Modern state privacy laws mandate that agreements with service providers or processors contain specific contractual provisions to govern the parties’ relationship. Which provisions must be included in a vendor agreement, however, differs by state statute. In addition, some state privacy laws impose statutory obligations on vendors that do not need to be memorialized in the parties’ contract. For example, the VCDPA requires that a processor provide the information necessary for a controller to conduct and document a data protection assessment. That obligation is statutorily imposed and need not be duplicated in the parties’ agreement.[1] Other states may imply certain contractual provisions but do not expressly mandate their inclusion.
The following is a side-by-side comparison of the contractual provisions that various state privacy statutes expressly require to be memorialized in the contract (indicated by “✔”), statutory obligations imposed on processors that need not be memorialized in the contract (indicated by “!”), and requirements a statute does not impose at all (indicated by “X”), compared against the European GDPR. Areas in which a statute is ambiguous about whether a provision must be contained in the contract are flagged “✔/X”.
Requirement | EU GDPR 2018 | CA CCPA 2020 | CA CPRA 2023 | VA VCDPA 2023 | CO CPA 2023 | Utah UCPA 2023 | Conn. CTDPA 2023
--- | --- | --- | --- | --- | --- | --- | ---
1. Subject Matter. Description of the subject matter of processing. | ✔[2] | X | X | X | X | X | X
2. Duration. Description of the duration of processing. | ✔[3] | X | X | ✔[4] | ✔[5] | ✔[6] | ✔[7]
3. Nature and Purpose. Description of the nature and purpose of processing. | ✔[8] | X | X | ✔[9] | ✔[10] | ✔[11] | ✔[12]
4. Type of Data. Description of the type of personal data to be processed. | ✔[13] | X | X | ✔[14] | ✔[15] | ✔[16] | ✔[17]
5. Categories of Data Subjects. Description of the categories of data subjects to which the data relates. | ✔[18] | X | X | X | X | X | X
6. Use Restrictions. A service provider may process personal data only in accordance with the controller’s documented instructions. | ✔[19] | ✔[20] | ✔[21] | X | X | X | X
7. Stop Unauthorized Use. Agreement must permit the business, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information. | X[22] | X | ✔[23] | X | X | X | X
8. Combining Personal Information from Multiple Clients. Agreement prohibits a service provider from “combining the personal information” it receives from one business with the personal information it receives from another business (or collects from its own interactions with consumers), unless the combination relates to a business purpose identified in regulations to be adopted by the California Privacy Protection Agency. | X | X | ✔[24] | X | X | X | X
9. Disclosure Restrictions. Confidentiality provision ensuring that persons authorized to process personal data have committed themselves to confidentiality. | ✔[25] | ✔[26] | ✔[27] | ✔[28] | ✔[29] | ✔[30] | ✔[31]
10. Explicit Prohibition Against Selling or Sharing for Behavioral Advertising. Agreement prohibits the service provider from selling personal information or sharing personal information for the purpose of cross-context behavioral advertising. | X | ✔/X[32] | ✔[33] | X | X | X | X
11. Delete or Return Data. Service provider will delete or return data at the end of the engagement. | ✔[34] | ✔[35] | ✔[36] | ✔[37] | ✔[38] | X | ✔[39]
12. Security. Service provider will implement appropriate technical and organizational measures to secure the information. | ✔[40] | X | ![41] | ![42] | ![43] | ![44] | ![45]
13. Assisting Controller in Responding to a Data Breach. Service provider will cooperate with the controller in the event of a personal data breach. | ✔[46] | X[47] | X | ![48] | ![49] | ![50] | ![51]
14. Subcontractor Notification. A service provider must notify the business if it engages another person or company to assist it in processing personal information. | ✔[52] | ✔/X[53] | ✔[54] | X | ✔[55] (must provide opportunity to object) | X | ✔[56] (must provide opportunity to object)
15. Subcontractor Selection. A service provider must obtain written authorization before subcontracting and must inform the company before making any change to its subcontractors. | ✔[57] | X | X | X | X | X | X
16. Subcontracting Flow-Down Obligations. Service provider will flow down these obligations to any sub-processors. | ✔[58] | X | ✔[59] | ✔[60] | ✔[61] | ✔[62] | ✔[63]
17. Subcontracting Liability. A service provider remains fully liable to the controller for the performance of a sub-processor’s obligations. | ✔[64] | X | X | X | X | X | X
18. Responding to Data Subjects. Service provider will assist the company in responding to requests by a data subject. | ✔[65] | X | ![66] | ![67] | ![68] | ![69] | ![70]
19. Compliance with Applicable Obligations. Agreement requires that the service provider provide the level of privacy protection required by the law governing the controller. | ✔[71] | X | ✔[72] | X | X | X | X
20. Assisting Controller in Creating a DPIA. Service provider will cooperate with the controller when the controller conducts a data protection impact assessment. | ✔[73] | X | X | ![74] | ![75] | X | ![76]
21. Audit Right. Service provider will allow the company to conduct audits or inspections of compliance with these obligations. | ✔[77] | X | ✔/X[78] | ✔[79] | ✔[80] | X | ✔[81]
22. Cross-Border Transfers. Service provider will not transfer data outside the EEA without the company’s permission. | ✔[82] | X | X | X | X | X | X
23. Notification of Non-Compliance. Agreement requires the service provider to notify the business if the service provider determines that it can no longer meet its obligations under applicable law. | ✔/X[83] | X | ✔[84] | X | X | X | X
24. Provide Information. Agreement requires the service provider to make available to the company all information necessary to demonstrate compliance with the service provider’s obligations. | ✔[85] | X | ✔/X[86] | ✔[87] | ✔[88] | X | ✔[89]
[1] Va. Code § 59.1-575(A)(3) (2021).
[2] GDPR, Article 28(3).
[3] GDPR, Article 28(3).
[4] Va. Code § 59.1-575(B) (2021).
[5] C.R.S. § 6-1-1305(5)(b) (2021).
[6] Utah Code Ann. § 13-61-301(2)(a) (2022).
[7] Conn. Sub. Bill No. 6, § 7(b) (passed April 28, 2022; pending governor approval).
[8] GDPR, Article 28(3).
[9] Va. Code § 59.1-575(B) (2021).
[10] C.R.S. § 6-1-1305(5)(a) (2021).
[11] Utah Code Ann. § 13-61-301(2)(a) (2022).
[12] Conn. Sub. Bill No. 6, § 7(b) (passed April 28, 2022; pending governor approval).
[13] GDPR, Article 28(3).
[14] Va. Code § 59.1-575(B) (2021).
[15] C.R.S. § 6-1-1305(5)(b) (2021).
[16] Utah Code Ann. § 13-61-301(2)(a) (2022).
[17] Conn. Sub. Bill No. 6, § 7(b) (passed April 28, 2022; pending governor approval).
[18] GDPR, Article 28(3).
[19] GDPR, Article 28(3)(a).
[20] Cal. Civ. Code § 1798.140(v) (West 2020).
[21] Cal. Civ. Code § 1798.100(d)(1), 140(ag)(1)(B), (C) (West 2021).
[22] While the GDPR does not mandate a contractual provision permitting the controller to stop unauthorized uses by the processor, the contract must state that processing may occur only on the documented instructions of the controller.
[23] Cal. Civ. Code § 1798.100(d)(5) (West 2021).
[24] Cal. Civ. Code § 1798.140(ag)(1)(D) (West 2021).
[25] GDPR, Article 28(3)(b).
[26] Cal. Civ. Code § 1798.140(v) (West 2020).
[27] Cal. Civ. Code § 1798.140(ag)(1)(B), (C) (West 2021).
[28] Va. Code § 59.1-575(B)(1) (2021).
[29] C.R.S. § 6-1-1305(3)(a), (5)(c) (2021).
[30] Utah Code Ann. § 13-61-301(2)(b) (2022).
[31] Conn. Sub. Bill No. 6, § 7(b)(1) (passed April 28, 2022; pending governor approval).
[32] While the CCPA did not expressly require that a contract prohibit a service provider from selling or sharing personal information, it did require that a service provider not “disclos[e]” personal information for any purpose other than the specific purpose of performing the services specified by the business. See Cal. Civ. Code § 1798.140(v) (West 2020).
[33] Cal. Civ. Code § 1798.140(ag)(1)(A) (West 2021).
[34] GDPR, Article 28(3)(g).
[35] Cal. Civ. Code § 1798.140(v) (West 2020).
[36] Cal. Civ. Code § 1798.140(ag)(1)(B), (C) (West 2021).
[37] Va. Code § 59.1-575(B)(2) (2021).
[38] C.R.S. § 6-1-1305(5)(c), (d)(I) (2021).
[39] Conn. Sub. Bill No. 6, § 7(b)(2) (passed April 28, 2022; pending governor approval).
[40] GDPR, Articles 28(1), 28(3)(c), 32(1).
[41] Cal. Civ. Code § 1798.100(d)(4), (e) (West 2021).
[42] Va. Code § 59.1-575(A)(2) (2021).
[43] C.R.S. § 6-1-1305(4), (5)(c) (2021).
[44] Utah Code Ann. § 13-61-301(1)(b) (2022).
[45] Conn. Sub. Bill No. 6, § 7(a)(2) (passed April 28, 2022; pending governor approval).
[46] GDPR, Articles 28(3)(f), 33, 34.
[47] Laws other than the CCPA govern data breach response. Those laws do not, however, require that a service provider’s contract contain a provision obligating the service provider to cooperate with or assist the business in the event of a breach.
[48] Va. Code § 59.1-575(A)(2) (2021).
[49] C.R.S. § 6-1-1305(2)(b) (2021).
[50] Utah Code Ann. § 13-61-301(1)(b) (2022).
[51] Conn. Sub. Bill No. 6, § 7(a)(2) (passed April 28, 2022; pending governor approval).
[52] GDPR, Articles 28(2), 28(3)(d).
[53] While the CCPA did not expressly require that a contract obligate a service provider to notify the business if another person or entity would assist in processing personal information, it did require that a service provider not “disclos[e]” personal information for any purpose other than the specific purpose of performing the services specified by the business. See Cal. Civ. Code § 1798.140(v) (West 2020).
[54] Cal. Civ. Code § 1798.140(ag)(2) (West 2021).
[55] C.R.S. § 6-1-1305(3)(b), (5)(c) (2021).
[56] Conn. Sub. Bill No. 6, § 7(b)(4) (passed April 28, 2022; pending governor approval).
[57] GDPR, Articles 28(2), 28(3)(d).
[58] GDPR, Articles 28(3)(d), 28(4).
[59] Cal. Civ. Code § 1798.140(ag)(2) (West 2021).
[60] Va. Code § 59.1-575(B)(5) (2021).
[61] C.R.S. § 6-1-1305(3)(b), (5)(c) (2021).
[62] Utah Code Ann. § 13-61-301(2)(c) (2022).
[63] Conn. Sub. Bill No. 6, § 7(b)(4) (passed April 28, 2022; pending governor approval).
[64] GDPR, Articles 28(3)(d), 28(4).
[65] GDPR, Articles 28(3)(e), 12-23.
[66] Cal. Civ. Code § 1798.105(c)(3), 130(3)(A) (West 2021).
[67] Va. Code § 59.1-575(A)(1) (2021).
[68] C.R.S. § 6-1-1305(2)(a) (2021).
[69] Utah Code Ann. § 13-61-301(1)(b) (2022).
[70] Conn. Sub. Bill No. 6, § 7(a)(1) (passed April 28, 2022; pending governor approval).
[71] GDPR, Article 28(1). Note that the GDPR does not specifically mandate that this requirement be included in the parties’ contract; it does, however, require that a processor provide “sufficient guarantees” that its processing will “meet the requirements of this Regulation . . . .”
[72] Cal. Civ. Code § 1798.100(d)(2) (West 2021).
[73] GDPR, Articles 28(3)(f), 35-36.
[74] Va. Code § 59.1-575(A)(3) (2021).
[75] C.R.S. § 6-1-1305(2)(c) (2021).
[76] Conn. Sub. Bill No. 6, § 7(a)(3) (passed April 28, 2022; pending governor approval).
[77] GDPR, Article 28(3)(h).
[78] Cal. Civ. Code § 1798.140(ag)(1)(D) (West 2021). Note that this provision could be read as allowing the business to audit the service provider only for compliance with the prohibition against combining personal information. Note, however, that the business must have the right to take “reasonable and appropriate steps” to ensure that the service provider’s use is consistent with its legal obligations, Cal. Civ. Code § 1798.100(d)(3) (West 2021), which might include audit rights.
[79] Va. Code § 59.1-575(B)(4) (2021) (referring to reasonable assessments).
[80] C.R.S. § 6-1-1305(5)(c), (d)(II)(A), (B) (2021).
[81] Conn. Sub. Bill No. 6, § 7(b)(5) (passed April 28, 2022; pending governor approval). Note that Connecticut refers to cooperation with reasonable “assessments”; it is ambiguous whether “assessments” includes all proposed audits.
[82] GDPR, Articles 28(3)(a), 46.
[83] GDPR, Article 28(3)(h). The GDPR requires only that a processor immediately inform the controller if an instruction from the controller infringes the GDPR or other Union or Member State data protection law; it does not generally mandate that a processor notify the controller that it can no longer meet its other contractual obligations. Other contractual documents between the parties (most notably the Standard Contractual Clauses for cross-border data transfers) may, however, contain such a requirement.
[84] Cal. Civ. Code § 1798.100(d)(4) (West 2021).
[85] GDPR, Article 28(3)(h).
[86] Cal. Civ. Code § 1798.100(d)(3) (West 2021). Note, however, that the business must have the right to take “reasonable and appropriate steps” to ensure that the service provider’s use is consistent with its legal obligations, which might include audit rights.
[87] Va. Code § 59.1-575(B)(3) (2021).
[88] C.R.S. § 6-1-1305(5)(d)(II)(A) (2021).
[89] Conn. Sub. Bill No. 6, § 7(b)(3) (passed April 28, 2022; pending governor approval).