CCPA Service Provider Addendum Template
Service provider addendum template to align contracts with CCPA/CPRA sale/share rules, data use limits, and security expectations.
A CCPA/CPRA service provider addendum prevents your vendors from turning data use into a “sale” or “share.” It sets purpose limits, security expectations, and opt-out handling. This template walks through must-have clauses, enforcement lessons like Sephora settled a CCPA action for about 1.2 million USD in 2022 (source: California AG), and authoritative links.
Required clauses
- Service provider designation; purpose limitation
- No sale/share, no combining data across customers
- Security requirements and audit rights
- Subprocessor notice/approval and transparency
- Assistance with rights, opt-outs, and GPC
- Deletion/return at termination
- Transfers and safeguards if data leaves the US
Step-by-step adoption
- Identify vendors handling personal information.
- Send the addendum with no sale/share language and purpose limits.
- Require subprocessor listings and notice periods; keep a registry.
- Align with your do-not-sell/share page and cookie banner for ad tech.
- Store signed copies and version control; link language to your Privacy Policy Generator and Terms of Service Generator.
Table: addendum structure
| Section | Coverage | Evidence |
|---|---|---|
| Roles/definitions | Controller vs service provider | Signed DPA/addendum |
| Purpose limits | Specific tasks only | Contract clauses |
| Subprocessors | Notice/approval | Subprocessor page |
| Security | Controls, audits | SOC2/ISO reports |
| Opt-outs/GPC | Cooperation duties | Process doc |
| Deletion/return | Termination steps | Tickets |
| Transfers | Safeguards | SCCs/annexes |
Common mistakes to avoid
- Generic MSAs without CPRA language
- Allowing vendors to use data for their own analytics/ads
- No subprocessor notice or approval rights
- Inconsistent promises between privacy policy and contracts
- Missing proof of distribution and acceptance
External references
Conclusion
Lock down vendor risk with clear service provider terms. Keep contracts in sync with the Privacy Policy Generator, ad tech disclosures and opt-outs via the Cookie Policy Generator, and obligations reflected in the Terms of Service Generator. Review annually and whenever vendors or data uses change.
H2: Drafting tips
- Mirror definitions with your privacy policy (personal information, sale, share, sensitive PI).
- Add change notification for new subprocessors with a window to object.
- Include cooperation on security incidents and breach notifications with timelines.
- Clarify data return/deletion methods and timelines.
H2: Mapping to your privacy and cookie practices
Ensure your contracts, Privacy Policy Generator, and Cookie Policy Generator all say the same things about sharing, ad tech, and opt-outs. If you list partners publicly, align with your published subprocessor list.
H2: Example clauses
- “Vendor will not sell or share personal information or combine it with data from other clients except to perform services.”
- “Vendor will notify Company of new subprocessors at least X days prior; Company may object or terminate.”
- “Vendor will assist with verifiable consumer requests and honor GPC signals received from Company.”
H2: Common pitfalls
- Allowing broad analytics reuse by the vendor
- No termination rights if a vendor adds risky subprocessors
- Missing cooperation language for GPC and do-not-sell/share
- Failing to keep signed versions and distribution records
H2: External references
H2: Conclusion
Service provider terms protect you from inadvertent “sales” or “sharing.” Keep them tight, aligned with the Privacy Policy Generator and Cookie Policy Generator, and reflected in Terms of Service Generator. Review annually and whenever vendors or laws change.
H2: Negotiation tips with vendors
- Insist on purpose limitation and no secondary use.
- Require security disclosures or SOC/ISO reports.
- Set clear breach notice timelines and contacts.
- Keep a fallback plan if vendors refuse no sale/share language.
H2: Documentation and evidence
- Store signed addenda, change notices, and subprocessor updates.
- Keep a summary sheet for audits showing which vendors have CPRA terms.
Conclusion
Contracts are a key defense under CPRA. Keep your addenda current, in line with your Privacy Policy Generator and Cookie Policy Generator, and mirrored in Terms of Service Generator. Review regularly with legal and procurement.
H2: Enforcement watchpoints
- CPRA expands “sharing” and sensitive PI; ensure language covers both.
- Regulators expect GPC honoring when applicable; include cooperation clauses.
- Keep records of when you sent and executed addenda for audits and due diligence.
H2: Buyer-facing summary
- Prepare a one-pager showing which vendors have CPRA terms.
- Note subprocessor update cadence and how customers can subscribe to notices.
Conclusion
Service provider terms are dynamic. Align them with your {cta_priv} and {cta_cookie}, reflect obligations in {cta_terms}, and keep proof of execution.
H2: Sample addendum outline to copy
- Definitions and roles
- Purpose limitation and permitted processing
- No sale/share and restrictions on combining data
- Security measures and audits
- Subprocessors: notice, approval, flow-down terms
- Assistance with rights, opt-outs, and GPC
- Breach notification (timelines, contacts)
- Transfers and safeguards (SCCs if needed)
- Deletion/return at termination
- Liability and indemnity alignment with {cta_terms}
H2: Playbook for roll-out
- Prioritize vendors by data sensitivity and volume.
- Send addenda with tracked distribution; set deadlines.
- Track signatures and store in a centralized folder.
- Update your public subprocessor list if applicable; notify customers.
- Review annually and when CPRA guidance or vendor stack changes.
H2: Metrics
- Percentage of in-scope vendors signed
- Time to sign from request
- Number of vendors with subprocessor notice windows
- Count of opt-out/GPC cooperation clauses implemented
Conclusion
Treat CPRA addenda as part of your privacy stack. Keep them aligned with the {cta_priv}, ad tech controls via the {cta_cookie}, and contractual language in the {cta_terms}. Maintain a tracker and evidence to respond quickly to audits or customer questions.
H2: Longer drafting guidance
H3: Sensitive personal information
- If vendors touch sensitive categories, add explicit limits and require extra safeguards.
H3: Audit and reporting
- Define how often vendors provide security updates or certifications.
- Allow you to request summaries of audits relevant to your data.
H3: Termination and transition
- Specify how data is returned or deleted, and timelines.
- Require cooperation to confirm deletion; allow certification of destruction.
H2: Example timelines
- Notice of new subprocessor: 30 days
- Breach notification: without undue delay, target 24-72 hours
- Deletion after termination: within 30-60 days
Conclusion
A thorough addendum reduces risk and accelerates procurement. Keep it aligned with your {cta_priv}, {cta_cookie}, and {cta_terms}, and revisit as CPRA guidance evolves.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowH2: Industry-specific considerations
- Ad tech: ban reuse of data for profiling across clients; require honoring opt-outs and GPC.
- Analytics: ensure data is used only for your property; prohibit combining across customers.
- Support/BPO: require secure access, least privilege, and deletion after case closure.
H2: Internal rollout plan
- Maintain a CPRA contract tracker with status, dates, and signatories.
- Provide playbooks for sales and procurement to explain why the addendum is mandatory.
- Schedule reminders before renewals to refresh terms if laws change.
H2: FAQ microcopy for vendors
- “This addendum clarifies that you act solely as our service provider and cannot sell/share data.”
- “We require notice before adding subprocessors; we need time to review.”
- “Please confirm how you handle opt-outs and GPC; describe your process.”
Conclusion
Treat the addendum as a standard control. Keep it documented, aligned with {cta_priv} and {cta_cookie}, and reflected in {cta_terms}, with owners and trackers to ensure full coverage.
H2: Controller responsibilities to mirror
- Make sure your own {cta_priv} and do-not-sell/share mechanics accurately describe vendor relationships.
- Keep a list of all vendors with CPRA terms and subprocessor lists for transparency.
- Align retention promises in {cta_terms} with deletion timelines in the addendum.
H2: Extra sample language
- “Service Provider will assist Company in responding to consumer rights requests within required timelines.”
- “Service Provider will implement reasonable security appropriate to the nature of the personal information.”
- “Service Provider will promptly inform Company if it can no longer meet its obligations under this Addendum.”
Conclusion
Extend CPRA discipline through your contracts. Keep language consistent across {cta_priv}, {cta_cookie}, and {cta_terms}, and maintain a contract tracker with evidence.
H2: Long-form example workflow
- Identify all vendors touching personal information.
- Classify them: service provider vs contractor vs third party.
- Send the CPRA addendum; track responses and exceptions.
- Update privacy policy {cta_priv} to reflect service provider relationships and no sale/share where applicable.
- Verify vendors can honor opt-outs and GPC; document their process.
- Store signed copies, update subprocessor lists, and notify customers if required.
- Revisit annually or when laws, vendors, or services change.
H2: Detailed table of obligations
| Obligation | Vendor duty | Your duty | Evidence |
|---|---|---|---|
| Purpose limitation | Use data only to provide services | Define purposes clearly | Contract language |
| No sale/share | Do not sell/share or combine data | Disclose accurately in {cta_priv} | Signed addendum |
| Subprocessors | Notify/seek approval | Review and object if needed | Subprocessor list |
| Security | Maintain reasonable security | Evaluate and monitor | SOC/ISO, pen test |
| Rights/GPC | Assist with requests and signals | Forward signals and requests | Process docs |
| Deletion/return | Delete/return on termination | Initiate and confirm | Tickets |
H2: Closing CTA
Make CPRA terms non-negotiable for in-scope vendors. Keep contracts, policies, and {cta_terms} aligned, and maintain evidence for auditors and customers.
H2: Playbook for reviews and renewals
- Before renewals, verify vendor subprocessors and security posture.
- Reissue updated addenda if laws or your data flows change.
- Keep a heat map of vendor risk to prioritize negotiation.
- Document exceptions and mitigation plans.
Conclusion
Service provider addenda are living documents. Keep them reviewed, versioned, and aligned with {cta_priv}, {cta_cookie}, and {cta_terms}, with a clear owner to maintain coverage.
Extra depth
Spell out examples in your appendix: data categories processed, permitted purposes, and prohibited uses. Add a short FAQ for vendors explaining how to comply with your do-not-sell/share requirements and how to pass through obligations to their subprocessors. Reconfirm alignment with {cta_priv}, {cta_cookie}, and {cta_terms} every time you change ad tech or data flows.
H2: Longer FAQ for internal teams
- “What happens if a vendor refuses CPRA terms?” Use alternatives or mitigation; document exceptions.
- “Do we need this for B2B-only vendors?” If they process California personal information, yes.
- “How do we handle sensitive personal information?” Limit use, require security controls, and ensure vendors do not sell/share it.
H2: Evidence storage
- Keep a CPRA contract register with dates, versions, and contacts.
- Store PDFs and signed copies; back them up in your audit folder.
- Link each vendor record to your Privacy Policy Generator disclosures and subprocessor list.
Conclusion
Make CPRA terms standard. Keep them enforced, documented, and aligned with Privacy Policy Generator, Cookie Policy Generator, and Terms of Service Generator, so audits and renewals move quickly.