Requirements for Data Processor Audits Under State Data Privacy Laws
Key Takeaways: Data privacy laws in 16 states require data processors to allow for assessments of their data processing policies and procedures either by data controllers or independent assessors. Koley Jessen can conduct independent assessments for processors and can act as designated assessors for controllers.
Background: Increase in Comprehensive State Data Privacy Laws
Over the past several years, 20 states have enacted comprehensive data privacy statutes, and more states are likely to follow suit in the near future.
As of January 2025, the following states have data privacy laws in effect: California, Colorado, Connecticut, Utah, Virginia, Oregon, Florida, Texas, Montana, Nebraska, New Hampshire, Delaware, Iowa, and New Jersey. In the latter half of 2025, additional data privacy laws will go into effect in Tennessee, Minnesota, and Maryland, with Kentucky, Indiana, and Rhode Island following in 2026.
Data Privacy Laws Allow Businesses to Conduct Assessments of Their Data Processors
Under state data privacy laws, a data controller is an entity that determines the purposes and means of processing a consumer’s personal information. A data processor is a third party that is distinct from the data controller and that processes personal information on behalf of the controller. All current and upcoming state data privacy laws require that processors and controllers enter into a binding contract that clearly sets forth instructions, policies, and procedures with regard to the personal data that the processor will process on behalf of the controller.
The majority of state data privacy laws also require that processors, at the controller’s request, allow for an assessment of their policies as well as their technical and organizational framework in order to ensure that they are in compliance with the controller's requirements and the processor’s obligations under the state law. Currently, only Utah, Iowa, and California do not include this assessment requirement.
How Can Businesses Conduct These Assessments?
The state laws provide two methods for conducting processor assessments:
- The processor can allow the controller or the controller’s designated assessor to conduct reasonable assessments of the processor’s policies and technical and organizational measures.
- As an alternative, the processor may arrange for a qualified and independent assessor to conduct the assessment and the processor may then provide a report of the assessment to the controller upon request.
All of the state data privacy laws that require processor assessments allow for either option. For example, the Colorado Privacy Act (“CPA”) provides that in lieu of reasonable audits and inspections by the controller or the controller’s auditor, the processor, with the controller’s consent, may arrange for an independent contractor to conduct an audit of the processor's policies and technical and organizational measures in support of the obligations under the CPA using an appropriate and accepted control standard or framework and audit procedure for the audits as applicable.
Processor Assessment Requirements
The state laws generally require the assessment to consider whether the processor:
- Adheres to the instructions of the controller and assists the controller in meeting its obligations under the state privacy law;
- Takes appropriate technical and organizational measures for the fulfillment of the controller’s obligation to respond to consumer requests;
- Assists in meeting the controller’s obligations in relation to the security of processing of personal data;
- Provides information to the controller as necessary for the controller to demonstrate compliance with the state privacy law and to allow the controller to conduct any data protection assessment required by the state privacy law;
- Ensures that persons processing personal data are subject to a duty of confidentiality with respect to the personal data;
- Engages a subcontractor only after providing the controller with an opportunity to object and pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data;
- Implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establishes a clear allocation of the responsibilities between the processor and controller to implement the measures;
- Allows for reasonable audits and inspections by the controller or the controller’s auditor, or the processor, with the controller’s consent, may arrange for an independent contractor to conduct an audit of the processor's policies and technical and organizational measures in support of the processor’s obligations under the state law using an appropriate and accepted control standard or framework and audit procedure for the audits as applicable;
- Deletes or returns all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; and
- Enters into a contract with the controller that is binding to both parties and sets out the obligations described above.
Data Processors and Controllers Need Qualified Assessors
For businesses that act as data processors pursuant to these state laws, any data controller that the business contracts with is entitled to conduct assessments of the business's processing activities and of the data privacy and security policies and procedures relevant to that processing. The possibility of repeated assessments conducted by a multitude of data controllers could be time-consuming and costly for processors.
Data processors may find it more convenient and efficient to utilize an independent and qualified outside organization to perform a single assessment and create a report that can be provided to controllers when requested. Data controllers also need to take note of this requirement, as controllers need to ensure that data processors properly adhere to their obligations regarding their treatment of data. If data processors opt not to undertake an independent assessment, controllers should engage an experienced assessor to conduct an assessment of the processor's policies.
How Koley Jessen Can Help with Data Processor Assessments
Koley Jessen’s Data Privacy and Security attorneys have experience assessing data processors’ compliance under this assessment framework and can serve as a designated assessor for controllers or a qualified and independent assessor for processors. If you're interested in conducting a processor assessment under state privacy laws, please contact one of the specialists in our Data Privacy and Security Practice Area for assistance.
*Special thanks to summer associate James Brennan for his contributions to this article.
This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.