Front and California Privacy Regulation
CCPA and CPRA
California, U.S.: California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
What are the CCPA and CPRA?
The California Consumer Privacy Act (CCPA) is one of the most comprehensive privacy laws in the U.S. and introduced significant compliance requirements for organizations. In particular, the CCPA established a new set of consumer rights, additional protections for children’s data, and specific rules on the selling of personal information.
However, the framework provided by the current version of the CCPA is set to change following the passing of the California Privacy Rights Act of 2020 (CPRA) on November 3, 2020. The CPRA stipulates several amendments to the CCPA, including new consumer rights, provisions for a state privacy authority, and further obligations relating to children’s data. Although the CPRA will not become operative until January 1, 2023, many of its provisions will be applicable to personal information collected from January 1, 2022.
The following provisions will become part of the existing agreement between Customers and FrontApp, Inc., a company incorporated in Delaware, and its worldwide affiliates and subsidiaries (collectively, “Front”), for the provision of Front’s Services (“Agreement”). These provisions shall be effective on January 1, 2023 (the “Effective Date”). As of the Addendum Effective Date, the provisions shall be incorporated by reference into the Agreement whether such agreement is online or in a written agreement executed in counterparts with Front. All capitalized terms used herein but not defined shall have the meaning set forth in the Agreement. To the extent of any conflict or inconsistency between these provisions and the terms of the Agreement related to data protection, these provisions will govern.
1. Data Protection
1.1 Service provider appointment. Customer is a Business and appoints Front as its Service Provider to Collect and process the Personal Data for the Business Purpose. Front is responsible for its compliance with its obligations under this Addendum and for compliance with its obligations as a Service Provider under Applicable Data Protection Laws and the Agreement. Customer is responsible for compliance with its own obligations as a Business under Applicable Data Protection Laws and the Agreement and shall ensure that it has provided notice and has obtained (or shall obtain) all consents and rights necessary under Applicable Data Protection Laws for Front to Collect and process the Personal Data for the Business Purpose.
1.2 Business purpose. Front shall only Collect and process Personal Data as a Service Provider upon lawful documented instructions from Customer, including those in the Agreement, this Addendum, and Customer’s configuration of the Services or as otherwise necessary to provide the Services (the “Business Purpose”). Front must not process the Personal Data for any purpose other than for the Business Purpose, except where and to the extent permitted by Applicable Data Protection Laws.
1.3 Service provider certification. Front shall not: (a) Sell the Personal Data; (b) retain, use, or disclose the Personal Data for any purpose other than for the Business Purpose, including to retain, use, or disclose the Personal Data for a commercial purpose other than providing its Services under the Agreement; (c) retain, use, or disclose the Personal Data outside of the direct business relationship between Front and Customer; (d) process Personal Data for targeted and/or cross context behavioral advertising; (e) combine Personal Data with any other data if and to the extent this would be inconsistent with the limitations on Service Providers under Applicable Data Protection Laws. Front certifies that it understands the restrictions set out in this Section 1.3 and will comply with them.
1.4 Consumer’s rights. Front will, upon Customer’s instructions and at Customer’s expense: (a) use reasonable efforts to assist Customer in deleting Personal Data in accordance with a Consumer’s request (and shall instruct any service providers it has appointed to do the same) except where and to the extent permitted to retain the Personal Data pursuant to an exemption under Applicable Data Protection Laws; and (b) use reasonable efforts to assist Customer in responding to verified Consumer requests received by Customer to provide information as it relates to the Collection of Personal Data for the Business Purpose. Customer must provide the information necessary for Front to comply with a Consumer’s request. Upon Customer’s request Front will provide documentation verifying that Front no longer processes Customer Data of individuals who have made a valid Data Subject Request to delete their Personal Data.
1.5 Assistance. Front will, upon Customer’s instruction and upon proof of such a communication, provide reasonable assistance to Customer to enable Customer to respond to any correspondence, enquiry or complaint received from a Consumer or the California Attorney General in connection with the Collection and processing of the Personal Data.
Front shall implement and maintain reasonable security procedures and practices appropriate to the nature of the Personal Data it will process to protect the Personal Data from and against a Personal Data Breach in line with the Front Technical and Organizational Security Measures as set forth in the Data Processing Addendum. Upon Customer’s request, and subject to the confidentiality obligations set forth in the Agreement, Front will provide its System and Organization Controls (SOC) 2, Type II Report so that Customer can reasonably verify Front’s compliance with its obligations under Applicable Data Protection Laws.
3. Personal Data Breach
In the case of a Personal Data Breach, Front shall notify Customer in accordance with the Data Processing Addendum.
4. Return or Deletion of Customer Data
Front will comply with its Data Processing Addendum with respect to the return or destruction of Customer Data.
5.1 Any claims brought under or in connection with this Addendum shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
5.2 No one other than a Party to this Addendum, its successors and permitted assignees shall have any right to enforce any of the terms herein.
5.3 This Addendum shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Laws.
5.4 This Addendum shall terminate simultaneously and automatically with the termination or expiration of the Agreement.
5.5 Both Parties agree that this Addendum shall be interpreted in favor of their intent to comply with the Applicable Data Protection Laws and therefore any ambiguity shall be resolved in favor of a meaning that complies and is consistent with Applicable Data Protection Laws.
6.1 “Business”, “Collects” (and “collected” and “collection”), “Consumer”, “Business Purpose”, “Sell” (and “selling”, “sale”, and “sold”) and “Service Provider” shall have the meanings given to them in §1798.140 of the CCPA.
6.2 “Business Purpose” has the meaning given in Section 5.2 of this Addendum.
6.3 “Applicable Data Protection Law(s)” means all applicable laws, regulations, and other legal or regulatory requirements in any jurisdiction relating to privacy, data protection/security, or the Processing of Personal Data, including without limitation the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations (“CCPA”), the California Privacy Rights Act of 2020, Cal. Civ. Code § 1798.120 et seq., and its implementing regulations (“CPRA”), the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), and the UK General Data Protection Regulation and any other corresponding laws of the United Kingdom. For the avoidance of doubt, if Front’s processing activities involving Personal Data are not within the scope of an Applicable Data Protection Law, such law is not applicable for purposes of this DPA.