Joint Data Controller Agreement Template for the United States

Generate a bespoke document

Trusted by 200k+ teams

4.7 Capterra
4.8 Product Hunt
4.6 Trustpilot

What is a Joint Data Controller Agreement?

The Joint Data Controller Agreement is essential when two or more organizations jointly determine how personal data will be processed. This document is particularly important in the United States, where multiple federal and state privacy laws may apply. The agreement defines each party's obligations regarding data protection, security measures, and compliance with applicable regulations. It should be used whenever organizations share decision-making authority over data processing activities, ensuring clear allocation of responsibilities and liability.

Reviewed by

Swetha Meenal

Legal Engineer, GenieAI

Swetha Meenal profile photo

A lawyer, legal researcher and legal tech founder, Swetha has built AI products deployed inside Tier 1 firms and enterprises. She ensures GenieAI's alignment with the latest regulation and executes testing on the legal robustness of Genie output.

Reviewed by

Imad Mohammed Nazar

Legal Engineer, GenieAI

Imad Mohammed Nazar profile photo

A Skadden-trained M&A lawyer, Imad advised on cross-border transactions and contractual risk before moving into legal AI. He reviews GenieAI's output for compliance and enforceability across our 150+ supported jurisdictions, as well as facilitating external benchmarking.

Jurisdiction

United States

Publisher

GenieAI

Sector

Business

Cost

Free to use

Last updated

About the Joint Data Controller Agreement

A Joint Data Controller Agreement is a critical legal document that establishes the framework when two or more organizations share responsibility for determining how personal data is processed. Under United States privacy law, this agreement becomes essential whenever multiple parties jointly make decisions about data collection, processing purposes, or security measures. The document ensures compliance with federal regulations while clearly defining each party's obligations and liabilities.

When do you need this document?

You need a Joint Data Controller Agreement whenever your organization collaborates with other entities on data processing activities where both parties have decision-making authority. This commonly occurs in business partnerships, joint ventures, research collaborations, or shared marketing initiatives. Healthcare organizations sharing patient data under HIPAA, financial institutions collaborating under GLBA requirements, or companies conducting joint market research all require this agreement. The document is also essential when multiple organizations share customer databases, conduct joint analytics projects, or participate in data-sharing consortiums.

Key legal considerations

The agreement must clearly delineate each controller's specific responsibilities to avoid legal gaps and compliance failures. Key provisions include data subject rights procedures, ensuring individuals can exercise their privacy rights regardless of which controller they contact. Security obligations must be detailed, specifying technical and organizational safeguards each party must implement. Liability allocation clauses are crucial, determining which party bears responsibility for different types of data breaches or regulatory violations. The agreement should address data retention periods, deletion procedures, and protocols for handling regulatory investigations. Cross-border data transfer provisions become important if any controller operates internationally, requiring additional safeguards for data leaving the United States.

Legal requirements in United States

Under the FTC Act Section 5, controllers must avoid unfair or deceptive data practices, making transparency and accuracy obligations paramount in joint processing arrangements. HIPAA-covered entities must ensure business associate agreements complement joint controller arrangements when health information is involved. Financial institutions subject to GLBA must maintain privacy notice consistency and safeguarding requirements across all controlling parties. COPPA compliance becomes complex in joint arrangements involving children's data, requiring coordinated parental consent procedures. State privacy laws like the California Consumer Privacy Act (CCPA) and Virginia Consumer Data Protection Act add additional compliance layers, requiring the agreement to address varying state-specific requirements. The document must establish clear procedures for regulatory reporting, breach notifications, and cooperation with enforcement authorities across multiple jurisdictions.

GOVERNING LAW

Applicable law

This Joint Data Controller Agreement is drafted to comply with United States law. Key legislation includes:

FTC Act: Federal Trade Commission Act, particularly Section 5, which governs unfair or deceptive practices and establishes FTC's privacy and data security enforcement authority

HIPAA: Health Insurance Portability and Accountability Act - Federal law governing protection of medical information and health data

GLBA: Gramm-Leach-Bliley Act - Federal law governing the protection of financial data and privacy obligations for financial institutions

FCRA: Fair Credit Reporting Act - Federal law regulating the collection, dissemination, and use of consumer credit information

COPPA: Children's Online Privacy Protection Act - Federal law governing the collection and use of personal information from children under 13

FERPA: Family Educational Rights and Privacy Act - Federal law protecting the privacy of student education records

CCPA/CPRA: California Consumer Privacy Act/California Privacy Rights Act - Comprehensive state privacy laws providing California residents with data privacy rights

VCDPA: Virginia Consumer Data Protection Act - Comprehensive privacy law providing Virginia residents with data protection rights

CPA: Colorado Privacy Act - State law establishing privacy rights for Colorado residents and obligations for businesses processing their personal data

CTDPA: Connecticut Data Privacy Act - State law providing privacy protections and rights for Connecticut residents

UCPA: Utah Consumer Privacy Act - State privacy law establishing data protection requirements and consumer rights in Utah

State Breach Laws: Various state-specific data breach notification laws requiring notification of affected individuals in case of data breaches

GDPR Considerations: General Data Protection Regulation implications if EU residents' data is processed, organizations have EU operations, or services are offered to EU residents

Controller Responsibilities: Definition of roles and responsibilities of each joint controller in data processing activities

Data Sharing Framework: Specific arrangements and protocols for sharing data between joint controllers

Security Measures: Required technical and organizational security measures to protect shared data

Data Subject Rights Management: Procedures for handling data subject requests and exercising of privacy rights

Breach Notification Procedures: Protocols for handling and reporting data breaches, including timeline and responsibility allocation

Liability Allocation: Clear definition of how liability is distributed between joint controllers in case of non-compliance or data incidents

Compliance Documentation: Requirements for maintaining records of processing activities and demonstrating compliance with applicable laws

Genie's Security Promise

Genie is the safest place to draft. Here's how we prioritise your privacy and security.

Your data is private:

We do not train on your data; Genie's AI improves independently

All data stored on Genie is private to your organisation

Your documents are protected:

Your documents are protected by ultra-secure 256-bit encryption

We are ISO27001 certified, so your data is secure

Organizational security:

You retain IP ownership of your documents and their information

You have full control over your data and who gets to see it