Yesterday, Utah’s Social Media Regulation Act (“SMRA”) was signed into law by Gov. Spencer Cox.

The SMRA applies to businesses that provide a social media platform with at least five (5) million account holders worldwide. The definition of “social media platform” is broad but includes 24 exceptions that generally narrow the SMRA’s scope to a lay-person’s typical understanding of a social media platform.

It goes into effect on May 3, 2023, with numerous compliance requirements and prohibitions for social media platforms coming into force beginning March 1, 2024.

The Utah Consumer Privacy Act (“UCPA”) was signed into law by Governor Spencer J. Cox yesterday. CPW has been tracking the UCPA’s progress throughout this legislative session.

Effective Date

December 31, 2023.

Applicability

In comparison to other state laws, the UCPA’s applicability thresholds are more stringent: a controller or processor must satisfy all three of the following prongs:

  1. Do business in the state or target Utah residents with products/services;
  2. Have annual revenue of $25 million or more; and
  3. Meet one of the data collection/processing or sale-revenue thresholds.

Practically, because the revenue prong is mandatory, this will likely exempt smaller and mid-market organizations with limited revenue but substantial data collection, processing, and/or sale activities, which the other state laws would cover.

In comparison, under the CCPA/CPRA, a covered business can meet the revenue threshold or another threshold in the alternative (e.g., buy, sell, or share the personal information of 50,000 or more consumers (raised to 100,000 under the CPRA amendments), OR derive 50% or more of annual revenues from selling consumers’ personal information).  The CDPA and CPA do not have revenue thresholds at all.

Enforcement

The UCPA charges the Department of Commerce Division of Consumer Protection (“Division”) with receiving and investigating consumer complaints alleging violations of the UCPA.  Depending on the outcome of its investigation, the Division may refer certain cases to the Utah Attorney General (“AG”), who has exclusive authority to enforce the UCPA.  The AG may initiate an enforcement action based on the referral against a controller or processor that violates the UCPA.

Enforcement Risk

Controllers or processors receiving a notice of violation have a 30-day cure period.  After that period, the AG may initiate an action against a controller or processor that failed to cure the noticed violations or whose violations are ongoing.  The AG may seek up to $7,500 per violation.

Rulemaking

The UCPA does not provide explicit authority for the AG to issue regulations. Interestingly, it requires the AG and the Division to compile a report by July 1, 2025 that evaluates the liability and enforcement provisions and summarizes the data protected (and not protected) by the UCPA. That report may prompt amendments and regulations, though it remains to be seen whether the legislature will act to empower the AG, the Division, or another agency to carry out rulemaking in the meantime.


As CPW has previously covered, Utah is one of several states considering enacting a comprehensive privacy bill this year.  CPW’s Kristin Bryan and Kyle Fath were recently interviewed by Bloomberg Law concerning this development.  The full article is available here.

Kyle commented that “[d]espite the bill’s similarity to the Virginia law and its number of exemptions, it still complicates the national compliance picture.  Businesses may apply more stringent standards from jurisdictions like California to consumers in other states, such as Utah, because it can be complicated and costly to comply in a piecemeal manner.”

As Kristin explained, the failure of the federal government to enact comprehensive privacy legislation means that “many states are taking privacy regulations into their own hands,” and “[t]he inclusion of a private right of action for bills is a ‘worst case scenario’ for businesses that would be regulated under such laws.”  In this instance, she commented, “[i]t does appear [the Utah legislature is] trying to strike the right balance between providing privacy protections while also limiting the exposure to businesses, as seen by lack of private right of action.”

For more on this, stay tuned.  CPW will be there to keep you in the loop.

On Friday, February 25, 2022, the Utah Senate unanimously passed SB 227, or the Utah Consumer Privacy Act.

Controllers and Processors Beware

SB 227 is an omnibus privacy bill that shares similarities with the Virginia Consumer Data Protection Act and the Colorado Privacy Act.  For instance, the bill imposes different obligations on a covered business depending on whether the business is acting as a controller (one who determines the purposes for processing data, alone or in coordination with others) or processor (one who processes data on behalf of a controller).

Controllers are responsible for transparency, purpose specification, and data minimization.  They must also obtain the consumer’s consent for any secondary uses, and must honor consumer rights (generally within 45 days of receipt of the consumer’s request).  Controllers are also responsible for safeguarding data privacy and security, non-discrimination, non-retaliation, and non-waiver of consumer rights.  Controllers are prohibited from processing data qualifying as “sensitive data” without first presenting the consumer with clear notice and an opportunity to opt out of the processing.

Processors must follow a controller’s instructions and must enter into a contract that incorporates certain enumerated requirements (e.g., requirements pertaining to duty of confidentiality and data privacy and security safeguards) before processing data on behalf of the controller.

Applicability

The bill applies to businesses that (a) conduct business in Utah or produce a product or service targeted to consumers who are Utah residents; (b) have annual revenue of $25,000,000 or more; and (c) satisfy one or more of certain enumerated thresholds (e.g., control or process the personal data of 100,000 or more consumers, or derive over 50% of gross revenue from the sale of personal data).

The bill’s key data definitions are:

  1. “Personal Data,” which is information that is linked or reasonably linkable to an identified or identifiable individual, subject to exclusions; and
  2. “Biometric data,” which is “automatic measurements of an individual’s unique biological characteristics” that can identify a specific individual, excluding, among other things, photographs or video recordings (and data derived from either).

The bill does not apply to, among others:

  1. Government entities;
  2. Business entities that are covered entities or business associates pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”); and
  3. Information subject to HIPAA, the Fair Credit Reporting Act (“FCRA”), the Gramm-Leach-Bliley Act (“GLBA”), or the federal Driver’s Privacy Protection Act (“DPPA”).

Consumer Rights

The bill protects “consumers,” which are individuals who are Utah residents acting in an individual or household context, not in an employment or commercial context.  Consumers would have rights of access, correction, deletion, and portability, as well as a right to opt out of certain processing, including the “sale” of personal data.

The parents or legal guardians of consumers who are children (under 13 years old) may exercise consumer rights on behalf of the child.  The personal data of children is considered “sensitive data” under the Utah Consumer Privacy Act.  The bill as currently drafted requires controllers to process the personal data of known children according to the requirements of the federal Children’s Online Privacy Protection Act (“COPPA”).

No Right of Private Action

The bill as currently drafted does not grant a private right of action and explicitly precludes consumers from using a violation of the Act to support a claim under other Utah laws, such as laws regarding unfair or deceptive acts or practices.

Risk of Enforcement Action

The Utah Consumer Privacy Act grants exclusive enforcement authority to the Utah Attorney General.  However, before the Attorney General initiates an enforcement action, the Attorney General must first provide the allegedly non-compliant business with (1) written notice (30 days before initiating enforcement action) and (2) an opportunity to cure (30 days from receipt of the written notice).

Prior Legislative History

The Utah Consumer Privacy Act was previously introduced in 2021 (as S 200) and in 2020 (as S 429).  In 2021, S 200 passed the first and second Senate floor readings, but failed to get a third Senate floor reading despite a substitute bill and fiscal note being distributed.  The 2022 Utah legislative session closes on March 4, 2022.

Update as of March 3, 2022

On March 3, 2022, the Utah Senate passed the House amendments to SB 227 and returned SB 227 to the House for the Speaker’s signature.  The amended version of SB 227 passed with 22 yeas, 0 nays, and 4 absent. This means that the bill has cleared the concurrence process. Once the bill is signed by the Speaker, it moves on to the enrolling process and will then be delivered to the Governor, in accordance with the Utah legislative process.

What’s Next

In Utah, if a chamber passes a bill with amendments, “the bill is sent back to originating [chamber] for concurrence of the amendment.”  Here, SB 227 passed in the Senate (where it was first introduced), then passed in the House with amendments, and was then sent back to the Senate for concurrence.

Once the Senate accepts the House amendments, SB 227 is delivered to the Governor for action.  The Governor has 20 days from adjournment to (1) sign the bill, or take no action, in either of which cases the bill becomes law; or (2) veto the bill, in which case the bill does not become law unless the Governor’s veto is overridden by the legislature.

Utah is inching closer to passing the Utah Consumer Privacy Act.  CPW will be here to keep you in the loop.


In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Divided SEC Proposes Slew of Cybersecurity Regulations for Securities Market Entities | Privacy World

Utah’s Social Media Regulation Act Signed by Governor | Privacy World

2023 State Privacy Laws and Regulations Bring Extensive Data Protection Assessment Requirements | Privacy World

Priority Topics for French CNIL Investigations in 2023: “Smart” Cameras, Mobile Apps, Bank and Medical Records | Privacy World

Colorado Privacy Act Rules Finalized; To Be in Effect July 1 | Privacy World

Iowa is the Latest State to Pass Comprehensive Privacy Legislation | Privacy World

The UK’s New Data Protection Bill: Common Sense Reform or Significant Divergence? | Privacy World

SEC Proposes Replacing Its Regulations Under the Federal Privacy Act | Privacy World

SEC Charges Software Company for Downplaying Scope of Ransomware Attack in Public Disclosures | Privacy World

SPB Lawyers to Present on Several Upcoming Can’t-Miss Webinars and Events | Privacy World

CFPB and FTC to Scrutinize Tenant Screening Practices | Privacy World

China Releases the Standard Contract on Personal Information Export | Privacy World

WEBINAR: New State Data Privacy Laws in California and Other States: Corporate Counsel Compliance Guidance | Privacy World

The Bare Minimum and More: Complying with the Contracting Requirements under U.S. Privacy Laws | Privacy World

Registration OPEN: SPB’s Julia Jacobson and Dr. Annette Demmel and Brittany Powell, Senior Manager Privacy and Compliance at The Coca-Cola Company to present on Practical Privacy by Design | Privacy World


On January 1st of this year, the Virginia Consumer Data Protection Act (“VCDPA”) and amendments to the California Consumer Privacy Act (“CCPA”) went into effect. Later this year, the Colorado Privacy Act (“CPA”), Connecticut’s Public Act No. 22-15 (known as the “Connecticut Privacy Act” or “CTPA”), and the Utah Consumer Privacy Act (“UCPA”) will go into effect as well. Aside from the UCPA, these laws will obligate covered entities to document and assess certain processing activities in formal data protection assessments, which must be made available to regulators. The purpose is to require companies to look critically at high-risk data processing activities and avoid unjustifiable risks and negative impacts on data subjects. Assessments can also serve to keep data inventories and retention schedules current and to ensure that processing is consistent with the purposes disclosed at the time of collection.

Almost one year to the day after Utah enacted the Utah Consumer Privacy Act (“UCPA”), Iowa is one signature (Governor Kim Reynolds’) away from enacting the sixth comprehensive consumer data privacy law, joining California, Colorado, Virginia, Connecticut, and Utah.

Part 1 of How to Approach DPAs in view of Final CCPA Regs: A Series

This is the first in our series of blog posts on top considerations for approaching the data processing terms required under the state privacy laws that have come, or will come, into effect this year, namely the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CPRA”) (collectively the “CCPA”), the Colorado Privacy Act (“CPA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Utah Consumer Privacy Act (“UCPA”), and Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring (“CTPA”), which we collectively refer to throughout as “U.S. Privacy Laws.” This post focuses on the statutory and regulatory requirements for provisions that must be in contracts with data recipients (we use “recipient” for ease of reference, although a recipient may, in fact, collect directly from a consumer). For a handy list and chart summarizing the required provisions, see Appendix A. We will publish additional posts in this series, including one on customer-specific considerations for DPAs and one on vendor-specific considerations.

Note: Where we use a defined term from one of the U.S. Privacy Laws, we will put it in quotation marks in the first instance it is used. We use “personal information” and “PI” to refer to both “personal information” and “personal data” interchangeably. As indicated above, reference to the CCPA is as amended by the CPRA unless stated otherwise. Certainly, the required contractual provisions do not necessarily need to be included in data processing addenda or agreements (“DPAs”) that are separate from a master services or other agreement, but we have drafted this post under the assumption that many companies will approach contracting requirements in that manner, and in many instances companies will have to incorporate these requirements into their DPA templates that already address existing privacy and related requirements, such as under the CCPA (pre-CPRA amendments) and global privacy laws such as the EU and UK GDPR (referred to collectively here as GDPR).

Entering into appropriate data processing terms is one of the most challenging aspects of a privacy compliance program. A number of factors affect a company’s ability to enter into compliant DPAs, including the sheer number of existing processor agreements that pre-date the requirements of new U.S. Privacy Laws, bargaining power as between the parties, timing (e.g., contract renewals and regulatory deadlines), and which states’ laws apply, among others. In addition, different companies and their counsel have different interpretations of, levels of sophistication with regard to, and understanding of, the U.S. Privacy Laws generally, the prescriptive requirements that exist across them, and the parties’ roles in processing data.

Despite having at least draft CCPA Regulations (also referred to as “Regs”) for the CPRA’s updates for about nine months now, some vendors have been reluctant over the last year or so to update their MSAs or DPAs to include certain required provisions. Both vendors and customers have correspondingly been reluctant to commit the substantial resources required to amend or enter into DPAs with to-be-required language in view of the regulatory uncertainty and prospect of it changing as the regulations change. Now that we have some regulatory certainty, given that the California Privacy Protection Agency (“CPPA”) has submitted final Regs to the Office of Administrative Law for administrative approval, this will likely – or rather, it should – spur companies into action to address the contracting requirements under the CCPA and other state privacy laws by July 1, when the CPRA’s amendments become enforceable and the Colorado and Connecticut laws become effective and enforceable. As many are aware, contracting requirements are among many others on the compliance checklist to be completed by July 1.

While there are a number of issues and considerations to address with respect to DPAs, one of the foundational issues is meeting the prescriptive contracting requirements, which is particularly important under the CCPA. This is because failure to have a compliant contract in place results in the data transfer being deemed a “sale” and/or “sharing.” Yet, at least in our experience, this is an area where both vendors and customers struggle to agree. Below, we provide some practical guidance on this topic, starting with understanding the roles of the parties involved and key provisions that are required to be in DPAs.

High Level Takeaways

  • The CCPA’s terms are arguably the most important. Tracking the CCPA’s required provisions closely, and making sure they are in your contracts, is of utmost importance because they are required to avoid the consequence of sale and/or sharing. This continues to be an area of focus of enforcement by the Office of the Attorney General of California (“OAG”), as indicated in enforcement summaries issued by the OAG, and will almost certainly be one of the CPPA, which will share enforcement responsibility of the CCPA with the OAG.
  • C2C terms are only required under CCPA. So-called controller-to-controller terms, or C2C terms, are only required in California (in certain situations). “Businesses” must have contracts in place with certain “third party” recipients where sale or sharing is implicated, but “controllers” under the other U.S. Privacy Laws do not have a corresponding or similar requirement.
  • GDPR-like schedules will become commonplace. The non-CA states require the types of personal information processed by a “processor” to be disclosed, which effectively necessitates a GDPR-style schedule in your DPA templates that sets forth various details of processing. Similarly, CA’s requirement of specifying business purposes for processing more specifically than referring to the services or the underlying agreement also makes boilerplate DPAs technically deficient.
  • Going beyond the bare minimum requirements will assist with broader compliance. Given the complexity of operationalizing consumer requests, the need to consider how vendors’ and other data recipients’ processing is implicated, and the other requirements of the U.S. Privacy Laws, contracts between vendors and their customers should address the specifics of how the parties will handle these issues.
  • An interim approach? Assuming existing DPAs provide that the processor must process the business’ PI pursuant to its instructions, as provided from time-to-time (which is a typical provision found in many DPAs), a short-term solution to shoring up existing DPAs may be to provide written directions that confirm the new obligations and restrictions. While this remains untested, for some businesses it may be the only practical path to addressing multitudes of existing agreements.

Service Providers/Processors, Contractors, and Third Parties

To implement data processing terms required by U.S. Privacy Laws into DPAs, it is important to first understand the roles of the parties involved. The U.S. Privacy Laws require certain language to be included in DPAs depending on the parties involved, data use, and data sharing.

While the determination of a party’s role under the U.S. Privacy Laws can be nuanced at times (which we do not discuss in detail in this blog post), a quintessential service provider/processor relationship is a traditional vendor relationship where the vendor processes PI on behalf of a customer (the business/controller). Not many factual situations align with the “contractor” designation under the CCPA, though there are limited situations (such as auditors) where the business simply “makes available” PI to the counterparty and the designation may be appropriate. The third party designation under the CCPA is appropriate where the recipient cannot qualify as a service provider, such as where it processes for purposes that disqualify it as such (for example, using its customer’s PI to provide services to another customer), where the services consist of processing PI for cross-contextual behavioral advertising, or where a sale is clearly implicated (e.g., selling a list of email addresses to a recipient for the recipient’s own purposes for cash). The requirements to enter into contracts under the CCPA are further nuanced; by way of example, though a data recipient may qualify as a third party, a contract is not required if a business makes data available to the third party under an exception that prevents a sale/sharing from occurring (such as an “intentional interaction”). (Contracts with non-processor recipients are not required under the non-CA laws.) You should certainly consider all of these nuances in your vendor and third-party management program to classify data recipients appropriately.

The CCPA has three categories of recipients of personal information — (1) service providers, (2) contractors, and (3) third parties. The CCPA requires particular contract terms to be in place with each type of recipient, and the language that is required differs across the three, which we touch on below. Also very notable is that the CCPA prohibits third parties from receiving PI from a business without the proper contractual provisions in place with the business. As a result, the CCPA imposes direct contracting obligations on third party recipients as well.

Virginia, Colorado, Utah, and Connecticut require both “controllers” and “processors” to enter into contract terms that govern the processing of PI. These laws all generally follow the same blueprint in terms of their required contractual provisions, although there are some variations between the states regarding the specific language or provisions that must be included. The non-CA laws do include the concept of a “third party” but, unlike the CCPA, they do not require controllers to impose contractual requirements on recipients that qualify as third parties, nor do they require third parties to have certain terms in place with controllers in order to receive PI. Failing to have the required contract in place in the non-CA states is a statutory violation, but it does not convert the transfer into a “sale” as it does under the CCPA.

What data processing terms should be included in contracts between businesses/controllers and service providers/processors?

For the remainder of this blog post, we will focus on the provisions that are required to be in place between a business/controller and its service providers/processors under the U.S. Privacy Laws. You will note (as you likely have already) that there is overlap between a number of the provisions required in the CCPA and in the other U.S. Privacy Laws, as well as under the GDPR. As a result, in many instances, having a DPA which amalgamates the states’ requirements (and where applicable, the GDPR and other jurisdictions) is likely a sound approach. That said, such an approach may not be appropriate or desirable for certain parties that, for example, have the technical ability to apply differential requirements to California PI vs. PI of consumers from other states or jurisdictions, or that are not subject to the laws of certain jurisdictions. Details on third party transfers and agreements will be addressed in a future blog post. However, in Appendix A, we provide a handy chart that compares the requirements across the various U.S. Privacy Laws and the GDPR, and includes the CCPA’s requirements for contracts with third parties.

Below is a summary of provisions that are required under the CCPA to be in contracts with service providers (in some instances, we have paraphrased for sake of efficiency):

  • Identifying the specific business purposes (and not by mere reference to the services or underlying agreement) and specifying that such purposes are the only purposes for which the business is disclosing the PI to the service provider;
  • Setting forth prescriptive prohibitions on the service provider’s data processing (e.g., cannot sell/share; cannot retain, use, or disclose except for certain, limited purposes; cannot use outside of direct relationship with the business; cannot combine with other PI it has)
  • Requiring the service provider to comply with the CCPA and to provide the same level of privacy protection required by CCPA businesses (examples provided in the Regs include assisting with compliance with consumer requests and implementing reasonable security);
  • Requiring the service provider to enable the business to comply with consumer requests made pursuant to the CCPA or requiring the service provider to comply with a request upon a business informing it of one;
  • Requiring notice by the service provider if the service provider can no longer meet its legal obligations;
  • Granting the business the right to stop & remediate unauthorized use of PI;
  • Granting the business the right to take reasonable and appropriate steps to ensure that the service provider uses the PI consistent with the business’ obligations under the CCPA (e.g., through annual audits);
  • Requiring the service provider to enter into written contract with subcontractors to comply with the CCPA (i.e., effectively mirroring these obligations); and
  • If the business makes available deidentified data to the service provider, incorporating the specific requirements from the CCPA that apply to deidentified data (not having this provision will not prevent the service provider designation from being in place).

The CCPA requires the same for contracts with contractors, with the addition of a certification made by the contractor that it understands the restrictions set forth in the contract and will comply with them.

The following is a summary of what the non-CA U.S. Privacy Laws (the CPA, VCDPA, UCPA, and CTPA) require contracts between controllers and processors to include:

  • Instructions for processing, including the nature & purpose of processing (specific to the transaction and services);
  • Types of PI being processed (specific to the transaction and services);
  • Duration of processing (specific to the transaction and services);
  • Rights and obligations of the parties;
  • Provisions requiring the processor to:
      • Enter into a written contract with its subcontractors;
      • Provide the controller an opportunity to object to subcontractor engagement (arguably an implied contractual requirement under certain of the non-CA U.S. Privacy Laws);
      • Require all persons processing PI to be subject to a duty of confidentiality;
      • Delete or return PI (required by all non-CA U.S. Privacy Laws except the UCPA);
      • Allow, and cooperate with and contribute to, reasonable assessments/audits (required by all non-CA U.S. Privacy Laws except the UCPA); and
      • Make information available to demonstrate compliance (only under certain of the non-CA U.S. Privacy Laws).

A table summarizing and comparing the required data processing terms is provided in Appendix A.

Though not required, it may be desirable in many instances to include provisions that address processors’ statutory obligations and other issues and risks, such as:

  • Details regarding how the parties will operationalize the passing through of deletion and other requests or how the service provider/processor will assist with access requests;
  • Limitations on processing of sensitive PI (e.g., so as to avoid triggering the CCPA’s right to limit);
  • Specifics and/or limitations with respect to audits;
  • Specific information regarding protecting PI and security obligations;
  • Restrictions and obligations with respect to the use of tracking technologies by the recipient, or access to the business’/controller’s IT systems;
  • Provisions requiring data breach notification and assistance with investigation, remediation, etc., by the recipient;
  • Shifting of liability for losses related to data processing (e.g., indemnity), and reimbursement of costs and expenses arising out of a data breach; and
  • Intellectual property and other non-data privacy related considerations on use of data.

Conclusion

Implementing appropriate data processing terms is a vital aspect of complying with U.S. Privacy Laws. Coming into compliance requires a number of considerations including identifying the roles of the parties involved and whether the roles require a contract to be in place. Most importantly, it requires assessing which terms are required and keeping in mind that the bargaining power between the parties may weigh on where they land in terms of the specifics of data processing terms, such as the parameters of required audits, assistance with consumer rights, and so on. Now that there is some regulatory certainty in California, companies should, if they have not already, prioritize addressing data processing contracting requirements under the U.S. Privacy Laws.

We have a number of DPA forms and detailed vendor/third-party management guidance documents available for fixed fees plus customization charges. Forms available include service provider/processor, third party/C2C terms, and hybrid service provider/processor and third party/C2C terms, crafted for a range of scenarios (e.g., short form, long form, pro-service provider/processor, pro-business/controller). Forms include US only as well as a variety of global DPAs that also include requirements under the laws of a variety of other nations, including UK/EU, Canada, Mexico, Australia and China. Contact one of the authors or your SPB relationship attorney for more information.