Privacy Policy v. Data Processing Agreement: What’s the Difference & When You Need Them

Michelle Ma
September 6, 2024

Contracts

In my prior post, I discussed Privacy Policies and when they’re needed. In B2B SaaS products, customers often sign a Terms of Service that incorporates a Privacy Policy into the agreement. However, it’s not always clear to startups when a Privacy Policy is needed, when a Data Processing Agreement (DPA) is appropriate, or when both are required. In today’s post, I draw the distinction between these two contracts and describe when each is necessary.

The Difference Between Privacy Policies and DPAs

Privacy Policies are public-facing legal contracts posted on apps and websites informing users of the company’s data practices. They describe what data is collected, how it is used, with whom it is shared, and what rights users have. For a B2B product the customer may be a business, with the end users being that business’s employees or contractors; for a B2C product the customer is an individual consumer. The purpose of a Privacy Policy is to inform users of a website or online service of the company’s data practices so that they can make an informed decision about using that website or service.

In contrast, a Data Processing Agreement is a contract between two businesses: the data controller and, most often, the data processor. The data controller is the company that provides the data and determines why and how the data is processed. The data processor is the company that processes the data at the request of the controller, and is often the service provider. DPAs are designed to comply with data protection laws such as GDPR and CCPA; they outline how personal data will be processed and the responsibilities of each company, and they are confidential agreements between the companies rather than public documents.

When You Need Them

Some countries’ and regions’ privacy laws require website owners to post a privacy policy to protect the personal information of their citizens. Similarly, certain regulations such as the GDPR require a DPA between two entities when one entity is processing data on behalf of a controller. Which regulations apply can depend on the geographic region where a company does business, the region where its users reside, and the company’s industry. A general rule of thumb is that any website or online service that is publicly accessible and collects personal or tracking information should have a Privacy Policy. And any business that processes personal data or personal information on behalf of another business as part of their business relationship should have a Data Processing Agreement in place. B2B SaaS businesses will often need both a Privacy Policy and a DPA: the former to cover data collection via their website, the latter to cover data processing on behalf of their customers.

To fully understand your privacy compliance obligations, it’s best to speak to an attorney well versed in privacy laws who can help you implement best practices internally as well as get these documents in place.