This page is designed to help you understand Google’s approach to supporting customer compliance with US State Privacy Laws where Google is acting as a processor of customer data (including customer personal data) to provide, secure and monitor Google Cloud, which includes Google Cloud Platform, Google Workspace, Looker (original) and Google SecOps Services.
We focus on the Consumer Rights, General Business/Controller Obligations, and Service Provider/Processor related obligations within these state laws, as these are areas where we recognize customers may need Google’s support to ensure their compliance. For each requirement, we provide commentary to help you understand how the contractual commitments in the Cloud Data Processing Addendum, together with the functionality of the Google Cloud Services, allow you to address the relevant requirement. For ease of reference, in the sections below, we have summarized and consolidated the “topics” into high level descriptions, given the similarities in many of the applicable state laws. We also map these descriptions to the relevant state laws.
Note that each state law uses different defined terms. For clarity, on this page we refer to the Customer as a "controller" or "business", Google as a "service provider" or "processor", and an individual Customer End User as a "consumer".
In this page we address the following laws:
Access Right
Consumers may request that a business disclose the personal information collected about the consumer.
Customers may access their data (including their end users’ data) on Google Cloud at any time. If Google receives a request from a consumer relating to customer personal data, our privacy team will advise the requester to submit the request to you, the Google Cloud customer. Google Cloud customers can then take control of responding to these requests as per their internal procedures and requirements.
Applicable States: CA, CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, UT, VA
CDPA Reference: Section 9.1 (Access; Rectification; Restricted Processing; Portability), Section 9.2 (Data Subject Requests), and Section 12.1 (Cloud Data Protection Team) of the General Terms of the CDPA.
Correction Right
Consumers may request that a business correct inaccuracies in the consumer's personal data.
Google provides functionality to enable customers to access, rectify, and restrict the processing of their customer data as well as retrieve or delete data. For example, Customers can use the following functionality of Google Cloud Platform and Google Workspace:
Cloud Console: A web-based graphical user interface that customers can use to manage their Google Cloud resources.
Admin Console: A web-based graphical user interface that customers can use to manage their Google Workspace resources.
gcloud Command Tool: A tool that provides the primary command-line interface to Google Cloud. A command-line interface is a user interface to a computer’s operating system.
Applicable States: CA, CO, CT, DE, FL, IN, MT, OR, TN, TX, VA
CDPA Reference: Section 9.1 (Access; Rectification; Restricted Processing; Portability) and Section 9.2 (Data Subject Requests) of the General Terms of the CDPA.
Deletion Right
Consumers may request that a business delete the consumer's personal data.
Google provides functionality to enable customers to delete customer data using the services. For more information about data deletion on Google Cloud Platform, see this page. For Google Workspace (including Google Workspace for Education), see our help center articles on Delete or remove a user from your organization and Delete your organization's Google Account.
Applicable States: CA, CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, UT, VA
CDPA Reference: Section 6 (Data Deletion) of the General Terms of the CDPA.
Portability Right
Consumers may request that a business export the consumer's personal data.
Google provides functionality to enable customers to export their data using the services.
Applicable States: CA, CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, UT, VA
CDPA Reference: Section 9.1 (Access; Rectification; Restricted Processing; Portability) of the General Terms of the CDPA.
Opt-out Right
Consumers may request that a business export the consumer's personal data.
This is a customer responsibility based on its own business operations. Google commits to only access or use customer data (including customer personal data) to provide, secure and monitor the services in accordance with the contract terms.
Applicable States: CA, CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, UT, VA
CDPA Reference: Section 5.2 (Compliance with Customer’s Instructions), Section 7.1.2 (Access and Compliance), and Section 9.1 (Access; Rectification; Restricted Processing; Portability) of the General Terms of the CDPA.
Right to Limit the Use of Sensitive Data
Consumers may limit the purposes for which a business uses their sensitive information.
Customer determines the purposes for which customer personal data is processed using the Services. Google commits to only process customer data as instructed by customer.
Applicable States: CA
CDPA Reference: Section 9.1 (Access; Rectification; Restricted Processing; Portability) of the General Terms of the CDPA.
Parental Exercise of Child Rights
With respect to the processing of personal data belonging to a known child, a parent or legal guardian of the child may exercise the consumer rights on behalf of the child.
This is a customer responsibility based on its own business operations.
Applicable States: CA, CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, UT, VA
CDPA Reference: N/A
Methods for Submitting Rights Requests
Businesses must establish a process for consumers to submit requests to invoke their privacy rights.
Refer to Process for Responding to Rights Requests.
Applicable States: CA, CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, UT, VA
CDPA Reference: N/A
Opt-out Signals
A consumer may designate another person to act on their behalf to opt out of the processing of certain personal data.
Refer to Opt-out Right.
Applicable States: CA, CO, CT, MT, OR, TX
CDPA Reference: N/A
Process for Responding to Rights Requests
Businesses must respond to consumer requests without undue delay and not later than 45 days from receipt.
While this is ultimately the responsibility of customers, if Google receives a request from a consumer relating to their customer personal data, Google’s Cloud Data Protection Team will advise the requester to submit the request to you, the Google Cloud customer. Google Cloud customers can then take control of responding to these requests as per their internal procedures and requirements.
Applicable States: CA, CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, UT, VA
CDPA Reference: Section 9.2 (Data Subject Requests) of the General Terms of the CDPA.
Verification of Requests
Businesses must verify the identity of consumers who make requests to exercise their rights.
This is a customer responsibility based on its own business operations.
Applicable States: CA, CO
CDPA Reference: N/A
Rights Appeal Process
Businesses must establish an internal process for appealing their decision not to take action on a consumer request.
This is a customer responsibility based on its own business operations.
Applicable States: CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, VA
CDPA Reference: N/A
Rights Request Flow Down Requirements
Businesses that receive consumer requests to delete the consumer’s personal information must notify any service providers to delete the consumer’s personal information.
This is a customer responsibility based on its own business operations. Google provides customers with the ability to delete customer data at any time using the functionality of the services. See Row 3 (Deletion Right).
Applicable States: CA
CDPA Reference: Section 5.2 (Compliance with Customer’s Instructions) and Section 6 (Data Deletion) of the General Terms of the CDPA.
Minimization and Purpose Limitation
A business’ collection and use of a consumer’s personal information should be limited to what is reasonably necessary to achieve the purposes for which the personal information was collected or processed.
Customers decide what information to put into the services and which services to use, how to use them, and for what purpose. Google commits to only access or use customer data to provide, secure and monitor the services in accordance with the contract terms.
Applicable States: CA, CO, CT, DE, FL, IN, MT, OR, TN, TX, VA
CDPA Reference: Section 5.2 (Compliance with Customer’s Instructions) and Section 7.1.2 (Access and Compliance) of the General Terms of the CDPA.
Data Security
Businesses must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
In addition to the Security Measures described in Appendix 2 of the CDPA, Google provides functionality to enable customers to implement additional safeguards to protect personal information, which may require proper configuration of features in the cloud under customer management.
Google manages the security of its infrastructure (i.e., the hardware, software, networking and facilities that support the services). Google recognizes that customers need to review our internal controls as part of their risk assessment. To assist, Google undergoes several independent third-party audits on at least an annual basis to provide independent verification of our operations and internal controls. Google commits to comply with at least the following key international standards during the term of our contract with you:
Google also provides detailed information to customers about our security practices at:
Applicable States: CA, CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, UT, VA
CDPA Reference: Section 7.1 (Google’s Security Measures, Controls and Assistance), Section 7.3 (Customer’s Security Responsibilities and Assessment), Section 7.4 (Compliance Certifications and SOC Reports) of the General Terms, and Appendix 2 (Security Measures) of the CDPA.
Discrimination Due to Exercise of Rights
Businesses cannot discriminate against consumers who exercise their rights.
This is a customer responsibility based on its own business operations.
Applicable States: CA, CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, UT, VA
CDPA Reference: N/A
Discriminatory Processing
A business may not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers.
This is a customer responsibility based on its own business operations.
Applicable States: CO, CT, DE, FL, IA, IN, MT, TN, TX, VA
CDPA Reference: N/A
Sensitive Data Consent / Opt-out Requirements
A business may not process sensitive data concerning a consumer without obtaining the consumer’s consent or, in the case of a known child, in accordance with COPPA.
This is a customer responsibility based on its own business operations.
Applicable States: CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, UT, VA
CDPA Reference: N/A
Other Consent Obligations
A business may not use data collected by a device (e.g., voice or facial recognition) for the purpose of surveillance without consent.
This is a customer responsibility based on its own business operations.
Applicable States: FL
CDPA Reference: N/A
Minors - Consent for Sales / Sharing / Targeted Advertising
A business cannot process the personal data of a minor for targeted advertising or a sale without consent.
This is a customer responsibility based on its own business operations.
Applicable States: CA, CT, MT, OR
CDPA Reference: N/A
Notice at Collection
A business must provide consumers with a notice at or before personal information is collected.
This is a customer responsibility based on its own business operations.
Applicable States: CA
CDPA Reference: N/A
Privacy Notice
Businesses must provide consumers with a privacy notice that explains how their personal data will be processed and their consumer rights.
This is a customer responsibility based on its own business operations.
Applicable States: CA, CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, UT, VA
CDPA Reference: N/A
Other Transparency Obligations
Disclosures to consumers must be accessible and understandable.
This is a customer responsibility based on its own business operations.
Applicable States: CA, CO, FL
CDPA Reference: N/A
Disclosure of Sales and Targeted Advertising
A business must disclose sales of personal information or targeted advertising and offer an opt-out.
This is a customer responsibility based on its own business operations.
Applicable States: CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, UT, VA
CDPA Reference: N/A
Processing De-identified Data and Pseudonymous Data
A business using deidentified data must take reasonable measures to ensure such data cannot be associated with a consumer and require any recipients of such deidentified data to comply with this obligation.
This is a customer responsibility based on its own business operations. Google commits to only access or use customer data to provide, secure and monitor the services in accordance with the contract terms.
Applicable States: CA, CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, UT, VA
CDPA Reference: Section 5.2 (Compliance with Customer’s Instructions) of the General Terms of the CDPA.
Data Protection Assessments
A business must conduct a data protection assessment for certain processing activities.
Google commits to providing reasonable cooperation and assistance to customers in conducting their data protection impact assessments. For Google Cloud Platform or Google Workspace Services, please see Google’s DPIA resource page to learn more about what a DPIA is, and whether you need a DPIA for your use of those services.
Applicable States: CO, CT, DE, FL, IN, MT, OR, TN, TX, UT, VA
CDPA Reference: Section 8 (Impact Assessments and Consultations) of the General Terms of the CDPA.
Restriction on Resale of Personal Information
A third party shall not sell personal information that was sold to it by a business.
Google does not sell your customer data, ever. Google will only access or use customer data to provide, secure, and monitor the services in accordance with the contract terms.
Applicable States: CA
CDPA Reference: Section 5.2 (Compliance with Customer’s Instructions) of the General Terms of the CDPA.
Training & Recordkeeping Requirements
Businesses are required to train employees to handle consumer inquiries and maintain records of consumer requests and responses for 24 months.
This is a customer responsibility based on its own business operations.
Applicable States: CA
CDPA Reference: Section 12.2 (Google’s Processing Records) of the General Terms of the CDPA.
Contracting Requirements for All Sales, Sharing, or Disclosures of Personal Information to Service Providers or Contractors
A business that sells personal information of a consumer must enter into a contract with the third party with certain requirements.
Google does not purchase customer personal data or sell customer personal data to any third parties. Google requires our subcontractors to meet the same high standards that we do. In particular, Google requires our subcontractors to comply with our contract with you and to only access and use your data to the extent required to perform the obligations subcontracted to them, and Google remains responsible for any subcontracted obligations.
Applicable States: CA
CDPA Reference: Section 11.3 (Requirements for Subprocessor Engagement) of the General Terms of the CDPA.
Controller / Processor Status
Whether a party is a controller or a processor with respect to specific processing of personal data is a fact-based determination that depends on the context in which personal data is to be processed.
For purposes of Google Cloud, Google is acting as a processor of customer personal data. Customer is either a controller or processor, as applicable.
Applicable States: CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, UT, VA
CDPA Reference: Section 4.1 (Roles of the Parties) of the General Terms of the CDPA.
Contract Requirement
A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller.
The customer’s contract, which includes the Cloud Data Processing Addendum, governs Google’s data processing procedures with respect to processing on behalf of customer.
Applicable States: CA, CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, UT, VA
CDPA Reference: Appendix 1 (Subject Matter and Details of Data Processing) of the CDPA.
Limitations on Data Use
A contract between a controller and a processor shall set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.
Google commits to only process customer personal data in accordance with the CDPA including Appendix 1, which describes the subject matter and duration of the processing, nature and purpose of the processing and categories of data.
Applicable States: CA, CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, UT, VA
CDPA Reference: Section 5.2 (Compliance with Customer’s Instructions) and Section 7.1.2 (Access and Compliance) of the General Terms, and Appendix 1 (Subject Matter and Details of Data Processing) of the CDPA.
Impose a Duty of Confidentiality on Employees
The contract between a controller and a processor will ensure that each person processing personal data is subject to a duty of confidentiality.
Customers may access their data (including their end users’ data) on Google Cloud at any time. If Google receives a request from an individual (e.g., a customer end user) relating to customer personal data, our privacy team will advise the requester to submit the request to you, the Google Cloud customer. Google Cloud customers can then take control of responding to these requests as per their internal procedures and requirements.
Applicable States: CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, UT, VA
CDPA Reference: Section 7.1.2 (Access and Compliance) of the General Terms, and Section 4 (Personnel Security) in Appendix 2 (Security Measures) of the CDPA.
Audit Requirement
The contract between a controller and a processor will ensure that the processor provides the business with information to demonstrate compliance with the processor’s obligations, upon request, and to undergo independent audits annually using accepted control frameworks.
Google supports customer compliance by making relevant security documentation available for customer review and undergoing several independent third-party audits on at least an annual basis to provide independent verification of our operations and internal controls. Google’s Compliance Reports Manager page provides easy, on-demand access to these critical compliance resources, at no additional cost. Key resources include our latest ISO/IEC certificates, SOC reports, and self assessments.
Applicable States: CA, CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, VA
CDPA Reference: Section 7.4 (Compliance Certifications and SOC Reports) and Section 7.5 (Reviews and Audits of Compliance) of the General Terms of the CDPA.
Assist with Controller Obligations
Taking into account the nature of processing and the information available to the processor, a processor will adhere to the instructions of the business and assist the business with responding to consumer rights requests.
Google commits to assist customers with consumer requests in Section 9 of the General Terms of the CDPA.
Applicable States: CA, CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, VA
CDPA Reference: See responses in the Consumer Rights and Business / Controller Responsibilities sections, above. Section 9 (Access; Data Subject Rights; Data Export) and Section 9.2.2 (Google’s Data Subject Request Assistance) of the General Terms of the CDPA.
Assist with Controller Obligations
Taking into account the nature of processing and the information available to the processor, a processor will adhere to the instructions of the business and assist the business with meeting its obligations with respect to the security of processing the personal data and in relation to the notification of a security breach.
Google implements and maintains technical, organizational, and physical measures to protect the customer data against unauthorized disclosure or access. Google provides customers with notification of, and details about, a data incident promptly and without undue delay. Google also makes additional security controls available to customers.
Applicable States: CA, CO, CT, DE, FL, IA, IN, MT, OR, TX, UT, VA
CDPA Reference: Section 7.1 (Google’s Security Measures, Controls and Assistance), Section 7.1.4 (Google’s Security Assistance), Section 7.2 (Data Incidents), Section 7.2.1 (Incident Notification), and Section 7.3 (Customer’s Security Responsibilities and Assessment) of the General Terms, and Appendix 2 (Security Measures) of the CDPA.
Assist with Controller Obligations
Taking into account the nature of processing and the information available to the processor, a processor will adhere to the instructions of the business and assist the business by: providing information necessary to conduct data protection assessments.
Google commits to assist customers with data protection assessments in Section 8 of the General Terms of the CDPA. In addition, for Google Cloud Platform and Google Workspace, Google maintains a DPIA Resource Center to assist customers.
Applicable States: CA, CO, CT, DE, FL, IN, MT, OR, TX, VA
CDPA Reference: Section 8 (Impact Assessments and Consultations) of the General Terms of the CDPA.
Subcontractor Objection Right
A subcontractor handling personal data cannot be engaged unless the business has the opportunity to object.
Google provides customers with a notice including information about any new subprocessor engagement and the opportunity to object by terminating the agreement for its convenience. Given the one-to-many nature of our services, Google is unable to operationalize an approval process for each individual customer. Google requires our subcontractors to meet the same high standards that we do and Google remains responsible for any subcontracted obligations. In particular, Google requires our subcontractors to comply with our contract with you and to only access and use your data to the extent required to perform the obligations subcontracted to them.
Applicable States: CO, CT, DE
CDPA Reference: Section 11.1 (Consent to Subprocessor Engagement), Section 11.3 (Requirements for Subprocessor Engagement), and Section 11.4 (Opportunity to Object to Subprocessors) of the General Terms of the CDPA.
Delete or Return Data upon Termination / Completion of Services
The contract between a controller and a processor will ensure that the processor returns or destroys all customer personal data at the end of the provision of services.
Google will delete all customer data (including customer personal data) at the end of the term in accordance with applicable law and within a maximum period of 180 days. Additional details of Google’s data deletion process and commitments can be found in the CDPA and Data Deletion on Google Cloud documentation.
Applicable States: CA, CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, VA
CDPA Reference: Section 6.1 (Deletion by Customer) and Section 6.2 (Return or Deletion When Term Ends) of the General Terms of the CDPA.
Notify the Controller if Obligations can no longer be met
A processor must notify the business if it determines that it can no longer meet its obligations under the CCPA.
Google will notify customers if it is unable to meet its obligations under the CCPA, unless such notice is prohibited by applicable law.
Applicable States: CA
CDPA Reference: Section 3 (Compliance) of the CCPA subsection in Appendix 3 (Specific Privacy Laws) of the CDPA.