“Contractor” means a person to whom the business makes available a consumer’s personal information for a business purpose, pursuant to a written contract with the business, provided that the contract:

(A) Prohibits the contractor from:

(i) Selling or sharing the personal information.

(ii) Retaining, using, or disclosing the personal information for any purpose other than for the business purposes specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than the business purposes specified in the contract, or as otherwise permitted by this title.

(iii) Retaining, using, or disclosing the information outside of the direct business relationship between the contractor and the business.

(iv) Combining the personal information that the contractor receives pursuant to a written contract with the business with personal information that it receives from or on behalf of another person or persons, or collects from its own interaction with the consumer, provided that the contractor may combine personal information to perform any business purpose as defined in regulations adopted pursuant to paragraph (10) of subdivision (a) of Section 1798.185, except as provided for in paragraph (6) of subdivision (e) and in regulations adopted by the California Privacy Protection Agency.

(B) Includes a certification made by the contractor that the contractor understands the restrictions in subparagraph (A) and will comply with them.

(C) Permits, subject to agreement with the contractor, the business to monitor the contractor’s compliance with the contract through measures, including, but not limited to, ongoing manual reviews and automated scans and regular assessments, audits, or other technical and operational testing at least once every 12 months.

(2) If a contractor engages any other person to assist it in processing personal information for a business purpose on behalf of the business, or if any other person engaged by the contractor engages another person to assist in processing personal information for that business purpose, it shall notify the business of that engagement, and the engagement shall be pursuant to a written contract binding the other person to observe all the requirements set forth in paragraph (1).