Data Processing Agreement Law in the United States
If you handle health data, children's data, financial data, or federal contract data, federal law requires a specific data processing agreement. There is no general federal requirement for other personal data. These sector-specific agreements must contain specific clauses, and parties remain liable for regulatory violations regardless of contract terms.
Do I need a data processing agreement?
A data processing agreement is legally required only when you process data covered by a specific federal framework. The requirement depends entirely on the type of data you handle.
| Data Type | Federal Framework | DPA Requirement |
|---|---|---|
| Protected Health Information (PHI) | HIPAA | Required: Business Associate Agreement (45 C.F.R. § 164.504(e)) |
| Children's personal information (under 13) | COPPA | Required: Written assurances from service providers (16 C.F.R. § 312.8) |
| Customer financial information | GLBA | Required: Contractual safeguards from service providers (16 C.F.R. § 314.4(f)) |
| Federal "system of records" data | Privacy Act (FAR) | Required: FAR Privacy Act clauses (48 C.F.R. § 24.104) |
| Other personal data | No comprehensive federal law | No general federal DPA requirement |
What happens if I don't have a required data processing agreement?
Disclosing covered data without the required contractual protections violates federal law and triggers regulatory enforcement.
- HIPAA: Disclosure of PHI without a compliant Business Associate Agreement violates the Privacy Rule (45 C.F.R. § 164.502(e)). The HHS Office for Civil Rights may impose civil monetary penalties.
- COPPA: Permitting a service provider to collect or maintain children's personal information without written assurances violates COPPA (16 C.F.R. § 312.8). The FTC may pursue civil penalties.
- GLBA: Failing to contractually require service providers to implement safeguards violates the GLBA Safeguards Rule (16 C.F.R. § 314.4(f)). The FTC enforces through Section 5 of the FTC Act.
- Privacy Act: Contracting for design, development, or operation of a federal system of records without the required FAR clauses violates federal acquisition regulations (48 C.F.R. § 24.104).
What must be in my data processing agreement?
Required clauses depend entirely on which federal framework applies to your data.
HIPAA Business Associate Agreements (Health Data)
Covered entities must execute a Business Associate Agreement before disclosing protected health information (PHI). The agreement must include (45 C.F.R. § 164.504(e)(2)):
| Required Element | Regulatory Citation |
|---|---|
| Permitted and required uses and disclosures of PHI | 45 C.F.R. § 164.504(e)(2)(i) |
| Prohibition on unauthorized use or disclosure | 45 C.F.R. § 164.504(e)(2)(ii)(A) |
| Safeguards for electronic PHI | 45 C.F.R. § 164.504(e)(2)(ii)(B) |
| Breach reporting to covered entity | 45 C.F.R. § 164.504(e)(2)(ii)(C) |
| Subcontractor flow-down obligations | 45 C.F.R. § 164.504(e)(2)(ii)(D) |
| Individual access, amendment, and accounting obligations | 45 C.F.R. § 164.504(e)(2)(ii)(E)-(G) |
| Compliance with covered entity's Privacy Rule obligations | 45 C.F.R. § 164.504(e)(2)(ii)(H) |
| Audit availability for HHS compliance reviews | 45 C.F.R. § 164.504(e)(2)(ii)(I) |
| Return or destruction of PHI upon termination | 45 C.F.R. § 164.504(e)(2)(ii)(J) |
| Termination right for material breach | 45 C.F.R. § 164.504(e)(2)(iii) |
Business associates must also ensure subcontractors handling electronic PHI comply with HIPAA Security Rule requirements through written contract or other arrangement (45 C.F.R. § 164.314(a)(2)(i)(B)).
COPPA Written Assurances (Children's Data)
Operators of websites or online services directed to children must obtain written assurances from service providers before permitting collection or maintenance of children's personal information. The assurances must commit the service provider to employ reasonable measures to maintain confidentiality, security, and integrity (16 C.F.R. § 312.8). Operators must also take reasonable steps to determine the service provider's capability to maintain these protections.
GLBA Service Provider Contracts (Financial Data)
Financial institutions must contractually require service providers to implement and maintain safeguards appropriate to the sensitivity of customer information (16 C.F.R. § 314.4(f)). Required safeguards include:
- Written risk assessment identifying internal and external risks (16 C.F.R. § 314.4(b))
- Access controls limiting users to necessary information (16 C.F.R. § 314.4(c)(1))
- Encryption in transit and at rest, or effective compensating controls (16 C.F.R. § 314.4(c)(3))
- Multi-factor authentication unless equivalent controls approved (16 C.F.R. § 314.4(c)(5))
- Secure disposal no later than two years after last use (16 C.F.R. § 314.4(c)(6)(i))
- Monitoring and logging of authorized user activity (16 C.F.R. § 314.4(c)(8))
- Annual penetration testing and semi-annual vulnerability assessments (16 C.F.R. § 314.4(d)(2))
- Written incident response plan (16 C.F.R. § 314.4(h))
GLBA Thresholds
| Requirement | Threshold | Citation |
|---|---|---|
| Small business exemption | Fewer than 5,000 consumers | 16 C.F.R. § 314.6 |
| FTC notification trigger | 500+ consumers affected | 16 C.F.R. § 314.4(j)(1) |
| Secure disposal deadline | 2 years after last use | 16 C.F.R. § 314.4(c)(6)(i) |
Upon discovering a notification event involving 500 or more consumers, institutions must notify the FTC within 30 days (16 C.F.R. § 314.4(j)(1)).
Privacy Act Federal Contract Clauses
Contracts requiring design, development, or operation of a federal "system of records on individuals" must include FAR 52.224-1 (Privacy Act Notification) and FAR 52.224-2 (Privacy Act) (48 C.F.R. § 24.104). These clauses apply only when the contract specifically identifies both the systems of records and the work to be performed (48 C.F.R. § 52.224-2). Contractors must flow down these clauses to all relevant subcontracts (48 C.F.R. § 52.224-2(a)(2)-(3)).
What can't I put in a data processing agreement?
Limitations on Regulatory Liability
No federal statute prohibits liability limitations in data processing agreements generally. However, regulatory liability persists regardless of contract terms:
- HHS may impose civil monetary penalties for HIPAA violations regardless of contractual limitations (45 C.F.R. § 160.402(c) establishes agency liability)
- The FTC enforces COPPA and GLBA through civil penalties independent of contract terms
- The TEFCA Common Agreement explicitly states its accountability sections "shall not be construed as a hold-harmless or indemnification provision"
Forum Selection and Choice-of-Law Clauses
Forum selection clauses are presumptively valid and enforceable under federal procedural law (Atlantic Marine Const. Co. v. U.S. Dist. Ct. for W. Dist. of Texas, 571 U.S. 49 (2013)), enforceable only under extraordinary circumstances such as fraud, undue influence, overweening bargaining power, or if enforcement would contravene a strong public policy of the forum state. When a transfer motion is based on a valid forum selection clause, the plaintiff's choice of forum merits no weight under federal procedural law (Atlantic Marine Const. Co. v. U.S. Dist. Ct., 571 U.S. 49 (2013)).
California Labor Code § 925 prohibits employers from requiring California-resident employees to litigate California-arising claims outside California or under non-California law. Whether this extends to CCPA-based claims in data processing contexts remains unconfirmed.
When do I need to sign a data processing agreement?
Timing Requirements
| Framework | Timing Requirement | Citation |
|---|---|---|
| HIPAA | BAA must be executed before PHI disclosure | 45 C.F.R. § 164.502(e) |
| COPPA | Written assurances must be obtained before permitting collection/maintenance | 16 C.F.R. § 312.8 |
| GLBA | Contractual safeguards required "by contract" — timing unspecified | 16 C.F.R. § 314.4(f) |
| Privacy Act | Clauses inserted at solicitation/contract execution | 48 C.F.R. § 24.104 |
Formal Requirements
- HIPAA: Written business associate agreement required (45 C.F.R. § 164.504(e))
- COPPA: Written assurances required (16 C.F.R. § 312.8)
- GLBA: Contractual safeguards required "by contract" (16 C.F.R. § 314.4(f))
- Federal contracts: FAR clauses mandated for solicitation and contract (48 C.F.R. § 24.104)
Reasonableness Standards
The FTC may act against companies for failing to maintain "reasonable and appropriate data security for consumers' personal information where that failure causes substantial consumer injury not outweighed by countervailing benefits."
Does my state require more than federal law?
The United States lacks a comprehensive federal data privacy statute. State comprehensive privacy laws impose additional obligations that federal law does not require.
| Item | Value in this jurisdiction | Federal Baseline |
|---|---|---|
| General DPA Requirement | Yes, under comprehensive privacy laws (e.g., CCPA/CPRA) | No, only sector-specific |
| Data Subject Rights | Know, delete, correct, opt-out, limit use | None under HIPAA, COPPA, GLBA |
| Processor Assistance Duties | Required to help controller fulfill rights | Not required under federal frameworks |
| Contract Terms | Specific clauses mandated by state law | Only sector-specific clauses required |
State comprehensive privacy laws—notably California's CCPA/CPRA, with counterparts in Virginia, Colorado, Connecticut, and other jurisdictions—impose additional obligations including data subject rights (know, delete, correct, opt-out), processor assistance duties, and specific contract terms.
For a comparison of state-specific requirements, see /law/documents/data-processing-agreement. For requirements in a specific state, see /law/state/[state]/documents/data-processing-agreement/rules.
Common Pitfalls in Drafting
Importing GDPR-Style Provisions
Drafters frequently err by importing EU GDPR provisions—such as data subject access request assistance obligations, data protection impact assessments, or standard contractual clauses for international transfers—as federally mandated terms. No federal statute requires GDPR-style processor assistance for data subject requests or SCCs for domestic data processing.
Inadequate Subcontractor Flow-Down
HIPAA's explicit subcontractor requirements (45 C.F.R. § 164.504(e)(2)(ii)(D), § 164.314(a)(2)(i)(B)) and the Privacy Act's flow-down mandates (48 C.F.R. § 52.224-2(a)(3)) create liability exposure when agreements fail to impose equivalent restrictions on downstream processors. Whether GLBA requires service providers to flow down obligations to their own subcontractors remains unconfirmed.
Mischaracterizing Damages from Data Breaches
In Silverpop Systems, Inc. v. Leading Market Technologies, Inc., 641 F. App'x 849 (11th Cir. 2016), the court held that a customer's claimed damages for data breach—lost sale value of an email list—constituted consequential damages barred by the agreement's limitation clause. The court also applied the economic loss doctrine to bar standalone negligence claims where the duty to protect data arose solely from contractual confidentiality provisions, not from an independent legal duty. The limitation provision survived agreement termination as a structural term.
Because the interaction between damages limitations and regulatory enforcement depends on your specific data type and contract structure, Ask Sawyer researches federal and state law to answer questions about your facts.
Privacy Act Scope Errors
Contractors handling personal data for federal agencies may overcomply by assuming all federal contracts trigger Privacy Act obligations. The clauses apply only when the contract specifically identifies both the systems of records and the design, development, or operation work (Koch v. Schapiro, 777 F. Supp. 2d 86 (D.D.C. 2011)).
Cross-Border Framework Confusion
Organizations self-certifying under the Data Privacy Framework must maintain compliance with DPF Principles, distinct from the Department of Justice's separate regime under 28 C.F.R. Part 202 restricting transfers to "countries of concern."
Key Compliance Deadlines
| Deadline | Requirement |
|---|---|
| May 13, 2024 | GLBA notification event reporting effective |
| April 8, 2025 | DOJ rule on countries of concern effective |
For fact-specific analysis of which federal framework applies to your data processing arrangement and what clauses your agreement must contain, Ask Sawyer researches actual law to answer questions about your facts.