DPA (CCPA)

Effective date: April 4, 2023

This CCPA Data Processing Addendum (the “Addendum”) reflects the requirements of Section 1798.100 et seq. of the California Civil Code and any attendant regulations issued thereunder as may be amended from time to time, including but not limited to the California Privacy Rights Act of 2020 (the “CPRA”) and its implementing regulations (collectively referred to as the “California Consumer Privacy Act” or “CCPA”). This Addendum makes clear that FingerprintJS is acting as a Service Provider for CCPA purposes.

This Addendum is an addendum to the Customer Terms of Service or other electronic or mutually executed written agreement between FingerprintJS Inc. (“FingerprintJS”) and Customer (each a “Party”; collectively the “Parties”) that references it (“Agreement”) and is in effect for so long as FingerprintJS processes Personal Information (as defined in and to the extent protected by the CCPA) provided by Customer or which is collected on behalf of Customer by FingerprintJS (hereinafter, the “Personal Information”). This Addendum shall only apply and bind the Parties if and to the extent Customer is a Business under the CCPA. This Addendum prevails over any conflicting terms of the Agreement, but does not otherwise modify the Agreement. Customer enters into this Addendum on behalf of itself and, to the extent required under the CCPA, in the name and on behalf of its Authorized Affiliates (defined below).

The parties agree as follows:

1. Definitions. All capitalized terms not defined in this Addendum shall have the meanings set forth in the CCPA.

1.1. “Affiliate” means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.

1.2. “Authorized Affiliate” means any of Customer’s Affiliate(s) permitted to or otherwise receiving the benefit of the Services pursuant to the Agreement.

1.3 “Control” or “Controlled” means the possession, directly or indirectly, of the power to direct or cause the direction of management and policies of an entity, whether through the ability to exercise voting power, by contract or otherwise.

1.4 “Customer” shall have the meaning ascribed to it in the Agreement.

1.5 “Service” shall have the meaning ascribed to it in the Agreement.

2. Scope and Applicability of this Addendum

2.1. This Addendum applies to the collection, retention, use, and disclosure of the Personal Information within the scope of CCPA to perform the specific Business Purpose of providing the Service to Customer pursuant to the Agreement.

2.2. Customer is a Business and appoints FingerprintJS as a Service Provider to process the Personal Information on behalf of Customer.

3. CCPA Requirements

3.1. Personal Information is disclosed by Customer only for limited and specified Business Purposes as set forth in the Agreement. Each party agrees to comply with applicable obligations under CCPA, including with respect to the Personal Information Collected pursuant to the Agreement, and shall provide the same level of privacy protection to Personal Information as required by CCPA. Customer represents and warrants that it has provided notice to Consumers, as required under the CCPA for a Business, that the Personal Information is being used or shared as set forth in the Agreement.

3.2 Customer shall have the right to take reasonable and appropriate steps to help ensure that FingerprintJS uses the Personal Information Collected pursuant to the Agreement in a manner consistent with its obligations under CCPA.

3.3 FingerprintJS shall not Sell or Share Personal Information it Collects pursuant to the Agreement.

3.4 FingerprintJS agrees not to retain, use or disclose Personal Information Collected pursuant to the Agreement (a) for any purpose or commercial purpose other than the Business Purpose(s) specified in the Agreement or as otherwise permitted by the CCPA, or (b) outside the direct business relationship between FingerprintJS and Customer, unless expressly permitted by the CCPA. Without limiting the foregoing, FingerprintJS may retain, use or disclose Personal Information (i) to retain and employ another Service Provider as a subcontractor, where the subcontractor meets the requirements for a Service Provider under the CCPA and applicable regulations, (ii) for internal use by FingerprintJS to build or improve the quality of its services it is providing to Customer, even if this Business Purpose is not specified in the Agreement, provided that FingerprintJS does not use the Personal Information to perform services on behalf of another person, (iii) to prevent, detect, or investigate data security incidents or protect against malicious, deceptive, fraudulent or illegal activity, even if this Business Purpose is not specified in the Agreement or (iv) for the purposes enumerated in California Civil Code section 1798.145, subdivisions (a)(1) through (a)(7).

3.5 FingerprintJS shall notify Customer if it makes a determination that it can no longer meet its obligations under CCPA. Upon such notice, Customer may take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information.

3.6. If FingerprintJS receives a request made pursuant to the CCPA directly from a Consumer with respect to Personal Information, then FingerprintJS shall either act on behalf of Customer or in accordance with Customer’s instructions in responding to the request or inform the Consumer that the request cannot be acted upon because the request has been sent to a Service Provider. FingerprintJS is not required to comply with a request submitted by the Consumer directly to FingerprintJS to the extent FingerprintJS has collected, used, processed or retained the Personal Information in its role as a Service Provider to the Business.

3.7 FingerprintJS shall provide reasonable assistance to Customer in facilitating compliance with verifiable Consumer rights requests, including but not limited to providing the Business the Consumer’s Personal Information in FingerprintJS’ possession, which FingerprintJS obtained as a result of providing the Service to Customer, and by correcting inaccurate information, or by enabling Customer to do the same. In the event FingerprintJS has collected Personal Information pursuant to a written contract with Customer, FingerprintJS shall assist Customer through appropriate technical and organizational measures complying with the requirements of subdivisions (d) through (f) of Cal. Civ. Code 1798.100, taking into account the nature of the processing.

3.8. Upon written request by Customer, FingerprintJS shall delete (or enable Customer to delete) the Personal Information and shall notify any Service Providers, Contractors or Third Parties who may have accessed such Personal Information from or through FingerprintJS (unless the information was accessed at the direction of the Business) to delete the Personal Information, unless this proves impossible or involves disproportionate effort.

3.9 FingerprintJS shall not be required to delete any of the Personal Information to comply with a Consumer’s request if it is necessary to maintain such information in accordance with Cal. Civ. Code 1798.105(d), in which case FingerprintJS shall upon request inform Customer of the exceptions relied upon under 1798.105(d) and FingerprintJS shall not use the Personal Information retained for any other purpose than provided for by that exception.

3.10 Nothing in this Addendum shall be construed to require either party to (a) reidentify or link any information that, in the ordinary course of business, is not maintained in a manner that would be considered Personal Information, (b) retain any Personal Information about a Consumer if, in the ordinary course of business, that information about the Consumer would not be retained, and (c) maintain information in identifiable, linkable or associable form, or collect, obtain, retain or access any data or technology, in order to be capable of linking or associating a verifiable Consumer request with Personal Information.