This U.S. State Privacy Laws Addendum ("Addendum") supplements the Firebase Data Processing and Security Terms (the "DPST") incorporated into the agreement(s) under which Google has agreed to provide Firebase Services (as described at https://firebase.google.com/terms) which specifically reference the Firebase Data Processing and Security Terms (each, as applicable, an "Agreement"). This Addendum is effective as of the later of July 1, 2023 or the date on which the Customer accepted, or the parties otherwise agreed to, this Addendum ("Addendum Effective Date"). Capitalized terms used but not defined in this Addendum have the meanings given to them in the DPST and applicable Agreement.
This Addendum reflects the parties’ agreement on the processing of Customer Personal Data pursuant to the DPST in connection with the Applicable State Privacy Laws (as defined below), and is effective solely to the extent each Applicable State Privacy Law applies.
Definitions.
1.1. "Applicable State Privacy Laws" means (i) the California Consumer Privacy Act of 2018, as amended, including as amended by the California Privacy Rights Act of 2020, together with all implementing regulations (the "CCPA"); (ii) Virginia’s Consumer Data Protection Act, Va. Code Ann. § 59.1-571 et seq.; (iii) the Colorado Privacy Act, Colo. Rev. Stat. § 6-1-1301 et seq., together with all implementing regulations; (iv) Connecticut’s Act Concerning Data Privacy and Online Monitoring, Pub. Act No. 22015; and (v) the Utah Consumer Privacy Act, Utah Code Ann. § 13-61-101 et seq.
1.2. "Customer Personal Data" (as defined in the DPST) also includes "personal information" as defined in Applicable State Privacy Laws.
1.3. The terms "business", "business purpose", "consumer", "controller", "personal data", "personal information", "processing", "processor", "sale", "sell", "service provider", and "share" as used in this Addendum (including the DPST to the extent it is incorporated by reference into this Addendum) have the meanings given in Applicable State Privacy Laws.
1.4. References in this Addendum (including the DPST to the extent it is incorporated by reference into this Addendum) to "controller", "data subject", and "processor" include "business", "consumer", and "service provider", respectively, as defined by Applicable State Data Privacy Laws.
Duration. Regardless of whether the applicable Agreement has terminated or expired, this Addendum will remain in effect until, and automatically expire when, the DPST expires.
Roles and Compliance; Authorization.
3.1. Processor and Controller Responsibilities. If Applicable State Privacy Laws apply to the processing of Customer Personal Data:
- Appendix 1 of the DPST describes the subject matter and details of the processing of Customer Personal Data;
- Google is a processor of Customer Personal Data under Applicable State Privacy Laws;
- Customer is a controller or processor, as applicable, of Customer Personal Data under Applicable State Privacy Laws; and
- Each party will comply with the obligations applicable to it under Applicable State Privacy Laws with respect to the processing of Customer Personal Data.
3.2. Processor Customers. If Customer is a processor:
- Customer warrants on an ongoing basis that the relevant controller has authorized: (i) the Instructions; (ii) Customer’s appointment of Google as another processor; and (iii) Google’s engagement of Subprocessors as described in DPST Section 11 (Subprocessors) and Section 10 (Requirements for Subprocessor Engagement) of this Addendum;
- Customer will immediately forward to the relevant controller any notice provided by Google under DPST Sections 7.2.1 (Incident Notification), 9.2.1 (Responsibility for Requests), 11.4 (Opportunity to Object to Subprocessor Changes) or under Section 4 (Compliance with Customer’s Instructions) of this Addendum; and
- Customer may:
- request access for the relevant controller to the SOC 2 Report in accordance with DPST Section 7.5.3 (Additional Business Terms for Reviews and Audits) and Section 6.3.2 (Additional Business Terms for Reviews and Audits) of this Addendum; and
- make available to the relevant controller any other information made available by Google under DPST Sections 10.3 (Data Centre Information) and 11.2 (Information about Subprocessors).
Compliance with Customer’s Instructions. Customer instructs Google to process Customer Data in accordance with the applicable Agreement (including the DPST and this Addendum) and applicable law only: (a) to provide, secure, and monitor the Services and TSS (if applicable); (b) as further specified via (i) Customer’s use of the Services (including the Admin Console and other Services functionality) and TSS (if applicable); (c) as documented in the form of the Agreement (including the DPST and this Addendum); and (d) as further documented in any other written instructions given by Customer and acknowledged by Google as constituting instructions under this Addendum (collectively, the "Instructions"). Google will comply with the Instructions unless prohibited by applicable law, and notify Customer if Google determines that it cannot comply with Applicable State Privacy Laws.
CCPA Prohibitions. Without prejudice to Section 4 (Compliance with Customer’s Instructions) above, with respect to Google’s processing of Customer Personal Data in accordance with the CCPA, Google will not, unless otherwise permitted under the CCPA, as reasonably determined by Google: (a) sell or share Customer Personal Data; (b) retain, use or disclose Customer Personal Data (i) other than for a business purpose under the CCPA on behalf of Customer and the specific purpose of performing the Services and TSS (if applicable), or (ii) outside of the direct business relationship between Google and Customer; or (c) combine Customer Personal Data with personal information that Google (i) receives from or on behalf of a third party or (ii) collects from its own interactions with the consumer.
Data Security.
6.1. Security Assistance. Google will (taking into account the nature of the processing of Customer Personal Data and the information available to Google) assist Customer in ensuring compliance with its (or, where Customer is a processor, the relevant controller’s) obligations under Applicable State Privacy Laws, by:
- implementing and maintaining the Security Measures in accordance with DPST Section 7.1.1 (Google’s Security Measures);
- making Additional Security Controls available to Customer in accordance with DPST Section 7.1.3 (Additional Security Controls);
- complying with the terms of DPST Section 7.2 (Data Incidents); and
- providing Customer with the Security Documentation in accordance with DPST Section 7.5.1 (Reviews of Security Documentation) and the information contained in the applicable Agreement (including this Addendum).
6.2. Third Party Notifications. Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third party notification obligations related to any Data Incident.
6.3. Reviews and Audits of Compliance.
6.3.1. Customer’s Audit Rights. Google will allow Customer or an independent auditor appointed by Customer to conduct audits (including inspections) to verify Google’s compliance with its obligations under this Addendum (including the DPST to the extent it is incorporated by reference into this Addendum) in accordance with DPST Section 7.5.3 (Additional Business Terms for Reviews and Audits) and Section 6.3.2 (Additional Business Terms for Reviews and Audits) of this Addendum. During an audit, Google will make available all information necessary to demonstrate such compliance and contribute to the audit as described in DPST Section 7.4 (Security Certifications and Reports) and this Section 6.3.1 (Customer’s Audit Rights).
6.3.2. Additional Business Terms for Reviews and Audits. DPST Section 7.5.3 (Additional Business Terms for Reviews and Audits) will apply to any audits or requests to review SOC 2 Reports under this Addendum.
6.3.3. Customer Intervention. If Customer reasonably believes that Google is processing Customer Personal Data in a manner that exceeds the scope of the Instructions, Customer may exercise its rights under Section 6.3.1 (Customer’s Audit Rights) above or DPST Section 7.5 (Reviews and Audits of Compliance) or notify Google of such belief via the process described in DPST Section 12.1 (Google’s Representative), and the parties will work together in good faith to remediate the allegedly violative processing activities, if necessary.
Data Protection Assessments. Google will (taking into account the nature of the processing and the information available to Google) assist Customer in ensuring compliance with its (or, where Customer is a processor, the relevant controller’s) data protection assessment obligations under Applicable State Privacy Laws, by:
- providing Additional Security Controls in accordance with DPST Section 7.1.3 (Additional Security Controls) and the Security Documentation in accordance with DPST Section 7.5.1 (Reviews of Security Documentation);
- providing the information contained in the applicable Agreement (including this Addendum); and
- providing or otherwise making available, in accordance with Google’s standard practices, other materials concerning the nature of the Services and the processing of Customer Personal Data (for example, help center materials).
Data Subject Request Assistance. Google will (taking into account the nature of the processing of Customer Personal Data) assist Customer in fulfilling its (or, where Customer is a processor, the relevant controller’s) obligations under Applicable State Privacy Laws to respond to requests for exercising the data subject’s rights by:
- providing Additional Security Controls in accordance with DPST Section 7.1.3 (Additional Security Controls);
- complying with DPST Sections 9.1 (Access; Rectification; Restricted Processing; Portability) and 9.2.1 (Responsibility for Requests); and
- providing the functionality of the Services.
Rectification. If Customer becomes aware that any Customer Personal Data is inaccurate or outdated, Customer will be responsible for using the functionality of the Services (provided by Google as described in DPST Section 9.1 (Access; Rectification; Restricted Processing; Portability)) to rectify or delete that data if required by Applicable State Privacy Laws.
Requirements for Subprocessor Engagement. Google will engage Subprocessors in accordance with DPST Section 11 (Subprocessors). Additionally, when engaging any Subprocessor, Google will:
- ensure via a written contract that:
- the Subprocessor only accesses and uses Customer Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the applicable Agreement (including this Addendum); and
- if the processing of Customer Personal Data is subject to Applicable State Privacy Laws, the data protection obligations described in this Addendum (as referred to in Applicable State Privacy Laws, if applicable) are imposed on the Subprocessor; and
- remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor.
- ensure via a written contract that:
Google’s Processing Records. Google will keep appropriate documentation of its processing activities as required by Applicable State Privacy Laws. Upon reasonable request, Customer will provide appropriate documentation of its processing activities to Google via the Admin Console or via such other means as may be provided by Google, and will use the Admin Console or such other means to ensure that all information provided is kept accurate and up-to-date.
General. All other terms and conditions of the Agreement including the DPST will remain in full force and effect. If the terms of this Addendum conflict with any other terms of the Agreement, the terms of this Addendum will govern to the extent that Applicable State Privacy Laws apply to any processing of Customer Personal Data.