Interested in training for your team? Click here to learn more

Consumer Data Transfers Under New Privacy Laws: Contracting Requirements; Due Diligence; Vendor Management

Best Practices for Drafting and Modifying Documents to Ensure Continued Compliance With Ever-Evolving Privacy Laws

Recording of a 90-minute CLE video webinar with Q&A

This program is included with the Strafford CLE Pass. Click for more information.
This program is included with the Strafford All-Access Pass. Click for more information.

Conducted on Tuesday, October 10, 2023

Recorded event now available

or call 1-800-926-7926

This CLE course will guide business and technology counsel in managing transfers of U.S. consumer data in light of nearly a dozen new state privacy laws, including on conducting data practice assessments and drafting and updating technology vendor agreements, and data sales and license agreements, to meet the new and upcoming requirements of these laws. In addition, the new EU/U.S. personal data transfer mechanism, the Data Privacy Framework (DPF), which replaces Privacy Shield, and how to qualify under it will be explained. The panel will also discuss the evolving privacy landscape and provide practical advice to ensure that businesses abide by enhanced protections for consumers by reviewing requirements for compliance, differences in the scope of application with the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA), the EU General Data Protection Regulation, and other state privacy laws as well as due diligence tactics for evaluating personal data transfers.


U.S. consumer privacy compliance continues to evolve as California has strengthened its law and nearly a dozen states have followed with their own legislation. Companies must be aware of what this means for privacy regulation in California and beyond.

As of Jan. 1, 2023, human resources and B-to-B personal data are now fully in scope under CCPA. While the other states have limited the scope of regulation to traditional consumers, most join California in providing special treatment for "high risk" activities such as the sale of personal data, transfers related to targeted (cross-context) advertising, sensitive personal data, and profiling. This includes the need to conduct and document data practice assessments for these activities, including considering vendors and other recipients. Many of the states also require contracts with recipients with requirements for specific provisions.

Since Privacy Shield was invalidated, personal data transfers from the EU to the U.S. have been challenging, necessitating the use of standard contractual clauses (SCCs) or binding corporate rules and complex transfer risk assessments (TRAs)/transfer impact assessments (TIAs). The need for TRAs/TIAs has made use of U.S. vendors to process exported EU personal data challenging. In July 2023, the EU found adequacy for the DPF, designed to replace Privacy Shield, and ruled that transferring under the DPF no longer requires TRAs/TIAs. Learn how to qualify for DPF and how DPF adequacy can be leveraged to aid in completing TRAs/TIAs if SCCs remain the applicable vendor transfer mechanism.

Listen as our authoritative panel of privacy attorneys and consultants clarifies state privacy law and DPF requirements and provides best practices for drafting and modifying documents to ensure continued compliance.



  1. History of U.S. state consumer privacy laws
  2. What has changed under the new generation of U.S. consumer privacy laws
  3. Contracting requirements for personal data transfers under U.S. consumer privacy laws
  4. The benefits of DPF for EU-U.S. personal data transfers and how to qualify for DPF and leverage it for non-DPF transfers
  5. Performing due diligence on existing vendor agreements for compliance
  6. Drafting vendor and third-party transfer contracts or amending existing agreements
  7. Tips for implementing an effective vendor risk management program


The panel will review these and other relevant topics:

  • Data transfer contracting requirements under new U.S. consumer privacy laws:
    • for service providers/processors
    • for other transfers (sales and licenses)
    • regarding sensitive data, targeted advertising, and other high risk data practices
  • The role of assessments
  • How DPF can be used to enable EU-U.S. personal data transfer
  • Vendor management best practices


Friel, Alan
Alan L. Friel

Squire Patton Boggs

Mr. Friel is co-Chair of the firm’s Global Data Privacy, Cybersecurity & Digital Assets Practice. BTI has...  |  Read More

Jacobson, Julia
Julia B. Jacobson

Squire Patton Boggs

Ms. Jacobson is a partner in the Data Privacy, Cybersecurity & Digital Assets Practice. She offers practical and...  |  Read More

Yushchak, Colleen M.
Colleen Yushchak

Senior Managing Director
Ankura Consulting Group

Ms. Yushchak has over 20 years of experience in technology and litigation consulting, including compliance consulting...  |  Read More

Access Anytime, Anywhere

Strafford will process CLE credit for one person on each recording. All formats include course handouts.

To find out which recorded format will provide the best CLE option, select your state:

CLE On-Demand Video