US State Privacy Law Processing Addendum

Dated: June 14, 2023

    1. INTRODUCTION.This State Privacy Law Processing Addendum (“Addendum”) sets forth the terms under State Privacy Laws pursuant to which a party (the “Disclosing Party”) may transmit, disclose, or otherwise make available Personal Data to the other Party (the “Receiving Party”) (altogether the “Parties”) for Advertising Purposes (defined below). This Addendum supplements and forms part of any existing, current, or future agreement between Disclosing Party and Receiving Party pursuant to which Disclosing Party discloses Personal Data to Receiving Party (any such agreement being individually or together referred to as the “Agreement”). This Addendum will be effective as of the effective date of the Agreement (“Effective Date”); provided, however, the relevant obligations apply only to the extent (i) Personal Data is subject to the State Privacy Laws; and (ii) a State Privacy Law has taken effect.
    2. DEFINITIONS. For purposes of this Addendum, the following terms will have the meaning ascribed below:
      1. Advertising Purposes” means all Restricted Purposes in addition to the purposes as identified in PubMatic’s Privacy Policy located at https://pubmatic.com/legal/privacy-policy/.
      2. CCPA” means the California Consumer Privacy Act of 2018, as amended, including as amended by the California Privacy Rights Act of 2020, and any regulations promulgated thereunder.
      3. Data Breach” means “breach of the security of the system,” “security breach,” “breach of security,” “breach of system security,” and other analogous terms referenced in State Privacy Laws.
      4. Joint Processor” means a Processor engaged by one or more Controllers to Process Personal Data in a manner that requires combining Personal Data collected across such Businesses, such as for certain measurement activities or capping the frequency of ads shown to a Consumer across sites or services not owned or controlled by the same Business.
      5. Restricted Processing” means Processing only for Restricted Purposes.
      6. Restricted Processing Signal” means any flag or signal indicating that a Consumer has opted out of the Sale, Sharing, or Processing for purposes of Targeted Advertising of their Personal Data, including without limitation those flags or signals sent through the IAB CCPA Compliance Framework, Global Privacy Platform, or other signaling system agreed to by the Parties.
      7. Restricted Purposes” means advertising-related Processing that qualifies as a Business Purpose, including Processing for purposes of auditing; security and integrity; debugging; short term, transient uses; analytics; providing advertising or marketing services that do not include Cross-Contextual Behavioral Advertising, Targeted Advertising, or profiling; internal research; and efforts to improve quality and safety. Restricted Purposes includes first-party advertising, contextual advertising, frequency capping, measurement, fraud detection and prevention, and ensuring and measuring viewability, each only to the extent such activity (i) is permissible for a Processor to perform under the applicable State Privacy Laws; and (ii) does not result in a Sale or Sharing of Personal Data or constitute Processing of Personal Data for Targeted Advertising purposes.
      8. State Privacy Laws” means the CCPA, the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring of 2022, the Indiana Consumer Data Protection Act, the Iowa Act Relating to Consumer Data Protection of 2023, the Montana Consumer Data Privacy Act, the Tennessee Information Protection Act, the Utah Consumer Privacy Act of 2022, and the Virginia Consumer Data Protection Act, in each case as amended and including any regulations promulgated thereunder.
      9. Business,” “Business Purpose,” “Commercial Purpose,” “Consumer,” “Controller,” “Cross-Context Behavioral Advertising,” “Deidentified,” “De- identified Data,” “Personal Data,” “Personal Information,” “Process(-ing)” “Processor,” “Sale,” “Sell,” “Service Provider,” “Share,” “Targeted Advertising” and “Third Party” shall have the meanings ascribed to them in State Privacy Laws.
      10. References in this Addendum to “Controller,” “Personal Data,” and “Processor” include “Business,” “Personal Information,” and “Service Provider” respectively.
    3. ROLES. With respect to the Processing of Personal Data, each Party acts as a Controller, unless a Restricted Processing Signal is present, in which case Receiving Party acts as a Processor and Processes the Personal Data on behalf of Disclosing Party (which may operate as either the Controller or a Processor to another Controller). Where Disclosing Party, as a Processor on behalf of a Controller, provides Personal Data to Receiving Party, the Disclosing Party will ensure that the Controller on whose behalf it is providing Personal Data has agreed to the obligations set forth in Section 4 herein.
    4. MUTUAL PROCESSING OBLIGATIONS. Each Party will:
      1. Comply with its respective obligations under State Privacy Laws with respect to the Processing of Personal Data.
      2. Provide Consumers with a clear and conspicuous ability to opt out of the Sale, Sharing, or Processing of their Personal Data for purposes of Targeted Advertising, in compliance with State Privacy Laws. If a Consumer opts out, Disclosing Party will (i) not Process such Consumer’s Personal Data for Targeted Advertising purposes and (ii) will either (a) not disclose such Consumer’s Personal Data to any Third Party; or (b) transmit a Restricted Processing Signal in conjunction with any disclosures of such Consumer’s Personal Data to any Third Party.
      3. Not modify any Restricted Processing Signal received from a Disclosing Party.
      4. Transmit all Restricted Processing Signals received in conjunction with Personal Data to any recipients of such Personal Data.
      5. Comply with requirements set out in State Privacy Laws for processing Deidentified Data, including by:
        1. Not attempting to re-identify any such data;
        2. Using reasonable administrative, technical, and organizational measures to prevent any re-identification of any such data or any inadvertent release of any such data; and
        3. Publicly committing both to maintain and use the Deidentified Data in de- identified form and not to attempt to re-identify any such data.
      6. To the extent acting as a Disclosing Party:
        1. Provide all notices and obtain any consents required by State Privacy Laws necessary to permit each Party to Process Personal Data in accordance with this Addendum; and
        2. To the extent providing Personal Data originally collected by another Controller, (i) contractually obligate such Controller to provide all notices and obtain any consents required by State Privacy Laws necessary to permit each Party to Process Personal Data in accordance with this Addendum and (ii) take reasonable steps to ensure compliance with such contractual obligations.
      7. To the extent acting as a the Receiving Party, comply with:
        1. Section 5 (CCPA Third Party Terms) when Processing Personal Data subject to the CCPA and without a Restricted Processing Signal present.
        2. Section 6 (Processor Obligations), when Processing Personal Data received with a Restricted Processing Signal present.
    5. CCPA THIRD PARTY TERMS
      1. Applicability. This Section 5 (CCPA Third Party Terms) applies only when the Receiving Party Processes Personal Data from the Disclosing Party (i) that is subject to the CCPA; and (ii) no Restricted Processing Signal is present.
      2. Purpose Limitations. Disclosing Party makes Personal Data available to Receiving Party only for Advertising Purposes. Receiving Party will Process Personal Data only for such Advertising Purposes, and in accordance with its obligations and any restrictions in the Agreement.
      3. CCPA Compliance; Notification of Determination of Noncompliance. Receiving Party will comply with applicable obligations under the CCPA, including by providing an appropriate level of privacy protection as required by the CCPA, and will notify Disclosing Party without undue delay if Receiving Party determines it can no longer meet its obligations under the CCPA.
      4. Verification of CCPA Compliance. Upon Disclosing Party’s reasonable request, Receiving Party will provide the following to Disclosing Party to demonstrate Receiving Party’s Processing of Personal Data consistent with Disclosing Party’s obligations under the CCPA:
        1. A copy of a certificate issued for security verification reflecting the outcome of an audit conducted by an independent third-party auditor; or
        2. Any other information the Parties agree is reasonably necessary for Disclosing Party to verify Receiving Party’s Processing is consistent with Disclosing Party’s obligations under the CCPA, such as an attestation.
      5. Unauthorized Use Remediation. If Disclosing Party reasonably believes that Receiving Party is engaged in the unauthorized use of Personal Data provided by Disclosing Party, Disclosing Party may notify Receiving Party of such belief using the contact information provided in the Agreement, and the Parties will work together in good faith to stop or remediate the allegedly unauthorized use of such Personal Data, as necessary.
      6. Onward Disclosure Obligations. To the extent permitted by the Advertising Purposes and the Agreement, if Receiving Party makes an onward disclosure of Personal Data provided to it by Disclosing Party, including through any Sale or Sharing of the Personal Data, Receiving Party will impose terms that are substantially similar to the terms imposed on Receiving Party by Section 4 (Mutual Processing Obligations) and this Section 5 (CCPA Third Party Terms).
    6. Processor Obligations
      1. Applicability. This Section 6 (Processor Obligations) applies only to the extent Receiving Party Processes Personal Data with a Restricted Processing Signal present.
      2. Purpose Limitations. Receiving Party will Process Personal Data in accordance with its obligations in the Agreement and only for Restricted Purposes, as further described in Attachment 1. Receiving Party will not:
        1. Process Personal Data for Targeted Advertising purposes; or
        2. Sell or Share Personal Data.
      3. Assistance. Receiving Party will assist Disclosing Party, or the Controller on whose behalf Disclosing Party is acting, with State Privacy Laws compliance by:
        1. Assisting the Disclosing Party in responding to Consumer requests made pursuant to State Privacy Laws, provided that Disclosing Party must provide to Receiving Party all information necessary for it to provide such assistance or respond to a Consumer request when required by State Privacy Laws;
        2. Contributing to data protection impact assessments where required by State Privacy Laws;
        3. Offering reasonable notice and assistance to Disclosing Party in the event Receiving Party experiences a Data Breach, including to help Disclosing Party satisfy its Data Breach notification obligations under State Privacy Laws; and
        4. Implementing reasonable security procedures and practices appropriate to the nature of the Personal Data and designed to protect such Personal Data from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with State Privacy Laws.
      4. Confidentiality. Receiving Party will treat Personal Data from Disclosing Party as confidential and subject each person that Processes such Personal Data to an appropriate obligation of confidentiality.
      5. Further Disclosures. If Receiving Party further discloses Personal Data provided by Disclosing Party, Receiving Party will:
        1. Ensure it has in place a written agreement with any such recipient that obligates the recipient to comply with terms at least as protective as the terms set out in this Section 6 (Processor Obligations);
        2. Ensure any Restricted Processing Signal is transmitted with the Personal Data to the recipient; and
        3. To the extent required by State Privacy Laws, provide Disclosing Party notice of the planned transmission to any subcontractor and an opportunity to object.
      6. Deletion and Return of Personal Data. Upon the earlier of any request by Disclosing Party or without undue delay following termination of the Agreement, Data Recipient will delete, return, or de-identify in accordance with State Privacy Laws Personal Data provided to Receiving Party by Disclosing Party, unless retention of the Personal Data is required by applicable law.
      7. Audits. Upon Disclosing Party’s reasonable request, Receiving Party will provide the following to Disclosing Party to enable Disclosing Party to audit Receiving Party’s compliance with this Section 6 (Processor Obligations):
        1. A copy of a certificate issued within 12 months of the Disclosing Party’s Request reflecting the outcome of an audit conducted by an independent and qualified third-party auditor using an appropriate and accepted control standard or framework and audit procedure; or
        2. Any other information or attestation the Parties agree is reasonably necessary for Disclosing Party to verify that Receiving Party’s Processing is consistent with Disclosing Party’s obligations under the CCPA.
      8. Additional CCPA Processing Obligations. If Personal Data provided to Receiving Party by Disclosing Party is subject to the CCPA, in addition to the obligations set out in Sections 6.1 – 6.7 above, Receiving Party will:
        1. Not retain, use, or disclose the Personal Data outside of the direct business relationship with Disclosing Party or for any purpose, including Commercial Purposes, other than the Restricted Purposes, unless otherwise permitted by the CCPA.
        2. Upon notice from Disclosing Party of its reasonable belief that Receiving Party is Processing Personal Data in an unauthorized manner, cooperate with Disclosing Party in good faith to stop or remediate the allegedly unauthorized use of such Personal Data, as necessary, such as by providing documentation verifying certain practices.
        3. Notify the Disclosing Party without undue delay if Receiving Party determines it can no longer meet its obligations under the CCPA.
        4. Except to Process for the Restricted Purposes or as otherwise permitted by the CCPA, not combine the Personal Data provided to Receiving Party by Disclosing Party with Personal Data received from or on behalf of another person or source or that Receiving Party collects from its own interactions with Consumers. Notwithstanding the foregoing and to the extent permitted by the CCPA, Receiving Party may combine Personal Data from Disclosing Party with Personal Data provided to Receiving Party from an independent Business to the extent (i) Receiving Party is a Joint Processor to both Disclosing Party and the independent Business; and (ii) such independent Business has executed with Receiving Party terms substantially similar to the terms imposed on Receiving Party under this Section 6 (Processor Obligations).
    7. MISCELLANEOUS
      1. Conflicts. Except as provided in Section 5.2, if there is any inconsistency or conflict between this Addendum and the Agreement, then this Addendum will govern, regardless of whether any language in the Agreement purports to state that the Agreement is the controlling document. The provisions of this Addendum may not be amended, except by an agreement to specifically amend this Addendum in writing signed by the Parties.
      2. Amendment. If the NAI or PubMatic issues updates to its Template State Laws Processing Addendum (“Template”) to account for changes in State Privacy Laws, new laws related to privacy or data security, or changes in the legal landscape based on enforcement or guidance related to State Privacy Laws, the Parties agree such updates to the Template will apply to this Addendum automatically as of the date such updates take effect to the Template. Notwithstanding the foregoing, PubMatic shall not materially reduce its obligations hereunder.
      3. Survival. This Addendum will survive any expiration or termination of the Agreement.

ATTACHMENT 1: DESCRIPTION OF PROCESSING

Description of Processing

Nature and Purpose of Processing and Types of Personal Data Processed. To the extent such is set forth in the Agreement, including as may be identified in an applicable EU Data Processing Addendum, such purposes and types of Personal Data processed shall apply here. In the event such is not set forth in the Agreement then, to the extent applicable:

  1. If Disclosing Party is a channel partner or publisher, then the details set forth (a) in Annex A located at https://pubmatic.com/legal/publisher-data-processing-addendum/, as may be updated from time to time upon 30 days notice, are hereby incorporated by reference and conforming to (b) https://vendor-list.consensu.org/v2/vendor-list.json.
  2. If Receiving Party is a demand side partner, then the details set forth at Annex B located at https://pubmatic.com/legal/demand-partner-data-processing-addendum/, as may be updated from time to time upon 30 days notice, are hereby incorporated by reference.
  3. If Receiving Party is a business partner or vendor, then the details set forth at Annex 1 located at https://pubmatic.com/legal/service-provider-data-processing-addendum/, as may be updated from time to time upon 30 days notice, are hereby incorporated by reference.
  4. If Disclosing Party is a data provider of audience segments, then the details set forth at Appendix 1 and 2 located at https://pubmatic.com/legal/connect-data-protection-addendum/, as may be updated from time to time upon 30 days notice, are hereby incorporated by reference and conforming to (b) https://vendor-list.consensu.org/v2/vendor-list.json.
  5. If Receiving Party is a provider of identifiers, then the details set forth at Annex A located at https://pubmatic.com/legal/id-partner-data-protection-addendum/ , as may be updated from time to time upon 30 days notice, are hereby incorporated by reference and conforming to (b) https://vendor-list.consensu.org/v2/vendor-list.json.
  6. If Receiving Party is an advertiser or agency, then the details set forth at Annex B located at https://pubmatic.com/legal/demand-partner-data-processing-addendum/ , as may be updated from time to time upon 30 days notice, are hereby incorporated by reference.