Among the many items on privacy compliance teams' lists, as the wave of state "general" privacy laws arrives, is the impact those laws have on vendor contracts. Fortunately, for those who have already had to negotiate contracts with vendors (service providers, processors) under California's CCPA or the EU's GDPR, the additional impact should be fairly minimal.
In Colorado, Connecticut, Montana, Tennessee, Texas, Utah and Virginia, a contract is required with any entity that processes or collects personal information on behalf of the business (the citations below also note where California, Indiana and Iowa impose the same requirement). What do these laws, taken together, require the contract to contain? The following is a quick reminder:
- Set out instructions for how the data is to be processed, and the nature and purpose of the processing. (In California, that processing is limited to the specific purpose stated in the contract if the entity is a "service provider." In Colorado, Connecticut, Montana, Texas, Tennessee, Utah and Virginia, that processing is limited to the specific purpose stated in the contract if the entity is a "processor.") (CA, CO, CT, IN, MT, TN, TX, UT, VA)
- State the type of personal data to be processed and the duration of the processing. (CA, CO, CT, IN, MT, TN, TX, UT, VA)
- Impose a duty of confidentiality and require that the information be returned upon termination. (CA, CO, CT, IN, MT, TN, TX, UT, VA)
- Require appropriate technical and organizational measures to protect the data. (CA, CO, CT, IN, MT, TN, TX, UT, VA)
- Require the vendor to demonstrate ongoing compliance with applicable law (and, in California, compliance specifically with the CCPA). (CA, CO, CT, IN, MT, TN, TX, UT, VA)
- Require cooperation with assessments and audits. (CA, CO, CT, IN, MT, TX, UT, VA)
- Require written permission before engaging subcontractors. (CO, CT, IA)
Putting It Into Practice: As July 1 approaches and companies prepare for the effective dates of the Colorado and Connecticut laws, now is a good time to review existing vendor contracts against the list above and assess whether they need to be updated for these and future state laws.