This Data Processing Addendum (this “Addendum”) by and between Customer and Amazon is effective as of the later of (a) the effective date of the Agreement (as defined below) between Amazon and Customer, and (b) the effective date of the earliest applicable U.S. Privacy Law (the “Addendum Effective Date”). This Addendum supplements the Amazon Publisher Services Agreement, as updated from time to time between Customer and Amazon, governing the processing of Customer Personal Data by Amazon in connection with its performance of advertising services (each, the “Agreement”). This Addendum automatically expires upon the termination of the Agreement. All capitalized terms will have the meaning given to them in Section 6 of this Addendum, and if not defined in Section 6, then as defined in the Agreement. “Customer” means the applicable entity or entities that enter into or are bound by the Agreement with Amazon.
Data Processing Instructions
- Amazon will act as processor in relation to Customer Personal Data and Customer will act as controller in relation to Customer Personal Data.
- Amazon will only process Customer Personal Data in accordance with the instructions agreed under the relevant Agreement, unless Customer’s instructions infringe the U.S. State Privacy Laws or other applicable law. Customer shall ensure that its instructions comply with all laws, rules and regulations applicable in relation to the Customer Personal Data, and that the processing of Customer Personal Data in accordance with Customer’s instructions will not cause Amazon to be in breach of the U.S. State Privacy Laws or other applicable law.
- The parties agree that the Agreement and this Addendum are Customer’s complete and documented instructions in relation to Customer Personal Data. Any additional instructions require prior written agreement between Amazon and Customer.
- The terms “processor”, “controller”, and “process” have the meanings ascribed to them under the applicable U.S. State Privacy Law; provided that, the term “processor” is in the case of Personal Data subject to the CCPA replaced with the term “service provider”, and the term “controller” is in the case of such Personal Data replaced with the term “business”, each as defined in the CCPA.
Customer's Obligations
Customer will comply with all laws and regulations applicable to it and binding on it in the performance of this Addendum, including the U.S. State Privacy Laws. Customer acknowledges and agrees that its obligations under the U.S. State Privacy Laws include, as applicable and without limitation, (i) having a lawful justification (legal basis) for processing Customer Personal Data, including for the purposes agreed under the Agreement; (ii) publishing (or ensuring the publication of) privacy notices informing and notifying end users about the processing of Customer Personal Data by Amazon; and (iii) implementing (or ensuring the implementation of) technical and organizational measures to protect Customer Personal Data against the risks that are presented by the processing of such Customer Personal Data, including the risk of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
Amazon's Obligations
Confidentiality. Amazon will treat all Customer Personal Data as confidential information, in accordance with its confidentiality undertakings to Customer in the Agreement or a separate non-disclosure agreement, as applicable. All Amazon personnel processing Customer Personal Data will be subject to a duty of confidentiality with respect to the Customer Personal Data.
Compliance with Law. Amazon will comply with the applicable U.S. State Privacy Laws in its processing of Customer Personal Data.
Technical and Organizational Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and limited purposes of the processing as set forth in the Agreement, Amazon will implement and maintain technical and organizational measures to protect Customer Personal Data against unauthorized or unlawful processing and against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data. These measures will be appropriate to the level of risk presented by the processing of Customer Personal Data on the rights of data subjects.
Sub-processing. Customer agrees that Amazon may use sub-processors to fulfill its contractual obligations under this Addendum or to provide certain services on its behalf. Amazon will enter into a written agreement with any such sub-processor and impose comparable obligations on the sub-processor as are imposed on Amazon under this Addendum. To the extent required under applicable U.S. State Privacy Laws, Customer may notify Amazon of Customer’s objection to the use of a certain sub-processor by Amazon for processing Customer Personal Data, in which case the Parties will discuss potential alternatives, and if they do not reach agreement on one, Amazon may terminate the applicable processing of Customer Personal Data and/or the relevant Agreement in whole or in part, without any liability or further obligation to Customer.
Deletion of Customer Personal Data. Upon the earlier to occur of the termination or expiry of the Agreement or at Customer’s request, Amazon will as soon as reasonably practicable delete all Customer Personal Data from Amazon’s systems, unless applicable law requires or the Agreement permits Amazon to store copies of Customer Personal Data.
Controller Review
- Customer may request information regarding Amazon’s controls relating to Customer Personal Data, to the extent required by applicable U.S. State Privacy Laws to reasonably verify Amazon’s compliance with its obligations under this Addendum, and only in relation to Customer Personal Data. Customer is not entitled to receive (i) information about any data other than Customer Personal Data or any system, hardware, software, technology, know-how, program, process, or policy that does not involve Customer Personal Data; (ii) any data the disclosure of which could compromise security of Amazon’s systems, or cause Amazon to breach its obligations under the U.S. State Privacy Laws or other applicable laws and regulations, or its privacy and security commitments to other parties; or (iii) any data that would reveal any of Amazon’s proprietary information.
- Amazon may make available to Customer document(s) evidencing an audit or review performed, or certification awarded, by an independent institution (e.g., accounting auditor, controller, internal or external data protection officer, IT security department, privacy auditor, quality auditor) (the “Report”), in which case Customer may exercise its review right under this Addendum by review of such a Report. The Report will constitute Amazon’s confidential information, subject to the confidentiality provisions of the Agreement or an NDA, as applicable.
Additional CCPA Provisions.
To the extent Amazon acts as a service provider to Customer for the processing of the Customer Personal Data subject to the CCPA:
The parties acknowledge that Customer is disclosing the Customer Personal Data to Amazon only for the limited and specified business purposes set forth in the Agreement, and Amazon will not retain, use, or disclose the Customer Personal Data for any purpose, including any commercial purpose, other than for such purposes, or as otherwise permitted by the CCPA.
Amazon will:
- not “sell” or “share” (as each is defined in the CCPA) the Customer Personal Data;
- not combine the Customer Personal Data with Personal Data that Amazon receives from, or on behalf of, another person or persons, or collects from its own interaction with consumers, except to perform the business purpose(s) as set forth in the applicable Agreement or as otherwise permitted by the CCPA;
- provide the level of privacy protection for the Customer Personal Data that is required of the Customer by the CCPA;
- notify Customer if Amazon determines it can no longer meet its obligations under the CCPA, in which case Customer maintains the right to order Amazon to suspend or discontinue the applicable processing of the Customer Personal Data, to the extent necessary to stop or remediate unauthorized use of Customer Personal Data; and
- Customer will notify Amazon of any data subject request regarding Customer Personal Data that a data subject is entitled to make pursuant to the CCPA, and Customer will provide the information that would be necessary for Amazon to comply with the request or to assist Customer with complying with the request (which may, for the avoidance of doubt, be accomplished by providing applicable self-service functionality to Customer).
- In case Amazon receives any data subject request regarding Customer Personal Data from a data subject, Amazon may, at its election, (x) request direction for how to handle the Customer Personal Data request from Customer; or (y) inform the data subject that Amazon as a service provider cannot act upon the request, and Amazon may, at its election, direct the data subject to Customer instead.
All capitalized terms will have the meaning given to them in Section 6 of this Addendum, and if not defined in Section 6, then as defined in the Agreement:
“Amazon Data” means Personal Data that is (i) any unique identifier generated by Amazon or its Affiliates representing a unique user of the Sites; (ii) pre-existing Amazon data used by Amazon or its Affiliates pursuant to an applicable campaign; or (iii) any unique referral tags or URLs generated by Amazon or its Affiliates.
“CCPA” means the California Consumer Privacy Act of 2018, as may be amended from time to time, including by the California Privacy Rights Act of 2020, and any implementation or successor thereof, including any rules and regulations promulgated thereunder.
“Covered Product” means a product or service, each as described in the Agreement, for which Amazon acts as data processor under this Addendum, for example, relevant services under Transparent Ad Marketplace, Unified Ad Marketplace, Publisher Audiences, or Connections Marketplace.
“CPA” means the Colorado Privacy Act, as may be amended from time to time, and any implementation or successor thereof, including any rules and regulations promulgated thereunder.
“CTDPA” means the Connecticut Data Privacy Act, as may be amended from time to time, and any implementation or successor thereof, including any rules and regulations promulgated thereunder.
“Customer Personal Data” means Personal Data processed by Amazon on behalf of Customer as part of the Covered Products as specified in the Agreement. Customer Personal Data excludes Amazon Data and Performance Data.
“Personal Data” has the meaning given to it under: (i) CCPA for the term “personal information” or (ii) CPA, CTDPA, and VCDPA for the term “personal data”, when and as those laws are applicable.
“VCDPA” means the Virginia Consumer Data Protection Act, as may be amended from time to time, and any implementation or successor thereof, including any rules and regulations promulgated thereunder.