Although all fifty states now have data breach notification statutes on the books, a smaller but growing number of states have adopted substantive data privacy laws. The recently passed California Privacy Rights Act (CPRA) has garnered a lot of attention thanks to that state’s size and reputation for consumer protection laws, but statutes recently passed in Colorado, Connecticut, Virginia and Utah also have the potential to impact the provisions of many businesses’ contracts with service providers.
The CPRA, the Colorado Consumer Protection Act, the Connecticut Data Privacy Act, the Virginia Consumer Data Protection Act, and the Utah Consumer Privacy Act (collectively, the Laws) will all take effect in 2023. The CPRA and the Virginia Law took effect on January 1, 2023, the Colorado and Connecticut Laws take effect on July 1, 2023, and the Utah Law takes effect on December 31, 2023.
The Laws have many similar provisions regarding the scope of their coverage, including exemptions for specific types of entities (typically for entities that are subject to substantive data privacy regulations under federal laws like HIPAA and the Gramm-Leach-Bliley Act) and exemptions for specific types of data (e.g., de-identified data or publicly available data). They also include relatively similar provisions regarding the definition of consumers who are subject to their protections and the rights of consumers to limit the use and disclosure of their sensitive personal data. Likewise, the Laws impose transparency and security obligations, along with use and resale restrictions, on businesses who collect and process consumers’ data (Controllers). On these points, the Laws are fairly similar to existing foreign data privacy laws (such as the EU’s General Data Protection Regulation) and essentially codify many of the best practices that US-based Controllers have already implemented via their privacy policies in an effort to avoid liability for unfair and deceptive trade practices.
One area where the Laws are particularly noteworthy, however, is their requirement that a Controller enter into a mutually binding contract with each person who will be processing consumers’ data on the Controller’s behalf (a Processor). Like HIPAA’s requirement that business associate agreements with subcontractors include specific minimum provisions, the Laws include their own litanies of provisions that must be included in these Controller-Processor contracts. Some typical (but by no means universal) examples of these mandatory provisions include requirements to (a) set out instructions regarding the nature and purpose of the data processing to be performed by the Processor, (b) identify the type of data to be processed, (c) specify the duration of the processing, (d) compel the Processor to ensure that each individual involved in the processing is subject to a duty of confidentiality, (e) prohibit subcontracting unless the subcontractor is bound by a written contract requiring it to meet the Processor’s obligations with respect to the data, and (f) address the deletion or return of the data upon the completion of the processing services.
While many existing forms of service-provider contracts will contain provisions that satisfy some of the Laws’ requirements, it will behoove Controllers and their attorneys to make sure that their contracts with Processors include all of the Laws’ mandatory provisions. This is especially the case if the Controller is doing a substantial amount of business with residents of California, Colorado, Connecticut, Virginia, or Utah, whether by virtue of having a physical presence in such states or via the internet. Moreover, as additional states adopt their own substantive data privacy laws in the coming months and years—which appears highly probable given current trends—they will likely include similar provisions regarding Controller-Processor contracts. Thus, early compliance efforts may prove fruitful even if the Controller currently has minimal exposure to the personal data of California, Colorado, Connecticut, Virginia, or Utah residents.
If you have any concerns regarding your contracts’ compliance with these Laws, or the Laws’ applicability to your business, the attorneys in Poyner Spruill’s Data Privacy & Information Security Practice Group would be happy to speak with you.