With the recent release of the CCPA’s final regulations, businesses are asking vendors for more detailed contract terms regarding the permitted scope of data use. These requests have affected vendors that provide, among other services, HR processing, fraud monitoring, network security, customer relationship management, cloud tools and hosting. This article provides insights from privacy and transactional practitioners at Morrison & Foerster, Mayer Brown, Hogan Lovells and Strategic Cybersecurity Partners about the key negotiating points on CCPA vendor agreements, the range of permissible data uses for service providers and remaining ambiguities in the law to consider. See our two-part series on updating vendor agreements to comply with the CCPA: “Service-Provider Exemption and Corporate Approaches” (Nov. 6, 2019); “Non-Third Parties and Key Steps” (Nov. 13, 2019).