Consumer Data Transfers Under New Privacy Laws: Contracting Requirements; Due Diligence; Vendor Management

Best Practices for Drafting and Modifying Documents to Ensure Continued Compliance With Ever-Evolving Privacy Laws

A live 90-minute CLE video webinar with interactive Q&A

This program is included with the Strafford CLE Pass. Click for more information.
This program is included with the Strafford All-Access Pass. Click for more information.

Tuesday, October 10, 2023

1:00pm-2:30pm EDT, 10:00am-11:30am PDT

or call 1-800-926-7926
Add to your calendar

This CLE course will guide business and technology counsel in managing transfers of U.S. consumer data in light of nearly a dozen new state privacy laws, including on conducting data practice assessments and drafting and updating technology vendor agreements, and data sales and license agreements, to meet the new and upcoming requirements of these laws. In addition, the new EU/U.S. personal data transfer mechanism, the Data Privacy Framework (DPF), which replaces Privacy Shield, and how to qualify under it will be explained. The panel will also discuss the evolving privacy landscape and provide practical advice to ensure that businesses abide by enhanced protections for consumers by reviewing requirements for compliance, differences in the scope of application with the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA), the EU General Data Protection Regulation, and other state privacy laws as well as due diligence tactics for evaluating personal data transfers.

Description

U.S. consumer privacy compliance continues to evolve as California has strengthened its law and nearly a dozen states have followed with their own legislation. Companies must be aware of what this means for privacy regulation in California and beyond.

As of Jan. 1, 2023, human resources and B-to-B personal data are now fully in scope under CCPA. While the other states have limited the scope of regulation to traditional consumers, most join California in providing special treatment for "high risk" activities such as the sale of personal data, transfers related to targeted (cross-context) advertising, sensitive personal data, and profiling. This includes the need to conduct and document data practice assessments for these activities, including considering vendors and other recipients. Many of the states also require contracts with recipients with requirements for specific provisions.

Since Privacy Shield was invalidated, personal data transfers from the EU to the U.S. have been challenging, necessitating the use of standard contractual clauses (SCCs) or binding corporate rules and complex transfer risk assessments (TRAs)/transfer impact assessments (TIAs). The need for TRAs/TIAs has made use of U.S. vendors to process exported EU personal data challenging. In July 2023, the EU found adequacy for the DPF, designed to replace Privacy Shield, and ruled that transferring under the DPF no longer requires TRAs/TIAs. Learn how to qualify for DPF and how DPF adequacy can be leveraged to aid in completing TRAs/TIAs if SCCs remain the applicable vendor transfer mechanism.

Listen as our authoritative panel of privacy attorneys and consultants clarifies state privacy law and DPF requirements and provides best practices for drafting and modifying documents to ensure continued compliance.

READ MORE

Outline

  1. History of U.S. state consumer privacy laws
  2. What has changed under the new generation of U.S. consumer privacy laws
  3. Contracting requirements for personal data transfers under U.S. consumer privacy laws
  4. The benefits of DPF for EU-U.S. personal data transfers and how to qualify for DPF and leverage it for non-DPF transfers
  5. Performing due diligence on existing vendor agreements for compliance
  6. Drafting vendor and third-party transfer contracts or amending existing agreements
  7. Tips for implementing an effective vendor risk management program

Benefits

The panel will review these and other relevant topics:

  • Data transfer contracting requirements under new U.S. consumer privacy laws:
    • for service providers/processors
    • for other transfers (sales and licenses)
    • regarding sensitive data, targeted advertising, and other high risk data practices
  • The role of assessments
  • How DPF can be used to enable EU-U.S. personal data transfer
  • Vendor management best practices

Faculty

Friel, Alan
Alan L. Friel
Partner
Squire Patton Boggs

Mr. Friel is co-Chair of the firm’s Global Data Privacy, Cybersecurity & Digital Assets Practice. BTI has...  |  Read More

Jacobson, Julia
Julia B. Jacobson
Partner
Squire Patton Boggs

Ms. Jacobson helps clients maximize the value of their strategic relationships by drafting and negotiating a wide range...  |  Read More

Yushchak, Colleen M.
Colleen Yushchak
Senior Managing Director
Ankura Consulting Group

Ms. Yushchak has over 20 years of experience in technology and litigation consulting, including compliance consulting...  |  Read More

Attend on October 10

Cannot Attend October 10?

You may pre-order a recording to listen at your convenience. Recordings are available 48 hours after the webinar. Strafford will process CLE credit for one person on each recording. All formats include course handouts.

To find out which recorded format will provide the best CLE option, select your state:

CLE On-Demand Video

Download