This State Privacy Law Addendum (this “Addendum”) sets forth the terms under State Privacy Laws pursuant to which a Party (the “Disclosing Party”) may transmit, disclose, or otherwise make available Personal Data to the other Party (the “Receiving Party”) for the Processing Purposes further defined in Annex A. This Addendum supplements and forms part of the Agreement. This Addendum is effective as of the effective date of the Agreement (“Effective Date”); provided, however, the relevant obligations apply only to the extent (i) Personal Data is subject to the State Privacy Laws; and (ii) a State Privacy Law has taken effect.
For purposes of this Addendum, the following terms will have the meaning ascribed below:
“Advertising Purposes” means all Restricted Purposes in addition to (i) activities that constitute Targeted Advertising or Cross-Context Behavioral Advertising under State Privacy Laws, including any processing that involves displaying ads to a Consumer that are selected based on the Consumer’s cross-context behaviors, (ii) creating or supplementing user profiles for such purposes, and (iii) the Controller Purposes as defined in Annex A.
“CCPA” means the California Consumer Privacy Act of 2018, as amended, including as amended by the California Privacy Rights Act of 2020, and any regulations promulgated thereunder.
“Data Breach” means “breach of the security of the system,” “security breach,” “breach of security,” “breach of system security,” and other analogous terms referenced in State Privacy Laws.
“Restricted Processing” means Processing only for Restricted Purposes.
“Restricted Processing Signal” means any flag or signal indicating that a Consumer has opted out of the Sale, Sharing, or Processing for purposes of Targeted Advertising of their Personal Data, including without limitation those flags or signals sent through the IAB CCPA Compliance Framework, Global Privacy Platform, or other signaling system agreed to by the Parties.
”Restricted Purposes” means advertising-related Processing for the Processor Purposes (as defined in Annex A) and that qualifies as a Business Purpose under the State Privacy Laws, including Processing for purposes of auditing; security and integrity; debugging; short term, transient uses; analytics; providing advertising or marketing services that do not include Cross-Contextual Behavioral Advertising, Targeted Advertising, or profiling; internal research; and efforts to improve quality and safety. Restricted Purposes include the Processor Purposes (as defined in Annex A) and fraud detection and prevention, each only to the extent such activity (i) is permissible for a Processor to perform under the applicable State Privacy Laws; and (ii) does not result in a Sale or Sharing of Personal Data or constitute Processing of Personal Data for Targeted Advertising purposes.
“State Privacy Laws” means state privacy laws as applicable from time to time, including without limitation the CCPA, the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring of 2022, the Utah Consumer Privacy Act of 2022, and the Virginia Consumer Data Protection Act, in each case as amended and including any regulations promulgated thereunder.
“Business,” “Business Purpose,” “Commercial Purpose,” “Consumer,” “Controller,” “Cross-Context Behavioral Advertising,” “Deidentified,” “De-identified Data,” “Personal Data,” “Personal Information,” “Process(-ing)” “Processor,” “Sale,” “Sell,” “Service Provider,” “Share,” “Targeted Advertising” and “Third Party” shall have the meanings ascribed to them in State Privacy Laws.
References in this Addendum to “Controller,” “Personal Data,” and “Processor” include “Business,” “Personal Information,” and “Service Provider” respectively.
With respect to the Processing of Personal Data, each Party acts as a Controller, unless a Restricted Processing Signal is present or the purpose of the Processing is Restricted Processing as defined under this Addendum, in which case Receiving Party acts as a Processor and Processes the Personal Data on behalf of Disclosing Party (which may operate as either the Controller or a Processor to another Controller).
Where Disclosing Party, as a Processor on behalf of a Controller, provides Personal Data to Receiving Party, the Disclosing Party will ensure that the Controller on whose behalf it is providing Personal Data has agreed to the obligations set forth in Section 4 herein.
Each Party will:
Comply with its respective obligations under State Privacy Laws with respect to the Processing of Personal Data.
Provide Consumers with a clear and conspicuous ability to opt out of (a) the Sale or Sharing of their Personal Data, or (b) the Processing of their Personal Data for purposes of Targeted Advertising, each of (a) and (b) in compliance with State Privacy Laws. If a Consumer opts out, Disclosing Party will (i) not Process such Consumer’s Personal Data for the Controller Purposes, including Targeted Advertising purposes, and (ii) will either (a) not disclose such Consumer’s Personal Data to any Third Party; or (b) transmit a Restricted Processing Signal in conjunction with any disclosures of such Consumer’s Personal Data to any Third Party.
Not modify any Restricted Processing Signal received from a Disclosing Party.
Transmit all Restricted Processing Signals received in conjunction with Personal Data to any recipients of such Personal Data.
Comply with requirements set out in State Privacy Laws for processing Deidentified Data, including by:
To the extent acting as a Disclosing Party:
To the extent acting as the Receiving Party, comply with:
Applicability. This Section 5 (CCPA Third Party Terms) applies only when the Receiving Party Processes Personal Data from the Disclosing Party (i) that is subject to the CCPA; and (ii) no Restricted Processing Signal is present.
Purpose Limitations. Disclosing Party makes Personal Data available to Receiving Party only for Advertising Purposes. Receiving Party will Process Personal Data only for such Advertising Purposes, and in accordance with its obligations and any restrictions in the Agreement.
CCPA Compliance; Notification of Determination of Noncompliance. Receiving Party will comply with applicable obligations under the CCPA, including by providing an appropriate level of privacy protection as required by the CCPA, and will notify Disclosing Party without undue delay if Receiving Party determines it can no longer meet its obligations under the CCPA.
Verification of CCPA Compliance. Upon Disclosing Party’s reasonable request, Receiving Party will provide the following to Disclosing Party to demonstrate Receiving Party’s Processing of Personal Data consistent with Disclosing Party’s obligations under the CCPA:
Unauthorized Use Remediation. If Disclosing Party reasonably believes that Receiving Party is engaged in the unauthorized use of Personal Data provided by Disclosing Party, Disclosing Party may notify Receiving Party of such belief using the contact information provided in the Agreement, and the Parties will work together in good faith to stop or remediate the allegedly unauthorized use of such Personal Data, as necessary.
Onward Disclosure Obligations. To the extent permitted by the Advertising Purposes and the Agreement, if Receiving Party makes an onward disclosure of Personal Data provided to it by Disclosing Party, including through any Sale or Sharing of the Personal Data, Receiving Party will impose terms that are substantially similar to the terms imposed on Receiving Party by Section 4 (Mutual Processing Obligations) and this Section 5 (CCPA Third Party Terms).
Applicability. This Section 6 (Processor Obligations) applies only to the extent Receiving Party Processes Personal Data with a Restricted Processing Signal present or the purpose of the Processing is Restricted Processing as defined under this Addendum.
Purpose Limitations. Receiving Party will Process Personal Data in accordance with its obligations in the Agreement and only for Restricted Purposes, as further described in Annex A. Receiving Party will not:
Assistance. Receiving Party will assist Disclosing Party, or the Controller on whose behalf Disclosing Party is acting, with State Privacy Laws compliance by:
Confidentiality. Receiving Party will treat Personal Data from Disclosing Party as confidential and subject each person that Processes such Personal Data to an appropriate obligation of confidentiality.
Further Disclosures. If Receiving Party further discloses Personal Data provided by Disclosing Party, Receiving Party will:
Deletion and Return of Personal Data. Upon the earlier of any request by Disclosing Party or without undue delay following termination of the Agreement, Data Recipient will delete, return, or de-identify in accordance with State Privacy Laws Personal Data provided to Receiving Party by Disclosing Party, unless retention of the Personal Data is required by applicable law.
Audits. Upon Disclosing Party’s reasonable request, Receiving Party will provide the following to Disclosing Party to enable Disclosing Party to audit Receiving Party’s compliance with this Section 6 (Processor Obligations):
Additional CCPA Processing Obligations. If Personal Data provided to Receiving Party by Disclosing Party is subject to the CCPA, in addition to the obligations set out in Sections 6.1 - 6.7 above, Receiving Party will:
Conflicts. Except as provided in Section 5.2, if there is any inconsistency or conflict between this Addendum and the Agreement with respect to Processing of Consumers whose Personal Data is subject to a State Privacy Law, then this Addendum will govern, regardless of whether any language in the Agreement purports to state that the Agreement is the controlling document.
Survival. This Addendum will survive any expiration or termination of the Agreement.