---
title: "CPRA Contracts, Contractors, and Service Providers"
canonical_url: "https://www.sorena.io/artifacts/us/cpra/contracts-contractors-and-service-providers"
source_url: "https://www.sorena.io/artifacts/us/cpra/contracts-contractors-and-service-providers"
author: "Sorena AI"
description: "Draft California recipient contracts that support both baseline CPRA compliance and the newer assurance obligations."
keywords:
  - "CPRA contracts"
  - "contractor agreement CPRA"
  - "service provider clauses CPRA"
  - "California third party contract"
  - "CPRA"
  - "Contracts, Contractors, and Service Providers"
  - "California privacy"
---

# CPRA Contracts, Contractors, and Service Providers

Draft California recipient contracts that support both baseline CPRA compliance and the newer assurance obligations.


## California CPRA Contracts, Contractors, and Service Providers

Grounded in the California statute, CPPA regulations, and the 2026 California rule changes.

The current California rules expect contracts to carry real operational obligations. In a mature CPRA programme, the contract is one of the main control surfaces for rights, security, and oversight.

## Required recipient restrictions

Service provider and contractor contracts should identify limited and specified business purposes, prohibit use outside those purposes except where permitted, require the same level of privacy protection as the business owes, and require notice if the recipient can no longer comply.

- Describe the purpose specifically rather than by generic contract reference
- Prohibit retention, use, or disclosure outside the direct business relationship unless permitted
- Require notice if the recipient can no longer meet California obligations
- Flow the same obligations to subcontractors where used

## Operational assistance duties

The updated California rules explicitly connect recipient contracts to the business's rights, cybersecurity audit, risk assessment, and automated decision-making technology (ADMT) obligations.

- Require assistance with consumer requests and downstream deletion or suppression
- Require support for cybersecurity audit and risk assessment where applicable
- Require reasonable security appropriate to the nature of the information
- Retain evidence that the recipient can actually perform these duties

## Monitoring and remediation

Due diligence is part of the legal model. The business should be able to take reasonable and appropriate steps to ensure compliant use and then stop and remediate misuse upon notice.

- Use audit, testing, or attestation rights on a real schedule
- Collect evidence that opt out and deletion instructions are honoured
- Track remediation actions and contract escalations
- Review whether the contract form still matches the recipient's actual data use


## Primary sources

- [CPPA regulations](https://cppa.ca.gov/regulations/?ref=sorena.io) - Official California regulations hub.
- [California privacy statute effective January 1, 2026](https://cppa.ca.gov/regulations/pdf/ccpa_statute_2026.pdf?ref=sorena.io) - Current statutory text as reflected in CPPA materials.
- [CPPA FAQ](https://cppa.ca.gov/faq.html?ref=sorena.io) - Official California FAQ.
- [CPPA CCPA updates](https://cppa.ca.gov/ccpa_updates.html?ref=sorena.io) - Rulemaking and effective date updates.


(c) 2026 Sorena AB (559573-7338). All rights reserved.

