Q: What privacy laws apply to any “personal information” I receive?
A: Although the following language may seem standard, it creates a very high bar for you to meet your contractual obligations:
“The Receiving Party will collect, use, store, disclose, dispose of, provide access to and otherwise handle Personal Information received, collected or accessible to the Receiving Party hereunder in accordance with all privacy laws applicable to such information.”
If some of the information you receive is personal information of an EU citizen, for example, you will then be required to be compliant as per Europe’s General Data Protection Regulation (GDPR), which has famously high standards. The cost of compliance might not be an amount you had originally contemplated.
As NDAs are typically signed early on in the contemplation of a business relationship to give parties the confidence they need to proceed with the transaction, this point will usually be negotiated later on in larger agreements that will supersede the NDA (such as a Master Services Agreement or MSA).
Q: Who is responsible for ensuring compliance with privacy laws?
A: There may be a positive obligation placed upon you to preserve personal information and confirm that you are compliant. It may be worthwhile to confirm that your practices are indeed compliant through your own audit. Keep an eye out for language such as the following, which may create a right for the counterparty to audit your business practices:
“[counterparty] or a third party authorized by it may, during normal business hours, from time to time on prior written notice, enter upon any premises of Company at which Personal Information is stored or used and audit the procedures, processes and information pertaining to Company’s compliance with this Agreement”.
Q: What is my jurisdiction, and what effect will it have on my agreement?
“All rights and obligations hereunder will be governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein, without regard to conflicts of law provisions of such jurisdictions.”
When conducting business with parties from out of province or out of the country, it is generally preferable to choose your home jurisdiction if possible. This can reduce costs and ensure that your local lawyer is qualified to give you advice on your agreement. Ultimately, this will help parties determine the outcome for procedural matters and legal issues that may arise between them.
As an additional note, if your website is purely informational, and does not actually collect, handle, store, or distribute information about users, then your main concern would be to simply inform users that third parties (e.g. Google) may be using cookies on your site, which you do not have control over.
You may wish to consult with counsel to determine what the best course of action is for your business.
Q: What is a digital distributor and how does it affect my agreement?
A: If you are offering your services through an app hosted on a “digital distribution platform” such as the App Store, Google Play Store, or Microsoft Store (to name a few), users will often need to agree to those platforms’ own TOUs and Privacy Policies, which may contain provisions that allow your app to access user data collected by the digital distributor.
In addition, digital distributors may mandate certain clauses be included within the privacy policies and TOUs of apps listed on their platform. These can affect the manner in which user data is collected, handled, stored and distributed.
If you are not, and do not intend to be, listed on a digital distribution platform, you may wish to consult counsel to tailor the terms of your agreement to your needs.
Q: Can formatting your document increase how enforceable it is?