Data Processing Agreements Under US State Privacy Laws: What Your Vendor Contracts Need in 2026
Why Your Vendor Contracts Need a Data Processing Agreement
Every US state privacy law requires businesses that share personal data with third-party vendors to have a written contract governing how that data is handled. These contracts are called data processing agreements (DPAs), and they are not optional — they are a legal requirement.
The logic is straightforward: when you share your customers’ personal information with a vendor (a payment processor, an email marketing platform, a cloud hosting provider, an analytics tool), you remain responsible for ensuring that data is protected. A DPA establishes the rules your vendor must follow.
If you operate in multiple states, you need DPAs that satisfy the requirements of every applicable law. And the requirements are not identical — California’s CCPA uses different terminology and has different requirements than Virginia’s VCDPA or Colorado’s CPA.
Controller vs. Processor: Understanding the Roles
Before diving into DPA requirements, you need to understand two key roles that appear in every state privacy law:
- Controller (or "business" under CCPA) — The entity that determines why and how personal data is processed. This is typically your company.
- Processor (or "service provider" / "contractor" under CCPA) — The entity that processes data on behalf of the controller. This is typically your vendor.
The DPA governs the relationship between these two parties. It specifies what the processor can and cannot do with the personal data you share with them.
California’s Unique Terminology
California does not use the terms "controller" and "processor." Instead, the CCPA distinguishes between:
- Businesses — Equivalent to controllers
- Service providers — Process data on behalf of a business under a written contract, and may not sell or share the data
- Contractors — Also process data under contract, but with different contractual requirements than service providers
- Third parties — Receive data for their own purposes (not under DPA protection)
This distinction matters because the classification of your vendor determines what contractual protections are required and what the vendor can do with the data. See our CCPA compliance checklist for more on California-specific requirements.
What Every DPA Must Include: Core Requirements
While requirements vary by state, there is significant overlap. Here are the provisions that appear across most or all state privacy laws:
1. Clear Instructions on Data Processing
The DPA must specify exactly what the processor is authorized to do with the data. This includes the categories of data being processed, the purposes of processing, and the duration of the processing relationship. The processor should not process data beyond what is specified in the agreement.
2. Confidentiality Obligations
The processor must ensure that all persons authorized to process the personal data are bound by confidentiality obligations. This applies to the vendor’s employees, contractors, and any other personnel with access to the data.
3. Data Security Requirements
The processor must implement appropriate technical and organizational security measures to protect the data. Most state laws require measures that are "appropriate to the nature of the data" and the risks of processing. At minimum, this should cover encryption, access controls, incident response procedures, and regular security assessments.
4. Subprocessor Management
If your vendor uses subprocessors (their own vendors), the DPA must address this. Most states require the processor to obtain the controller’s consent before engaging subprocessors and to impose the same data protection obligations on them through a written contract.
5. Audit Rights
Several state laws require that the controller has the right to audit the processor’s compliance with the DPA. This can include the right to inspect, assess, or require the processor to arrange an independent audit. Virginia, Colorado, and Connecticut explicitly require audit provisions.
6. Assistance with Consumer Rights Requests
When a consumer exercises their rights (access, deletion, correction, portability), the processor must assist the controller in fulfilling those requests. The DPA should specify how this cooperation works, including response timelines and technical mechanisms.
7. Data Return or Deletion at Termination
When the contract ends, the processor must either return the data to the controller or delete it, at the controller’s direction. This prevents vendors from retaining your customers’ data after the business relationship ends.
8. Breach Notification
The processor must notify the controller of any data breach without unreasonable delay. The DPA should specify notification timelines, what information must be included in the notification, and any assistance the processor must provide in responding to the breach.
How DPA Requirements Differ by State
| Requirement | California (CCPA) | Virginia (VCDPA) | Colorado (CPA) | Texas (TDPSA) | Maryland (MODPA) |
|---|---|---|---|---|---|
| Written contract required | Yes | Yes | Yes | Yes | Yes |
| Purpose limitation | Yes — processing only as specified in the business purpose | Yes | Yes | Yes | Yes — stricter data minimization requirements |
| Confidentiality | Yes | Yes | Yes | Yes | Yes |
| Subprocessor consent | Implied | Yes — written consent | Yes — written consent | Yes | Yes |
| Audit rights | Not explicitly required | Yes — assessments available | Yes | Yes | Yes |
| DSAR assistance | Yes | Yes | Yes | Yes | Yes |
| Data deletion at termination | Yes — delete or return | Yes — delete or return | Yes — delete or return | Yes | Yes |
| Breach notification | Required by separate breach law | Yes | Yes | Yes | Yes |
| Sensitive data restrictions | Opt-out required for sale/sharing | Opt-in consent required | Opt-in consent required | Opt-in consent required | Strong restrictions — no sale of sensitive data |
Use our state comparison tool to see the full differences across all 21 state laws.
CCPA Service Provider Agreements vs. VCDPA-Style Processor Agreements
There is an important structural difference between how California and most other states approach vendor contracts:
California (CCPA) requires that service providers and contractors agree in their contract not to sell or share the personal information, not to retain, use, or disclose the information for any purpose other than the business purpose specified in the contract, and to comply with the CCPA’s obligations. The contract must also prohibit the service provider from combining the personal information with data obtained from other sources (with limited exceptions).
VCDPA-style states (Virginia, Colorado, Connecticut, and most other states) follow a GDPR-inspired model where the processor must act only on the controller’s documented instructions, the contract must specify the nature and purpose of processing, and the controller retains the right to audit or assess compliance.
The practical difference: California focuses on what the vendor cannot do (restrictions-based), while other states focus on what the vendor must do (obligations-based). A well-drafted DPA should cover both approaches to ensure multi-state compliance.
10-Point DPA Compliance Checklist
Use this checklist to evaluate whether your vendor contracts meet state privacy law requirements:
- Written contract exists — Verify that every vendor processing personal data has a signed, written agreement in place.
- Processing scope defined — The contract clearly states what data is being processed, for what purposes, and for how long.
- Purpose limitation included — The vendor is prohibited from using the data for any purpose beyond what is specified in the contract.
- Confidentiality obligations — All vendor personnel with data access are bound by confidentiality requirements.
- Security measures specified — The contract requires appropriate technical and organizational security measures, with specifics where possible.
- Subprocessor controls — The contract requires your consent before the vendor can share data with its own subprocessors, and requires subprocessors to be bound by equivalent protections.
- Audit or assessment rights — You have the right to verify the vendor’s compliance, either through direct audit or independent assessment reports.
- DSAR cooperation — The vendor must assist you in responding to consumer data requests (access, deletion, correction, portability) within the legally required timeframes.
- Data return/deletion at termination — The contract specifies that data will be returned or securely deleted when the relationship ends.
- Breach notification — The vendor must notify you promptly (within a specific timeframe) of any security incident affecting your data, with enough detail for you to comply with breach notification laws.
Common DPA Mistakes to Avoid
- Using a single-state template — A DPA that only addresses CCPA requirements will not satisfy Virginia or Colorado obligations. Build your DPA to meet the highest standard across all applicable states.
- Forgetting subprocessors — Many businesses sign a DPA with their vendor but fail to address the vendor’s own subprocessors. Data flows downstream, and your obligations follow.
- Not updating existing contracts — Contracts signed before 2023 likely do not reflect current state privacy law requirements. Conduct a contract audit and update legacy agreements.
- Missing DSAR assistance provisions — If a consumer requests deletion and your vendor cannot support that request, you are in violation. Ensure your DPA includes specific technical and procedural commitments for DSAR support.
- No breach notification timeline — Simply requiring "prompt" notification is insufficient. Specify a timeframe (24-72 hours is common) and require specific details in the notification. See our breach notification guide for state-specific requirements.
- Ignoring data minimization — Your DPA should limit the vendor to processing only the minimum personal data necessary for the specified purpose. This aligns with the data minimization requirements in states like Maryland and Minnesota.
Frequently Asked Questions
Do I need a separate DPA for every vendor?
You need a written agreement with every vendor that processes personal data on your behalf. This does not need to be a standalone document — many businesses include DPA provisions as an addendum or exhibit to their main service agreement. However, the privacy-specific provisions must be clearly documented regardless of format.
What is the difference between a DPA and a privacy policy?
A privacy policy is a public-facing document that tells consumers how your business collects, uses, and shares their data. A DPA is a business-to-business contract between you (the controller) and your vendor (the processor) that governs how the vendor handles data you share with them. You need both — the privacy policy for your customers and DPAs for your vendors.
Does every state require audit rights in the DPA?
Not explicitly. California’s CCPA does not require formal audit provisions in service provider agreements, though it does require the business to take reasonable steps to ensure the service provider complies. Most other states (Virginia, Colorado, Connecticut, Texas, Oregon, and others) explicitly require that the controller have the right to assess the processor’s compliance. As a best practice, include audit provisions in every DPA regardless of state.
Can my vendor use the personal data I share for their own purposes?
Generally, no. Under most state laws, a processor may process data only according to the controller’s instructions and for the purposes specified in the DPA. Under California’s CCPA, service providers are explicitly prohibited from using the data for purposes other than the business purpose specified in the contract. If a vendor uses the data for its own purposes (such as building its own products or profiles), it may be reclassified as a "third party" rather than a processor, which has significant legal implications, including a potential violation of the law.
How often should I review my DPAs?
Review your DPAs at least annually, and whenever a new state privacy law takes effect or an existing law is amended. With new state laws activating regularly (Indiana, Kentucky, and Rhode Island became effective in 2026, and more are coming), annual reviews ensure your contracts remain current. Also review whenever you significantly change your data practices or when a vendor changes their subprocessors. Use our Privacy Law Calculator to stay current on which laws apply to your business.
Last updated: March 29, 2026.

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.