Checklist: Developing key privacy and data security contractual terms and provisions (B2C) (USA)

Updated as of: 16 June 2025

Introduction

This checklist will assist in-house counsel, private practice lawyers, and data managers in developing privacy and data security provisions for contracts with consumers that are effective as well as compliant with the relevant laws and regulations. This checklist is limited to steps in drafting a privacy agreement or privacy and data security terms and provisions within a consumer contract, and does not relate to the development of an overall privacy policy.

This checklist covers:

  1. Consider preliminary matters
  2. Draft key data privacy and security terms and provisions

This checklist can be used in conjunction with the following How-to guide: Incident response plan readiness and identification of a reportable data breach, and Checklists: Drafting a consumer privacy policy and Responding to a data breach.

Step 1 – Consider preliminary matters

No.   Requirement
1.1   Understand relevant federal law
1.2   Understand relevant state statutes and regulations
1.3   Determine the type of data collected

Step 2 – Draft key data privacy and security terms and provisions

No.   Requirement
2.1   Draft terms related to the data being collected and how it will be used
2.2   Draft terms related to data transfers
2.3   Draft terms related to the exercise of rights of data subjects
2.4   Draft terms related to data protection officers
2.5   Draft terms related to data breaches
2.6   Draft terms regarding cookies
2.7   Draft terms regarding changes to the privacy agreement
2.8   Draft terms regarding limitations of liability

General notes

Consumer information is arguably the most critical asset any organization can have. For an organization to succeed and grow, it must obtain accurate information about its consumers to properly execute its business functions, which include strategic planning, marketing, and operational decision-making. While some of this information can be gained from general research and analysis, the most useful data must often be obtained from the consumers themselves.

At state and federal level, legislatures and regulators have placed greater emphasis on data privacy and security for the protection of consumers, and have incorporated an increasing number of data privacy and security provisions into state and federal laws and regulations. Generally, these laws require that, if an organization collects or shares consumers’ personally identifiable information or other sensitive data, the organization must disclose how that data is collected, used, and shared, so that consumers can make informed choices about whether and how their data is used. The agencies that enforce such laws typically wield enforcement powers that enable them to take legal action against organizations that fail to adequately protect consumer data, and such organizations can face significant penalties for mishandling it.

One of the most effective ways for organizations to comply with legal requirements and instill trust in their consumers is to include data privacy and security provisions in their consumer contracts. This is especially true for organizations that operate in the financial or healthcare sectors, as well as those that offer products or services directed toward children. The purpose of this checklist is to assist organizations, particularly those mentioned above, in drafting essential data privacy and data security terms in their consumer contracts.

Legal framework

The laws relating to data privacy in the United States are complex. No single federal law regulates data security or online privacy, although many attempts have been made to enact one. Several sector-specific federal statutes (the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Children’s Online Privacy Protection Act (COPPA)) impose additional obligations on data collectors regarding the collection and retention of certain types of data and the data of certain classes of data subjects. In the educational sector, the Family Educational Rights and Privacy Act (FERPA) does not require educational institutions to adopt specific data security controls, but professionals in the industry have recognized the importance of preventing breaches of educational data.

Many states have their own data privacy statutes. For instance, California, Colorado, Connecticut, Illinois, Utah, and Virginia are among the states with legislation currently in effect that imposes obligations on organizations that do business in the state, or that collect data from its residents, to protect the personal data they collect. These states have also implemented a variety of reporting requirements in the case of breaches of personal data. For further information, see US Data Protection and Privacy (state-by-state).

Organizations that operate, or that collect and use data from consumers, in states with their own data privacy statutes must understand the legal requirements that may exist under the applicable state law, as the contract language may need to reflect these potential additional demands. It is best practice for data collectors to establish policies that are reflected in their privacy agreements and that take into consideration an increasing trend of regulation. See further Checklist: Drafting internal privacy policies and procedures.

Organizations that collect personal data should consider that state regulations are often crafted to protect state residents’ data no matter where the transaction takes place and privacy agreements should be drafted with those standards in mind.

Although the specific legal requirements are not overly prescriptive, certain best practices have emerged. Data privacy agreements generally should reference the type of information the data collector is collecting from the data subject, what that information will be used for, and how it will be stored and processed. Data collectors should inform data subjects of changes to data privacy agreements in advance.

Step 1 – Consider preliminary matters

There is no single source of privacy law in the United States. Privacy laws and practices stem from an array of sources including federal laws, state laws, common law privacy claims, and even pressure from the public to undertake certain privacy protections (eg, public pressure to apply enhanced protections for credit card information as a reaction to a publicized data breach). US privacy law is an evolving patchwork of federal and state laws.

1.1 Understand relevant federal law

At the federal level, the primary privacy laws are sector-specific and apply only to certain types of business activity. However, privacy standards may also be woven into other laws and regulations. The following are some of the key federal privacy laws:

  • the Privacy Act of 1974, which governs federal agencies and the contractors that operate systems of records on their behalf;
  • HIPAA and the privacy and security rules adopted under it, which govern covered entities (health plans, healthcare clearinghouses, and healthcare providers) and their business associates, such as third-party billing and collections agencies;
  • GLBA, which governs financial institutions; and
  • COPPA, which governs operators of websites or online services directed at children under the age of 13, and operators with actual knowledge that they are collecting personal information from such children.

Organizations must have a thorough understanding of their obligations under federal law and should assign personnel, and put in place other mechanisms, to routinely monitor for changes in the law. This knowledge will provide organizations with valuable insight that may be used as a guide when drafting or revising the language of data privacy and security terms in their consumer contracts.

For further information, see How-to guide: How to determine and apply relevant US privacy laws to your organization and Checklist: Understanding privacy laws in the US.

1.2 Understand relevant state statutes and regulations

Many states have enacted laws regarding the privacy of consumer data. California, Colorado, Connecticut, Utah, and Virginia were the first to enact comprehensive consumer privacy laws (Illinois, by contrast, regulates biometric identifiers under a sector-specific statute, the Biometric Information Privacy Act). The Oregon Consumer Privacy Act, the Florida Digital Bill of Rights, the Texas Data Privacy and Security Act, and the Montana Consumer Data Privacy Act all went into effect in 2024, and new laws in Delaware, Iowa, Nebraska, New Hampshire, and New Jersey took effect in January 2025. State privacy laws typically govern a consumer’s right to access, correct, or delete their personal information, to opt out of the sale of their information and of certain processing such as targeted advertising, and to be notified of the collection and of their rights relating to it.

This current wave of state privacy enactments shows that organizations must keep abreast of the consumer privacy and data security requirements of each state in which they operate or from whose residents they collect data. Organizations should also consider including a choice-of-law provision in their privacy agreements so that the agreement is governed by the laws of a specific state in the event of a legal action, bearing in mind that such a clause will not displace the mandatory consumer protections of the state in which the consumer resides.

For further information, see US Data Protection and Privacy (state-by-state).

1.3 Determine the type of data collected

Different types of personal data are governed by different statutes, so the type of data a company collects, stores, or processes will influence how it conducts operations, as well as the language to be included in its privacy agreements. Entities that collect, store, and process healthcare information are regulated under HIPAA, whereas businesses engaged in the collection, storage, and processing of financial data are regulated under GLBA.

Sometimes, certain classes of data subjects are regulated separately. For example, the collection, storage, and processing of data of children under 13 is regulated under COPPA, while the sale of personal data of older minors is restricted by certain state laws (eg, the California Consumer Privacy Act, which requires opt-in consent before the personal information of consumers under 16 is sold); the relevant ages vary by state statute.

Privacy agreements should be drafted to comply with federal and state statutes, and such agreements should adequately reflect the company’s current policies for each type of data being collected from data subjects. Before drafting contractual terms and provisions, it is important to determine what type of data your organization collects and which statutes it must comply with.

Step 2 – Draft key data privacy and security terms and provisions

Always draft a privacy agreement with the legal and regulatory requirements for data protection in mind. These legal and regulatory standards should be taken as the minimum level of protection required.

2.1 Draft terms related to the data being collected and how it will be used

Privacy agreements should clearly spell out what data will be collected, how it will be used, and should reflect the organization’s policies and any relevant federal or state statutes. Where personal data will be used to train or operate artificial intelligence (AI) systems, disclose that use and evaluate, for each type of data, whether feeding it into such systems is appropriate.

2.1.1 What data will be collected?

State the types of personal data that will be collected and retained. Provide express notification to the data subject about what that data is being used for, and whether that data is being used solely within the organization or is being shared with other parties, such as third-party affiliates or business partners of the organization. Where the contract involves more than one type of data, provide definitions of the distinct types of data that will be collected and retained.

Be aware of specific sectoral legislation that limits the use of data. HIPAA mandates that healthcare information should be used only for the express purposes described in the Act. GLBA limits the use or transfer of certain data (such as account information) for sales or marketing purposes. Both statutes require organizations to notify data subjects about what data is being collected and which parties will have access to that data.

2.1.2 How the data will be used

As mentioned above, there are certain federal statutes that regulate the collection, storage, and processing of data, particularly those dealing with healthcare and finance. HIPAA lays out detailed rules about who may use and share protected health information, covering both covered entities and their business associates, and such information cannot ordinarily be sold or bartered without the individual’s authorization. GLBA prohibits disclosing account numbers or similar access codes to non-affiliated third parties for marketing purposes. As a rule, personal data may be used only for those purposes set forth in the privacy agreement.

Under most state laws, a data collector may collect and use personal information only for purposes that are disclosed to the consumer and reasonably necessary to the collector’s legitimate business. How that standard is expressed varies by state. For example, data collected by an online retailer may be used for statistical purposes by the retailer (eg, judging the likely demand for a particular type of product), but not to support a political campaign involving one of the retailer’s executives.

Several states have enacted statutes designed to limit how data is traded. States such as California have passed laws that require data brokers to register with the state. See California Civil Code section 1798.99.80.

Privacy agreements should be drafted with federal and state statutes regarding the use and re-use of data in mind. Clearly distinguish how each type of data collected will be used. Reflect in the privacy agreement the company’s current practices concerning how data is to be used.

2.1.3 Data security

Data security is best achieved by implementing safeguards of three kinds:

  • administrative (eg, policies, procedures, and training);
  • physical (eg, limiting physical access and providing adequate physical infrastructure); and
  • technical (eg, encryption, access controls, and firewalls).

It is also best practice to craft privacy and data security contract provisions that ensure data subjects are aware of the sensitivity of their own personal data and that data subjects take their own reasonable safeguards to assist in data security.

Privacy agreements should also address data retention, and the security measures to be taken. There should also be a provision for destruction or deletion of old or unneeded data.

2.1.4 Sensitive data

Safeguard all personally identifiable information, often referred to as PII, but take particular care with especially sensitive information, which includes financial, credit, and healthcare information. While there is no universal definition of PII, it is generally considered ‘any information that can be used to distinguish or trace an individual’s identity.’

Federal regulations have adopted reasonableness standards for the securing of sensitive personal data. The general requirements of the HIPAA Security Rule (45 CFR 164.306(a)) are as follows:

  • ensure the confidentiality, integrity, and availability of electronic protected health information;
  • identify and protect against reasonably anticipated threats to its security or integrity;
  • protect against reasonably anticipated impermissible uses or disclosures; and
  • ensure compliance by the workforce with the Security Rule.

GLBA has established a more detailed standard for safeguarding customer information. See 16 CFR Part 314.

Organizations should formulate privacy agreement provisions relating to data security in a way that reflects the data security policies and practices of the organization. Likewise, those policies and practices should reflect a level of security proportionate to the sensitivity and volume of the personal data the organization collects and stores. Additionally, the organization’s policies should reflect the current best practices of the human resource, physical security, and information technology communities.

In its technology blog, the Federal Trade Commission (FTC) notes that ‘[t]echnology is not a monolith’ and is ever changing. The blog lists terms and developments in the areas of security in data management, security in software development, and security in product design for humans that should be addressed by companies with data security risks.

2.2 Draft terms related to data transfers

Not every state or federal agency mandates notifying data subjects about transfers of their personal information to other parties, but it is still best practice to craft privacy agreements in such a fashion that subjects are informed about which parties will have access to their personal information, whether those parties are affiliates of the data collector, or whether they are outside processors or data brokers.

Any privacy agreement should reflect which affiliated or non-affiliated organizations the data subject’s data will be shared with. This includes any data processors and sub-processors. The agreement should also reflect what those data processors will do with the personal information that has been collected and shared. There are restrictions under HIPAA and GLBA on the sharing of private data for marketing purposes.

Federal law generally does not restrict transferring or storing the personal information of data subjects overseas (subject to limited exceptions, such as recent federal restrictions on transfers of bulk sensitive personal data to certain foreign countries), but US laws continue to apply to that data wherever it is held.

An agreement should also spell out whether the data subject’s information will be sold or bartered (or with whom it might otherwise be shared), what types of personal information will be sold or bartered, and the scope of the data that will be used in that way. COPPA restricts the collection and use of information on data subjects younger than 13 years, but trends in state law suggest that all organizations should be circumspect in the use of the information of data subjects under the age of majority (typically, 18 years).

Developments in state law trend toward treating a broad range of transfers of personally identifiable information as a sale that requires data collectors to notify data subjects and offer an opt-out. The California Consumer Privacy Act, for example, defines a sale to include ‘making available, transferring, or otherwise communicating’ personal data to a third party for monetary or other valuable consideration. It is best practice when drafting privacy agreements to notify data subjects of any such transfers, especially if such transactions involve data subjects from states with strong privacy regulations, such as California, Colorado, Utah, and Virginia.

2.3 Draft terms related to the exercise of rights of data subjects

Under HIPAA, data subjects have a right to access their protected health information, and under the Fair Credit Reporting Act (FCRA), consumers have a right to access the information in their credit reports, to dispute that information, and to have inaccuracies corrected. Under HIPAA, a covered entity may require data subjects or their representatives to make access requests in writing, or it may provide electronic means such as email or a secure web portal. See 45 CFR 164.524(b)(1).

US law provides a limited ‘right to be forgotten’ as compared with other schemes such as the General Data Protection Regulation (GDPR). Under COPPA, parents have the right to review, and to have deleted, the personal information collected from children under 13 years of age. See 16 CFR 312.6. Some state schemes, such as those in California, Colorado, and Virginia, allow data subjects to opt out of certain processing of their data.

Privacy agreements should be drafted with COPPA in mind, and data collectors must provide parents with a way to review information collected on covered children, give them a way to revoke consent, and provide a means to delete material already collected.

The trend is toward expanding the rights of data subjects, and any privacy agreement should inform the data subject of their rights under state-specific and sector-specific statutes and regulations when it comes to accessing, correcting, or deleting their personal data. Agreements should also provide a clear and readily accessible means for exercising those rights, such as giving consumers a choice of what data they want to share and providing periodic updates on what data the organization has collected and how it uses and shares that data. The agreement should also provide consumers with an easy way to cancel their service, with assurances that their data will be deleted upon cancellation.

2.4 Draft terms related to data protection officers

While the appointment of a data protection officer (DPO) is not generally required under US law, HIPAA requires covered entities to designate a privacy official responsible for their privacy policies and procedures (and, under the Security Rule, a security official). Organizations whose operations implicate HIPAA should consider including the contact information of the designated official in the agreement. See 45 CFR 164.530. Under the GDPR, appointing a DPO is sometimes mandatory for both controllers and processors, and the GDPR sets strict requirements for the competence, tasks, and independence of the role.

Massachusetts (and other states), as well as federal regulations such as the recently updated FTC Safeguards Rule (applicable to non-banking financial institutions), require organizations to designate one or more employees to oversee their information security program, so having a DPO or an equivalent role may become more commonly required in the US.

2.5 Draft terms related to data breaches

Draft privacy agreements in such a way that data subjects know in advance what will happen in the event of a data breach.

The various federal and state laws often differ on what type of event constitutes a data breach. A general working definition of a data breach is the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector or the data collector’s affiliates. An organization’s privacy officers should familiarize themselves with the standards and requirements of the jurisdictions in which they do business.

Jurisdictions also differ on what types of breaches need to be reported or recorded. Under HIPAA regulations, for example, breaches involving 500 or more data subjects are treated differently from those involving fewer subjects. Some states require reporting only when a breach affects more than a threshold number of residents, and others classify breaches based on whether the breached data is likely to cause serious harm to the data subject. Each jurisdiction requires the reporting of serious data breaches (as defined by local law) to state officials, to the data subjects themselves, or both, and some states also require that serious breaches be reported to consumer reporting agencies. Because standards vary between states, it is best practice to be familiar with the statutes of each state in which your organization does business and to incorporate those standards into your privacy agreements.

Provide information to the data subject about what steps the data collector will take in case of a breach, and also provide information to the data subject on what that data subject can or should do in case of a breach and what steps are otherwise advisable to safeguard the data subject’s personal information. See also, How-to guide: Incident response plan readiness and identification of a reportable data breach and Checklist: Responding to a data breach.

2.6 Draft terms regarding cookies

The use of website-tracking technology such as cookies is commonplace on the Internet. Every website privacy agreement should have a section explaining the data collector’s use of cookies. Improper use of cookies, whether in a fashion other than that laid out in the privacy agreement, or to misidentify website visitors or collect unauthorized data, could fall afoul of common law fraud or state wiretapping and eavesdropping statutes. Where relevant, organizations should ensure that the language included within their privacy agreements reflects their actual practices with regard to cookies, and that those practices align with the applicable state and federal laws.

No federal law specifically regulates cookies in the US. However, state laws such as the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Protection Act (CDPA) treat the identifiers stored in cookies as personal information. Under the CCPA, businesses do not need opt-in consent to set cookies but must disclose their use and the data collected; where cookies are used for cross-context behavioral (targeted) advertising, the disclosure may be considered a ‘sale’ or ‘sharing,’ which requires the business to offer consumers an opt-out. Virginia’s CDPA allows consumers to opt out of personal data processing for targeted advertising, data sales, and profiling, which can include the use of cookies.

2.7 Draft terms regarding changes to the privacy agreement

Draft privacy agreements in such a way that data subjects are aware of how changes to the privacy agreement will be transmitted to them. Based on the nature of the organization and the industry in which it operates, organizations should consider whether to provide data subjects with an option to agree to such changes, or whether mere notification of the changes will suffice. For instance, organizations that operate in the financial sector may be required to provide consumers with an opportunity to opt out of certain changes to their privacy practices under a new privacy agreement. Data subjects should be informed of changes, such as changes to the type of data that is to be collected, the reason why it is being collected or who it will be shared with, prior to their implementation.

2.8 Draft terms regarding limitation of liability

When a data breach or other privacy incident occurs, consumers generally seek to hold accountable the organization that handled their information or exposed it to unauthorized use or disclosure. While consumers may want such organizations to assume unlimited liability for such incidents, doing so could leave organizations significantly or unreasonably exposed. Limitation of liability provisions define and cap the categories of recoverable damages in situations where direct damages may not be readily ascertainable. Where a federal or state data protection statute provides for specific damages, a limitation of liability provision can help ensure that the organization will only be expected to pay those specific damages to consumers, as opposed to potential lost profits or other damages that are more difficult to determine.

Organizations should assess the benefits of including a limitation of liability clause in their privacy agreements to protect against uncapped liability following a privacy or data security breach. However, while a limitation of liability clause may protect an organization against exorbitant damages that may otherwise be owed to consumers, such provisions will not protect the organization against fines or penalties imposed by governmental agencies that enforce privacy and data security laws. Courts may also decline to enforce such a clause against a consumer where it is found unconscionable, and some state privacy laws (eg, the CCPA) declare void any contractual term that purports to waive or limit the consumer’s statutory rights.

Additional resources

Related Lexology Pro content

How-to guides:

How to determine and apply relevant US privacy laws to your organization 
How to manage your organization’s data privacy and security risks 
How to implement privacy by design within your organization 
How to develop, implement, and maintain a US privacy law compliance program 
How to develop, implement and maintain a US information and data security compliance program 
How to evaluate the effectiveness of a data security or data privacy compliance program 
How to develop a vulnerability disclosure program (VDP) for your organization to ensure cybersecurity 
How to draft a privacy policy, and privacy and data security provisions in contracts 
How to manage third party supply chain data privacy, security risks, and liability 
Incident response plan readiness and identification of a reportable data breach 
How to prepare for and respond to a governmental investigation or enforcement action for violation of US privacy laws 

Checklists:

Understanding privacy laws in the US 
Completing a data privacy risk assessment 
Drafting internal privacy policies and procedures 
Completing a data and information security risk assessment 
Drafting a consumer privacy policy 
Privacy and data security law training 
Completing a data incident response plan assessment 
Responding to a data breach 
Privacy and data security due diligence in M&A 

Quick views:

Key data privacy and data security terms 
Collection and use of non-consumer data 
Regulation of data brokers 


Reliance on information posted:

While we use reasonable endeavours to provide up to date and relevant materials, the materials posted on our site are not intended to amount to advice on which reliance should be placed. They may not reflect recent changes in the law and are not intended to constitute a definitive or complete statement of the law. You may use them to stay up to date with legal developments, but you should not use them for transactions or legal advice and you should carry out your own research. We therefore disclaim all liability and responsibility arising from any reliance placed on such materials by any visitor to our site, or by anyone who may be informed of any of its contents.