Data Contract Requirements under New State Data Privacy Laws

Venable LLP

A number of new state privacy laws now govern and mandate certain contractual requirements for collecting, sharing, and processing of personal information. Personal information is generally defined as data that is linked or reasonably linkable to an identified or identifiable individual, including pseudonymous data and identifiers such as cookies and mobile identifiers.

Personal information may consist of a single data element or a combination of several, so many types of information can conceivably qualify as personal information subject to these new state laws. Consequently, they may have a broad impact on contracts for technology, software, or related services.

These laws are intended primarily to address data collection, sharing, and processing related to individual consumers. However, as drafted, a number of them may apply in other contexts. In particular, data collection between an employee and his or her employer is now implicated and governed by the data privacy law in California.

In 2023, new laws are now effective or will take effect in California, Connecticut, Colorado, Nevada, Utah, and Virginia (in addition, numerous data privacy laws in other states have been enacted this year). Although their laws differ in certain respects, nearly all of these states have introduced contracting requirements built around new terms and definitions identifying the respective parties and related information, namely, "processor," "controller," "business," "service provider," "contractor," "third party," "personal information" or "personal data."

Nevada currently has no explicit contracting requirements. But Utah requires that data processing be conducted under a contractual agreement between a controller and processor that provides instructions and details the processing, requires processor personnel involved in the processing to be bound to a duty of confidentiality, and requires that any subprocessor be contractually bound to the same obligations as the processor.

The remaining states require controllers to enter into contracts with data processors that contain specific terms. The specific requirements vary, but the contracts generally must address some of the following:

  • Describe the processing and relevant data, and provide processing instructions to the processor
  • Require processor and personnel involved in the processing to be bound to a duty of confidentiality
  • Require deletion or return of data at the termination of the contract
  • Require the processor to disclose information related to its contractual compliance to the controller upon request
  • Require the processor to cooperate with assessments by the controller or the controller's designated representative, or to conduct such assessments themselves
  • Bind any subprocessors to the same requirements as the processor

Additional details about these new state statutes are summarized below.

California

The California Privacy Rights Act of 2020 (CPRA), effective January 1, 2023, which amended and expanded the California Consumer Privacy Act of 2018 (CCPA), requires a business that collects and sells or shares personal information with a third party, or that discloses it to a service provider or contractor for a business purpose, to enter into an agreement with the third party, service provider, or contractor that addresses certain state-specific requirements.

Virginia

The Virginia Consumer Data Protection Act (VCDPA), also effective January 1, 2023, requires that the written contracts between "controllers" and "processors" include certain requirements.

Colorado

The Colorado Privacy Act (CPA), effective July 1, 2023, also requires the written contract between a "controller" and a "processor" to include similar requirements.

Connecticut

Likewise, the Connecticut Data Privacy Act (CTDPA), effective July 1, 2023, requires the contract between processors and controllers to include certain requirements.

Utah

Finally, the Utah Consumer Privacy Act (UCPA), effective December 31, 2023, requires contracts between controllers and processors to include instructions or requirements.

Similar statutes in Oregon, Florida, Delaware, Iowa, Texas, Montana, Tennessee, and Indiana will go into effect in the coming years. Moreover, for many of these states, organizational data assessments or privacy reviews may need to be conducted in connection with any processing activities. Consequently, additional contractual obligations may still need to be added or adjusted.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Venable LLP | Attorney Advertising
