In a CLE webinar earlier this week, Malcolm Dowden (Partner, London) and Niloufar Massachi (Associate, Los Angeles) discussed evaluating, drafting, and updating vendor agreements to meet the privacy and security requirements of new US privacy laws and the GDPR.

The new laws in California, Virginia, Colorado, Utah, and Connecticut, which will take effect beginning January 1, 2023, create additional requirements for vendor agreements beyond what is required under the California Consumer Privacy Act (CCPA), which is currently in effect. Meanwhile, many businesses are also adapting to the new Standard Contractual Clauses (SCCs) that were adopted by the EU and UK as an adequate data transfer mechanism. Although the new SCCs resolve certain practical issues businesses faced when using the old SCCs, they also introduce new obligations for businesses that transfer personal data. Material differences between the GDPR and the new US state law requirements make it challenging to draft a DPA that covers UK/EU law and the new US laws. For more information on the new requirements and tips to help navigate this complex and rapidly changing area, see their program materials available here.

DPA templates, with customization assistance, and negotiation playbooks are available to clients. Contact your SPB relationship partner.