Navigating the increasing complexity of controller-to-controller terms
New privacy laws and frameworks impose more prescriptive controller-to-controller (C2C) terms. By Nick Shepherd and Dan Cooper, Covington & Burling LLP.
Over the past decade, companies across many sectors have grown accustomed to entering into data processing agreements with their vendors and suppliers that include certain provisions prescribed by law. Some sectoral privacy laws have imposed certain contractual rules for some time.(1) That said, a catalyst for making this a more widespread practice was the EU General Data Protection Regulation (GDPR), which went into effect in 2018. In particular, Article 28 of the GDPR sets out certain minimum contractual terms that must be included whenever a controller entrusts personal data to a processor (C2P terms). These terms have become even more commonplace in recent years thanks to emerging privacy laws in other jurisdictions (including state privacy laws in the United States), which include this same requirement for agreements between controllers and processors, and impose the same or similar core C2P terms.