30 June 2023

The Comprehensive Privacy Law Deluge: Updating Vendor Contracts

Sheppard Mullin Richter & Hampton

Contributor

Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.

Among the many worries on privacy compliance teams' lists as we face the onslaught of state "general" privacy laws is the impact those laws have on vendor contracts. Fortunately, for those who have already had to deal with contracts with vendors (service providers, processors) under California law or the EU's GDPR, the impact should be fairly minimal.

In Colorado, Connecticut, Montana, Tennessee, Texas, Utah and Virginia, contracts are required with entities that process or collect information for the business. What do these laws, collectively, require to be in the contracts? The following is a quick reminder:

  • Instruct on how data is to be processed, and the nature and purpose of the processing. (In California, that processing will be limited to the specific purpose listed in the contract if the entity is a "service provider." In Colorado, Connecticut, Montana, Texas, Tennessee, Utah and Virginia, that processing will be limited to the specific purpose listed in the contract if the entity is a "processor"). (CA, CO, CT, IN, MT, TN, TX, UT, VA)
  • Indicate the type of personal data to be processed and duration of the processing. (CA, CO, CT, IN, MT, TN, TX, UT, VA)
  • Obligate confidentiality and that information be returned upon termination. (CA, CO, CT, IN, MT, TN, TX, UT, VA)
  • Obligate appropriate technical and organizational measures to protect the data. (CA, CO, CT, IN, MT, TN, TX, UT, VA)
  • Give proof of ongoing legal compliance. (And in California, compliance specifically with CCPA). (CA, CO, CT, IN, MT, TN, TX, UT, VA)
  • Cooperate with assessments and audits. (CA, CO, CT, IN, MT, TX, UT, VA)
  • Obtain written permission before engaging subcontractors. (CO, CT, IA)

Putting It Into Practice: As we quickly approach July 1, and companies are thinking about the effective dates of the Colorado and Connecticut laws, now is a good time to review contracts and assess whether they need to be updated for future state laws.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
