Regulatory compliance, particularly in the data privacy realm, is a delicate balancing act for general counsel.
Not only does it require juggling international, domestic, and industry-specific data privacy and similar laws, but it also requires constant vigilance about new rulings.
It's no surprise, then, that 66% of general counsel expect industry regulations to cause their biggest legal challenges this year: the heavier the compliance burden gets, the harder it becomes to get a complete picture of compliance risks and exposure.
In this inaugural post of our quarterly “Conversation on Compliance” series, the spotlight is primarily on data privacy: what current or upcoming legislation general counsel should be watching, which contract clauses need to be adapted, and practical tips to maintain a proactive compliance strategy.
Compliance Challenges for 2022 Q3
Determining Which Industry-Specific Regulations Apply
Some federal regulations apply to all companies, while others may be more or less relevant to your business. This is why monitoring your industry's own regulatory environment is a critical step in the compliance process.
Examples of these industry-specific regulations include:
- Family Educational Rights and Privacy Act (FERPA) — protects the privacy of students' educational records, and applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
- Health Insurance Portability and Accountability Act (HIPAA) — protects individually identifiable health information (protected health information, or PHI) from being used or disclosed without the patient's authorization, and applies to covered entities (healthcare providers, health plans, and healthcare clearinghouses) and to the business associates that handle PHI on their behalf, including medical technology and software vendors.
- Gramm-Leach-Bliley Act (GLBA) — requires financial institutions — companies that offer financial products and/or services like loans, financial advice, or insurance — to explain how they share and protect consumers' sensitive data.
- Children's Online Privacy Protection Act (COPPA) — strictly limits the collection and use of personal information from children under 13, and applies to operators of websites or online services directed to children, as well as to operators with actual knowledge that they are collecting personal information from children under 13. Changes in enforcement may be on the horizon, too: the FTC has signaled that it intends to enforce this long-standing law more aggressively, with an emphasis on algorithms used by social media platforms that target young people.
Keeping Pace with International and Domestic Data Privacy Laws
From the General Data Protection Regulation (GDPR) to the California Consumer Privacy Act (CCPA), numerous high-profile data protection laws have emerged in recent years. The challenge now is keeping up with the amendments, procedural requirements, and deadlines that follow them.
Let's take a look at some of these recent changes:
- Schrems II ruling (GDPR) — since the Court of Justice of the EU invalidated the EU-US Privacy Shield in its 2020 Schrems II decision, there has been significant uncertainty and risk around transatlantic data transfers and GDPR compliance. General counsel now need a valid transfer mechanism in place, typically the European Commission's 2021 Standard Contractual Clauses (SCCs) incorporated into their data processing agreements (DPAs), with a documented transfer impact assessment for each transfer; contracts still relying on the old SCCs must be migrated by December 27, 2022. Companies operating in both regions must also understand the relationship between the separate UK GDPR, which has its own International Data Transfer Agreement, and the EU GDPR.
- China's Personal Information Protection Law (PIPL) — in 2021, China enacted a data privacy law broadly similar to the GDPR that affects almost every business operating in, or doing business with, China. The PIPL gives individuals rights to be informed about processing, to access and copy their data, to correct it, and to have it deleted. For cross-border transfers, a personal information handler must both satisfy one of the statutory transfer mechanisms (a security assessment by the Cyberspace Administration of China, a certification, or a CAC standard contract) and obtain the individual's separate consent to the transfer. For general counsel of companies already committed to satisfying the consumer-rights provisions of other privacy regulations, the PIPL won't be as daunting. However, because every cross-border transfer requires separate consent, processing and storing data outside China may still be challenging. At the time of writing, the Cyberspace Administration of China has not finalized a standard contract comparable to the GDPR's SCCs, so general counsel should expect one soon.
- Individual State Privacy Laws — ever since the CCPA took effect in 2020, state-level momentum for comprehensive data privacy laws has been at an all-time high. So far, five states (California, Virginia, Colorado, Utah, and most recently, Connecticut) have adopted comprehensive consumer privacy legislation, most of it taking effect during 2023, and more states are likely to follow in the absence of federal regulation. California's own law is changing as well: the California Privacy Rights Act (CPRA) amends the CCPA effective January 1, 2023. And even though most states lack laws as comprehensive as the CCPA, all 50 states have at least one privacy-related law, in particular a data breach notification statute, each with its own definitions, triggers, and deadlines. Businesses should therefore pay close attention to every state whose residents' data they hold, even if they have no physical presence there.
- American Data Privacy and Protection Act (ADPPA) — a bipartisan bill introduced in Congress in June 2022 that, if passed, would become the United States' first comprehensive federal privacy law. It would grant individuals rights to access, correct, delete, and port their data and to opt out of certain uses, impose data minimization obligations on covered entities, and preempt most state privacy laws. Congress may well not act on it in 2022, with mid-term elections approaching, but businesses should be proactive and start thinking about how they would comply.
Beyond Privacy: COVID-19’s Lingering Effects
As COVID-19 restrictions recede and remote employees head back to the office, questions still surround return-to-workplace protocols, and federal, state, and local requirements may differ. If you operate in multiple states, work through these questions carefully: How are we going to reopen? What will our requirements be in each state we operate in? Do we need to require masks, testing, or vaccination?
Employee comfort is another factor to consider. Your employees may have different expectations in the workplace; some may prefer commuting or need the designated workspace, others may not. Before heading back, get a sense of how your employees feel to determine how you can create a comfortable working environment that accommodates their needs.
How Will Regulatory Compliance Challenges Affect Contracts?
The key to keeping up with the ever-evolving regulatory landscape is agile, proactive contract management. This not only means staying one step ahead of emerging legislation, but also adapting your standard contract clauses to remain in compliance.
While it's a good idea to analyze all of your contract language, we recommend paying close attention to the following clauses and related questions:
- Force Majeure — is it mutual? Is termination permitted? Can payment be delayed?
- Limitation of Liability — is it tied to a fixed dollar amount and/or a multiple of fees paid? What kind of damages are excluded? Is the clause superseded by a clause in another document, like a DPA or BAA?
- Indemnification — is this just for IP infringement claims by third parties or more? Is it “defend and pay” or “hold harmless”? What options do you have to limit damages/liability?
- Intellectual Property Rights (Feedback & Residuals) — do you have rights in residuals just during implementation and/or for custom work, or for everything during the life of the contract? Is feedback separate from residuals, or should it be documented in a separate "feedback agreement," perhaps in exchange for something of value?
- Warranty — what are you providing warranties for? What is excluded, and are any warranties tied directly to indemnification and/or limitation of liability?
- Term and Termination — what obligations do you and/or your customer have at termination? What aspects of termination, e.g. termination "for convenience," impact revenue recognition?
- Assignment — what are the requirements and exceptions? What are the tax implications of cross-border assignments?
3 Practical Compliance Tips for General Counsel
Train Issue-Spotters
Your colleagues are one of your best defenses against cyberattacks and data breaches: they see questionable data requests, unusual handling of personal information, and suspicious messages long before any of it reaches legal.
Invite and encourage team members across departments to get invested in compliance and become "issue-spotters." Host seminars, conduct training, provide employee onboarding sessions, and emphasize that data privacy is a company-wide concern, not just a legal concern.
Also, give issue-spotters an easy way to report concerns, such as a designated compliance mailbox, so that reports can be vetted and resolved quickly. Make sure that channel feeds into your incident response process as well: under the GDPR and most state breach laws, the notification clock starts when the company discovers a breach, not when legal first hears about it. With more eyes on deadlines, emerging laws, and potential data privacy breaches, you create more safeguards for your company and ease the burden on legal.
Invest in Contract Lifecycle Management Software
If tracking deadlines, analyzing risks across contracts, and reporting are your toughest compliance challenges, there's a solution for you: intelligent contract lifecycle management (CLM) software.
With the right CLM tool, you can create attributes for specific clauses — e.g. limitation of liability, assignment, etc. — and search those terms across all of your contracts. It's not only a faster, more convenient way to analyze risk and ensure consistency across your contracts, but it also makes for simpler reporting: instead of maintaining a separate spreadsheet or external file, you can search for a specific term, download the results, and present them to leadership or compliance stakeholders.
Update Your Policies and Procedures
When it comes to compliance, half of the equation is having — and following — the right policy. Review your policies at least annually, and whenever a law that affects you changes, to ensure they still comply, and answer these questions:
- What are our current policies and procedures?
- Who is responsible for what?
- How will the company operationalize this policy?
- What kind of staff training and education can we provide to keep our company current on changing regulations?
Looking at the road ahead, there are numerous developments that general counsel will need to monitor and adapt to. Stay tuned for our next quarterly installment of “Conversation on Compliance” and, in the meantime, check out our blog for more contract management trends and tips.