Data Contract Requirements under New State Data Privacy Laws

4 min

Want to learn more about drafting, negotiating, and understanding intellectual property and technology contracts and have 10 minutes to spare? Grab your morning coffee or afternoon tea and dig into our Tech Contract Quick Bytes—small servings of technical contract insights expertly prepared by our seasoned attorneys. This month, we're dishing up tips on navigating new state privacy laws.

A number of new state privacy laws now govern and mandate certain contractual requirements for collecting, sharing, and processing of personal information. Personal information is generally defined as data that is linked or reasonably linkable to an identified or identifiable individual, including pseudonymous data and identifiers such as cookies and mobile identifiers.

Data that constitutes personal information can be determined from a singular piece or a combination of a variety of data. So, many types of information can conceivably qualify as personal information subject to these new state laws. Consequently, they may have a broad impact on contracts for technology, software, or related services.

These laws are intended primarily to address data collection, sharing, and processing related to individual consumers. However, as drafted, a number of them may apply in other contexts. In particular, data collection between an employee and his or her employer is now implicated and governed by the data privacy law in California.

In 2023, new laws are now effective or will take effect in California, Connecticut, Colorado, Nevada, Utah, and Virginia (in addition, numerous data privacy laws in other states have been enacted this year). Although their laws differ in certain respects, nearly all of these states have introduced contracting requirements built around new terms and definitions identifying the respective parties and related information, namely, "processor," "controller," "business," "service provider," "contractor," "third party," "personal information" or "personal data."

Nevada currently has no explicit contracting requirements. But Utah requires that data processing be conducted under a contractual agreement between a controller and processor that provides instructions and details the processing, requires processor personnel involved in the processing to be bound to a duty of confidentiality, and requires that any subprocessor be contractually bound to the same obligations as the processor.

The remaining states require controllers to enter into contractual requirements with data processors containing specific terms. Specific requirements vary but generally require that contracts must address some of the following:

  • Describe the processing and relevant data, and provide processing instructions to the processor
  • Require processor and personnel involved in the processing to be bound to a duty of confidentiality
  • Require deletion or return of data at the termination of the contract
  • Require the processor to disclose information related to its contractual compliance to the controller upon request
  • Require the processor to cooperate with assessments by the controller or the controller's designated representative, or to conduct such assessments themselves
  • Bind any subprocessors to the same requirements as the processor

Additional details about these new state statutes are summarized below.


The California Privacy Rights Act of 2020 (CPRA), effective January 1, 2023, which amended and expanded the California Consumer Privacy Act of 2018 (CCPA), requires a business that collects and sells or shares personal information with a third party, or that discloses it to a service provider or contractor for a business purpose, to enter into an agreement with the third party, service provider, or contractor that addresses certain state-specific requirements.


The Virginia Consumer Data Protection Act (VCDPA), also effective January 1, 2023, requires that contracts between "controllers" and "processors" include certain requirements in their respective written contracts.


The Colorado Privacy Act (CPA), effective July 1, 2023, also requires the written contract between a "controller" and "processor" to include similar requirements in their respective written contracts.


Likewise, the Connecticut Data Privacy Act (CTDPA), effective July 1, 2023, also requires the contract between processors and controllers to include certain requirements.


Finally, the Utah Consumer Privacy Act (UCPA), effective December 31, 2023, requires contracts between controllers and processors to include instructions or requirements.

Similar statutes in Oregon, Florida, Delaware, Iowa, Texas, Montana, Tennessee, and Indiana will go into effect in the coming years. Moreover, for many of these states, organizational data assessments or privacy reviews may need to be conducted in connection with any processing activities. Consequently, additional contractual obligations may still need to be added or adjusted. If you or your company would like to talk about data privacy and related contracting requirements, please contact A.J. Zottola or Channing D. Gatewood. And click here to learn more about Venable's extensive privacy practice.