Google Cloud Data Processing Addendum Mapping - U.S. State Privacy Laws

Minimization and Purpose Limitation

A business’ collection and use of a consumer’s personal information should be limited to what is reasonably necessary to achieve the purposes for which the personal information was collected or processed.

Customers decide what information to put into the services and which services to use, how to use them, and for what purpose. Google commits to only access or use customer data to provide, secure and monitor the services in accordance with the contract terms. 

Applicable States: CA, CO, CT, DE, FL, IN, MT, OR, TN, TX, VA

CDPA Reference: Section 5.2 (Compliance with Customer’s Instructions) and Section 7.1.2 (Access and Compliance) of the General Terms of the CDPA.

Data Security

Businesses must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.

In addition to the Security Measures described in Appendix 2 of the CDPA, Google provides functionality to enable customers to implement additional safeguards to protect personal information, which may require proper configuration of features in the cloud under customer management.

Google manages the security of its infrastructure (i.e., the hardware, software, networking and facilities that support the services). Google recognizes that customers need to review our internal controls as part of their risk assessment. To assist, Google undergoes several independent third-party audits on at least an annual basis to provide independent verification of our operations and internal controls. Google commits to comply with at least the following key international standards during the term of our contract with you:

• ISO/IEC 27001:2013 (Information Security Management Systems)
• SOC 2
• SOC 3

Google also provides detailed information to customers about our security practices at:

• Infrastructure security page
• Security whitepaper
• Cloud-native security whitepaper
• Infrastructure security design overview page
• Security resources page
• Cloud compliance resource page

Applicable States: CA, CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, UT, VA

CDPA Reference: Section 7.1 (Google’s Security Measures, Controls and Assistance), Section 7.3 (Customer’s Security Responsibilities and Assessment), Section 7.4 (Compliance Certifications and SOC Reports) of the General Terms, and Appendix 2 (Security Measures) of the CDPA.

Discrimination Due to Exercise of Rights

Businesses cannot discriminate against consumers who exercise their rights.

This is a customer responsibility based on its own business operations.

Applicable States: CA, CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, UT, VA

CDPA Reference: N/A

Discriminatory Processing

A business may not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers.

This is a customer responsibility based on its own business operations.

Applicable States: CO, CT, DE, FL, IA, IN, MT, TN, TX, VA

CDPA Reference: N/A 

Sensitive Data Consent / Opt-out Requirements

A business may not process sensitive data concerning a consumer without obtaining the consumer’s consent or, in the case of a known child, in accordance with COPPA.

This is a customer responsibility based on its own business operations.

Applicable States: CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, UT, VA

CDPA Reference: N/A 

Other Consent Obligations

A business may not use data collected by a device (eg voice or facial recognition) for the purpose of surveillance without consent.

This is a customer responsibility based on its own business operations.

Applicable States: FL

CDPA Reference: N/A 

Minors - Consent for Sales / Sharing / Targeted Advertising

A business cannot process the personal data of a minor for targeted advertising or a sale, without consent.

This is a customer responsibility based on its own business operations.

Applicable States: CA, CT, MT, OR

CDPA Reference: N/A 

Notice at Collection

A business must provide consumers with a notice at or before personal information is collected.

This is a customer responsibility based on its own business operations.

Applicable States: CA

CDPA Reference: N/A 

Privacy Notice

Businesses must provide consumers with a privacy notice that explains how their personal data will be processed and their consumer rights.

This is a customer responsibility based on its own business operations.

Applicable States: CA, CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, UT, VA

CDPA Reference: N/A

Other Transparency Obligations

Disclosures to consumers must be accessible and understandable.

This is a customer responsibility based on its own business operations.

Applicable States: CA, CO, FL

CDPA Reference: N/A

Disclosure of Sales and Targeted Advertising

A business must disclose sales of personal information or targeted advertising and offer an opt-out.

This is a customer responsibility based on its own business operations.

Applicable States: CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, UT, VA

CDPA Reference: N/A

Processing De-identified Data and Pseudonymous Data

A business using deidentified data must take reasonable measures to ensure such data cannot be associated with a consumer and require any recipients of such deidentified data to comply with this obligation.

This is a customer responsibility based on its own business operations. Google commits to only access or use customer data to provide, secure and monitor the services in accordance with the contract terms.

Applicable States: CA, CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, UT, VA

CDPA Reference: Section 5.2 (Compliance with Customer’s Instructions) of the General Terms of the CDPA.

Data Protection Assessments

A business must conduct a data protection assessment for certain processing activities.

Google commits to providing reasonable cooperation and assistance to customers in conducting their data protection impact assessments. For Google Cloud Platform or Google Workspace Services, please see Google’s DPIA resource page to learn more about what a DPIA is, and whether you need a DPIA for your use of those services.

Applicable States: CO, CT, DE, FL, IN, MT, OR, TN, TX, UT, VA

CDPA Reference: Section 8 (Impact Assessments and Consultations) of the General Terms of the CDPA.

Restriction on Resale of Personal Information

A third party shall not sell personal information that was sold to it by a business.

Google does not sell your customer data, ever. Google will only access or use customer data to provide, secure, and monitor the services in accordance with the contract terms.

Applicable States: CA

CDPA Reference: Section 5.2 (Compliance with Customer’s Instructions) of the General Terms of the CDPA.

Training & Recordkeeping Requirements

Businesses are required to train employees to handle consumer inquiries and maintain records of consumer requests and responses for 24 months.

This is a customer responsibility based on its own business operations.

Applicable States: CA

CDPA Reference: Section 12.2 (Google’s Processing Records) of the General Terms of the CDPA.

Contracting Requirements for All Sales, Sharing, or Disclosures of Personal Information to Service Providers or Contractors

A business that sells personal information of a consumer must enter into a contract with the third party with certain requirements.

Google does not purchase customer personal data or sell customer personal data to any third parties. Google requires our subcontractors to meet the same high standards that we do. In particular, Google requires our subcontractors to comply with our contract with you and to only access and use your data to the extent required to perform the obligations subcontracted to them and Google remains responsible for any subcontracted obligations.

Applicable States: CA

CDPA Reference: Section 11.3 (Requirements for Subprocessor Engagement) of the General Terms of the CDPA.

Controller / Processor Status

Whether a party is a controller or a processor with respect to specific processing of personal data is a fact based determination that depends on the context in which personal data is to be processed.

For purposes of Google Cloud, Google is acting as a processor of customer personal data. Customer is either a controller or processor, as applicable.

Applicable States: CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, UT, VA

CDPA Reference: Section 4.1 (Roles of the Parties) of the General Terms of the CDPA.

Contract Requirement

A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller.

The customer’s contract, which includes the Cloud Data Processing Addendum, governs Google’s data processing procedures with respect to processing on behalf of customer.

Applicable States: CA, CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, UT, VA

CDPA Reference: Appendix 1 (Subject Matter and Details of Data Processing) of the CDPA.

Limitations on Data Use

A contract between a controller and a processor shall set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.

Google commits to only process customer personal data in accordance with the CDPA including Appendix 1, which describes the subject matter and duration of the processing, nature and purpose of the processing and categories of data. 

Applicable States: CA, CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, UT, VA

CDPA Reference: Section 5.2 (Compliance with Customer’s Instructions) and Section 7.1.2 (Access and Compliance) of the General Terms, and Appendix 1 (Subject Matter and Details of Data Processing) of the CDPA.

Impose a Duty of Confidentiality on Employees

The contract between a controller and a processor will ensure that each person processing personal data is subject to a duty of confidentiality.

Customers may access their data (including their end users’ data) on Google Cloud at any time. If Google receives a request from an individual (e.g., a customer end user) relating to customer personal data, our privacy team will advise the requester to submit the request to you, the Google Cloud customer. Google Cloud customers can then take control of responding to these requests as per their internal procedures and requirements.

Applicable States: CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, UT, VA

CDPA Reference: Section 7.1.2 (Access and Compliance) of the General Terms, and Section 4 (Personnel Security) in Appendix 2 (Security Measures) of the CDPA.

Audit Requirement

The contract between a controller and a processor will ensure that the processor provides the business with information to demonstrate compliance with the processor’s obligations, upon request, and to undergo independent audits annually using accepted control frameworks.

Google supports customer compliance by making relevant security documentation available for customer review and undergoing several independent third-party audits on at least an annual basis to provide independent verification of our operations and internal controls. Google’s Compliance Reports Manager page provides easy, on-demand access to these critical compliance resources, at no additional cost. Key resources include our latest ISO/IEC certificates, SOC reports, and self assessments.

Applicable States: CA, CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, VA

CDPA Reference: Section 7.4 (Compliance Certifications and SOC Reports) and Section 7.5 (Reviews and Audits of Compliance) of the General Terms of the CDPA.

Assist with Controller Obligations

A processor will adhere to the instructions of the business and assist the business with: taking into account the nature of processing and the information available to the processor, responding to consumer rights requests.

Google commits to assist customers with consumer requests in Section 9 of the General Terms of the CDPA.

Applicable States: CA, CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, VA

CDPA Reference: See responses in the Consumer Rights and Business / Controller Responsibilities sections, above. Section 9 (Access; Data Subject Rights; Data Export) and Section 9.2.2 (Google’s Data Subject Request Assistance) of the General Terms of the CDPA.

Assist with Controller Obligations

A processor will adhere to the instructions of the business and assist the business with: taking into account the nature of processing and the information available to the processor, meeting its obligations with respect to the security of processing the personal data and in relation to the notification of a security breach.

Google implements and maintains technical, organizational, and physical measures to protect the customer data against unauthorized disclosure or access. Google provides customers with notification of, and details about, a data incident promptly and without undue delay. Google also makes additional security controls available to customers. 

Applicable States: CA, CO, CT, DE, FL, IA, IN, MT, OR, TX, UT, VA

CDPA Reference: Section 7.1 (Google’s Security Measures, Controls and Assistance), Section 7.1.4 Google’s Security Assistance), Section 7.2 (Data Incidents), Section 7.2.1 (Incident Notification), and Section 7.3 (Customer’s Security Responsibilities and Assessment.) of the General Terms, and Appendix 2 (Security Measures) of the CDPA.

Assist with Controller Obligations

Taking into account the nature of processing and the information available to the processor, a processor will adhere to the instructions of the business and assist the business by: providing information necessary to conduct data protection assessments.

Google commits to assist customers with data protection assessments in Section 8 of the General Terms of the CDPA. In addition, for Google Cloud Platform and Google Workspace, Google maintains DPIA Resource Center to assist customers.

Applicable States: CA, CO, CT, DE, FL, IN, MT, OR, TX, VA

CDPA Reference: Section 8 (Impact Assessments and Consultations) of the General Terms of the CDPA.

Subcontractor Objection Right

A subcontractor handling personal data cannot be engaged unless the business has the opportunity to object.

Google provides customers with a notice including information about any new subprocessor engagement and the opportunity to object by terminating the agreement for its convenience. Given the one-to-many nature of our services, Google is unable to operationalize an approval process for each individual customer. Google requires our subcontractors to meet the same high standards that we do and Google remains responsible for any subcontracted obligations. In particular, Google requires our subcontractors to comply with our contract with you and to only access and use your data to the extent required to perform the obligations subcontracted to them.

Applicable States: CO, CT, DE 

CDPA Reference: Section 11.1 (Consent to Subprocessor Engagement), Section 11.3 (Requirements for Subprocessor Engagement), and Section 11.4 (Opportunity to Object to Subprocessors) of the General Terms of the CDPA.

Delete or Return Data upon Termination / Completion of Services

The contract between a controller and a processor will ensure that the processor returns or destroys all customer personal data at the end of the provision of services.

Google will delete all customer data (including customer personal data) at the end of the term in accordance with applicable law and within a maximum period of 180 days. Additional details of Google’s data deletion process and commitments can be found in the CDPA and Data Deletion on Google Cloud documentation.

Applicable States: CA, CO, CT, DE, FL, IA, IN, MT, OR, TN, TX, VA

CDPA Reference: Section 6.1 (Deletion by Customer) and Section 6.2 (Return or Deletion When Term Ends) of the General Terms of the CDPA.

Notify the Controller if Obligations can no longer be met

A processor must notify the business if it determines that it can no longer meet its obligations under the CCPA.

Google will notify customers if it is unable to meet its obligations under the CCPA, unless such notice is prohibited by applicable law.

Applicable States: CA

CDPA Reference: Section 3 (Compliance) of the CCPA subsection in Appendix 3 (Specific Privacy Laws) of the CDPA.