Insights: AlertVendor Management from a U.S. Data Privacy PerspectiveSeptember 5, 2023 Given the increasing number of data privacy laws in the U.S., entering into appropriate data processing agreements (“DPAs”) with vendors has now become a critical component of vendor management. It can also be one of the most time-consuming and complex aspects of data privacy compliance. This article discusses when an organization should enter into a DPA with a vendor, an overview of U.S. DPA requirements, key considerations when negotiating a DPA, and some other key aspects of vendor management from a U.S. data privacy perspective besides entering into a DPA. When an Organization Should Enter into a DPA with a Vendor At the onset of the vendor relationship, it is critical to determine whether a DPA is legally required. Current or forthcoming comprehensive data privacy laws in certain U.S. states1 contain various contractual requirements, which is a driving factor in the rising number of DPAs in the U.S. As a first step in determining whether to enter into a DPA, it is important to understand whether either or both the organization (or customer) and the vendor are subject to the U.S. comprehensive data privacy laws that would mandate a DPA. Although thresholds vary by state, generally U.S. state comprehensive data privacy laws have high thresholds for applicability (e.g., $25 million in gross annual revenue, processing the personal data of 100,000 consumers in a given state, or significantly engaging in the “sale” of personal data), which means that they do not apply to many smaller organizations. If both the customer and the vendor are not subject to these laws, then no DPA is legally required. However, a customer may still want to negotiate a DPA to afford adequate contractual protections for the personal data provided to the vendor. Next, if either the customer or the vendor is subject to these laws, DPAs are only legally required where “personal data” or “personal information” (i.e., information that is linked or reasonably linkable to an identified or identifiable individual) is being disclosed to the vendor. Therefore, if the information being disclosed to the vendor does not constitute personal data under applicable law or if the information has been sufficiently de-identified or aggregated so that it is no longer personal data, a DPA is not legally required. As contractual requirements under U.S. state comprehensive data privacy laws generally only apply when the vendor is acting as a “processor” (i.e., processing the personal data on behalf of the customer) or a “service provider” (i.e., using the personal data only for a specified business purpose), it is important to look at each vendor critically to determine its role. If the vendor is not providing a traditional service offering such that the vendor is not processing the personal data on the customer's behalf or using the personal data outside of the specified business purpose, then no DPA may be legally required and/or a modified DPA might be preferred. Examples of such vendors include integration partners and data brokers. Lastly, other state laws and federal laws may impose contractual requirements for certain types of data or for certain industries, which also might be exempt from the comprehensive data privacy laws. For example, recently enacted laws governing “consumer health data” in Nevada2 and Washington3 contain detailed contractual requirements (such as requiring a vendor to act consistently with the customer's consumer health data privacy policy). On a federal level, the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule contain detailed contract requirements for in-scope service arrangements. U.S. financial privacy laws also may shape DPAs, as financial institutions must monitor and assess their vendors' data security capabilities.4 Overview of U.S. DPA Requirements For those instances where a vendor is processing personal data on the customer's behalf, the following are contractual requirements common across the various U.S. state comprehensive data privacy laws:
In addition to the above, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”) imposes unique contractual requirements. The CCPA requires businesses to use mandatory language in their contracts with vendors that complies with the following obligations:
The CCPA is also unique in that even if a vendor does not process the personal data on the customer's behalf (such that the customer is “selling” personal data to the vendor), certain contractual requirements still apply. Such requirements include provisions limiting the vendor's use of the customer's personal data and requiring the vendor to comply with the CCPA. Key Considerations When Negotiating a DPA When negotiating a DPA, many vendors will insist upon starting with the vendor's form DPA, which tends to be heavily drafted in favor of the vendor and may inadequately protect the personal data provided by the customer. Therefore, as the customer, it is important to carefully review and typically negotiate DPAs. In addition to the legally required contractual obligations noted above, there are some additional provisions that the customer will likely want to consider adding to the DPA with the vendor. For example, these include:
In negotiations of DPAs, contentious issues to negotiate often include the following:
Other Data Privacy Considerations for Vendor Management Finally, customers should keep in mind that DPAs are not the only way that they should or must manage vendors. Prior to engagement, customers should conduct diligence of a vendor's privacy and security practices. Selecting an inadequate vendor that triggers a consumer lawsuit, personal data breach, or regulatory violation may cause reputational and commercial harm. Pursuing a breach of contract claim against the vendor that violates a DPA cannot rebuild trust with customers or repair a damaged brand name. In addition, smaller or less sophisticated vendors might agree to a customer's DPA requirements but have no practical means of meeting those requirements. Absent a strong insurance requirement, such vendors would likely be incapable of making the customer financially whole in the event of a breach of the DPA, which makes selecting the right vendors critical. Once a DPA is in place with a vendor, customers should exercise their negotiated audit rights and monitor for updates to the DPA. The CCPA provides a strong incentive for exercising such rights, as customers that annually exercise such right are not responsible for the vendor's violation under the CCPA. Lastly, it is important to monitor developments in data privacy laws and enter into any necessary amendments to the DPA to ensure the parties compliance with relevant data privacy laws. FootnotesRelated People![]() John M. Brigagliano
jbrigagliano@ktslaw.com |

