Privacy Lawyers for Colorado

A Data Processing Agreement (DPA) is a legally binding document that governs the relationship between the data controller and data processor in compliance with data protection laws such as the General Data Protection Regulation (GDPR). Here are the key provisions that should be included: 1. Scope and Purpose • Clearly define the purpose of the data processing and the nature of the data being processed. • Specify the categories of data subjects (customers, employees). • Outline the types of personal data involved. 2. Roles and Responsibilities • Define the roles of the parties (controller vs. processor). • State that the processor will act only on the documented instructions of the controller. 3. Compliance with Laws • A commitment to comply with applicable data protection laws and regulations, such as the GDPR or CCPA. 4. Confidentiality • Ensure that the processor’s personnel are subject to confidentiality obligations. • Prohibit unauthorized access or sharing of data. 5. Security Measures • Require the processor to implement appropriate technical and organizational measures to protect personal data (encryption, access controls). • Include procedures for detecting and responding to data breaches. 6. Sub-processors • Outline conditions for engaging sub-processors ( prior authorization or notification). • Ensure sub-processors comply with the same data protection obligations. 7. Data Subject Rights • Require the processor to assist the controller in responding to data subject requests (access, correction, deletion). 8. Data Transfers • Specify the conditions for transferring personal data outside the European Economic Area (EEA) or other restricted jurisdictions. • Include safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). 9. Data Breach Notification • Oblige the processor to notify the controller promptly in the event of a personal data breach. • Provide details on how incidents will be managed. 10. Audit Rights • Grant the controller or its appointed auditor the right to inspect and audit the processor’s compliance. 11. Retention and Deletion of Data • Specify the duration of processing. • Require the processor to delete or return personal data after the end of the contract or processing period. 12. Liability and Indemnification • Allocate liability for breaches or non-compliance. • Include indemnification provisions if appropriate. 13. Termination and Consequences • Address the conditions for terminating the DPA. • Define the post-termination obligations (data return or deletion). 14. Jurisdiction and Governing Law • Specify the governing law and jurisdiction for resolving disputes. 15. Annexes or Schedules • Include detailed annexes to provide additional information, such as: • A list of sub-processors. • A description of technical and organizational measures. • A record of processing activities. Legal Review Always consult a legal expert to ensure that the DPA aligns with the applicable laws and the specific needs of the parties involved.

You are smart to consider GDPR, but also should consider US Privacy Policies in connection with the agreement. There are several states the already have GDPR level of privacy policies and over 20 states with bills introduced as well. A well formed policy will consider the data collected, where it is stored and how it is transferred, who has access to the data, the purpose of the data for use in the app, the ability to sell or reuse the data for additional purposes, and when the data should be deleted. This process should be contemplated and consistent within employee manuals, data access procedures, and implemented in master services agreements across all vendors, subcontractors, and suppliers. One final note is that you need to practice what you write, because a published privacy policy that is not followed may be considered a deceptive trade practice by the FTC resulting in fines on top of the costs of a breach.

If your website uses cookies to track visitors, you may be subject to strict privacy laws in the United States, Europe, Canada, and beyond, including the GDPR, UK GDPR/PECR, California’s CCPA/CPRA, and Quebec’s Law 25. Failing to comply can expose businesses (even small e-commerce sites) to fines, audits, or enforcement actions. GDPR, UK GDPR, and PECR If you have users in the EU or UK, the strictest rules apply. Non-essential cookies such as analytics, advertising, or social media tracking can’t be dropped until a user has given valid consent. Valid consent under GDPR must be freely given, specific, informed, and unambiguous. That means no pre-ticked boxes, no “by continuing to browse you consent,” and no dark patterns where “Reject All” is buried or harder to find than “Accept All.” Essential cookies, like those used to keep items in a cart or for login security, don’t require consent but still must be disclosed. Users must be able to withdraw consent just as easily as they gave it, which usually means a persistent “Cookie Settings” link at the bottom of the site. ePrivacy Directive This European law creates the consent requirement for storing or accessing information on a user’s device. It works alongside the GDPR, which sets the standard for what valid consent looks like. Together they form the backbone of EU cookie regulation. California CCPA/CPRA In California, the rules are different. You don’t need opt-in consent for cookies (except for minors), but you do need to provide disclosures and an opt-out. If you allow third-party advertising or analytics cookies that could qualify as “selling” or “sharing” personal information, you’re required to display a clear “Do Not Sell or Share My Personal Information” link. You must also process the Global Privacy Control (GPC) browser signal automatically as an opt-out. For minors, there are special rules: under 13 requires parental consent for selling or sharing, and between 13 and 16 requires the user’s own opt-in. Other U.S. State Laws States like Colorado, Connecticut, and Virginia now require opt-outs for targeted advertising and profiling. Colorado goes a step further and requires honoring state-designated universal opt-out mechanisms, not just GPC. This means your systems need to detect and act on these browser signals in real time. Quebec’s Law 25 Quebec has taken a more EU-style approach. Non-essential cookies and other tracking technologies require prior, express consent. If you’re serving Canadian users, especially in Quebec, you’ll need to design your banner and policy closer to GDPR standards. What to Include in a Cookies Policy A legally compliant policy should be easy to find, typically linked in your site footer and from the banner itself. It should contain: • A plain language explanation of what cookies are and why you use them • Categories of cookies (necessary, preference, analytics, advertising) with examples and purposes • Duration of storage (session vs. persistent cookies) • Identification of third-party cookies, including names of providers and links to their policies • Instructions for users on how to manage or withdraw consent, both on your site and through browser settings • A description of how refusal of non-essential cookies may affect site functionality • Contact details for privacy inquiries and a clear “last updated” date Compliance in Practice Use a consent management platform or a tag manager configuration that blocks all non-essential cookies until consent is given in the EU, UK, and Quebec. Design your banner so “Accept All” and “Reject All” are equally visible, with a “Customize” option for granular control. Keep consent logs that record when consent was given, which categories were selected, and the version of the banner in use at the time. Regulators may ask to see this. If you’re covered by CCPA/CPRA or other U.S. state laws, make sure your systems detect and act on GPC or state-mandated universal opt-out mechanisms. If you’re relying on third-party ad tech or analytics vendors, check their contracts to confirm they’ll honor these signals downstream. Avoid cookie walls that block access unless a user accepts all cookies. European regulators generally view that as invalid because consent isn’t freely given if there’s no real choice. Review and update your policy regularly. If you change vendors, add new tracking tools, or alter how you use cookies, update the policy and refresh the banner if needed. Protect Your Business Regulators are imposing multimillion-dollar fines for cookie violations. Contracts Counsel’s privacy attorneys can draft compliant policies and consent systems tailored to your business and aligned with 2025 legal requirements.

This is a pretty standard document. The biggest concern is just making sure that the document reflects the reality of how customer data will be used. Usually a Privacy Policy is referenced in the terms, and is likely one of the most important documents for a CA startup.

Online platforms can modify their terms of service and privacy policies without advance notice if: (1) Their terms explicitly allow such changes, and (2) Users continue using the platform after changes are made. However, modifications may still be challenged if they are unconscionable or violate privacy laws, particularly if they significantly impact user rights or data protection. While platforms may have the right to make unannounced changes, the enforceability depends on the specific modifications and their compliance with applicable regulations.