Data Controller DPA Template for the United States
What is a Data Controller DPA?
The Data Controller DPA is essential when organizations share personal data for processing purposes in the United States. This agreement is particularly crucial given the complex landscape of US privacy laws, including state-specific regulations like CCPA and federal requirements. The Data Controller DPA defines critical aspects such as data handling procedures, security requirements, breach notifications, and compliance obligations. It's particularly important for organizations processing sensitive data or operating across multiple jurisdictions, and should be updated regularly to reflect evolving privacy regulations.
Frequently Asked Questions
Is a Data Controller DPA legally binding under US privacy laws?
Yes, a Data Controller DPA is legally binding in the United States when properly executed between parties. Under CCPA/CPRA, FTC Act Section 5, and sector-specific regulations like HIPAA, these agreements create enforceable contractual obligations for data handling, security measures, and breach notification procedures. Failure to comply can result in regulatory penalties and breach of contract claims.
What are the consequences of operating without a Data Controller DPA in the United States?
Operating without a proper DPA exposes both parties to significant regulatory and legal risks under US privacy law. You may face CCPA/CPRA penalties up to $7,500 per violation, FTC enforcement actions for unfair practices, and potential HIPAA sanctions if handling health data. Additionally, you lose contractual protections for liability allocation and breach response procedures.
Which US privacy laws require Data Controller DPAs?
CCPA/CPRA explicitly requires contracts between businesses and service providers handling personal information, with specific mandatory clauses. While HIPAA requires Business Associate Agreements for covered entities, general data processing often falls under FTC Act Section 5 unfair practices standards. Many state privacy laws like Virginia CDPA and Connecticut CTDPA also mandate similar contractual protections.
How is a Data Controller DPA different from a Business Associate Agreement under HIPAA?
A Data Controller DPA covers general personal information under laws like CCPA/CPRA and FTC Act requirements, while a Business Associate Agreement specifically governs protected health information under HIPAA. BAAs have stricter security requirements and breach notification timelines, whereas DPAs focus more broadly on consumer privacy rights and data handling obligations across various data types.
How long does it typically take to negotiate a Data Controller DPA?
Negotiating a Data Controller DPA typically takes 2-6 weeks depending on the complexity of data processing activities and parties' risk tolerance. Simple processing arrangements may be finalized in 1-2 weeks, while complex multi-jurisdictional arrangements involving sensitive data categories can take 2-3 months. Legal review and compliance verification with CCPA/CPRA requirements often extends timelines.
What are the most common mistakes in US Data Controller DPAs?
Common mistakes include failing to include CCPA/CPRA mandatory contract provisions, inadequate data breach notification procedures, unclear liability allocation between controller and processor, and missing specific security requirements. Many agreements also fail to address cross-border data transfers, data retention periods, and audit rights required under various US privacy regulations.
Can a Data Controller DPA protect my business from CCPA compliance violations?
A properly drafted DPA provides significant protection by clearly defining each party's compliance responsibilities under CCPA/CPRA and other US privacy laws. However, it does not eliminate liability entirely: both controllers and processors remain independently responsible for their respective obligations. The agreement primarily helps allocate risks, establish breach procedures, and demonstrate good faith compliance efforts to regulators.
About the Data Controller DPA
When your organization shares personal data with third-party processors in the United States, you need a comprehensive Data Processing Agreement (DPA) to establish clear legal responsibilities and ensure compliance with applicable privacy laws. This agreement serves as the cornerstone of your data protection strategy, defining how personal information is handled, secured, and protected throughout the processing relationship.
When do you need this document?
You require a Data Controller DPA whenever you engage a third party to process personal data on your behalf. This includes relationships with cloud service providers, marketing agencies, payroll processors, customer support vendors, and IT service companies. The agreement is particularly critical if you're subject to California's CCPA/CPRA requirements, handle financial data under GLBA regulations, or process healthcare information governed by HIPAA. Organizations operating across multiple states need robust DPAs to address varying state privacy laws, while companies serving EU residents must incorporate GDPR compliance provisions even within US-based processing arrangements.
Key legal considerations
Your DPA must clearly define the scope and purpose of data processing, ensuring processors only handle data for specified business purposes. Include detailed security requirements covering technical and organizational measures, data encryption standards, and access controls. Establish comprehensive breach notification procedures that meet both federal and state-specific timelines, typically requiring notification within 72 hours of discovery. Address data subject rights provisions, particularly for California residents under CCPA/CPRA, including rights to deletion, correction, and data portability. Include audit rights allowing you to verify processor compliance, and establish clear data retention and deletion schedules. Liability allocation clauses should address potential regulatory fines and breach-related damages.
Legal requirements in the United States
US data processing agreements must comply with a complex web of federal and state regulations. The CCPA and CPRA set the de facto national standard, requiring specific contractual provisions for service providers including restrictions on data use, retention limitations, and consumer rights implementation. FTC Act Section 5 mandates reasonable data security measures and prohibits deceptive privacy practices, making security provisions legally enforceable. Sector-specific laws impose additional requirements: GLBA demands safeguards for financial information and customer notification procedures, while HIPAA requires business associate agreements with specific administrative, physical, and technical safeguards for protected health information. Many states have enacted their own privacy laws with unique requirements, such as Virginia's Consumer Data Protection Act and Colorado's Privacy Act, necessitating state-specific compliance provisions in your DPA.
Governing law
Applicable law
This Data Controller DPA is drafted to comply with United States law. Key legislation includes: