12 May 2026

The Paper Trail: State Privacy Law Contracting Requirements

Seyfarth Shaw LLP

Contributor


When the California Privacy Protection Agency (“CalPrivacy”) announced a $1.35 million settlement in September 2025 – the largest CCPA penalty to date – one of the itemized grievances stood out for any practitioner who has wrestled with a vendor redline: the company had failed to amend or enter into third-party data protection vendor contracts by regulatory deadlines.

This hints at where state privacy enforcement is heading. The consumer-facing side of privacy compliance – notices, opt-out links, cookie banners – is visible and testable. But the back-end architecture of a compliant privacy program lives at least in part in vendor contracts, and regulators increasingly treat those contracts as evidence of program maturity (or its absence). Nowhere is this more concrete than in California’s 11 CCR § 7051.

The California Baseline: 11 CCR § 7051

Section 7051 of the CCPA regulations sets out nine mandatory terms that every contract with a “service provider” or “contractor” must contain. The regulation isn’t new – it took its current form in March 2023 – but it is now a bright-line compliance artifact that regulators can request and check at any time. If the requirements are not met, the contract is not with a service provider or contractor. Put differently: if the paper isn’t right, the transfer becomes a sale or share. That reclassification cascades into opt-out obligations, notice obligations, and downstream liability. The requirements for a service provider or contractor contract:

  1. Prohibit selling or sharing the personal information collected under the contract.
  2. Identify the specific business purpose(s) for the processing – “generic” cross-references to the underlying services agreement do not satisfy the regulation.
  3. Purpose Limitation. Prohibit the service provider or contractor from retaining, using, or disclosing the personal information for any purpose other than the specified business purpose(s). This is the basic “stay in your lane” rule: the vendor uses the data only for what the contract authorizes.
  4. No-commingling of data. Prohibit the service provider or contractor from using the personal information outside the direct business relationship — including combining or updating it with personal information from other sources or the vendor’s own consumer interactions. Where item (3) limits what the vendor does with the data, this limits what the vendor mixes it with.
  5. Require compliance with the CCPA and its regulations, including providing the same level of privacy protection the business is required to provide.
  6. Grant the business the right to take reasonable and appropriate steps to ensure CCPA-consistent use of the personal information.
  7. Require notice from the service provider or contractor if it can no longer meet its CCPA obligations.
  8. Grant the business the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use.
  9. Require the service provider or contractor to enable the business to comply with consumer requests (or require the business to inform them of applicable requests and provide the information necessary for compliance).

Section 7053 extends a parallel regime to “third-party” contracts – entities that receive personal information outside the service-provider/contractor structure.

The regulations expressly tie enforcement of the contract to the business’s ability to defend against liability for a service provider’s noncompliance. A business that never enforces the contract or exercises its audit rights may find its statutory defense unavailable when the regulator comes calling.

What Changed on January 1, 2026

CalPrivacy’s automated decision-making technology (“ADMT”), risk assessment, and cybersecurity audit regulations took effect on January 1, 2026, and they expressly layer new contracting expectations onto § 7051’s baseline. In practice, that means three new categories of vendor cooperation:

  • ADMT cooperation. Where a service provider or contractor supports ADMT used to make significant decisions, the contract should address the vendor’s cooperation with the business’s Pre-Use Notice obligations, opt-out and appeal mechanics (including the fifteen-day downstream-notification window for third parties following a post-processing opt-out), and access-request responses under Article 11. Section 7153 separately requires businesses that make ADMT available to other businesses to provide “all facts necessary” to support the deploying business’s risk assessment, which is triggered by a business’s deployment of ADMT tools.
  • Risk assessment support. Section 7151 of the regulations contemplates that service providers, contractors, and other external parties, including experts in detecting and mitigating ADMT bias, may be involved in the risk assessment process. Section 7152 then prescribes the operational elements the risk assessment must document, including the categories of recipients (service providers, contractors, and third parties) and the logic, inputs, and outputs of any ADMT used for significant decisions. Vendor contracts need to enable the transfer of information sufficient for the business to complete the assessment, retain it, and submit the required attestation and summary to CalPrivacy.
  • Cybersecurity audit cooperation. Section 7123 enumerates the components a qualifying business’s annual cybersecurity audit must address, including oversight of service providers and contractors. Businesses subject to the audit requirement will need contractual visibility into vendor security programs sufficient to support the auditor’s work, including the ability to make relevant information available on request.

The State Patchwork

Section 7051 of the CCPA regulations is the most prescriptive of the comprehensive state privacy regimes, but it is far from alone. The Virginia Consumer Data Protection Act (§ 59.1-579), Colorado Privacy Act (§ 6-1-1305), Connecticut Data Privacy Act (§ 42-520), and most of their successors across the US require written contracts between controllers and processors. The common core across these statutes:

  • A statement of processing instructions, nature and purpose, type of personal data, and duration.
  • Duty of confidentiality for processor personnel.
  • Flow-down of equivalent obligations to subcontractors (typically upon written notice of changes, with a right to object).
  • Assistance with data-subject rights requests, data protection assessments, breach notification, and security.
  • Audit, inspection, or assessment rights.
  • Deletion or return of personal data at the end of the engagement.

The substance overlaps considerably, which is why a well-drafted DPA template can generally cover the controller-processor laws with jurisdiction-specific riders. California remains the outlier – because § 7051 is more prescriptive, and because the CCPA, unlike the other state laws, reaches employee personal information.

Practical Next Steps

A straightforward ordering for businesses that have not recently touched their vendor paper:

  1. Inventory. Identify every vendor that receives or processes personal information on the business’s behalf, and categorize each as a service provider/contractor (California), processor (other state laws), or third party.
  2. Conduct a gap assessment on your standard DPA. Compare existing DPA language against the updated requirements.
  3. Layer the 2026 obligations. For service providers touching ADMT, risk-assessment-triggering processing, or systems in scope for cybersecurity audits, add cooperation clauses tailored to those regulatory deliverables.
  4. Prioritize amendments. Sequence by risk (data sensitivity, volume, regulatory scrutiny).
  5. Document enforcement. The audit-rights provision is only as good as its exercise. Build a practical vendor review cadence.

The through-line across all of this is that state privacy enforcement has expanded its focus from notices to contracts. Regulators read the paper now, and they are treating contract gaps as program gaps. The good news is that § 7051, despite being the most prescriptive of the state regimes, also provides the clearest compliance roadmap. Running it against your vendor inventory is the fastest way to find out whether your paper supports your program.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
