In Colorado, Connecticut, Montana, Tennessee, Texas, Utah and Virginia, contracts are required with entities who process or collect information for the business. What do these laws, collectively, require be in the contracts? The following is a quick reminder:

• Instruct on how data is to be processed, and the nature and purpose of the processing. (In California, that processing will be limited to the specific purpose listed in the contract if the entity is a “service provider.” In Colorado, Connecticut, Montana, Texas, Tennessee, Utah and Virginia, that processing will be limited to the specific purpose listed in the contract if the entity is a “processor”). (CA, CO, CT, IN, MT, TN, TX, UT, VA)
• Indicate the type of personal data to be processed and duration of the processing. (CA, CO, CT, IN, MT, TN, TX, UT, VA)
• Obligate confidentiality and that information be returned upon termination. (CA, CO, CT, IN, MT, TN, TX, UT, VA)
• Obligate appropriate technical and organizational measures to protect the data. (CA, CO, CT, IN, MT, TN, TX, UT, VA)
• Give proof of ongoing legal compliance. (And in California, compliance specifically with CCPA). (CA, CO, CT, IN, MT, TN, TX, UT, VA)
• Cooperate with assessments and audits. (CA, CO, CT, IN, MT, TX, UT, VA)
• Obtain written permission before engaging subcontractors (CO, CT, IA).

*Kathryn Smith is a fellow in the firm’s Chicago office.

Putting It Into Practice: As we quickly approach July 1, and companies are thinking about the effective dates of Colorado and Connecticut, now is a good time to review contracts and assess if they need to be updated for future state laws.