assurances violates the CCPA.

Specificity of Purpose

California law rejects generic purpose descriptions. The regulation explicitly prohibits references like "performing services described in Exhibit A" as insufficient (11 CCR § 7051(a)(2)). Purposes must be particularized to the processing activity.

Reasonableness and Proportionality

All collection, use, retention, and sharing must be "reasonably necessary and proportionate" to achieve disclosed purposes (Cal. Civ. Code § 1798.100(c)). Contracts authorizing broader use violate the CCPA regardless of mutual agreement.

Audit Cost Allocation

The mandatory 12-month audit requirement does not specify which party bears costs. This is subject to negotiation; the regulation is silent on cost responsibility (11 CCR § 7051(a)(7)).

How is California's DPA law different from federal HIPAA/GLBA rules?

Element Federal Baseline California
Scope Sector-specific (HIPAA health, GLBA financial, COPPA children) All "personal information" across industries; no sector limitation
Mandatory contract terms HIPAA: business associate agreement with specified provisions; GLBA: "by contract require safeguards" (general) Ten specific provisions for service providers/contractors; six for third parties; generic descriptions prohibited
Purpose specificity HIPAA: permitted uses and disclosures; GLBA: maintain appropriate safeguards Specific, non-generic business purpose identification mandatory
Combination restrictions HIPAA: downstream subcontractor restrictions Express prohibition on combining personal information from contract with other sources
Audit rights HIPAA: make practices available to Secretary Mandatory 12-month minimum for assessments, audits, or testing
Consumer rights integration Not mandated federally Mandatory cooperation with consumer requests; 15-business-day deadlines for opt-out/limitation
Rights waivers No general prohibition Per se void: Any waiver of CCPA rights, including representative action waivers
Liability limitations Generally enforceable subject to state law Void: Exemptions for fraud, willful injury, or violation of law
Private right of action None under HIPAA, COPPA, GLBA Security breaches only: $107–$799 per consumer per incident (effective January 1, 2025)
Administrative penalties HHS OCR, FTC enforcement CPPA primary: Up to $2,663 per violation, $7,988 for intentional violations or minors (effective January 1, 2025)

What mistakes should I avoid in my California data processing agreement?

Generic Purpose Descriptions

Describing purposes by reference to general contract exhibits or using boilerplate language ("performing the services") violates 11 CCR § 7051(a)(2). Draft specific purposes using statutory categories: auditing, security, debugging, performing services, advertising, or internal research (Cal. Civ. Code § 1798.140(e)).

Inadequate Subcontractor Flow-Down

Failing to include all ten mandatory provisions in subcontractor agreements creates liability exposure. Prime contractors must maintain and produce copies of compliant subcontractor agreements.

Liability Caps Covering Regulatory Penalties

Attempting to cap liability for CCPA violations, security breaches, or administrative fines risks voiding under Cal. Civ. Code § 1668. Carve out CCPA violations, security breaches, and indemnification obligations from liability caps.

Conflating CCPA "Contractor" with Labor Law Status

The CCPA "contractor" definition (Cal. Civ. Code § 1798.140(j)) is distinct from the labor law "independent contractor" test under Labor Code § 2775's ABC test. An entity may qualify as a CCPA contractor without satisfying labor law independent contractor standards, and vice versa.

Missing Healthcare "Sensitive Services" Controls

Effective July 1, 2024, entities handling medical information on "sensitive services" (gender affirming care, abortion, contraception) must implement technical controls to prevent disclosure to persons outside California, including automatic access disablement for out-of-state entities (Cal. Civ. Code § 56.101(c)).

Failure to Update for Regulatory Changes

CPPA penalty thresholds adjust annually. As of January 1, 2025: administrative penalties are $2,663/$7,988; private action statutory damages are $107–$799 per consumer per incident. The Delete Act's centralized deletion mechanism (DROP) becomes operative January 1, 2026.

Whether your agreements need updating for these evolving requirements depends on your specific data flows and vendor relationships; Ask Sawyer researches current California law to answer questions about your facts.

Last reviewed: