US Privacy Laws Addendum

This page is intended to outline mandatory legal requirements for applicable US Privacy Laws and supplement existing agreement(s) between you and TransUnion to the extent required. This page is not intended to supersede existing agreements, addenda, amendments or exhibits which adequately address these US Privacy Laws, nor is it intended to supplement agreements to which the US Privacy Laws are inapplicable.

This US Privacy Laws Addendum (“Addendum”) supplements applicable Agreements (as defined below) made by and between Trans Union LLC and/or its affiliates and/or subsidiaries (“TransUnion”) and the legal entity TransUnion provides products and/or services to (“Customer”) (each, a “Party” and collectively, the “Parties”). This Addendum is effective as of December 31, 2023 (“Addendum Effective Date”).

The Parties agree as follows:

  1. Definitions. The following terms shall have the following meanings:
    • “Agreements” means collectively: (i) any existing products and/or services agreements (including any amendments to, or exhibits, addenda, or statements of work attached thereto) between the Parties, and (ii) any products and/or services agreements (including any amendments to, or exhibits, addenda, or statements of work attached thereto) between the Parties entered into subsequent to the Addendum Effective Date, unless any such subsequent agreement specifically references this Addendum by its name and the Addendum Effective Date, and indicates that this Addendum shall not be supplemental to or incorporated by reference into such subsequent agreement, or otherwise contains all applicable terms required by US Privacy Laws.
    • “Controller” shall mean the Party that determines the purposes for and means of Processing Covered Personal Information, and shall include the term “Business” as that term is defined in the CCPA.
    • “Covered Personal Information” or “CPI” means (i) Personal Information that TransUnion provides, makes available, and/or otherwise discloses to Customer pursuant to Agreements, and/or (ii) Personal Information that Customer provides, makes available, and/or otherwise discloses to TransUnion pursuant to the Agreements.
    • “Personal Information” shall be interpreted consistent with the applicable US Privacy Laws, and includes at a minimum “Personal Information” or “Personal Data” as defined in the applicable US Privacy Laws.
    • “Process” or “Processing” means any operation or set of operations that are performed on data or on sets of data, whether or not by automated means, or as otherwise defined by applicable US Privacy Laws.
    • “US Privacy Laws” mean any and all applicable US federal or state information privacy laws (as amended) or any regulations or guidance issued pursuant thereto, including but not limited to the California Consumer Privacy Act, Cal. Civ. Code 1798.100 et seq., as amended including by the California Privacy Rights Act (the “CCPA”); the Virginia Consumer Data Protection Act, Code of Virginia title 59.1, Chapter 52 (the “VCDPA”); the Colorado Privacy Act, Colorado Rev. Stat. 6-1-1301 et seq. (the “CPA”); the Utah Consumer Privacy Act, Utah Code 13-61-101 et seq. (the “UCPA”); the Connecticut Act Concerning Personal Data Protection and Online Monitoring, Conn. Gen. Stat. § 42-515 et seq. (the “PDPOM”); the Iowa Act Relating to Consumer Data Protection, Senate File 262 (2023) (“ICDP”); guidance issued by the U.S. Federal Trade Commission pursuant to its authority under Section 5 of the FTC Act, 15 U.S.C. § 45 (“FTCA”); the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq. (“FCRA”); the Children’s Online Privacy Protection Act, 15 U.S.C. § 6501 et seq. (“COPPA”); the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq. (“GLBA”); and any other applicable federal or state laws or regulations regarding information privacy that are in effect or will come into effect during the term of the Agreements. TransUnion reserves all rights and asserts all exceptions and exemptions to which it is entitled under US Privacy Laws. Further, TransUnion reserves the right to make updates to this Addendum in order to comply with any modifications, amendments, or updates to applicable US Privacy Laws.
    • “Processor” shall mean the Party that Processes Covered Personal Information on behalf of the Controller pursuant to the Agreements, and shall include the term “Service Provider” as that term is defined in the CCPA.
    • The terms “business,” “commercial purpose,” “controller,” “processor,” “sale,” “sell,” “service provider,” and “share” shall have the meanings given to those terms or equivalent terms as set forth in the US Privacy Laws. In the event of a conflict in the meanings of terms among the US Privacy Laws, the Parties agree that the meanings of each applicable law applies.
  2. Relation to Agreements. This Addendum is supplemental to and incorporated by reference into the Agreements; provided, however, that this Addendum is not intended to supersede the Agreements and instead merely clarifies various obligations under the Agreements and at law to facilitate the Parties’ respective compliance with applicable US Privacy Laws in respect to the products and/or services identified in the Agreements. For the avoidance of doubt, this Addendum is not intended to supersede existing provisions, terms or conditions in any Agreements regarding the Parties’ use or rights with respect to Covered Personal Information except to the extent that such provisions, terms, or conditions are inconsistent with US Privacy Laws. Except as set forth herein, all provisions of the Agreements remain in full force and effect.
  3. Application and Scope.
    • For purposes of the Agreements relating to the TransUnion products and/or services, where TransUnion is a Processor and Customer is a Controller ("Processor-Controller Agreements"), as applicable, the Parties agree that with respect to the Processor-Controller Agreements, all Sections of this Addendum except sub-paragraphs (b) of this Section 3 (Application and Scope) and Section 7 (Controller Requirements) shall apply to TransUnion’s Processing of Covered Personal Information pursuant to the applicable Agreements.
    • For the purposes of the Agreements relating to the TransUnion products and/or services where TransUnion and Customer each act as independent Controllers with respect to Covered Personal Information provided by one Party (“CPI Disclosing Party”) to the other Party (“CPI Receiving Party”) pursuant to the applicable Agreements (“Controller-Controller Agreements”), as applicable, the Parties agree that as to Controller-Controller Agreements: (i) all Sections of this Addendum except sub-paragraphs (a) of this Section 3 (Application and Scope), Section 4 (Processor Requirements), Section 5 (Sub-processors), and Section 6 (Verification & Assessments) shall apply to the CPI Receiving Party’s Processing of the Covered Personal Information pursuant to the applicable Agreements.
  4. Processor Requirements.
    • Controller instructs Processor to Process the Covered Personal Information for limited and specified purposes in connection with the provision of the products and/or services. The details of Processing are defined in the Agreements.
    • Processor shall: (i) comply with the applicable US Privacy Laws and this Addendum while providing the products and/or services, (ii) provide the level of privacy protection required by the applicable US Privacy Laws, and (iii) provide Controller with reasonably-requested assistance to enable Controller to fulfill its own obligations under the applicable US Privacy Laws.
    • Processor further agrees that, to the extent required by applicable US Privacy Laws:
      • any Processing of Controller’s Covered Personal Information is not for monetary or other valuable consideration, but instead, to support services pursuant to the Agreements, and therefore does not constitute a sale or share of Controller’s Covered Personal Information to Processor;
      • in the course of making available or providing Controller with the services identified in the Agreements, it will act as a Processor to Controller with respect to Controller’s Covered Personal Information, and Controller shall have the exclusive authority to determine the purposes for and means of Processing the Covered Personal Information;
      • it shall not sell or share Covered Personal Information;
      • it shall not collect, retain, use, disclose or otherwise Process Controller’s Covered Personal Information:
        • for any purpose (including a commercial purpose) other than for the specific purpose of performing the services and obligations for the benefit of Controller as specified in the Agreements; or
        • outside of the direct business relationship between Processor and Controller;
      • it shall not, to the extent prohibited by the applicable US Privacy Laws, combine Controller’s Covered Personal Information received from Controller with Personal Information from other Controllers;
      • it shall comply with the applicable US Privacy Laws in connection with its receipt, use, handling, Processing, access to and storage of Controller’s Covered Personal Information;
      • it shall maintain reasonable security measures with respect to Controller’s Covered Personal Information;
      • where Controller informs Processor of a consumer request made pursuant to Privacy Law regarding Controller’s Covered Personal Information and provides Processor with information necessary to comply with such a request, Processor shall reasonably cooperate with and reasonably assist Controller in responding to and fulfilling such requests; and
      • it shall ensure each person acting for or on behalf of Processor Processing Controller’s Covered Personal Information is subject to a duty of confidentiality.
    • When the Agreements expire, Processor agrees to discontinue Processing Covered Personal Information and delete Covered Personal Information without undue delay unless otherwise instructed by Controller or required by law to retain the Covered Personal Information.
  5. Sub-Processors. Subject to the Agreements, Controller provides general authorization for Processor to allow sub-Processors to Process Covered Personal Information in furtherance of the Agreements, provided that Processor shall require that Processor’s sub-processors who collect, store, transmit, or otherwise Process Controller’s Covered Personal Information on Processor’s behalf agree in writing to: (a) substantially similar restrictions and requirements that apply to Processor with respect to Controller’s Covered Personal Information, and (b) to comply with applicable US Privacy Laws. Processor shall provide a list of sub-processors that Process Controller’s Covered Personal Information upon written request from Controller where required by applicable US Privacy Laws.
  6. Verification & Assessments.
    • Upon the reasonable request of Controller, Processor shall make available to Controller all information in Processor’s possession necessary to demonstrate Processor’s compliance with this Addendum, subject to any similar terms in the Agreement.
    • If applicable, Processor shall, upon the reasonable request of Controller, provide Controller with such assistance and information as is reasonably necessary to enable Controller to carry out privacy impact assessments required under applicable US Privacy Laws.
    • Controller shall have the right to take reasonable and appropriate steps to ensure Processor’s compliance with this Addendum, subject to any similar terms in the Agreement.
    • Processor agrees to notify Controller without undue delay if Processor determines that it can no longer meet its obligations under applicable US Privacy Laws. Upon receiving notice from Processor in accordance with this subsection, Controller may direct Processor to take steps as reasonable and appropriate to remediate unauthorized Processing of Covered Personal Information.
  7. Controller Requirements. The Parties acknowledge and agree that, to the extent required by applicable US Privacy Laws:
    • CPI Disclosing Party provides Covered Personal Information to CPI Receiving Party only for limited and specified purposes defined in the Agreements in connection with the provision of the products and/or services. CPI Receiving Party agrees to use the Covered Personal Information only for such limited and specified purposes.
    • CPI Receiving Party shall comply with the applicable US Privacy Laws and provide the level of privacy protection required by the applicable US Privacy Laws.
    • CPI Disclosing Party shall have the right to take reasonable and appropriate steps to help ensure that CPI Receiving Party’s use of Covered Personal Information is consistent with applicable US Privacy Laws.
    • CPI Receiving Party agrees to notify CPI Disclosing Party without undue delay if Receiving Party determines that it can no longer meet its obligations under applicable US Privacy Laws. Upon receiving notice from Receiving Party in accordance with this subsection, CPI Disclosing Party may direct CPI Receiving Party to take steps as reasonable and appropriate to remediate unauthorized Processing of Covered Personal Information.