Ask the Expert: What New Privacy Laws Mean For Your Agreements

June 22, 2021 6 min read

Contributing writer

people in the office having a meeting

Navigating privacy laws as a business can be overwhelming, especially as legislation seemingly continues to change. Here to answer your burning questions about data privacy and your business, we asked Founder, CEO, and Chief Data Privacy Officer Debbie Reynolds, also known as “The Data Diva,” to tell us what new privacy laws mean for your agreements.

If you’d like to watch the full playback of our live “Ask an Expert” session with Debbie, you can access it here.

Panelists at

Debbie Reynolds, Demeka Fields, and Nicole Dobias at “Ask an Expert: What New Privacy Laws Mean for Your Agreements”

What are the top 3 privacy issues in-house counsel should address?  

The top three privacy issues in-house counsel should address relate to evidence of data practices, assessing third-party data risk, and assessing risk with legacy data. Evidence of data practices is essential because regulators want information about how companies handle data and their processes and procedures.

They also want proof of actual data practices. As a result of technology and the fact that data can be tracked and traced, businesses must go beyond just creating documentation. Assessing third-party data risk is a crucial part of the future of data privacy for almost any company.

Data privacy regulations worldwide are becoming more focused on how companies who have data of individuals transfer that data to third parties. There are legitimate reasons to transfer data to third parties for business reasons. However, data privacy regulations worldwide require more of first-party data holders and third parties related to protecting the rights of individuals.

Third-party data risk is a huge problem, as we see that in data privacy and cybersecurity. So there is a security of the data, protecting the rights of individuals and also securing the data from unauthorized access, assessing the risk of the third party or legacy data is of critical importance because a lot of times legacy data may not be as valuable to organizations, as they have been in the past. Still, there may not have been statutory regulations about when data of individuals should be deleted after a business process.

Data privacy regulations call for organizations to tie data to a purpose. Once the purpose is done with the data, it should be deleted or returned to the individual. This creates a new wrinkle in data privacy for corporations, as they have to create triggers or create procedures that will let them know when to delete data. 

What’s the difference between the CPRA and the new VA law?  What are the commonalities between these privacy laws? Any common denominators?

The  California Privacy Rights Act of 2020 (CPRA) has similarities with the Virginia Consumer Data Protection Act (CDPA). Both these laws are made to protect consumer data and give guidance to organizations about how they handle data at a high level. Both set out to describe what is considered personal data what are the rights of individuals and what are the responsibilities of businesses that handle the data of individuals.

Both laws also call for businesses to do proactive assessments of their data privacy management. Two large differences between these laws is that Virginia law does not have a private right of action which means fines of businesses will go back to the state and not to individuals, in contracts the California law allows individuals to obtain financial redress for data privacy violations. Also, the CPRA creates a new agency in California to manage data privacy issues between consumers and businesses.

What advice do you have for engaging non-legal stakeholders on data privacy issues?  

It is vital to have non-legal stakeholders engaged in data privacy issues because data privacy impacts everyone and all organizations. To resolve data privacy issues or be more mature in your data privacy programs is very important to find ways to connect with non-legal stakeholders and also make it clear how they play a part in protecting the data of individuals.

It is very important that data privacy issues not be siloed within organizations and then everyone understands not only the risks but also the fact that these types of practices and procedures protect people like them, so being able to bring data privacy down to a personal level will help non-legal stakeholders connect with the reasons and purposes behind protecting data and why is of vital importance to organizations

Are there any potential state or federal laws that companies should be aware of?  

There are federal, state, and local laws related to data privacy that companies should be mindful of in the United States. The laws on the national level are HIPAA, although HIPAA is not a privacy law but has privacy rules. Anything related to children online like COPPA, that’s something that businesses should be aware of, especially with advertising. Companies need to pinpoint and be more aware of the state-level regulations related to data privacy; the state-level regulations about data privacy are unique in the US because they’re so different from state to state.

Not all states have privacy laws, but the states with data privacy laws are specific about how data is handled for people who live in their state. So if you are a company operating in the US and have customers in many different states, you may have to treat their data differently for states to have data privacy regulations. For example, The New York shield Act has precise details about how businesses handle data of individuals who live in New York state.

So, even if your business is not located in New York, if you have customers in the state of New York, you may be subject to those laws, so that is also the case with the California CCPA and CPRA. Data privacy regulations being passed at the state level will create more complexity for businesses as they figure out how they need to treat these individuals who live in these states differently.

How do you deal with the implementation of privacy protections at your company?

There is no one way to deal with implementing privacy protections at your company, but it is essential to think about privacy by design. One good way companies should start when they’re thinking about implementing data privacy protections is thinking about minimizing the intake of data from individuals. Hence, part of that is a business process is to say these are the data points that we need to do business from individuals, and these are the only things that we’re going to collect from people.

Companies can improve their data maturity in the future and reduce the amount of data they need to do business processes. It is just thinking through the problem and asking why we are collecting such data. Hence, minimizing the data that you collect from individuals minimizes your risk of data privacy issues. And then also making sure that data is tied to a purpose is vital as people are thinking about doing these types of implementations of Privacy Practices.

How do you see the new law impacting companies that are primarily B2B?  

Many data privacy regulations tend to address third-party data sharing, which would relate to business-to-business activity. Companies need to understand that even if they are not directly subject to specific data privacy laws, they may be required to align with those laws to do business with other businesses. Especially as it relates to contracts, there will be a lot of new contracts being sent out due to a lot of this third-party data risk focus of data privacy regulations. Businesses need to address areas where they have a joint responsibility to handle issues related to data privacy.

Are there any clauses that should be added to standard agreements that were likely not there before?

Since first-party and third-party data holders have joint responsibilities under most data privacy regulations, these responsibilities should be spelled out in contracts.

Would you please share examples of business partners that have served as privacy champions for vendor review?

Business partners need to work very closely together and find out what data privacy regulations apply to their businesses and figure out who will take responsibility for what part of this data handling process. Hence, it isn’t a thing now where only the first-party data hole holder has obligations; third-party data holders have obligations, so figuring out who is responsible for what part of that process is very important.

Do you see more states adopting and implementing privacy laws and regulations?

Many states are poised to pass new data privacy legislation in the near future.  In fact, the state of Colorado is the most recent state to pass Data Privacy regulations in June of 2021.

About Ironclad

Ironclad is the #1 contract lifecycle management platform for innovative companies. L’Oréal, Staples, Mastercard, and other leading innovators use Ironclad to collaborate and negotiate on contracts, accelerate contracting while maintaining compliance, and turn contracts into critical carriers of operational business intelligence. It’s the only platform flexible enough to handle every type of contract workflow, whether a sales agreement, an HR agreement or a complex NDA. The company was named one of the 20 Rising Stars on the Forbes 2019 Cloud 100 list, and is backed by leading investors like Accel, Y Combinator, Sequoia, and BOND. For more information, visit or follow us on LinkedIn and Twitter.

More stories from our team.