When the California Privacy Protection Agency (“CalPrivacy”) announced a $1.35 million settlement in September 2025 – the largest CCPA penalty to date – one of the itemized grievances stood out for any practitioner who has wrestled with a vendor redline: the company had failed to amend or enter into third-party data protection vendor contracts by regulatory deadlines.

This hints at where state privacy enforcement is heading. The consumer-facing side of privacy compliance – notices, opt-out links, cookie banners – is visible and testable. But the back-end architecture of a compliant privacy program lives at least in part in vendor contracts, and regulators increasingly treat those contracts as evidence of program maturity (or its absence). Nowhere is this more concrete than in California’s 11 CCR § 7051.

The California Baseline: 11 CCR § 7051

Section 7051 of the CCPA regulations sets out nine mandatory terms that every contract with a “service provider” or “contractor” must contain. The regulation isn’t new – it took its current form in March 2023 – but it is now a bright-line compliance artifact that regulators can request and check at any time. If the requirements are not met, the contract is not with a service provider or contractor. Put differently: if the paper isn’t right, the transfer becomes a sale or share. That reclassification cascades into opt-out obligations, notice obligations, and downstream liability. The requirements for a service provider or contractor contract:

  1. Prohibit selling or sharing the personal information collected under the contract.
  2. Identify the specific business purpose(s) for the processing – “generic” cross-references to the underlying services agreement do not satisfy the regulation.
  3. Purpose Limitation. Prohibit the service provider or contractor from retaining, using, or disclosing the personal information for any purpose other than the specified business purpose(s). This is the basic “stay in your lane” rule: the vendor uses the data only for what the contract authorizes.
  4. No-commingling of data. Prohibit the service provider or contractor from using the personal information outside the direct business relationship – including combining or updating it with personal information from other sources or the vendor’s own consumer interactions. Where item (3) limits what the vendor does with the data, this limits what the vendor mixes it with.
  5. Require compliance with the CCPA and its regulations, including providing the same level of privacy protection the business is required to provide.
  6. Grant the business the right to take reasonable and appropriate steps to ensure CCPA-consistent use of the personal information.
  7. Require notice from the service provider or contractor if it can no longer meet its CCPA obligations.
  8. Grant the business the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use.
  9. Require the service provider or contractor to enable the business to comply with consumer requests (or require the business to inform them of applicable requests and provide the information necessary for compliance).

Section 7053 extends a parallel regime to “third-party” contracts – entities that receive personal information outside the service-provider/contractor structure.

The regulations expressly tie enforcement of the contract to the business’s ability to defend against liability for a service provider’s noncompliance. A business that never enforces the contract or exercises its audit rights may find its statutory defense unavailable when the regulator comes calling.

What Changed on January 1, 2026

CalPrivacy’s automated decision-making technology (“ADMT”), risk assessment, and cybersecurity audit regulations took effect on January 1, 2026, and they expressly layer new contracting expectations onto § 7051’s baseline. In practice, that means three new categories of vendor cooperation:

  • ADMT cooperation. Where a service provider or contractor supports ADMT used to make significant decisions, the contract should address the vendor’s cooperation with the business’s Pre-Use Notice obligations, opt-out and appeal mechanics (including the fifteen-day downstream-notification window for third parties following a post-processing opt-out), and access-request responses under Article 11. Section 7153 separately requires businesses that make ADMT available to other businesses to provide “all facts necessary” to support the deploying business’s risk assessment, which is triggered by a business’s deployment of ADMT tools.
  • Risk assessment support. Section 7151 of the regulations contemplates that service providers, contractors, and other external parties, including experts in detecting and mitigating ADMT bias, may be involved in the risk assessment process. Section 7152 then prescribes the operational elements the risk assessment must document, including the categories of recipients (service providers, contractors, and third parties) and the logic, inputs, and outputs of any ADMT used for significant decisions. Vendor contracts need to enable the transfer of information sufficient for the business to complete the assessment, retain it, and submit the required attestation and summary to CalPrivacy.
  • Cybersecurity audit cooperation. Section 7123 enumerates the components a qualifying business’s annual cybersecurity audit must address, including oversight of service providers and contractors. Businesses subject to the audit requirement will need contractual visibility into vendor security programs sufficient to support the auditor’s work, including the ability to make relevant information available on request.

The State Patchwork

Section 7051 of the CCPA regulations is the most prescriptive of the comprehensive state privacy regimes, but it is far from alone. The Virginia Consumer Data Protection Act (§ 59.1-579), Colorado Privacy Act (§ 6-1-1305), Connecticut Data Privacy Act (§ 42-520), and most of their successors across the US require written contracts between controllers and processors. The common core across these statutes:

  • A statement of processing instructions, nature and purpose, type of personal data, and duration.
  • Duty of confidentiality for processor personnel.
  • Flow-down of equivalent obligations to subcontractors (typically upon written notice of changes, with a right to object).
  • Assistance with data-subject rights requests, data protection assessments, breach notification, and security.
  • Audit, inspection, or assessment rights.
  • Deletion or return of personal data at the end of the engagement.

The substance overlaps considerably, which is why a well-drafted DPA template can generally cover the controller-processor laws with jurisdiction-specific riders. California remains the outlier – because § 7051 is more prescriptive and because the CCPA, unlike the other state laws, reaches employee personal information.

Practical Next Steps

A straightforward ordering for businesses that have not recently touched their vendor paper:

  1. Inventory. Identify every vendor that receives or processes personal information on the business’s behalf, and categorize each as a service provider/contractor (California), processor (other state laws), or third party.
  2. Conduct a gap assessment on your standard DPA. Compare existing DPA language against the updated requirements.
  3. Layer the 2026 obligations. For service providers touching ADMT, risk-assessment-triggering processing, or systems in scope for cybersecurity audits, add cooperation clauses tailored to those regulatory deliverables.
  4. Prioritize amendments. Sequence by risk (data sensitivity, volume, regulatory scrutiny).
  5. Document enforcement. The audit-rights provision is only as good as its exercise. Build a practical vendor review cadence.

The through-line across all of this is that the focus of state privacy enforcement has expanded from notices to contracts. Regulators read the paper now, and they are treating contract gaps as program gaps. The good news is that § 7051, despite being the most prescriptive of the state regimes, also provides the clearest compliance roadmap. Running it against your vendor inventory is the fastest way to find out whether your paper supports your program.

Edited by John Tomaszewski and Yana Komsitsky