Some See California as Standard for Privacy Contract Requirements
Companies should pay particular attention to how California enforces contract requirements in the California Consumer Privacy Act, Greenberg Traurig attorney Darren Abernethy said Thursday during a TrustArc webinar.
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The Interactive Advertising Bureau in July said it’s taking note of the California Privacy Protection Agency’s emphasis on contractual requirements in the state's privacy law (see 2507070043). The agency used its contract enforcement authority in its cases against Honda and Healthline.
Privacy laws in Virginia, Colorado, Utah and Connecticut also carry contract requirements. Companies are required to include language setting limits on a service provider’s ability to retain, use or disclose personal information. Many states require companies to describe their data processing activity, impose confidentiality duties on employees, require data deletion standards, require certain disclosure for processors and require processors to agree to controller assessments.
California has shown it’s going to be “active” in upholding contractual language, and the state is seen as a national standard, said Abernethy. During the webinar, he addressed a question about how it’s often a “nightmare” to get third-party cookie providers to “sign anything” and whether there’s a contractual “template” to keep regulators “happy.”
“There’s no sort of panacea or silver bullet here,” said Abernethy.
He suggested companies have a data-processing addendum, either for the U.S. or across jurisdictions and internationally. The problem is, however, that larger social media vendors aren’t willing to alter their terms.
“Try to have a process in place to indicate why you really need to use your paper, and if you don’t, and you’re working with a vendor who won’t let you, then look for the big things that you would want to have them amend in theirs,” he said. “If all else fails, you may end up having to use the paper from the big vendor if you don’t have the bargaining leverage. ... Contracting is obviously a very difficult part of all this, but it’s a necessary part of it.”
Another option is to use standard industry contracts and networks, he said. IAB, for example, created the multi-state privacy agreement, which sets out standard terms that can be used to convert a third party into a service provider, he said. The main goal should be to have some form of data processing addendum with listed requirements and language, he added.