Google and the Customer have entered into the Google Measurement Controller-Controller Data Protection Terms (the “Controller Terms”), which supplement the Agreement. This U.S. State Privacy Laws Controller Addendum to the Controller Terms (this “State Privacy Laws Controller Addendum”) is entered into by Google and the Customer and also supplements the Agreement. This Addendum will be effective as of the later of January 1, 2023 or the date on which Customer clicked to accept or the parties otherwise agreed to this Addendum.
Google may offer and Customer may enable certain in-product settings, configurations or other functionality for the Measurement Services relating to restricted data processing, as described in supporting documentation available at business.safety.google/rdp, as updated from time to time (“Restricted Data Processing”). This State Privacy Laws Controller Addendum sets out the data protection provisions relating to the Data Sharing Setting only (when Restricted Data Processing is not enabled) and does not otherwise apply to the provision of the Measurement Services. Customer is solely liable for its compliance with each of the Applicable State Privacy Laws in its use of Google services, including Restricted Data Processing.
This State Privacy Laws Controller Addendum reflects the parties’ agreement on the processing of Customer Personal Data and Deidentified Data (as defined below) pursuant to the Data Sharing Setting in connection with the Applicable State Privacy Laws (as defined below), and is effective solely to the extent each Applicable State Privacy Laws applies.
2. Definitions and Interpretation.
2.1 “Applicable State Privacy Laws” means, as applicable: (a) the CCPA; (b) Virginia’s Consumer Data Protection Act, Va. Code Ann. § 59.1-571 et seq.; (c) the Colorado Privacy Act, Colo. Rev. Stat. § 6-1-1301 et seq., together with all implementing regulations; (d) Connecticut’s Act Concerning Data Privacy and Online Monitoring, Pub. Act No. 22015; and (e) the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq.
2.2 “CCPA” means California Consumer Privacy Act of 2018, as amended, including as amended by the California Privacy Rights Act of 2020, together with all implementing regulations.
2.3 “Deidentified Data” means data information that is “deidentified” (as that term is defined by the CCPA) and “de-identified data” (as defined by other Applicable State Privacy Laws), when disclosed by one party to the other.
2.4 The terms “business”, “consumer”, “controller”, “personal data”, “personal information”, “process”, “processing”, “sale(s)”, and “sell”, as used in this State Privacy Laws Controller Addendum have the meanings given in the Applicable State Privacy Laws.
2.5 Capitalized terms used but not defined in this State Privacy Laws Controller Addendum will have the meanings given in the Controller Terms.
3. Applicable State Privacy Law Terms.
3.1 Deidentified Data. Each party will comply with the requirements for processing Deidentified Data set out in the Applicable State Privacy Laws, with respect to any Deidentified Data it receives from the other party pursuant to the Data Sharing Setting.
3.2 Google’s CCPA Obligations. With respect to Customer Personal Data processed without Restricted Data Processing enabled pursuant to the Data Sharing Setting, and to the extent that CCPA applies to the processing of Customer Personal Data:
- (a) Google will process such Customer Personal Data pursuant to the Data Sharing Setting, as further described in the Agreement and supporting documentation (e.g., help center articles), or as otherwise permitted under the CCPA, and the parties agree that Customer is making such Customer Personal Data available to Google for such purposes;
- (b) Google will allow audits to verify Google’s compliance with its obligations under this State Privacy Laws Controller Addendum as follows:
- (i) Customer may conduct an audit to verify Google’s compliance with its obligations under this State Privacy Laws Controller Addendum by requesting and reviewing (1) a certificate issued for security verification reflecting the outcome of an audit conducted by a third party auditor (e.g., ISO/IEC 27001 certification or a comparable certification or other security certification of an audit conducted by a third-party auditor agreed by Customer and Google) within 12 months as of the date of Customer’s request and (2) any other information Google determines is reasonably necessary for Customer to verify such compliance.
- (ii) Alternatively, Google may, at its sole discretion and in response to a request by Customer, initiate a third-party auditor to verify Google’s compliance with its obligations under this State Privacy Laws Controller Addendum. During such an audit, Google will make available to the third-party auditor all information necessary to demonstrate such compliance. Where Customer requests such an audit, Google may charge a fee (based on Google’s reasonable costs) for any audit. Google will provide Customer with further details of any applicable fee, and the basis of its calculation, in advance of any such audit. Customer will be responsible for any fees charged by any third-party auditor to execute any such audit.
- (iii) Nothing in this State Privacy Laws Controller Addendum will require Google either to disclose to Customer or its third-party auditor, or to allow Customer or its third-party auditor to access:
- (1) any data of any other customer of a Google Entity;
- (2) any Google Entity’s internal accounting or financial information;
- (3) any trade secret of a Google Entity;
- (4) any information that, in Google's reasonable opinion, could: (A) compromise the security of any Google Entity’s systems or premises; or (B) cause any Google Entity to breach its obligations under the Applicable State Privacy Laws or its security and/or privacy obligations to Customer or any third party; or
- (5) any information that Customer or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Customer’s obligations under the Applicable State Privacy Laws;
- (c) Google will notify Customer if Google makes a determination that it can no longer meet its obligations under the CCPA;
- (d) If Customer reasonably believes that Google is processing Customer Personal Data in an unauthorized manner, Customer has the right to notify Google of such belief via the methods described at privacy.google.com/businesses/processorsupport, and the parties will work together in good faith to remediate the allegedly violative processing activities, if necessary; and
- (e) Google will comply with applicable obligations under CCPA and will provide the same level of privacy protection as is required by CCPA.
4. Changes to this State Privacy Laws Controller Addendum.
In addition to Section 9 of the Controller Terms (Changes to these Controller Terms), Google may change this State Privacy Laws Controller Addendum without notice if the change (a) is based on applicable law, applicable regulation, a court order, or guidance issued by a governmental regulator or agency or (b) does not have a material adverse impact on Customer under the Applicable State Privacy Laws, as reasonably determined by Google.
1 January 2023