CCPA Compliance
CALIFORNIA CONSUMER PRIVACY ACT (CCPA) DATA PROCESSING ADDENDUM
This California Consumer Privacy Act Data Processing Addendum (this "Addendum") is entered into by and between The Data Group, LLC d/b/a BusinessRate ("Service Provider") and the undersigned Customer ("Customer"). It supplements any underlying service agreement, terms of service, or other written agreement between the parties under which Service Provider provides certain contracted services to Customer (the "Service Agreement").
WHEREAS, the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§1798.100 to 1798.199), along with related regulations or guidance ("CCPA"), imposes obligations on businesses that collect or process the personal information of California residents;
WHEREAS, Customer is a "Business" and Service Provider is a "Service Provider" under the CCPA;
WHEREAS, the parties wish to address their respective CCPA obligations and restrictions regarding personal information.
NOW, THEREFORE, in consideration of the mutual promises and covenants in the Service Agreement and this Addendum, the parties agree:
1. Definitions
1.1 CCPA
"CCPA" means the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§1798.100 to 1798.199), and any related regulations or guidance. Terms defined in the CCPA (e.g., "personal information" and "business purposes") carry the same meaning when used in this Addendum.
1.2 Contracted Business Purposes
"Contracted Business Purposes" means the services described in the Service Agreement between Service Provider and Customer, as well as any additional services listed in Appendix A, for which Service Provider receives or accesses personal information.
1.3 Customer
"Customer" refers to the entity that has signed the Service Agreement with Service Provider (The Data Group, LLC d/b/a BusinessRate).
1.4 Service Provider
"Service Provider" refers to The Data Group, LLC d/b/a BusinessRate.
2. Service Provider's CCPA Obligations
2.1 Use Restricted to Contracted Business Purposes
Service Provider will only collect, use, retain, or disclose personal information for the Contracted Business Purposes for which Customer provides or permits access, in line with the Service Agreement and Customer's instructions.
2.2 No Unauthorized Secondary Use
Service Provider will not collect, use, retain, disclose, sell, or otherwise make personal information available for its own commercial purposes in a way that conflicts with the CCPA. If a law or legal process compels Service Provider to disclose personal information for an unrelated purpose, Service Provider must inform Customer and offer an opportunity to object or challenge the requirement, unless prohibited by law.
2.3 Data Minimization
Service Provider will limit personal information collection, use, retention, and disclosure to activities reasonably necessary and proportionate to fulfill the Contracted Business Purposes or a compatible operational purpose.
2.4 Compliance with Customer Requests
Service Provider will promptly comply with any request or instruction from Customer regarding the provision, amendment, transfer, or deletion of personal information, or to stop, mitigate, or remedy any unauthorized processing.
2.5 CCPA-Compliant Notices
If the Contracted Business Purposes involve collecting personal information directly from individuals on Customer's behalf, Service Provider will provide a CCPA-compliant notice that Customer pre-approves in writing. Service Provider will not modify the notice without Customer's prior written consent.
2.6 Data Aggregation, Deidentification, or Anonymization
Where permitted by the CCPA, Service Provider may aggregate, deidentify, or anonymize personal information by acceptable methods, so it no longer meets the definition of personal information. Service Provider may use such aggregated, deidentified, or anonymized data for its own research and development. Service Provider will not attempt (nor allow others to attempt) to reidentify any such data and will impose the same restrictions on downstream recipients.
3. Assistance with Customer's CCPA Obligations
3.1 Reasonable Cooperation
Service Provider will reasonably cooperate with and assist Customer in meeting CCPA compliance obligations and handling CCPA-related inquiries (including verifiable consumer requests), considering the nature of Service Provider's processing and the information available.
3.2 Prompt Notification
Service Provider must notify Customer immediately if it receives any complaint, notice, or communication related to either party's CCPA compliance. Specifically, Service Provider must inform Customer within ten (10) working days if it receives a verifiable consumer request under the CCPA.
4. Subcontracting
4.1 Use of Subcontractors
Service Provider may engage subcontractors to carry out the Contracted Business Purposes.
4.2 Subcontractor List
Upon written request, Service Provider will provide Customer with an up-to-date list of subcontractors that includes:
- Name, address, and contact information
- Type of services provided
- Categories of personal information disclosed in the preceding 12 months
5. CCPA Warranties
5.1 Compliance with CCPA Requirements
Both parties will comply with all relevant CCPA requirements when collecting, using, retaining, or disclosing personal information.
5.2 Certification
Service Provider certifies it understands the restrictions and prohibitions in this Addendum and the CCPA regarding selling personal information or using it beyond the direct business relationship. Service Provider further certifies it will abide by these restrictions and prohibitions.
5.3 No Adverse Effect
Service Provider warrants it has no reason to believe any CCPA requirements prevent it from performing the Contracted Business Purposes. If the CCPA changes in a way that adversely affects Service Provider's ability to meet its obligations, Service Provider will promptly notify Customer.
Appendix A
PERSONAL INFORMATION PROCESSING PURPOSES AND DETAILS
1) Contracted Business Purposes
Advertising, marketing, CRM, payment processing, and other business management services as described in the Service Agreement.
2) Personal Information Categories
Under Cal. Civ. Code §1798.140(o), the following categories of Personal Information may be processed:
| Category | Examples | Processed Under This Agreement |
|---|---|---|
| A. Identifiers | Real name, alias, address, unique personal identifier, IP address, email, account name, etc. | YES |
| B. Personal info per Cal. Civ. Code §1798.80(e) | Name, signature, address, phone number, license or ID number, financial info, etc. | YES |
| C. Protected classification characteristics | Age (40+), race, color, ancestry, gender, etc. | YES |
| D. Commercial information | Records of products/services purchased or considered, etc. | YES |
| E. Biometric information | Fingerprints, faceprints, iris scans, etc. | NO |
| F. Internet/network activity | Browsing/search history, interaction with websites/apps/ads. | YES |
| G. Geolocation data | Physical location or movements. | YES |
| H. Sensory data | Audio, electronic, visual, thermal, etc. | NO |
| I. Professional/employment info | Job history or performance evaluations. | NO |
| J. Non-public education info | Education records (grades, transcripts, etc.). | NO |
| K. Inferences | Profile reflecting preferences, characteristics, behavior, etc. | YES |
General Provisions
1) Conflict
In the event of any inconsistency between this Addendum and the Service Agreement, this Addendum controls solely with respect to the subject matter required by the CCPA.
2) Governing Law
This Addendum and any related dispute are governed by the same law as provided in the Service Agreement.
3) Termination
This Addendum remains in effect as long as Service Provider processes personal information for Customer under the Service Agreement, unless terminated sooner by the Service Agreement or law.
4) Entire Agreement
Except as modified by this Addendum, the Service Agreement remains in full force. This Addendum overrides any prior discussions or proposals related to personal information handling to the extent of any conflict.