CCPA ANNEX

Background

NuffSaid performs certain services on behalf of You, the Subscriber, in accordance with any/all agreements under which you and your affiliates process personal information on behalf of NuffSaid (“Agreements”). This may include the collection, use, retention, or disclosure of personal information to NuffSaid that is subject to the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199), and any related regulations or guidance provided by the California Attorney General (collectively the “CCPA”). The parties hereby agree to the following terms of this CCPA Annex (“Annex”) that set forth the manner in which NuffSaid may collect, use, retain, or disclose personal information.

Now, therefore, the parties agree as follows:

  1. Definitions. Any capitalized terms not defined herein shall have the meaning ascribed to them in the NuffSaid Terms of Use, the NuffSaid Privacy Policy or any applicable Agreement between You and NuffSaid. Additionally, the following definitions and rules of interpretation apply in this Annex.

    (a) “CCPA” means the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199), and any related regulations or guidance provided by the California Attorney General. Terms defined in the CCPA, including personal information and business purposes, carry the same meaning in this Annex.

    (b) “Contracted Business Purposes” means the services described in the Agreement for which NuffSaid receives or accesses personal information.

    (c) “Authorized Persons” means the persons or categories of persons that Subscriber authorizes to provide NuffSaid with personal information processing instructions.

  2. NuffSaid’s CCPA Obligations

    (a) NuffSaid will only collect, use, retain, or disclose personal information for the Contracted Business Purposes for which Subscriber provides or permits personal information access in accordance with Subscriber’s written instructions.

    (b) NuffSaid will not collect, use, retain, disclose, or otherwise make personal information available for NuffSaid’s own commercial purposes or in a way that does not comply with the CCPA. If a law requires NuffSaid to disclose personal information for a purpose unrelated to the Contracted Business Purpose, NuffSaid must first inform Subscriber of the legal requirement and give Subscriber an opportunity to object or challenge the requirement, unless the law prohibits such notice.

    (c) NuffSaid will limit personal information collection, use, retention, and disclosure to activities reasonably necessary and proportionate to achieve the Contracted Business Purposes or another compatible operational purpose.

    (d) NuffSaid must promptly comply with any Subscriber request or instruction from Authorized Persons requiring NuffSaid to provide, amend, transfer, or delete the personal information, or to stop, mitigate, or remedy any unauthorized processing.

    (e) If the Contracted Business Purposes require the collection of personal information from individuals on Subscriber’s behalf, NuffSaid will always provide a CCPA-compliant notice addressing use and collection methods that Subscriber specifically pre-approves in writing.

    (f) If the CCPA permits, NuffSaid may aggregate, deidentify, or anonymize personal information by acceptable methods, so it no longer meets the personal information definition, and may use such aggregated, deidentified, or anonymized data for its own research and development or other permitted purposes. NuffSaid will not attempt to or actually re-identify any previously aggregated, deidentified, or anonymized data and will contractually prohibit downstream data recipients from attempting to or actually re-identifying such data.

  3. Assistance with Subscriber’s CCPA Obligations

    (a) NuffSaid will reasonably cooperate and assist Subscriber with meeting Subscriber’s CCPA compliance obligations and responding to CCPA-related inquiries, including responding to verifiable consumer requests, taking into account the nature of NuffSaid’s processing and the information available to NuffSaid.

    (b) NuffSaid must notify Subscriber immediately if it receives any complaint, notice, or communication that directly or indirectly relates to either party’s compliance with the CCPA. Specifically, NuffSaid must notify Subscriber within five (5) working days if it receives a verifiable consumer request under the CCPA.

  4. Subcontracting

    (a) NuffSaid may use subcontractors to provide the Contracted Business Services as approved by Subscriber. Any subcontractor used must qualify as a NuffSaid under the CCPA and NuffSaid cannot make any disclosures to the subcontractor that the CCPA would treat as a sale.

    (b) For each subcontractor used, NuffSaid will give Subscriber an up-to-date list disclosing:

    i. The subcontractor’s name, address, and contact information.

    ii. The type of services provided by the subcontractor.

    iii. The personal information categories NuffSaid has disclosed (in the preceding 12 months) or intends to disclose to the subcontractor.

    (c) Any subcontractor used must enter into a data processing agreement with NuffSaid substantially similar to this Annex with terms at least as restrictive as those contained herein before NuffSaid may share any personal information relating to the Contracted Business Services with the subcontractor.

    (d) NuffSaid remains fully liable to Subscriber for the subcontractor’s performance of its agreement obligations.

    (e) Upon Subscriber’s written request, NuffSaid will audit a subcontractor’s compliance with its personal information obligations and provide Subscriber with the audit results.

  5. CCPA Representations and Warranties

    (a) Both parties will comply with all applicable requirements of the CCPA when collecting, using, retaining, or disclosing personal information.

    (b) NuffSaid certifies that it understands this Annex’s and the CCPA’s restrictions and prohibitions on selling personal information and retaining, using, or disclosing personal information outside of the parties’ direct business relationship, and it will comply with them.

    (c) NuffSaid warrants that it has no reason to believe any CCPA requirements or restrictions prevent it from providing any of the Contracted Business Purposes or otherwise performing under the Agreement. NuffSaid must promptly notify Subscriber of any changes to the CCPA’s requirements that may adversely affect its performance under the Agreement.