Ask SawyerBETA

Data Processing Agreement Law in the United States

If you handle health data, children's data, financial data, or federal contract data, federal law requires a specific data processing agreement. There is no general federal requirement for other personal data. These sector-specific agreements must contain specific clauses, and parties remain liable for regulatory violations regardless of contract terms.

Do I need a data processing agreement?

A data processing agreement is legally required only when you process data covered by a specific federal framework. The requirement depends entirely on the type of data you handle.

Data Type Federal Framework DPA Requirement
Protected Health Information (PHI) HIPAA Required: Business Associate Agreement (45 C.F.R. § 164.504(e))
Children's personal information (under 13) COPPA Required: Written assurances from service providers (16 C.F.R. § 312.8)
Customer financial information GLBA Required: Contractual safeguards from service providers (16 C.F.R. § 314.4(f))
Federal "system of records" data Privacy Act (FAR) Required: FAR Privacy Act clauses (48 C.F.R. § 24.104)
Other personal data No comprehensive federal law No general federal DPA requirement

What happens if I don't have a required data processing agreement?

Disclosing covered data without the required contractual protections violates federal law and triggers regulatory enforcement.

What must be in my data processing agreement?

Required clauses depend entirely on which federal framework applies to your data.

HIPAA Business Associate Agreements (Health Data)

Covered entities must execute a Business Associate Agreement before disclosing protected health information (PHI). The agreement must include (45 C.F.R. § 164.504(e)(2)):

Required Element Regulatory Citation
Permitted and required uses and disclosures of PHI 45 C.F.R. § 164.504(e)(2)(i)
Prohibition on unauthorized use or disclosure 45 C.F.R. § 164.504(e)(2)(ii)(A)
Safeguards for electronic PHI 45 C.F.R. § 164.504(e)(2)(ii)(B)
Breach reporting to covered entity 45 C.F.R. § 164.504(e)(2)(ii)(C)
Subcontractor flow-down obligations 45 C.F.R. § 164.504(e)(2)(ii)(D)
Individual access, amendment, and accounting obligations 45 C.F.R. § 164.504(e)(2)(ii)(E)-(G)
Compliance with covered entity's Privacy Rule obligations 45 C.F.R. § 164.504(e)(2)(ii)(H)
Audit availability for HHS compliance reviews 45 C.F.R. § 164.504(e)(2)(ii)(I)
Return or destruction of PHI upon termination 45 C.F.R. § 164.504(e)(2)(ii)(J)
Termination right for material breach 45 C.F.R. § 164.504(e)(2)(iii)

Business associates must also ensure subcontractors handling electronic PHI comply with HIPAA Security Rule requirements through written contract or other arrangement (45 C.F.R. § 164.314(a)(2)(i)(B)).

COPPA Written Assurances (Children's Data)

Operators of websites or online services directed to children must obtain written assurances from service providers before permitting collection or maintenance of children's personal information. The assurances must commit the service provider to employ reasonable measures to maintain confidentiality, security, and integrity (16 C.F.R. § 312.8). Operators must also take reasonable steps to determine the service provider's capability to maintain these protections.

GLBA Service Provider Contracts (Financial Data)

Financial institutions must contractually require service providers to implement and maintain safeguards appropriate to the sensitivity of customer information (16 C.F.R. § 314.4(f)). Required safeguards include:

GLBA Thresholds

Requirement Threshold Citation
Small business exemption Fewer than 5,000 consumers 16 C.F.R. § 314.6
FTC notification trigger 500+ consumers affected 16 C.F.R. § 314.4(j)(1)
Secure disposal deadline 2 years after last use 16 C.F.R. § 314.4(c)(6)(i)

Upon discovering a notification event involving 500 or more consumers, institutions must notify the FTC within 30 days (16 C.F.R. § 314.4(j)(1)).

Privacy Act Federal Contract Clauses

Contracts requiring design, development, or operation of a federal "system of records on individuals" must include FAR 52.224-1 (Privacy Act Notification) and FAR 52.224-2 (Privacy Act) (48 C.F.R. § 24.104). These clauses apply only when the contract specifically identifies both the systems of records and the work to be performed (48 C.F.R. § 52.224-2). Contractors must flow down these clauses to all relevant subcontracts (48 C.F.R. § 52.224-2(a)(2)-(3)).

What can't I put in a data processing agreement?

Limitations on Regulatory Liability

No federal statute prohibits liability limitations in data processing agreements generally. However, regulatory liability persists regardless of contract terms:

Forum Selection and Choice-of-Law Clauses

Forum selection clauses are presumptively valid and enforceable under federal procedural law (Atlantic Marine Const. Co. v. U.S. Dist. Ct. for W. Dist. of Texas, 571 U.S. 49 (2013)), enforceable only under extraordinary circumstances such as fraud, undue influence, overweening bargaining power, or if enforcement would contravene a strong public policy of the forum state. When a transfer motion is based on a valid forum selection clause, the plaintiff's choice of forum merits no weight under federal procedural law (Atlantic Marine Const. Co. v. U.S. Dist. Ct., 571 U.S. 49 (2013)).

California Labor Code § 925 prohibits employers from requiring California-resident employees to litigate California-arising claims outside California or under non-California law. Whether this extends to CCPA-based claims in data processing contexts remains unconfirmed.

When do I need to sign a data processing agreement?

Timing Requirements

Framework Timing Requirement Citation
HIPAA BAA must be executed before PHI disclosure 45 C.F.R. § 164.502(e)
COPPA Written assurances must be obtained before permitting collection/maintenance 16 C.F.R. § 312.8
GLBA Contractual safeguards required "by contract" — timing unspecified 16 C.F.R. § 314.4(f)
Privacy Act Clauses inserted at solicitation/contract execution 48 C.F.R. § 24.104

Formal Requirements

Reasonableness Standards

The FTC may act against companies for failing to maintain "reasonable and appropriate data security for consumers' personal information where that failure causes substantial consumer injury not outweighed by countervailing benefits."

Does my state require more than federal law?

The United States lacks a comprehensive federal data privacy statute. State comprehensive privacy laws impose additional obligations that federal law does not require.

Item Value in this jurisdiction Federal Baseline
General DPA Requirement Yes, under comprehensive privacy laws (e.g., CCPA/CPRA) No, only sector-specific
Data Subject Rights Know, delete, correct, opt-out, limit use None under HIPAA, COPPA, GLBA
Processor Assistance Duties Required to help controller fulfill rights Not required under federal frameworks
Contract Terms Specific clauses mandated by state law Only sector-specific clauses required

State comprehensive privacy laws—notably California's CCPA/CPRA, with counterparts in Virginia, Colorado, Connecticut, and other jurisdictions—impose additional obligations including data subject rights (know, delete, correct, opt-out), processor assistance duties, and specific contract terms.

For a comparison of state-specific requirements, see /law/documents/data-processing-agreement. For requirements in a specific state, see /law/state/[state]/documents/data-processing-agreement/rules.

Common Pitfalls in Drafting

Importing GDPR-Style Provisions

Drafters frequently err by importing EU GDPR provisions—such as data subject access request assistance obligations, data protection impact assessments, or standard contractual clauses for international transfers—as federally mandated terms. No federal statute requires GDPR-style processor assistance for data subject requests or SCCs for domestic data processing.

Inadequate Subcontractor Flow-Down

HIPAA's explicit subcontractor requirements (45 C.F.R. § 164.504(e)(2)(ii)(D), § 164.314(a)(2)(i)(B)) and the Privacy Act's flow-down mandates (48 C.F.R. § 52.224-2(a)(3)) create liability exposure when agreements fail to impose equivalent restrictions on downstream processors. Whether GLBA requires service providers to flow down obligations to their own subcontractors remains unconfirmed.

Mischaracterizing Damages from Data Breaches

In Silverpop Systems, Inc. v. Leading Market Technologies, Inc., 641 F. App'x 849 (11th Cir. 2016), the court held that a customer's claimed damages for data breach—lost sale value of an email list—constituted consequential damages barred by the agreement's limitation clause. The court also applied the economic loss doctrine to bar standalone negligence claims where the duty to protect data arose solely from contractual confidentiality provisions, not from an independent legal duty. The limitation provision survived agreement termination as a structural term.

Because the interaction between damages limitations and regulatory enforcement depends on your specific data type and contract structure, Ask Sawyer researches federal and state law to answer questions about your facts.

Privacy Act Scope Errors

Contractors handling personal data for federal agencies may overcomply by assuming all federal contracts trigger Privacy Act obligations. The clauses apply only when the contract specifically identifies both the systems of records and the design, development, or operation work (Koch v. Schapiro, 777 F. Supp. 2d 86 (D.D.C. 2011)).

Cross-Border Framework Confusion

Organizations self-certifying under the Data Privacy Framework must maintain compliance with DPF Principles, distinct from the Department of Justice's separate regime under 28 C.F.R. Part 202 restricting transfers to "countries of concern."

Key Compliance Deadlines

Deadline Requirement
May 13, 2024 GLBA notification event reporting effective
April 8, 2025 DOJ rule on countries of concern effective

For fact-specific analysis of which federal framework applies to your data processing arrangement and what clauses your agreement must contain, Ask Sawyer researches actual law to answer questions about your facts.

Last reviewed: