Drafting Vendor Agreements to Comply With California Privacy Rights Act: Requirements Beyond CCPA and GDPR

New Privacy Enforcement Authority, Compliance, and Accountability Standards; Sensitive Personal Information

Recording of a 90-minute CLE video webinar with Q&A

This program is included with the Strafford CLE Pass. Click for more information.
This program is included with the Strafford All-Access Pass. Click for more information.

Conducted on Tuesday, January 26, 2021

Recorded event now available

or call 1-800-926-7926
Course Materials

This CLE course will guide business and technology counsel on drafting and updating technology vendor agreements to meet the privacy requirements of the California Privacy Rights Act (CPRA) that was approved on Nov. 3, 2020. The panel will discuss the evolving privacy landscape and provide practical advice to ensure that businesses abide by the stricter protections for consumers by reviewing requirements for compliance, differences in the scope of application with the California Consumer Privacy Act (CCPA) and the EU General Data Protection Regulation (GDRP), and due diligence tactics for evaluating existing technology vendor agreements.


On Nov. 3, 2020, Californians voted to approve Proposition 24, a ballot measure that creates the CPRA. Recently, privacy laws have been enhanced by both the GDPR and the CCPA, California's most recent privacy law. Companies must be aware of what this means for privacy regulation in California and beyond.

The majority of the CPRA's substantive provisions will take effect Jan. 1, 2023, providing covered businesses with two years of valuable set-up time with the rulemaking process to begin during that same period. The CPRA's expansion of the "Right to Know" impacts personal information collected during the ramp-up period, on or after Jan. 1, 2022. Businesses must still comply with the CCPA and any regulations in the meantime.

Besides creating new criteria under which businesses are regulated and new categories of "sensitive personal information," the most powerful piece of this legislation is the creation of a new privacy enforcement authority. That authority shall have the ability to issue steep fines and restrict business activities of companies that fail to comply. Counsel should be prepared to review and revise policies to conform to the new and expanded consumer privacy rights.

Listen as our authoritative panel of attorneys clarifies the new CPRA requirements and best practices to begin modifying policies to ensure compliance.



  1. History of CPRA/CPPA/GDPR
  2. Changes in CPRA
    1. New criteria for which businesses are regulated
    2. The new category of "sensitive personal information"
    3. New and expanded consumer privacy rights
    4. Creates a new privacy enforcement authority
  3. Performing due diligence on existing vendor agreements for CPRA compliance
  4. Drafting new vendor contracts or amending existing contracts: language to include
  5. Tips for implementing an effective vendor risk management program


The panel will review these and other relevant topics:

  • What are the major expansions of privacy regulations under CPRA?
  • What are the key features of CPRA as it relates to vendor relationships and risk exposure?
  • How does one determine if a business is subject to CPRA and what constitutes "sensitive personal information"?
  • What are steps companies and their counsel should take immediately to ensure vendor agreements comply with CCPA?
  • What effect will the California privacy enforcement authority have on compliance with CPRA?
  • How have GDPR principles been incorporated into CPRA?


Burstein, Aaron
Aaron J. Burstein

Kelley Drye & Warren

Mr. Burstein provides legal advice on privacy, information security, and marketing laws and best practices, including...  |  Read More

Friel, Alan
Alan L. Friel

Baker & Hostetler

Mr. Friel leads the firm’s U.S. Consumer Privacy practice, which counsels clients on compliance with the...  |  Read More

Manek, David
David Manek

Senior Managing Director
Ankura Consulting Group

Mr.  Manek's global practice focuses on data analytics, cyber, data privacy, e-discovery, and digital...  |  Read More

Access Anytime, Anywhere

Strafford will process CLE credit for one person on each recording. All formats include course handouts.

To find out which recorded format will provide the best CLE option, select your state:

CLE On-Demand Video