Next year will undoubtedly be a big one for transactional attorneys who deal with personal data. New state privacy laws will impose a host of detailed contract requirements by the beginning of 2023. And even sooner, international regulators will be examining whether global businesses and their domestic vendors are incorporating new mandatory clauses into data-related agreements.
These changes will likely have the greatest impact on businesses that handle consumer data exclusively from jurisdictions that, up until recently, have not imposed robust privacy regimes. Meanwhile, larger companies, which are accustomed to consolidating privacy language required by several regimes into one contract, might find a less bumpy road ahead.
Much uncertainty remains as to how these new and updated laws will actually be enforced. For now, businesses must glean whatever insight they can from a careful analysis of the provisions that regulators have made available.
California’s Call for More Contracts
Throughout 2022, scores of tech lawyers will likely be finalizing their clients’ updated contracting procedures in preparation for an assortment of new state privacy laws.
This trend was kicked off by the California Consumer Privacy Act (CCPA), which took effect in January 2020. Less than a year later, voters approved major amendments to the CCPA via the California Privacy Rights Act (CPRA) in November 2020. In addition to bestowing numerous data-related rights upon Californians, the CPRA created new contracting requirements for businesses that handle the data of individuals residing within the nation’s most populous state.
By Jan. 1, 2023, businesses that collect personal information from California consumers must enter into an agreement with every service provider or contractor to which such information is disclosed, as well as with any third party to which such information is sold. Agreements with a service provider or contractor, as the CPRA defines such terms, are already standard practice. But the exact nature of other arrangements that will soon require formal contracts is not so clear.
The CPRA term “third party” excludes the business with whom the consumer intentionally interacts, as well as that business’s service providers and contractors. Under this broad definition, a “third party” could be an internet service provider, online advertising network, or even a government agency. If a business sells personal information to such an entity—or shares it for behavioral advertising purposes—then an agreement will be required.
For some businesses, this could mean having to negotiate contracts for arrangements that, before now, would have never involved any formal agreement, let alone one containing specific compliance provisions. The newly established California Privacy Protection Agency, headed by a former Federal Trade Commission official, could possibly provide some clarification on third-party transactions in regulations due next year.
States Are Starting to Get Specific
California will also require agreements involving personal information to address specific matters. For instance, such contracts must permit businesses to take “reasonable and appropriate steps” to confirm that any use of personal information is consistent with the CPRA. Agreements with a service provider or contractor must include additional prohibitions on specific uses of personal information, such as combining it with separately collected personal data. A contractor must also certify its compliance. The graphic below illustrates how these requirements might apply to various entities.
California is not alone in making contracts an integral part of compliance. Virginia’s Consumer Data Privacy Act, effective Jan. 1, 2023, and the Colorado Privacy Act, effective July 1, 2023, will also require businesses that control the processing of personal data to incorporate certain clauses into agreements with their selected data processors. While there are several subtle but potentially significant differences between these laws, both will require contracts to cover similar subjects, such as the processor’s responsibility to ensure that any subcontractors are bound to the same requirements.
The impact of these obligations will likely be more profound for businesses that do not handle the data of Europeans, as such companies have not had to adjust to the stringent requirements of the EU’s General Data Protection Regulation (GDPR). Results from a May 2021 Bloomberg Law survey suggest that applying compliance programs created for GDPR to new state laws could be a helpful strategy. However, while businesses with such programs already in place may have somewhat of an advantage, contracting standards for international transactions are themselves about to experience some significant shifts.
A Whole New World ... of Clauses
Following last year’s invalidation of the popular data transfer framework known as the EU-U.S. Privacy Shield via Schrems II, the EU published new standard contractual clauses (SCCs) in June 2021 as a replacement mechanism for trans-Atlantic data sharing. December 2022 is the deadline for amending existing contracts containing the older version of the SCCs; the deadline for ceasing use of the old SCCs in new agreements expired this September.
For multinational companies—many of which have been struggling to implement GDPR operational requirements since 2018—the broader range of processing roles captured by the new SCCs may reduce the need to execute multiple agreements for a single data flow. But domestic businesses that import the personal data of Europeans into the U.S. or other non-EU “third countries” will be hit particularly hard by the new contractual obligations. These “data importers” may include vendors that are not directly subject to the GDPR (i.e., that do not offer products to Europeans), but nonetheless must agree to the SCCs to retain multinational clients.
The most noteworthy changes to data importer obligations are closely tied to the newly required transfer impact assessments, which address Schrems II concerns about government surveillance. A data importer must now promptly notify the party from which it received personal data (the “data exporter”) of any reason to believe that applicable laws impede data protection. Similarly, the importer must promptly notify the exporter—and, where possible, the individual to whom personal data relates (i.e., a European consumer)—of any binding request for disclosure by a public authority. Moreover, if such a request appears to be unlawful following a “careful assessment,” the importer must challenge it.
There are also outstanding questions as to whether the enforcement of other new international privacy laws will be similar to the EU’s enforcement of GDPR. In particular, China recently passed the Personal Information Protection Law. Considering that Chinese citizens comprise nearly one-fifth of the global population, China’s yet-to-be-published standard clauses governing personal data transfers will likely have widespread impact. 2022 might be when businesses finally get a glimpse of how China will be enforcing its new law, which just took effect on Nov. 1.