Meredith Halama, Beatrice Botti, Kal Dhinsa
2018 brought a wave of attention to data processor relationships, including diligence, DPAs, and audits as companies sought to bring their operations into compliance with Art 28 of the GDPR. Four years later, five states now have a concept of working with processors/service providers baked into their laws. One of those states, California, imposes a litany of requirements for service provider contracts as well as diligence and ongoing oversight obligations. What is more, California law introduces a new concept of “contractors” and imposes substantial obligations for contracts governing disclosures of personal information to “third parties” — an entirely new concept under US law and an area where the law goes beyond the requirements of the GDPR. These third party contract obligations will have substantial impact on marketing and ad tech relationships in particular. In this panel, with insights from outside and in-house counsel as well as a seasoned CISO, we will break down the differences between service providers/processors, contractors, and third parties/independent controllers and evaluate considerations for working with each from a both a technical and legal perspective.
Meredith Halama, Partner, Perkins Coie
Beatrice Botti, VP, Global Data & Privacy Officer, DoubleVerify
Kal Dhinsa, Chief Information Security Officer, NDVR