The Virginia Consumer Data Protection Act (CDPA), which becomes effective on January 1, 2023, includes a requirement that all parties obtaining data processing services from third-party vendors must enter into binding written agreements with those service providers. Data processing services include a wide range of services involving the collection, sharing, and analysis of consumer data. Although organizations that do not fall within the scope of the CDPA are not required to execute such written contracts, there are several reasons why those organizations may choose to enter into written contracts. Alliance Law Group LLC can work with your organization to determine which written agreements it may be required by the CDPA to execute. Alliance Law Group can also help your organization develop appropriate written contracts for data processing services even if your organization is not within the scope of the CDPA. We can also help your organization review existing agreements it may already have with third-party data processing service vendors to ensure that those arrangements comply with the CDPA and effectively serve the needs of your organization.

The CDPA requires that all contracts with third-party data processing service providers address, at a minimum, certain key elements. The agreements must clearly and specifically identify the parties functioning as “data controller” and “data processor.” The agreements also must include a clear, accurate, and complete description of the data processing services to be provided, with clear and enforceable instructions to the data processor specifying the actual data services to be provided. In addition, the agreements must provide that all individuals involved in the data processing services will be subject to valid and enforceable confidentiality agreements applicable to the data. Moreover, the data controller must retain the right to require that the data processor either delete specific data or return that data immediately upon reasonable request by the data controller.

The agreements must provide the data controller with the right to require the data processor to provide documentation of compliance with the CDPA immediately upon reasonable request. The agreements must commit the data processors to cooperate fully with the data controllers during data security audits and in the event of a data security breach that must be remedied and investigated. The agreements must commit the data processor to maintain all operational and administrative controls necessary to protect the consumer data, and the data processors must commit to apply all of the terms of the agreements to all sub-processors who may be engaged in the work contemplated by the agreements.

It seems likely that the requirement for written data processing services agreements and the specific terms identified in the CDPA may eventually be seen as among the best practices associated with data processing operations. In that context, organizations should carefully consider adopting the written agreement requirements, even if they are not within the scope of the CDPA. By doing so, organizations can enhance the quality and effectiveness of their data privacy policies and practices, thus reducing their future potential legal liability associated with data privacy issues.

Alliance Law Group can work with your organization to review and update existing data processing services agreements and to assist in preparing new agreements as required. ALG can also help your organization ensure that all such agreements comply with the requirements of the CDPA.

* This article is not intended to provide legal advice. Individual facts and circumstances vary. Accordingly, please consult Alliance Law Group or other legal counsel for issues involving the requirements for data processing vendors and other requirements of the Virginia CDPA.