Your US customers may have no choice but to require all their service providers to comply with US privacy laws. For example, one of our clients that provides web analysis services recently contracted with a large US company and the agreement presented by the US company included the following provision:
“Service Provider represents and warrants that its collection, access, use, storage, disposal and disclosure of Personal Information does and will comply with all applicable federal or state privacy and data protection laws (including, without limitation, Massachusetts 201 CMR 17), as well as all other applicable regulations and directives.”
When we reviewed the Massachusetts regulation (201 CMR 17), we found that it requires every company subject to it to require, by contract, that the service providers handling its personal information also comply with the regulation. In other words, the US customer was not simply being cautious; it was passing down an obligation that the law imposes on it.
What can you do?
There are several options available to you. First, push for such terms to be deleted (i.e. argue that you are a Canadian-based company and should not be required to comply with US privacy laws). Where the customer is itself required by law to have its service providers comply with US privacy laws, you will typically not succeed in deleting the provision. As a fall-back position, agree only to be bound by those US privacy laws that are expressly (and in writing!) brought to your attention by the customer. By doing so, you shift the burden to the customer to identify the applicable US privacy laws and educate you on them, rather than warranting compliance with laws you have never reviewed.
Another option is to walk away from the deal. For most start-up and growth-minded businesses, walking away from revenue is unthinkable, but in certain circumstances it does make the most business sense. Where the compliance costs and liability risk exceed the revenue reward, walking away is the right decision. That said, if your business model requires you to contract with US companies, sooner or later you will have no choice but to comply and assume the liability risk.
A further option, which we are sometimes successful in implementing for clients, is to accept responsibility for complying with US laws, but also to include a term in the agreement that the customer will not provide you with any personal information of its clients. If you never receive personal information, the compliance obligation has little practical effect. For example, we were recently pleased to see the following term in a contractor agreement presented to a web analytics consulting client of ours:
The parties hereby agree and acknowledge that Client does not intend hereunder to provide to Contractor any personally identifiable information, nor is Contractor permitted hereunder (including under any SOW) to access or otherwise receive any personally identifiable information.
The next best approach, and a fall-back from this position, is to include a contract term that requires the customer to bring to the service provider's attention, by written notice, each instance in which the service provider will receive personal information that requires special handling under US laws. Without such notice, you may find yourself holding regulated data without knowing it.
Since lawyers may only advise on the law of the jurisdiction in which they are licensed, if you agree to comply with US privacy laws, the prudent next step is to hire a US attorney to educate you on those laws and to vet your data handling processes. That said, depending upon the value of the contract, the nature of the service and the type of information you will be handling, you may decide to forgo this step and either use your Canadian lawyer for guidance or educate yourself on what US privacy laws require of you.
Whatever approach you take with your customer, we always recommend that clients push for the inclusion of a cap on their aggregate liability and an exclusion of certain types of damages (such as lost profits). This will not protect you against statutory liability to regulators or affected individuals, but it will limit your exposure to damages should your customer sue you for mishandling personal information contrary to US privacy laws.
In the end, your decision will be based on your leverage (i.e. how badly the customer wants your service vs. how badly you want/need the customer), your risk tolerance and the value of the contract. The reward to you should outweigh the compliance cost and/or potential liability for agreeing to be bound by US privacy laws.