Data Processing Addendum for Third Parties
This Data Processing Addendum (“DPA”) is incorporated into and supplements the applicable agreement (“Agreement”) between VIZIO Services, LLC (“VIZIO”) and the company accessing VIZIO’s Data under the Agreement (the “Company”). This DPA will apply to govern the processing of Data provided under the Agreement and is intended to satisfy legal requirements under Applicable Law.
1. Definitions
Capitalized terms not defined in this DPA will have the meanings given to them in the Agreement.
1.1. “Applicable Law” means all applicable federal, state and local laws, rules, regulations and judicial and administrative decisions relating to Personal Information and privacy. Applicable Law includes, but is not limited to: (i) the California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act of 2020 (“CPRA”); (ii) the Virginia Consumer Data Protection Act of 2021, Va. Code Ann. § 59.1-571 to -581; (iii) the Colorado Privacy Act of 2021, Co. Rev. Stat. § 6-1-1301 et seq.; (iv) Connecticut Public Act No. 22-15, “An Act Concerning Personal Data Privacy and Online Monitoring”; (v) the Utah Consumer Privacy Act of 2022, Utah Code Ann. § 13-61-101 et seq.; and (vi) all other equivalent laws and regulations in any relevant jurisdiction relating to Personal Information and privacy, and as each may be amended, extended or re-enacted from time to time. Compliance with Applicable Law means compliance in a manner that meets or exceeds the requirements for each Applicable Law.
1.2. “Agreement Purpose” or “Purpose” means the sale or sharing of Data with Company pursuant to the parties’ Agreement for advertising services, use cases, or campaigns as further defined in one or more statements of work, Use Case Addenda, or the like.
1.3. “Data” means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, as well as any personal information specified under Applicable Law. Solely for purposes of this DPA, and notwithstanding any provision in the Agreement to the contrary, Data specifically includes any unique identifier or online identifier, such as IP addresses, to the extent such identifier can reasonably be linked to a particular person or household.
1..4. “Data Breach” means any unauthorized or illegal access, destruction, use, modification, or disclosure of Data that would constitute a data breach under Applicable Law, including any attempt to re-identify or de-anonymize the Data or otherwise associate the Data with personal information.
2. Integration with Agreement
The terms of this DPA will supplement and amend the provisions relevant to the representations, warranties, and data privacy, data security, and confidentiality terms of the Agreement. In the event of a conflict between the terms of the DPA and the Agreement, the terms of the DPA will prevail unless this DPA specifically states otherwise.
3. Compliance with Applicable Law; Modifications to DPA
Company represents and warrants that it understands and will comply with the requirements of this DPA and Applicable Law in its collection, storage, disclosure, use, or sharing of Data.
VIZIO may change the terms and conditions of this DPA from time to time (“Modifications”) in its discretion to maintain compliance with Applicable Law, provided that VIZIO will give Company notice of the Modifications by posting an updated version of the DPA online or emailing Company. The Modifications will be effective as of the date VIZIO posts them or otherwise notifies Company of them, unless VIZIO specifies a different effective date when it makes the Modifications. Company is responsible for checking for updates to the DPA. By continuing to access or use VIZIO’s Data, Company agrees to be bound by such Modifications.
4. Purpose Limitation
Company will limit its use, retention, or disclosure of the Data solely as necessary and proportionate to fulfill the Purpose specified in the Agreement and within the scope of the direct business relationship between the parties as described in the Agreement. Company will not sell, share, or combine the Data except as specifically permitted in the Agreement.
5. Data Security
Company will implement reasonable legal, administrative, technical, and physical measures to safeguard the confidentiality and security of the Data and protect it from a Data Breach. This Section will not reduce or limit any other data security procedures or practices otherwise set forth in the Agreement.
6. Opt-outs and Deletion Requests
6.1. Company will cooperate with VIZIO in responding to consumer rights requests made pursuant to Applicable Law. Such requests may include, but are not limited to, requests to opt out of the sale or sharing of personal information by deleting Data associated with a VIZIO device or requests to delete Data to the extent such data is associated with an individual consumer. Company will cooperate with VIZIO’s instructions for such consumer rights requests in the time required by Applicable Law.
6.2. If Company claims that complying fully with its deletion obligations under this section would require disproportionate effort or would be impossible, then Company may be excused from complying to that extent, provided however that in such case Company will (a) provide written notice to VIZIO within 10 days of receiving the request, (b) provide VIZIO with a written statement for VIZIO to give to the consumer containing reasonable detail explaining how compliance would be impossible or require disproportionate effort.
7. Reasonable Steps to Ensure Compliance; Rights to Information; Remediation
7.1. Company will cooperate with VIZIO’s taking reasonable and appropriate steps to ensure that Company uses Data in a manner consistent with Company’s obligations under Applicable Law, including but not limited to reviews, assessment, testing, or other similar requests for information as the parties may agree to.
7.2. Company will promptly notify VIZIO if it determines it can no longer meet the requirements of the Agreement or Applicable Law.
7.3. Company will cooperate with VIZIO in taking reasonable and appropriate steps to stop and remediate unauthorized use of Data.
7.4. The provisions in this Section will not reduce or limit any rights of VIZIO in the Agreement, including with respect to enforcing use restrictions, auditing, or remediating data breach.
8. Subcontracting
To the extent permitted under the Agreement, if Company engages any other party to assist in processing Data, then Company will promptly provide written notice to VIZIO (without prejudice to any approval rights VIZIO may have under the Agreement); and Company will enter into a written agreement binding such party to data privacy and data security requirements no less stringent than required under this DPA and the Agreement.
9. No Other Amendments
9.1. Except as specifically modified herein, all of the other terms and conditions of the Agreement are hereby ratified and remain in full force and effect in accordance with their terms. Any reference to the Agreement will be deemed to refer to the Agreement as amended by this DPA.