Starting in December 2022, a series of significant laws (domestic and international) are due to come into effect, which will impact new AND existing vendor contracts. Vendor contracts are agreements between two parties (a vendor and a business/individual) that detail the goods and/or services that will be provided in exchange for compensation. The applicability of the pending updates will depend on the contracting parties, such parties’ respective jurisdictions, and the contract terms themselves.
International Privacy Laws (December 27, 2022)
Prior to December 27, 2022, service contracts between controllers and processors that involve data transfers from the European Union (“EU”) to third countries (such as the United States) must be updated to include the new Standard Contractual Clauses (“SCCs”). On June 4, 2021, the European Commission issued the modernized SCCs. SCCs are preapproved contract clauses that ensure compliance with the General Data Protection Regulation (“GDPR”) by setting out appropriate data protection safeguards.
Please note that these changes apply differently to vendor contracts that involve data transfers with the United Kingdom (“UK”). The UK adopted the SCCs while a member of the EU, but left the EU prior to the issue of the modernized SCCs. However, the UK recently adopted the new SCCs, which came into effect on March 21, 2022. As such, service contracts that involve data transfers from the UK to the United States have until March 21, 2024 to be updated.
Domestic Privacy Laws (January 1, 2023)
On January 1, 2023, the California Privacy Rights Act (“CPRA”) and Virginia Consumer Data Protection Act (“CDP”) will become effective. On July 1, 2023, California will begin to enforce the CPRA, and the Colorado Privacy Act (“CPA”) will also go into effect. In addition, on December 31, 2023, the Utah Consumer Privacy Act (“UCPA”) will become effective.
Overall, the privacy laws are very similar. For example, under all four acts, consumers have the right to opt out of the sale and sharing (i.e., targeted advertisements) of their personal information (“PI”). However, the acts differ in unique ways including, but not limited to: 1) the CPRA gives consumers the right to limit the use and disclosure of sensitive PI; 2) the CDP only permits consumers to request access to their PI free of charge twice per year; 3) the CPA requires a universal opt-out for both sales and sharing; and 4) the UCPA does not permit consumers to correct collected PI.
Subscription/Automatic Renewal Law Updates (January 1, 2023)
Starting January 1, 2023, businesses that serve Idaho consumers will need to update their vendor contracts if such contracts are automatically renewed. Automatic renewal or “subscription” contracts are arrangements in which purchasing agreements are automatically renewed for a specific price at the end of a definite term on a recurring basis unless the consumer cancels the agreement (e.g., book-of-the-month clubs). Pursuant to Idaho’s law, such contracts must include clear and conspicuous disclosures about the automatic renewal offer terms and cancellation methods. While Idaho is the most recent to enact a subscription law, the Federal Trade Commission, California, and Colorado have updated their automatic renewal rules and laws over the past year.
As businesses prepare their vendor contracts to be compliant with international privacy laws (December 27, 2022) and domestic privacy laws (January 1, 2023), they should also take the opportunity to ensure that their contracts are compliant with the forthcoming CPA and UCPA, and other relevant laws. Combining efforts in this way should provide significant time and cost savings.
The material contained herein is provided for informational purposes only and is not legal advice nor is it a substitute for seeking legal advice from an attorney. Each situation is unique, and you should not act or rely on any information contained herein without seeking the advice of an experienced attorney.