Privacy Lawyers for Montana

A Data Processing Agreement (DPA) is a legally binding document that governs the relationship between the data controller and data processor in compliance with data protection laws such as the General Data Protection Regulation (GDPR). Here are the key provisions that should be included: 1. Scope and Purpose • Clearly define the purpose of the data processing and the nature of the data being processed. • Specify the categories of data subjects (customers, employees). • Outline the types of personal data involved. 2. Roles and Responsibilities • Define the roles of the parties (controller vs. processor). • State that the processor will act only on the documented instructions of the controller. 3. Compliance with Laws • A commitment to comply with applicable data protection laws and regulations, such as the GDPR or CCPA. 4. Confidentiality • Ensure that the processor’s personnel are subject to confidentiality obligations. • Prohibit unauthorized access or sharing of data. 5. Security Measures • Require the processor to implement appropriate technical and organizational measures to protect personal data (encryption, access controls). • Include procedures for detecting and responding to data breaches. 6. Sub-processors • Outline conditions for engaging sub-processors ( prior authorization or notification). • Ensure sub-processors comply with the same data protection obligations. 7. Data Subject Rights • Require the processor to assist the controller in responding to data subject requests (access, correction, deletion). 8. Data Transfers • Specify the conditions for transferring personal data outside the European Economic Area (EEA) or other restricted jurisdictions. • Include safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). 9. Data Breach Notification • Oblige the processor to notify the controller promptly in the event of a personal data breach. • Provide details on how incidents will be managed. 10. Audit Rights • Grant the controller or its appointed auditor the right to inspect and audit the processor’s compliance. 11. Retention and Deletion of Data • Specify the duration of processing. • Require the processor to delete or return personal data after the end of the contract or processing period. 12. Liability and Indemnification • Allocate liability for breaches or non-compliance. • Include indemnification provisions if appropriate. 13. Termination and Consequences • Address the conditions for terminating the DPA. • Define the post-termination obligations (data return or deletion). 14. Jurisdiction and Governing Law • Specify the governing law and jurisdiction for resolving disputes. 15. Annexes or Schedules • Include detailed annexes to provide additional information, such as: • A list of sub-processors. • A description of technical and organizational measures. • A record of processing activities. Legal Review Always consult a legal expert to ensure that the DPA aligns with the applicable laws and the specific needs of the parties involved.

There are myriad laws that govern privacy. In the U.S. there are the U.S. Privacy Act, HIPPA for health info, GLBA for financial, COPPA protecting children, and now more States are adding privacy laws. In 2023 alone, new consumer privacy laws will be effective in California, Colorado, Connecticut, Utah, and Virginia. Doing business internationally? The GDPR in the EU is recognized as something of a gold standard for individual privacy. The GDPR created ongoing obligations for maintains and updating privacy implementation. Companies located anywhere, not just the EU, must appoint a Data Protection Officer (“DPO”) if they have to carry out large scale, regular and systematic monitoring of people, for example online behavior tracking or large scale processing of sensitive (special category) data or data relating to crimes and criminal convictions.

This is a pretty standard document. The biggest concern is just making sure that the document reflects the reality of how customer data will be used. Usually a Privacy Policy is referenced in the terms, and is likely one of the most important documents for a CA startup.

Yes. If you sell to people in the European Union, the GDPR applies to you. It doesn’t matter where your business is based. Under Article 3, the law extends beyond Europe to cover any company that offers products or services to EU residents or tracks their behavior online. So if you accept orders from the EU, you're legally required to follow GDPR rules. The GDPR lays out key principles in Article 5. In simple terms: • You must have a lawful basis before collecting personal data (lawfulness). • Data must be collected and used fairly and transparently (fairness and transparency). • Only gather the minimum data necessary and for clear, legitimate purposes (purpose limitation and data minimisation). • Keep personal data accurate and update or correct it when needed (accuracy). • Don’t keep data longer than required for the stated purpose (storage limitation). • Protect data with appropriate technical and organizational safeguards (integrity and confidentiality). • Be able to show regulators that you comply with all of these rules (accountability). You also need to be able to prove you're doing all this if a regulator asks. When Are You Allowed to Use Customer Data? For things like shipping an order or taking payment, you’re covered by what's called the “contract” basis under Article 6(1)(b). You need info like names, addresses, and payment details to complete a sale. That’s allowed. For email marketing, things are stricter. Consent is usually required. That means a clear opt-in, like an unchecked box the customer has to actively click. Some EU countries allow limited “soft opt-in” for existing customers, but the rules vary by country. If you’re unsure, it’s safest to get clear consent before emailing EU customers with promotions. What Rights Do Customers Have Over Their Data? Articles 15–21 give EU customers a lot of control. They can: • Ask what data you have on them • Correct wrong info • Ask you to delete their data (in certain cases) • Tell you to stop using it • Opt out of marketing • Ask you to send their data to another company You need systems in place to respond to these requests quickly and efficiently. What About Cookies? The EU’s top court (in the Planet49 case) made it clear: you can’t assume consent for tracking cookies. That means: • No pre-checked boxes • No vague “we use cookies” banners • You must let users actively choose which types of cookies to allow • You need to record and prove that consent was given Your cookie banner should be easy to use and offer equal choices for accepting or rejecting cookies. How to Keep Customer Data Secure You’re expected to take technical and organizational steps to protect people’s personal data. That includes things like: • Using SSL/TLS encryption • Restricting access to databases • Having solid contracts with vendors who handle customer data If there’s a data breach, Article 33 says you must tell the relevant EU authority within 72 hours if the breach could put someone’s rights at risk. If it’s a serious risk to individuals, Article 34 says you also need to inform the affected customers. What If You Use Outside Vendors? If you work with third parties such as payment processors, email services, or cloud providers, you’re responsible for what they do with customer data. The GDPR requires you to sign Data Processing Agreements (DPAs) with them. These agreements must cover: • How they protect the data • Their legal obligations • How they’ll help you stay compliant You can’t skip this part. It’s not optional. Do You Need an EU Representative? If you regularly sell to EU customers, the answer is yes. Article 27 requires most non-EU businesses to appoint an official representative inside the EU. This rep acts as your point of contact for EU regulators and customers. You only get an exemption if: • You rarely process EU data • It’s low-risk • It doesn’t involve sensitive data But if you're actively targeting or shipping to EU customers, that exemption likely won’t apply. What Happens If You Don’t Comply? Regulators can fine you up to €20 million or 4% of your global annual revenue, whichever is higher. That said, small businesses aren’t usually hit with huge fines right away. Most EU regulators aim to help companies comply, especially if you’re clearly making an effort. But ignoring GDPR isn’t a good strategy. Being able to show you’ve taken real steps toward compliance is your best protection. Attorneys on Contracts Counsel are ready to help with GDPR compliance, including privacy policies, vendor contracts, and other legal obligations tailored to your business needs.

If your website uses cookies to track visitors, you may be subject to strict privacy laws in the United States, Europe, Canada, and beyond, including the GDPR, UK GDPR/PECR, California’s CCPA/CPRA, and Quebec’s Law 25. Failing to comply can expose businesses (even small e-commerce sites) to fines, audits, or enforcement actions. GDPR, UK GDPR, and PECR If you have users in the EU or UK, the strictest rules apply. Non-essential cookies such as analytics, advertising, or social media tracking can’t be dropped until a user has given valid consent. Valid consent under GDPR must be freely given, specific, informed, and unambiguous. That means no pre-ticked boxes, no “by continuing to browse you consent,” and no dark patterns where “Reject All” is buried or harder to find than “Accept All.” Essential cookies, like those used to keep items in a cart or for login security, don’t require consent but still must be disclosed. Users must be able to withdraw consent just as easily as they gave it, which usually means a persistent “Cookie Settings” link at the bottom of the site. ePrivacy Directive This European law creates the consent requirement for storing or accessing information on a user’s device. It works alongside the GDPR, which sets the standard for what valid consent looks like. Together they form the backbone of EU cookie regulation. California CCPA/CPRA In California, the rules are different. You don’t need opt-in consent for cookies (except for minors), but you do need to provide disclosures and an opt-out. If you allow third-party advertising or analytics cookies that could qualify as “selling” or “sharing” personal information, you’re required to display a clear “Do Not Sell or Share My Personal Information” link. You must also process the Global Privacy Control (GPC) browser signal automatically as an opt-out. For minors, there are special rules: under 13 requires parental consent for selling or sharing, and between 13 and 16 requires the user’s own opt-in. Other U.S. State Laws States like Colorado, Connecticut, and Virginia now require opt-outs for targeted advertising and profiling. Colorado goes a step further and requires honoring state-designated universal opt-out mechanisms, not just GPC. This means your systems need to detect and act on these browser signals in real time. Quebec’s Law 25 Quebec has taken a more EU-style approach. Non-essential cookies and other tracking technologies require prior, express consent. If you’re serving Canadian users, especially in Quebec, you’ll need to design your banner and policy closer to GDPR standards. What to Include in a Cookies Policy A legally compliant policy should be easy to find, typically linked in your site footer and from the banner itself. It should contain: • A plain language explanation of what cookies are and why you use them • Categories of cookies (necessary, preference, analytics, advertising) with examples and purposes • Duration of storage (session vs. persistent cookies) • Identification of third-party cookies, including names of providers and links to their policies • Instructions for users on how to manage or withdraw consent, both on your site and through browser settings • A description of how refusal of non-essential cookies may affect site functionality • Contact details for privacy inquiries and a clear “last updated” date Compliance in Practice Use a consent management platform or a tag manager configuration that blocks all non-essential cookies until consent is given in the EU, UK, and Quebec. Design your banner so “Accept All” and “Reject All” are equally visible, with a “Customize” option for granular control. Keep consent logs that record when consent was given, which categories were selected, and the version of the banner in use at the time. Regulators may ask to see this. If you’re covered by CCPA/CPRA or other U.S. state laws, make sure your systems detect and act on GPC or state-mandated universal opt-out mechanisms. If you’re relying on third-party ad tech or analytics vendors, check their contracts to confirm they’ll honor these signals downstream. Avoid cookie walls that block access unless a user accepts all cookies. European regulators generally view that as invalid because consent isn’t freely given if there’s no real choice. Review and update your policy regularly. If you change vendors, add new tracking tools, or alter how you use cookies, update the policy and refresh the banner if needed. Protect Your Business Regulators are imposing multimillion-dollar fines for cookie violations. Contracts Counsel’s privacy attorneys can draft compliant policies and consent systems tailored to your business and aligned with 2025 legal requirements.