U.S. STATE PRIVACY LAW PROCESSING ADDENDUM FOR ADVERTISING RELATIONSHIPS
1. Introduction
This U.S. State Privacy Law Processing Addendum (this “Addendum”) is entered into between Yahoo (defined below), for itself and for and on behalf of its Yahoo Affiliates (defined below) and the counterparty identified in the Agreement (defined below) (each a “Party” and collectively the “Parties”). This Addendum sets forth the terms under State Privacy Laws pursuant to which a Party (the “Disclosing Party”) may transmit, disclose, or otherwise make available Personal Data to the other Party (the “Receiving Party”) for Advertising Purposes (defined below). This Addendum supplements and forms part of any existing, current, or future agreement between Disclosing Party and Receiving Party pursuant to which Disclosing Party discloses Personal Data to Receiving Party (any such agreement being individually or together referred to as the “Agreement”). This Addendum will be effective as of the effective date of the Agreement (“Effective Date”); provided, however, the relevant obligations apply only to the extent (i) a Restricted Processing Signal is present or (ii) Personal Data is subject to the State Privacy Laws and the applicable State Privacy Law has taken effect.
2. Definitions. For purposes of this Addendum, the following terms will have the meaning ascribed below:
2.1. “Advertising Purposes” means all Restricted Purposes in addition to (i) activities that constitute Targeted Advertising or Cross-Context Behavioral Advertising under State Privacy Laws, including any processing that involves displaying ads to a Consumer that are selected based on the Consumer’s cross-context behaviors, (ii) creating or supplementing user profiles for such purposes.
2.2. “CCPA” means the California Consumer Privacy Act of 2018, as amended, including as amended by the California Privacy Rights Act of 2020, and any regulations promulgated thereunder.
2.3. “Data Breach” means “breach of the security of the system,” “security breach,” “breach of security,” “breach of system security,” and other analogous terms referenced in State Privacy Laws.
2.4. “Joint Processor” means a Processor engaged by one or more Controllers to Process Personal Data in a manner that requires combining Personal Data collected across such Businesses, such as for certain measurement activities or capping the frequency of ads shown to a Consumer across sites or services not owned or controlled by the same Business.
2.5. “MSPA” or “Multi-State Privacy Agreement” means that certain IAB First Amended Multi-State Privacy Agreement, available at https://www.iabprivacy.com/ (or its successor URL), as may be further amended, restated, supplemented or otherwise modified from time to time.
2.6. “Restricted Processing” means Processing only for Restricted Purposes.
2.7. “Restricted Processing Signal” means any flag or signal indicating that a Consumer has opted out of the Sale, Sharing, or Processing for purposes of Targeted Advertising of their Personal Data, including without limitation those flags or signals sent through the IAB CCPA Compliance Framework, Global Privacy Platform, or other signaling system agreed to by the Parties.
2.8. “Restricted Purposes” means advertising-related Processing that qualifies as a Business Purpose, including Processing for purposes of auditing; security and integrity; debugging; short term, transient uses; analytics; providing advertising or marketing services that do not include Cross-Contextual Behavioral Advertising, Targeted Advertising, or profiling; internal research; and efforts to improve quality and safety. Restricted Purposes includes first-party advertising, contextual advertising, frequency capping, measurement, fraud detection and prevention, and ensuring and measuring viewability, each only to the extent such activity (i) is permissible for a Processor to perform under the applicable State Privacy Laws; and (ii) does not result in a Sale or Sharing of Personal Data or constitute Processing of Personal Data for Targeted Advertising purposes.
2.9. “State Privacy Laws” means the CCPA, the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring of 2022, the Indiana Consumer Data Protection Act, the Iowa Act Relating to Consumer Data Protection of 2023, the Montana Consumer Data Privacy Act, the Tennessee Information Protection Act, the Texas Data Privacy and Security Act, the Utah Consumer Privacy Act of 2022, the Virginia Consumer Data Protection Act, and other similar data privacy and protection laws enacted by a U.S. state, in each case as amended and including any regulations promulgated thereunder.
2.10. “Yahoo” means the Yahoo entity that is the contracting party identified in the Agreement.
2.11. “Yahoo Affiliate” means an affiliate of Yahoo, which includes any of the following entities excluding Yahoo, which is the contracting party entering into this Addendum: Yahoo Ad Tech LLC, Yahoo Inc., Yahoo Holdings Inc., Yahoo Netherlands B.V. and any entity controlled by any of the foregoing
2.12. “Business,” “Business Purpose,” “Commercial Purpose,” “Consumer,” “Controller,” “Cross-Context Behavioral Advertising,” “Deidentified,” “De-identified Data,” “Personal Data,” “Personal Information,” “Process(-ing)” “Processor,” “Sale,” “Sell,” “Service Provider,” “Share,” “Targeted Advertising” and “Third Party” shall have the meanings ascribed to them in State Privacy Laws.
2.13. References in this Addendum to “Controller,” “Personal Data,” and “Processor,” include “Business,” “Personal Information,” and “Service Provider,” respectively.
3. Roles. With respect to the Processing of Personal Data, each Party acts as a Controller, unless a Restricted Processing Signal is present, in which case Receiving Party acts as a Processor and Processes the Personal Data on behalf of Disclosing Party (which may operate as either the Controller or a Processor to another Controller) regardless of whether Receiving Party believes the Personal Data is subject to a State Privacy law. Where Disclosing Party, as a Processor on behalf of a Controller, provides Personal Data to Receiving Party, the Disclosing Party will ensure that the Controller on whose behalf it is providing Personal Data has agreed to the obligations set forth in Section 4 herein.
4. Mutual Processing Obligations. Each Party will:
4.1. Comply with its respective obligations under State Privacy Laws with respect to the Processing of Personal Data.
4.2. Provide Consumers with a clear and conspicuous ability to opt out of the Sale, Sharing, or Processing of their Personal Data for purposes of Targeted Advertising, in compliance with State Privacy Laws. If a Consumer opts out, Disclosing Party will (i) not Process such Consumer’s Personal Data for Targeted Advertising purposes and (ii) will either (a) not disclose such Consumer’s Personal Data to any Third Party; or (b) transmit a Restricted Processing Signal in conjunction with any disclosures of such Consumer’s Personal Data to any Third Party.
4.3. Not modify any Restricted Processing Signal received from a Disclosing Party.
4.4. Transmit all Restricted Processing Signals received in conjunction with Personal Data to any recipients of such Personal Data.
4.5. Comply with requirements set out in State Privacy Laws for processing Deidentified Data, including by:
4.5.1. Not attempting to re-identify any such data;
4.5.2. Using reasonable administrative, technical, and organizational measures to prevent any re-identification of any such data or any inadvertent release of any such data; and
4.5.3. Publicly committing both to maintain and use the Deidentified Data in de-identified form and not to attempt to re-identify any such data.
4.6. To the extent acting as a Disclosing Party:
4.6.1. Provide all notices and obtain any consents required by State Privacy Laws necessary to permit each Party to Process Personal Data in accordance with this Addendum; and
4.6.2. To the extent providing Personal Data originally collected by another Controller, (i) contractually obligate such Controller to provide all notices and obtain any consents required by State Privacy Laws necessary to permit each Party to Process Personal Data in accordance with this Addendum and (ii) take reasonable steps to ensure compliance with such contractual obligations.
4.7. To the extent acting as a Receiving Party, comply with:
4.7.1. Section 5 (CCPA Third Party Terms) when Processing Personal Data subject to the CCPA and without a Restricted Processing Signal present.
4.7.2. Section 6 (Processor Obligations), when Processing Personal Data received with a Restricted Processing Signal present.
5. CCPA Third Party Terms
5.1. Applicability. This Section 5 (CCPA Third Party Terms) applies only when the Receiving Party Processes Personal Data from the Disclosing Party (i) that is subject to the CCPA; and (ii) no Restricted Processing Signal is present.
5.2. Purpose Limitations. Disclosing Party makes Personal Data available to Receiving Party only for Advertising Purposes. Receiving Party will Process Personal Data only for such Advertising Purposes, and in accordance with its obligations and any restrictions in the Agreement.
5.3. CCPA Compliance; Notification of Determination of Noncompliance. Receiving Party will comply with applicable obligations under the CCPA, including by providing an appropriate level of privacy protection as required by the CCPA, and will notify Disclosing Party without undue delay if Receiving Party determines it can no longer meet its obligations under the CCPA.
5.4. Verification of CCPA Compliance. Upon Disclosing Party’s reasonable request, Receiving Party will provide the following to Disclosing Party to demonstrate Receiving Party’s Processing of Personal Data consistent with Disclosing Party’s obligations under the CCPA:
5.4.1. A copy of a certificate issued for security verification reflecting the outcome
of an audit conducted by an independent third-party auditor; or
5.4.2. Any other information the Parties agree is reasonably necessary for Disclosing Party to verify Receiving Party’s Processing is consistent with Disclosing Party’s obligations under the CCPA, such as an attestation.
5.5. Unauthorized Use Remediation. If Disclosing Party reasonably believes that Receiving Party is engaged in the unauthorized use of Personal Data provided by Disclosing Party, Disclosing Party may notify Receiving Party of such belief using the contact information provided in the Agreement, and the Parties will work together in good faith to stop or remediate the allegedly unauthorized use of such Personal Data, as necessary.
5.6. Onward Disclosure Obligations. To the extent permitted by the Advertising Purposes and the Agreement, if Receiving Party makes an onward disclosure of Personal Data provided to it by Disclosing Party, including through any Sale or Sharing of the Personal Data, Receiving Party will impose terms that are substantially similar to the terms imposed on Receiving Party by Section 4 (Mutual
Processing Obligations) and this Section 5 (CCPA Third Party Terms).
6. Processor Obligations
6.1. Applicability. This Section 6 (Processor Obligations) applies only to the extent Receiving Party Processes Personal Data with a Restricted Processing Signal present.
6.2. Purpose Limitations. Receiving Party will Process Personal Data in accordance
with its obligations in the Agreement and only for Restricted Purposes, as further described in Attachment 1. Receiving Party will not:
6.2.1. Process Personal Data for Targeted Advertising purposes; or
6.2.2. Sell or Share Personal Data.
6.3. Assistance. Receiving Party will assist Disclosing Party, or the Controller on whose behalf Disclosing Party is acting, with State Privacy Laws compliance by:
6.3.1. Assisting the Disclosing Party in responding to Consumer requests made pursuant to State Privacy Laws, provided that Disclosing Party must provide to Receiving Party all information necessary for it to provide such assistance or respond to a Consumer request when required by State Privacy Laws;
6.3.2. Contributing to data protection impact assessments where required by State Privacy Laws;
6.3.3. Offering reasonable notice and assistance to Disclosing Party in the event Receiving Party experiences a Data Breach, including to help Disclosing Party satisfy its Data Breach notification obligations under State Privacy Laws; and
6.3.4. Implementing reasonable security procedures and practices appropriate to the nature of the Personal Data and designed to protect such Personal Data from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with State Privacy Laws.
6.4. Confidentiality. Receiving Party will treat Personal Data from Disclosing Party as confidential and subject each person that Processes such Personal Data to an appropriate obligation of confidentiality.
6.5. Further Disclosures. If Receiving Party further discloses Personal Data provided
by Disclosing Party, Receiving Party will:
6.5.1. Ensure it has in place a written agreement with any such recipient that obligates the recipient to comply with terms at least as protective as the terms set out in this Section 6 (Processor Obligations);
6.5.2. Ensure any Restricted Processing Signal is transmitted with the Personal Data to the recipient; and
6.5.3. To the extent required by State Privacy Laws, provide Disclosing Party notice of the planned transmission to any subcontractor and an opportunity to object.
6.6. Deletion and Return of Personal Data. Upon the earlier of any request by Disclosing Party or without undue delay following termination of the Agreement, Data Recipient will delete, return, or de-identify in accordance with State Privacy Laws Personal Data provided to Receiving Party by Disclosing Party, unless retention of the Personal Data is required by applicable law.
6.7. Audits. Upon Disclosing Party’s reasonable request, Receiving Party will provide the following to Disclosing Party to enable Disclosing Party to audit Receiving Party’s compliance with this Section 6 (Processor Obligations):
6.7.1. A copy of a certificate issued within 12 months of the Disclosing Party’s request reflecting the outcome of an audit conducted by an independent and qualified third-party auditor using an appropriate and accepted control standard or framework and audit procedure; or
6.7.2. Any other information or attestation the Parties agree is reasonably necessary for Disclosing Party to verify that Receiving Party’s Processing is consistent with Disclosing Party’s obligations under the CCPA.
6.8. Additional CCPA Processing Obligations. If Personal Data provided to Receiving Party by Disclosing Party is subject to the CCPA, in addition to the obligations set out in Sections 6.1 - 6.7 above, Receiving Party will:
6.8.1. Not retain, use, or disclose the Personal Data outside of the direct business relationship with Disclosing Party or for any purpose, including Commercial Purposes, other than the Restricted Purposes, unless otherwise permitted by the CCPA.
6.8.2. Upon notice from Disclosing Party of its reasonable belief that Receiving Party is Processing Personal Data in an unauthorized manner, cooperate with Disclosing Party in good faith to stop or remediate the allegedly unauthorized use of such Personal Data, as necessary, such as by providing documentation verifying certain practices.
6.8.3. Notify the Disclosing Party without undue delay if Receiving Party determines it can no longer meet its obligations under the CCPA.
6.8.4. Except to Process for the Restricted Purposes or as otherwise permitted by the CCPA, not combine the Personal Data provided to Receiving Party by Disclosing Party with Personal Data received from or on behalf of another person or source or that Receiving Party collects from its own interactions with Consumers. Notwithstanding the foregoing and to the extent permitted by the CCPA, Receiving Party may combine Personal Data from Disclosing Party with Personal Data provided to Receiving Party from an independent Business to the extent (i) Receiving Party is a Joint Processor to both Disclosing Party and the independent Business; and (ii) such independent Business has executed with Receiving Party terms substantially similar to the terms imposed on Receiving Party under this Section 6 (Processor Obligations).
7. Miscellaneous
7.1. Conflicts. Except as provided in Section 5.2, if there is any inconsistency or conflict between this Addendum and the Agreement, then this Addendum will govern, regardless of whether any language in the Agreement purports to state that the Agreement is the controlling document. If the Parties are both signatories to the MSPA and a disclosure of data is designated as a Covered Transaction (as defined in the MSPA), then the MSPA will govern in the event of any inconsistency or conflict between this Addendum and the MSPA. The provisions of this Addendum may not be amended, except by an agreement to specifically amend this Addendum in writing signed by the Parties.
7.2. Counterparts. This Addendum may be executed in several counterparts (including delivery via facsimile or electronic mail), each of which will be deemed to be an original but all of which together will constitute one and the same instrument.
7.3. Amendment.This Addendum may not be amended except in a writing executed by both Parties.
7.4. Survival. This Addendum will survive any expiration or termination of the Agreement.
ATTACHMENT 1: DESCRIPTION OF PROCESSING
1. Description of Processing
1.1. Nature and Purpose of Processing. Subject to any further limitations imposed by the Agreement, Receiving Party Processes the Personal Data provided to Receiving Party by Disclosing Party for the Restricted Purposes, as further described in this Addendum, including for frequency capping, measurement, fraud detection and prevention, and ensuring and measuring viewability.
1.2. Types of Personal Data Processed. Subject to any further limitations imposed by the Agreement, the types of Personal Data Processed are limited to technical identifiers such as device IDs, cookie IDs, and IP addresses; commercial information; internet or other electronic network activity information; geolocation data; and inferences.