Corporate Compliance Insights

Advent of New State Data Privacy Laws Is the Perfect Time to Revisit Your Contracts

Complying with patchwork of laws creates continual burden

by Sarah McAvoy
October 9, 2023
in Data Privacy

A contract establishes an organization’s obligations and rights, serving as the framework for every business relationship. But as additional states continue to debate, approve and then roll out data privacy laws, the continually moving goalposts can be an operational nightmare. Sarah McAvoy of Factor proposes a solution: effective contract management.

This summer, Colorado and Connecticut made their mark on an increasingly complex patchwork of state data privacy laws. The Colorado Privacy Act and Connecticut Personal Data Privacy and Online Monitoring Act are the latest in a steady stream of state regulations that shows no signs of abating.

In the absence of federal oversight in the U.S., more states are eyeing data privacy legislation of their own — at least 25 states introduced or considered consumer privacy bills in 2023.

With bandwidth already stretched and the threat of more regulatory projects looming, how can organizations mitigate risk and position themselves for success with the new laws in Colorado and Connecticut and other state regulations on the horizon?

While there are similarities between the various state laws, there are also nuances that impacted organizations must understand and navigate. In general, states have slightly different processing and sale thresholds for impacted businesses, as well as specified rights for consumers.

This patchwork of data privacy legislation translates to operational headaches — that’s where contract management comes in.

A contractual body contains the full breadth of an organization’s responsibilities, obligations and rights, housing the framework for every business relationship. But when minute elements of that framework must change on a case-by-case basis, organizations are often faced with an operational nightmare.

New legislation, new organizational complexity

Teams impacted by new data privacy laws must balance two priorities: implementing changes to comply with new requirements, while continuing to manage existing requirements.

This balancing act is particularly difficult when new regulations create onerous business obligations, as is the case with the Colorado and Connecticut laws. For example, businesses may be obligated to:

  • Treat consumers under a certain age with an “opt-in” default for the sale of their personal information.
  • Obtain parental consent to process data of consumers under the age of 13.
  • Provide notice to consumers about certain data practices.
  • Conduct certain risk assessments of privacy and/or security projects or procedures.

As new obligations mount and existing demands persist, organizations need a sustainable strategy for navigating the complex regulatory landscape. What’s more, that strategy needs to be documented.

But what if you’re not sure where to find your impacted documents at all, let alone the language that needs to be updated? This is an all-too-common reality. Nearly 70% of contract professionals search for completed documents at least once a week — almost 30% of the time, they’re doing it to meet legal and regulatory requirements. On average, the hunt to find impacted documents and locate relevant language takes over two hours.

Multiply this time commitment across any scale — as is inevitable when meeting regulatory demands — and it quickly becomes untenable. To avoid burnout without risking noncompliance, better contract management is vital.

3 contract management strategies to ease data privacy burdens

Because these laws are so far-reaching, complying with new and existing data privacy legislation requires cooperation from across the entire organization. Still, one person or group must fully understand the implications of the legislation and the necessary work to comply — often, a huge portion of this work lives in the bucket of contractual requirements.

Implement these practical steps to ensure your organization is prepared to meet immediate regulatory requirements and positioned to meet others that arise. 

Complete a holistic review of your contract body

The best way to get a view of your organization’s risk profile is through a top-down contract review. You don’t know what you don’t know, so if you haven’t completed a thorough review of your contract population, you run the risk of something slipping through the cracks. Insights from this review will position you to manage existing data privacy obligations and those that have yet to unfold. 

Elevate contract hygiene from ‘nice to have’ to core imperative

Organizations with subpar document storage and organization processes often find that reaching compliance with data privacy legislation requires them to complete a project within a project. When it takes unnecessary time and effort just to locate the latest version of a contract, then additional legwork to review it for compliance, teams already burdened by untenable workloads are further bogged down by inefficiency.

A sophisticated storage and retrieval system allows organizations to locate contracts and review relevant clauses quickly; as new state data privacy laws continue to emerge and regulatory burdens become more complex, this sort of system will prove vital in reaching compliance.

Consider a new approach to managing data processing agreements

Though in-house legal teams often struggle with bandwidth when handling work-intensive regulatory updates, they tend to shoulder the burden alone, unaware that an alternative partner can meaningfully assist.

Data processing agreements are one of the contracts most impacted by data privacy laws; they require careful management to ensure alignment with specific state requirements while maintaining consistent positions. This work is relatively high in volume and complexity, making it a constant drain on in-house resources but an ideal basis for a managed contracting service.

Achieving compliance with data privacy legislation

Even when they grasp the value of contract management, organizations are bound to feel overwhelmed as they wade through the bevy of state legislation. Consider these tips to help focus your contract management strategies on the highest-impact priorities:

  • Understand your legal requirements. It is important to know where the legislation permits discretion by the organization, such as determining the specifics of how to process consumer requests about their data, as well as the areas where the legislation is very precise, such as the setting of response periods in the event of a breach.
  • Be aware of requirements for certain types of personal data. Many state laws have specific requirements for the handling of different types of personal data, such as the handling of children’s data or the handling of sensitive data/health data. Each impacted business needs to ensure it has specific, more protective processes in place where necessary, and that these processes are implemented and policed.
  • Be aware of the rights of the consumer. In each state, consumers are granted specific rights. For example, both the Colorado and Connecticut laws grant consumers, at a minimum, the right to access, correct, delete and obtain a copy of their personal data. Where it is technically possible, businesses are required to provide that copy to the consumer in a usable format.
  • Have appropriate processes and controls. Ensure your organization has mechanisms in place to gather, track and store the consents of the consumers as necessary.
  • Have adequate technological security measures. Similar to the EU GDPR, the personal data protection legal framework requires data controllers and processors to put in place adequate technological security measures taking into account (i) the nature of the personal data subject to processing; (ii) the vulnerability of the processing systems; and (iii) the technological developments in the market. Such security measures must be reviewed and updated regularly, requiring management oversight and visibility into developments.
  • Ensure your organization provides privacy notices about how it uses and processes data. Each state has its own requirements on the content of these notices with the general requirement to ensure reasonable data security practices.
  • Note the trend toward universal “opt-out” mechanisms. As in other states, Colorado and Connecticut will soon require a universal opt-out mechanism. This means that company websites require a mechanism whereby online consumers can exercise their right to “opt-out” from their personal data being processed (or sold) for targeted advertising. Once this privacy preference is set, the preference is automatically sent each time the consumer visits a website.
  • Carefully manage data processing agreements. Many states follow the EU in requiring data processing agreements between controllers and processors. It is important to ensure your organization is familiar with the specific requirements to be included in any DPA. State laws vary with respect to what is required by a data processing agreement. Your business should ensure there is an effective process in place for determining when a DPA is required and then agreeing the terms with the counterparty. Other considerations, such as the storing of the executed DPA, ensuring the content of the agreement is effectively communicated to the relevant bodies in your organization and, of course, implementing the obligations, should also be addressed.

With a clearer understanding of the broad contract management strategies that support regulatory compliance, as well as key tips for focusing your approach on data privacy legislation, you can simplify the otherwise unnavigable maze to compliance. 

It is both fascinating and daunting to witness the law catching up with the technological developments of modern society. Compliance with privacy laws requires patience, collaboration and detailed organization. As organizations grapple with new legislation coming into effect and wonder what may be next, taking proactive steps toward thoughtful contract management will prove vital in navigating the regulatory landscape.


Tags: California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Contract Management, Data Governance, GDPR, Virginia Consumer Data Protection Act (CDPA)
Sarah McAvoy

Sarah McAvoy is a director at Factor, an integrated law provider. Factor works alongside corporate legal departments and law firms to solve the ever-increasing demands and complexity of transactional legal work like contracting.
