Service Providers are not required to comply with the stringent CCPA (California Consumer Protection Act) regulations, which means that, to limit your liability with clients, you need to clearly state your role and responsibility regarding your access to and control over their client data, and clearly state that you are merely a Service Provider providing services to the business.
Similar to the CCPA, the GDPR (General Data Protection Regulation) enacted by the European Economic Area (the E.U. plus Iceland, Liechtenstein, and Norway; the United Kingdom will continue as part of the EEA until December 31, 2020) requires parties to safeguard data and requires different actions and standards of care based on what role you are playing and what you are doing with personal data.
Key Clauses included are:
- Clearly states role as Service Provider (CCPA)
- Distinguishes between Controller and Data Processor (GDPR)
- Cross Border Data Transfers
- Security Measures
- Data Breach Notification Requirements