Skip to Main

U.S. Privacy Laws Addendum

LexisNexis Legal & Professional | LexisNexis Risk Solutions

This U.S. Privacy Laws Addendum forms part of the agreement (the “Agreement”) between the LexisNexis entity (“LN”) and the customer, subscriber, licensee or other partner and any applicable affiliate (“Customer”) under which LN provides certain products or services (the "Services") and in which this U.S. Privacy Laws Addendum is referenced.

California

  1. To the extent that LN is processing on behalf of Customer any personal information in scope of the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and its implementing regulations (collectively, the “CCPA”):  
    1. LN is prohibited from selling or sharing personal information it collects (as those terms are defined in the CCPA) pursuant to the Agreement;
    2. The specific business purpose (as that term is defined in the CCPA) for which LN is processing personal information pursuant to the Agreement is to provide, manage, operate and secure the Services, and Customer is disclosing the personal information to LN only for the limited and specified business purpose set forth in the Agreement;
    3. LN is prohibited from retaining, using, or disclosing the personal information that it collected pursuant to the Agreement for any purpose other than for the business purpose specified in the Agreement or as otherwise permitted by the CCPA;
    4. LN is prohibited from retaining, using, or disclosing the personal information that it collected pursuant to the Agreement for any commercial purpose (as that term is defined in the CCPA) other than the business purposes specified in the Agreement, unless expressly permitted by the CCPA;
    5. LN is prohibited from retaining, using, or disclosing the personal information that it collected pursuant to the Agreement outside the direct business relationship between LN and Customer, unless expressly permitted by the CCPA;
    6. LN is required to comply with all applicable sections of the CCPA, including – with respect to the personal information that LN collected pursuant to the Agreement – providing the same level of privacy protection as required of businesses by the CCPA;
    7. LN grants Customer the right to take reasonable and appropriate steps to ensure that LN uses the personal information that it collected pursuant to the Agreement in a manner consistent with Customer’s obligations under the CCPA;
    8. LN is required to notify Customer after it makes a determination that it can no longer meet its obligations under the CCPA;
    9. LN grants Customer the right, upon notice, to take reasonable and appropriate steps to stop and remediate LN’s unauthorized use of personal information; and
    10. LN is required to enable Customer to comply with consumer requests made pursuant to the CCPA or Customer is required to inform LN of any consumer request made pursuant to the CCPA that they must comply with and provide the necessary information to LN to comply with the request.
  2. To the extent that either party sells to or shares with the other any personal information in scope of the CCPA:
    1. The purposes for which the personal information is made available to and by LN is to provide, manage, operate and secure the Services under the Agreement subject to the applicable party’s applicable privacy policy;
    2. The personal information is made available to the receiving party only for the limited and specified purposes set forth in the Agreement and is required to be used only for those limited and specified purposes;
    3. The receiving party is required to comply with applicable sections of the CCPA, including – with respect to the personal information that is made available to the receiving party – providing the same level of privacy protection as required of businesses by the CCPA;
    4. The disclosing party is granted the right – with respect to the personal information that is made available to LN – to take reasonable and appropriate steps to ensure that the receiving party uses the personal information in a manner consistent with the disclosing party’s obligations under the CCPA;
    5. The disclosing party is granted the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information made available to the receiving party; and
    6. The receiving party is required to notify the other party after it makes a determination that it can no longer meet its obligations under the CCPA.

Colorado, Connecticut, Montana, Oregon, Texas, Utah and Virginia

To the extent that LN is processing on behalf of Customer any personal data in scope of the Colorado Privacy Act, Connecticut Data Privacy Act, Montana Consumer Data Privacy Act, Oregon Consumer Privacy Act, Texas Data Privacy and Security Act, Utah Consumer Privacy Act and/or Virginia Consumer Data Protection Act, LN shall:

  1. Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
  2. At Customer’s direction, delete or return all personal data to Customer as requested at the end of the provision of the Services, unless retention of the personal data is required by law;
  3. Upon the reasonable request of Customer, make available to Customer all information in its possession necessary to demonstrate its compliance with the obligations under the foregoing laws;
  4. Allow, and cooperate with, reasonable assessments by Customer or Customer’s designated assessor; alternatively, LN may arrange for a qualified and independent assessor to conduct an assessment of LN’s policies and technical and organizational measures in support of the obligations under the foregoing laws using an appropriate and accepted control standard or framework and assessment procedure for such assessments. LN shall provide a report of such assessment to Customer upon request; and
  5. Engage any subcontractor pursuant to a written contract in accordance with the foregoing laws that requires the subcontractor to meet the obligations of LN with respect to the personal data;

and the parties shall, taking into account the context of the processing, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement the measures.

Last updated: October 1, 2024