
Drafting Vendor Agreements to Comply With CPRA, CCPA, and GDPR Requirements: New Standard Clauses

Privacy Enforcement Authority, Compliance, and Accountability Standards; Sensitive Personal Information

Recording of a 90-minute CLE video webinar with Q&A

This program is included with the Strafford CLE Pass and the Strafford All-Access Pass.

Conducted on Tuesday, September 20, 2022

Recorded event now available


This CLE webinar will guide business and technology counsel on drafting and updating technology vendor agreements to meet the privacy requirements of the California Privacy Rights Act (CPRA). The panel will discuss the evolving privacy landscape and provide practical advice to help businesses abide by the stricter protections for consumers. Topics include requirements for compliance, differences in the scope of application compared with the California Consumer Privacy Act (CCPA) and the EU General Data Protection Regulation (GDPR), the new standard clauses, and due diligence tactics for evaluating existing technology vendor agreements.


Privacy regulation has recently been strengthened by a number of laws in Europe and California, including the CPRA, CCPA, and GDPR. Companies must be aware of what this means for privacy regulation in California and beyond.

The majority of the CPRA's substantive provisions will take effect on Jan. 1, 2023, providing covered businesses with several months of valuable set-up time with the rulemaking process to begin during that same period. The CPRA's expansion of the "Right to Know" impacts personal information collected during the ramp-up period, on or after Jan. 1, 2022. Businesses must still comply with the CCPA and any regulations in the meantime.

Besides creating new criteria under which businesses are regulated and new categories of "sensitive personal information," the most powerful piece of this legislation is the creation of a new privacy enforcement authority. That authority shall have the ability to issue steep fines and restrict business activities of companies that fail to comply. Counsel should be prepared to review and revise policies to conform to the new and expanded consumer privacy rights.

The EU issued new Standard Contractual Clauses (SCCs) for the GDPR on June 4, 2021. The new SCCs address the compliance requirements for cross-border data transfers. The EU has established how the new SCCs resolve certain practical issues companies faced when using the older versions but simultaneously introduce new obligations for businesses that transfer personal data out of the EU.

Listen as our authoritative panel of attorneys clarifies the new CPRA requirements and best practices to begin modifying policies to ensure compliance.



  1. History of CPRA/CCPA/GDPR
  2. Changes in CPRA
    1. New criteria for which businesses are regulated
    2. The new category of "sensitive personal information"
    3. New and expanded consumer privacy rights
    4. Creation of a new privacy enforcement authority
  3. Performing due diligence on existing vendor agreements for CPRA compliance
  4. Drafting new vendor contracts or amending existing contracts: language to include
  5. Tips for implementing an effective vendor risk management program


The panel will review these and other relevant topics:

  • What are the major expansions of privacy regulations under CPRA?
  • What are the key features of CPRA as it relates to vendor relationships and risk exposure?
  • How does one determine if a business is subject to CPRA and what constitutes "sensitive personal information"?
  • What are steps companies and their counsel should take immediately to ensure vendor agreements comply with CCPA?
  • What effect will the California privacy enforcement authority have on compliance with CPRA?
  • How have GDPR principles been incorporated into CPRA?


Aaron J. Burstein

Kelley Drye & Warren

Mr. Burstein provides legal advice on privacy, information security, and marketing laws and best practices, including...

Malcolm Dowden

Squire Patton Boggs

Mr. Dowden has more than 25 years’ experience advising UK and international clients on a wide range of...

Niloufar Massachi

Squire Patton Boggs

Ms. Massachi is an associate in the Data Privacy, Cybersecurity & Digital Assets Practice. She focuses her practice...

Access Anytime, Anywhere

Strafford will process CLE credit for one person on each recording. All formats include course handouts.


CLE On-Demand Video