CCPA Data Processing Addendum
This Addendum supplements the Subscription Agreement and governs the parties’ data security, data protection matters related to the California Consumer Privacy Act of 2018 (the “Existing Agreement”). The term “Agreement” means, collectively, the Existing Agreement and this Addendum.
“CCPA” means the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199), and any related regulations or guidance provided by the California Attorney General.
“Contracted Business Purposes” means the services described in the Appendix A for which the Service Provider receives or accesses personal information.
Service Provider’s CCPA Obligations
Service Provider shall only collect, use, retain, or disclose personal information for the Contracted Business Purposes for which Subscriber provides or permits personal information access in accordance with the Subscriber’s written instructions.
Service Provider shall not collect, use, retain, disclose, sell (as the term is defined and interpreted under the CCPA), or otherwise make personal information available for Service Provider’s own commercial purposes or in a way that does not comply with the CCPA. If a law requires the Service Provider to disclose personal information for a purpose unrelated to the Contracted Business Purpose, the Service Provider must first inform the Subscriber of the legal requirement and give the Subscriber an opportunity to object or challenge the requirement, unless the law prohibits such notice.
Service Provider shall limit personal information collection, use, retention, and disclosure to activities reasonably necessary and proportionate to achieve the Contracted Business Purposes or another compatible operational purpose.
Service Provider shall comply with any Subscriber request or instruction from Subscriber requiring the Service Provider to provide, amend, transfer, or delete the personal information, or to stop, mitigate, or remedy any unauthorized processing.
If the Contracted Business Purposes require the collection of personal information from individuals on the Subscriber’s behalf, Service Provider shall provide a CCPA-compliant notice addressing use and collection methods.
Assistance with Subscriber’s CCPA Obligations
Service Provider shall reasonably cooperate and assist Subscriber with meeting the Subscriber’s CCPA compliance obligations and responding to CCPA-related inquiries, including responding to verifiable consumer requests, taking into account the nature of the Service Provider’s processing and the information available to the Service Provider. Service Provider reserves the right to charge Subscriber at its standard rates for any such assistance.
Service Provider shall notify Subscriber if it receives any complaint, notice, or communication that directly or indirectly relates either party’s compliance with the CCPA. Specifically, the Service Provider will notify the Subscriber within three (3) working days if it receives a verifiable consumer request under the CCPA.
Service Provider may use subcontractors to provide the Contracted Business Services. Any such a subcontractor used must qualify as a “service provider” under the CCPA, shall not “sell” personal information as defined and interpreted under CCPA, and Service Provider cannot make any disclosures to the subcontractor that the CCPA would treat as a sale.
CCPA Warranties and Certification
Both parties shall comply with all applicable requirements of the CCPA when collecting, using, retaining, or disclosing personal information.
Service Provider certifies that it understands this Agreement’s and the CCPA’s restrictions and prohibitions on “selling” personal information and retaining, using, or disclosing personal information outside of the parties’ direct business relationship, and it shall comply with them.
Service Provider hereby represents and warrants and covenants that it does not and shall not:
retain, use, disclose or otherwise process the personal information for any purpose other than for the specific purpose of performing services under the Agreement or as otherwise permitted by the CCPA, including for a “business purpose” (as this term is prescribed by the CCPA);
retain, use, disclose or otherwise process the personal information for a “commercial purpose” (as this term is prescribed by the CCPA) other than providing the services under the Agreements to Subscriber; or
use, rent, release, transfer, disclose, distribute, disseminate, make available, transfer and communicate orally, in writing, or by electronic or other means or make available or otherwise “sale” (as this term is prescribed by the CCPA) personal information for monetary or other valuable consideration.
Personal Information Processing Purposes and Details
Personal Information Categories: This Agreement involves the following types of personal information, as defined and classified in CCPA Cal. Civ. Code § 1798.140(o).
|Category||Examples||Processed under this Agreement|
|A. Identifiers.||A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.||[YES/NO]|
|B. Personal information categories listed in the California Client Records statute (Cal. Civ. Code § 1798.80(e)).||A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories.||[YES/NO]|
|C. Protected classification characteristics under California or federal law.||Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).||[YES/NO]|
|D. Commercial information.||Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.||[YES/NO]|
|E. Biometric information.||Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.||[YES/NO]|
|F. Internet or other similar network activity.||Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.||[YES/NO]|
|G. Geolocation data.||Physical location or movements.||[YES/NO]|
|H. Sensory data.||Audio, electronic, visual, thermal, olfactory, or similar information.||[YES/NO]|
|I. Professional or employment-related information.||Current or past job history or performance evaluations.||[YES/NO]|
|J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).||Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.||[YES/NO]|
|K. Inferences drawn from other personal information.||Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.||[YES/NO]|