Privacy Documentation for Vendors

Here is a high-level summary of the various contract requirements that may apply to your vendors under data privacy laws.

Where to Find Privacy Documentation

Privacy documentation is often publicly available on a vendor’s website. Here are the most common places to look.

  1. Data Processing Agreement (Most common)

    Sometimes called a data protection agreement or a data processing addendum, a DPA forms part of the agreement between the vendor and its business customers, and usually collects all of the vendor’s privacy commitments in one place.

  2. Master Service Agreement (Less common)

    The service agreement (also called the terms of service, subscription agreement, etc.) is the main agreement between a vendor and its business customers. It may contain some of the contractual language you’re looking for, or it may point you to the DPA.

  3. Privacy Policy (Rare)

    While most vendor websites have a privacy policy, it usually applies only to data the vendor collects from its own website visitors, not to data it processes on behalf of its customers.

If none of these sources yield any results, you can always contact the vendor directly to ask for assistance.

Read more about finding privacy documentation


CA Data Recipients Contract (CCPA)

The CCPA requires a contract covering any disclosure of personal information to a service provider or contractor, and to any third party to which the business sells or shares personal information.

The contract must:

  • State that the personal information is being disclosed for limited and specific purposes;
  • Require the recipient to comply with applicable obligations under the CCPA;
  • Grant the business the right to take reasonable steps to ensure the recipient’s compliance;
  • Require the recipient to notify the business if it can no longer meet its CCPA obligations; and
  • Grant the business the right to take reasonable steps to stop and remediate unauthorized use of personal information.

Service Provider Contracts (CCPA)

Under the CCPA, a “service provider” is a data recipient that processes personal information on behalf of a business. Disclosures to service providers are treated a little differently: for example, they are not considered a “sale.” For a vendor to qualify as a service provider, it and your business must have a written agreement containing certain privacy assurances.

This includes agreeing not to:

  • Sell or share the personal information;
  • Retain, use, or disclose the personal information for any purpose other than the business purposes specified in the contract, or outside of the direct business relationship between the two parties; or
  • Combine the personal information received from the business with personal information from other sources.

Note: The same requirements apply to contractors.

Read more about CCPA service providers


Data Processor Contracts (GDPR)

The GDPR requires that any recipient processing personal data on behalf of a business (a “processor”) be bound by a contract that sets out how it handles that data. Many U.S. state privacy laws have adopted very similar contractual requirements.

Though the requirements are lengthy, here are some of the most important aspects:

  • Only processing personal data according to the documented instructions of the data controller (i.e., the business);
  • Ensuring that anyone who handles the personal data has a duty of confidentiality;
  • Providing assistance with data privacy requests;
  • Implementing appropriate security measures.

Read more about data processors


International Data Transfers (GDPR)

Transfers of Europeans’ personal data to countries outside the UK or the European Economic Area (including the United States) are restricted unless certain safeguards are in place. Some countries (such as Canada and Japan) are covered by “adequacy decisions,” meaning the EU has determined that they offer sufficient privacy protections; otherwise the “data exporter” and the “data importer” must have a contractual arrangement for protecting the data, usually in the form of Standard Contractual Clauses (SCCs).

The United States has a conditional adequacy decision: transfers to U.S. companies that have certified their participation in the EU-U.S. Data Privacy Framework (DPF) are considered adequately protected. If the U.S. company is not a DPF participant, another safeguard, usually SCCs, is required.

Read more about international data transfers

Search the DPF participant list


Global Privacy Platform Agreements

TrueVault uses the IAB’s Global Privacy Platform (GPP) to perform browser-based opt-outs because it is a widely used industry standard. It relies on a cookie set in the consumer’s browser to communicate the opt-out signal to downstream recipients.

However, this is only a compliant way of handling opt-outs if those downstream recipients have agreed to honor the GPP standard. The easiest way to determine whether a vendor has agreed is to check whether it has signed the IAB’s Multi-State Privacy Agreement (MSPA). If it has not, you must check whether it has otherwise agreed in writing to honor the GPP standard (as Google has), or whether it offers an alternate opt-out method that you must implement instead.

View the IAB’s list of GPP participants