US Privacy Laws 2023 - Loqate (Third party & service provider)
United States of America (Service Provider and Third Parties)
The following terms apply when a Customer is subject to US Data Protection Laws when sending Customer Data or receiving Results from a GBG Entity. These Local Laws are supplementary to the General Terms agreed by the Parties and referenced in the Order Form and shall together with the Product Terms apply to the provision of the Service purchased by the Customer Entity from the GBG Entity. Where there is a conflict between the General Terms and these Local Laws, these Local Laws shall take precedence.
1 DEFINITIONS
1.1 In these Local Laws, the following definitions shall apply in addition to the definitions set out in the General Terms and Product Terms unless the context expressly states otherwise:
“Agreement” means any written contract currently in effect between the Customer and GBG Entity, including any order forms, schedules, other amendments, or any other binding written documents.
“Applicable US Data Protection Laws” means the California Consumer Privacy Act of 2018 and its corresponding regulations (“CCPA”) and the California Privacy Rights Act and its corresponding regulations, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, Utah’s Consumer Privacy Act, the Connecticut Data Privacy Act, and any other U.S. federal, state, or local data protection and privacy laws, regulations, or guidance, as amended from time to time, that are applicable in relation to the processing of personal information under the Agreement.
“collects,” “consumer,” “processes,” “personal information”, and any other terms not defined hereunder, but which are defined under Applicable US Data Protection Laws, shall have the definition allocated to that term under the relevant Applicable US Data Protection Laws.
“CPRA” means the CCPA, as amended by the California Privacy Rights Act, and its corresponding regulations, as amended from time to time.
“Customer Personal Information” means the personal information provided by the Customer to GBG, or which GBG collected on Customer’s behalf to perform the service(s) for Customer under the Agreement.
2 CPRA Service Provider Agreement Requirements.
2.1 The terms set out in this Section 2 shall apply to: (1) all processing conducted under any of our products where you have not agreed to allow GBG to derive data or train its artificial intelligence engines, and (2) any processing we conduct when we support any products we provide to you, such as when we provide customer support.
2.2 Service Provider Obligations. GBG Entity agrees:
(a) it shall not sell or share any Customer Personal Information that it collects pursuant to the Agreement;
(b) it is processing the Customer Personal Information pursuant to the Agreement, and the Customer is disclosing the Customer Personal Information to GBG Entity only for the following limited and specified Business Purpose(s) listed in Subsection (c) below;
(c) the specific Business Purpose for which GBG Entity is processing Customer Personal Information pursuant to the written Agreement with Customer is to perform services on behalf of the Customer by verifying Customer’s consumers’ information, provide customer support, as further detailed in the Agreement and in accordance with the CPRA (the “Business Purposes”). GBG Entity shall not retain, use, or disclose any Customer Personal Information that it collected pursuant to the Agreement for any purpose other than Business Purpose(s), or as otherwise permitted by the CPRA;
(d) it shall not retain, use, or disclose the Customer Personal Information that it collected pursuant to the Agreement for any purpose other than the Business Purposes, unless expressly permitted by the CPRA;
(e) it shall not retain, use, or disclose the Customer Personal Information that it collected pursuant to the Agreement for any commercial purpose other than the Business Purpose, outside the direct business relationship between the GBG Entity and the Customer, unless expressly permitted by the CPRA;
(f) it shall not retain, use or disclose the Customer Personal Information that it collected pursuant to the Agreement outside of the direct business relationship between the Customer and GBG Entity, unless expressly permitted by the CPRA;
(g) it shall comply with all applicable sections of the CPRA, including – with respect to the Customer Personal Information it collected pursuant to the Agreement—providing the same level of privacy protection as required of businesses by the CPRA. This includes using reasonable commercial efforts to cooperate with the Customer in responding to and complying with consumers’ requests made to Customer in relation to GBG Entity’s processing under the Agreement pursuant to the CPRA, and implementing reasonable security procedures and practices appropriate to the nature of the Customer Personal Information to protect it from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with the CPRA;
(h) it grants the Customer the right to take reasonable and appropriate steps to ensure that GBG Entity uses the Customer Personal Information that it collected pursuant to the Agreement in a manner consistent with the Customer’s obligations under the CPRA, at Customer’s cost. This may include ongoing manual reviews of GBG Entity’s system and regular internal or third-party assessments, audits, or other technical and operational testing once every twelve (12) months, with twenty-eight (28) days advance notice, in accordance with any audit clauses set out in the Agreement;
(i) it shall notify the Customer after it makes a determination that it can no longer meet its obligations under the CPRA;
(j) it grants the Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate GBG Entity’s unauthorized use of Customer Personal Information.
2.3 CPRA Subcontractors. If GBG Entity subcontracts with another person in providing services to Customer, GBG Entity shall have a contract with the subcontractor that complies with the CPRA.
2.4 California Consumer Requests.
(a) If GBG Entity receives a request made pursuant to the CPRA directly from a Consumer in regards to any processing it is conducting as a service provider, GBG Entity shall inform the Consumer that the request cannot be acted upon because the request has been sent to a service provider.
(b) GBG Entity shall enable the Customer to comply with consumer requests made pursuant to the CPRA.
3 Additional State Requirements for Processors.
3.1 The terms set out in this Section 3 shall apply to: (1) all processing conducted under any of our products where you have not agreed to allow GBG to derive data or train its artificial intelligence engines, and (2) any processing we conduct when we support any products we provide to you, such as when we provide customer support.
3.2 Scope of Processing. The parties agree that:
(a) GBG Entity shall be bound to the processing instructions, requirements, and limitations set out in the Agreement;
(b) the nature and purpose of the processing are as set out in the Agreement;
(c) the duration of the processing shall last throughout the duration in which the Agreement is in effect;
(d) the rights and obligations of both parties are set out in the Agreement;
(e) the types of personal data which are subject to GBG Entity processing depends on the product(s) you contracted to take from us under your Agreement, and may be as follows, respectively:
| Product | Consumer Personal Information Processed under the relevant Product |
| --- | --- |
| Verify | IP address, Postal Address, Geocode (only at your affirmative opt-in) |
| Capture | IP address, Postal address, and Geolocation (only at your affirmative opt-in) |
| Data Maintenance | May include the following (as set out in your order form): name, address, email, phone number |
| Phone/Email Validation Services | May include the following (as set out in your order form): phone number, email |
3.3 GBG Obligations. GBG Entity shall, in accordance with Applicable US Data Protection Laws:
(a) Adhere to Customer’s instructions.
(b) Assist Customer to meet its obligations under Applicable US Data Protection Laws. Therefore, GBG Entity shall, taking into account the nature of the processing and information available to the GBG Entity and in accordance with its obligations under Applicable US Data Protection Laws, assist the Customer by:
- taking appropriate technical and organizational measures, insofar as reasonably practicable;
- aiding in the fulfilment of the Customer’s obligation to respond to consumer requests to exercise their rights, insofar as such obligations are related to GBG Entity’s processing of the Customer Personal Information under the Agreement;
- helping to meet the Customer’s obligations in relation to the security of processing the Customer Personal Information and in relation to the notification of a breach of the security system;
- providing information to the Customer necessary to enable the Customer to conduct and document any data protection assessments required from Customer under Applicable US Data Protection Laws, but GBG Entity shall only be responsible for the measures that are allocated to it; and
- Notwithstanding the instructions of the Customer, GBG Entity shall ensure that each person processing the Customer Personal Information is subject to a duty of confidentiality with respect to the Customer Personal Data.
3.4 Subcontractors. GBG shall engage a subcontractor only after providing the Customer with an opportunity to object within thirty (30) days of notification to legal@gbgplc.com and pursuant to a written contract, which requires the subcontractor to meet the obligations of the GBG Entity with respect to the Customer Personal Information. If Customer does not provide such written objection within thirty (30) days of the notification date, then Customer shall be deemed to have approved the new subcontractor if it continues to utilize the relevant GBG Service. The subcontractors that will serve as sub-processors under the Agreement are set out in the following link: https://www.gbgplc.com/en/legal-and-regulatory/loqate-authorised-subprocessor-list/, and are hereby deemed to be approved by the Customer. Customer acknowledges and understands that GBG Entity is not providing a bespoke service to Customer and GBG Entity may be unable to accommodate Customer requests in regards to specific subcontractors. Thus, if Customer objects to any subcontractor it shall have the right to terminate this Agreement within thirty (30) days of notice to GBG Entity.
3.5 Data Security. GBG Entity and Customer shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement the measures.
3.6 GBG’s Obligations at Termination or Expiration of the Agreement.
(a) At the Customer’s selection, GBG Entity shall delete or return all Customer Personal Information at the end of the provision of the services, unless retention is required by applicable law. However, Customer agrees that GBG Entity may instead delete the Customer Personal Information if returning it is commercially unreasonable.
3.7 Customer Reviews and Audit. GBG Entity shall:
(a) make available to Customer all information necessary to demonstrate compliance with its obligations under Applicable US Data Protection Laws.
(b) allow for and contribute to reasonable audits and inspections by the Customer or Customer’s designated auditor, as further detailed in the Agreement. Alternatively, Customer consents that GBG Entity may, at its discretion, arrange for a qualified and independent auditor to conduct, annually, and at GBG Entity’s expense, an audit of GBG Entity’s policies and technical and organizational measures in support of its obligations under Applicable US Data Protection Laws using an appropriate and accepted control standard or framework and audit procedure for the audits, as applicable. GBG Entity shall provide a report of the audit to Customer on request.
4 CPRA Third Party Contract Requirements (Sale of Data)
4.1 The terms set out in this Section 4 shall only apply in regards to products where you have agreed to allow GBG to derive data or train its artificial intelligence engines. For the avoidance of doubt, these Section 4 terms do not apply to any processing we conduct when we support any products we provide to you, such as when we provide customer support, which would be governed under Sections 2 and 3 above. Customer understands and acknowledges that such processing of the Customer Personal Information may be construed as a sale of Customer Personal Information to GBG Entity.
4.2 The limited and specified purpose(s) for which the Customer Personal Information is made available to the GBG Entity under the Agreement is to perform services on behalf of the Customer by verifying Customer’s consumers’ information, as further detailed in the Agreement and in accordance with the CPRA. However, the performance of such services includes retaining, utilizing, and disclosing the Customer Personal Information so that GBG Entity and its affiliates may train their artificial intelligence engines and to derive additional data for product development and improvement (for example, faster detection rates and address syntax in geographical locations) and/or the use of de-identified Customer Personal Information with other third party data to generate fraud risk scores and/or create fraud alerts, each of which may be outside of the direct business relationship with the Customer. GBG Entity shall not use the Customer Personal Information for automated decision-making, including profiling, that could produce legal effects or have any similar effects on data subjects.
4.3 Customer is making the Customer Personal Information available to the GBG Entity only for the limited and specified purposes set forth above and within the Agreement and requires the GBG Entity to use it only for those limited and specified purposes.
4.4 GBG Entity must comply with all applicable sections of the CPRA, including—with respect to the Customer Personal Information that the Customer makes available to the GBG Entity—providing the same level of privacy protection as required of businesses by the CPRA.
4.5 GBG Entity grants the Customer the right—with respect to the Customer Personal Information that the Customer makes available to the GBG Entity—to take reasonable and appropriate steps to ensure that GBG Entity uses it in a manner consistent with the Customer’s obligations under the CPRA.
4.6 GBG Entity grants the Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Information made available to the GBG Entity.
4.7 The GBG Entity shall notify the Customer after it makes a determination that it can no longer meet its obligations under the CPRA.
5 Miscellaneous
5.1 Additional US Data Protection Laws.
(a) In the event that additional applicable privacy laws are enacted, the Parties shall in good faith negotiate any additional terms that may be required thereunder.
(b) In the event the California Privacy Protection Agency makes any edits to the latest version of the CPRA regulations that are not substantive, those edits will be deemed to be incorporated herein verbatim via reference.
5.2 Applicability; Order of Precedence. The terms set out throughout this Amendment shall only apply to Customer Personal Information that is subject to the Applicable US Data Protection Laws. In the event of any conflict between the terms set out in this Amendment and those set out in the Agreement, the parties shall use good faith to interpret conflicting terms in a consistent manner. In the event of an irreconcilable conflict, the terms shall be afforded the following order of precedence: 1) this Amendment; 2) the Agreement. For the avoidance of doubt, any additional data security measures or data protection terms that were contracted into in the Agreement will not be deemed to be in conflict with this Amendment and shall continue to remain in effect throughout the Agreement term.