U.S. State Privacy Laws Addendum to Google Controller-Controller Data Protection Terms

Google and the Customer have entered into the Google Controller-Controller Data Protection Terms ("Controller Terms"), which supplement the Agreement. This U.S. State Privacy Laws Addendum to the Controller Terms (the “State Privacy Laws Addendum”) is entered into by Google and the Customer and also supplements the Agreement.

1.Introduction

This State Privacy Laws Addendum reflects the parties’ agreement on the processing of personal information and Deidentified Data (as defined below) pursuant to the Agreement in connection with Applicable State Privacy Laws (as defined below). This State Privacy Laws Addendum is effective solely to the extent Applicable State Privacy Laws apply.

2.Definitions and Interpretation

2.1“Applicable State Privacy Laws” means privacy, data security, and data protection laws and regulations within the United States applicable to the personal information processed by a party under the Agreement, which may include: (a) the CCPA; (b) Virginia’s Consumer Data Protection Act, Va. Code Ann. § 59.1-571 et seq.; (c) the Colorado Privacy Act, Colo. Rev. Stat. § 6-1-1301 et seq.; (d) Connecticut’s Act Concerning Data Privacy and Online Monitoring, Pub. Act No. 22015; and (e) the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq.

2.2“CCPA” means the California Consumer Privacy Act of 2018 (as amended, including as amended by the California Privacy Rights Act of 2020) together with all implementing regulations.

2.3“Deidentified Data” means “de-identified data” or “deidentified data” as defined by Applicable State Privacy Laws.

2.4 The terms “business”, “consumer”, “controller”, “household”, “personal data”, “personal information”, “process”, “processing”, “sale(s)”, “sell”, “share” and "sharing," as used in this State Privacy Laws Addendum have the meanings given in Applicable State Privacy Laws.

2.5 In this State Privacy Laws Addendum, references to “business” and “personal information” include “controller” and “personal data,” respectively, as each term is defined by Applicable State Privacy Laws.

2.6 Capitalized terms used but not defined in this State Privacy Laws Addendum will have the meanings given in the Controller Terms.

2.7 If this State Privacy Laws Addendum conflicts or is inconsistent with the remainder of the Agreement (including the Controller Terms), this State Privacy Laws Addendum will govern.

3.Applicable State Privacy Laws Terms

3.1 Mutual Terms. Each party:

3.1.1 Will not sell any personal information that it obtains from the other party in connection with the Agreement;

3.1.2 With respect to personal information received from the other party, will comply as an independent business with Applicable State Privacy Laws, and will be solely liable for such compliance;

3.1.3 Will comply with the requirements for processing Deidentified Data set out in Applicable State Privacy Laws with respect to any Deidentified Data it receives from the other party pursuant to the Agreement; and

3.1.4 Acknowledges that, to the extent Google discloses personal information to Customer pursuant to the Agreement, Google intends to disclose personal information to Customer only under an applicable exception to “sale” and “sharing,” each as defined by Applicable State Privacy Laws.

3.2 Google’s CCPA Obligations. If Customer sells or shares personal information to Google that is subject to the CCPA, Google will:

3.2.1 Process the personal information only for the limited purposes specified in the Agreement, unless otherwise permitted by the CCPA;

3.2.2 Permit Customer, upon reasonable request, to take reasonable and appropriate steps to ensure that Google uses the personal information in a manner consistent with a business’ obligations under the CCPA by requesting that Google attest to its compliance with Section 3.1.2 of this State Privacy Laws Addendum. Following any such request, Google will promptly provide that attestation or notice about why it cannot provide it;

3.2.3 If Customer reasonably believes that Google is engaged in unauthorized processing of the personal information, Customer will immediately notify Google of such belief via email to the Notification Email Address, and the parties will work together in good faith to remediate the allegedly violative processing activities, if necessary;

3.2.4 Notify Customer if it determines that it can no longer meet its obligations under the CCPA.

4.Changes to this State Privacy Laws Addendum.

In addition to Section 10 of the Controller Terms (Changes to these Controller Terms), Google may change this State Privacy Laws Addendum without notice if the change (a) is based on applicable law, applicable regulation, a court order, or guidance issued by a governmental regulator or agency; and (b) does not have a material adverse impact on Customer with respect to exemptions from “sales” under the CCPA, as reasonably determined by Google.

12 December 2022