CCPA – Suppliers, Vendors, Service Providers, Contractors & Sub-Contractors
July 2023
CALIFORNIA CONSUMER PRIVACY ACT REQUIREMENTS FOR SUPPLIERS, VENDORS, SERVICE PROVIDERS, CONTRACTORS, AND SUB-CONTRACTORS
If applicable, the following California Consumer Privacy Act of 2018 and California Privacy Rights Act of 2020 provisions (“Provisions”) are incorporated into all contracts between Kenco PPC Buyer LLC (including, more specifically, its subsidiaries – Kenco Logistic Services, LLC, Management Services, LLC, Kenco Fleet Services, LLC, Kenco Transportation Management, LLC, Kenco Transportation Services, LLC, and Kenco Canada, Inc.), hereinafter referred to collectively, with its successors, assigns, affiliates, parents, subsidiaries, and/or surviving company or companies by reason of any merger or acquisition, as “Company” and Company’s suppliers, vendors, service providers, contractors, and sub-contractors (“Suppliers”). The obligations of this section of the California Privacy Law Addendum shall apply solely to the extent that Company is a business as defined under CCPA/CPRA and the personal information is covered by the CCPA/CPRA.
- Definitions. The following definitions and rules of interpretation apply within these Provisions:
- “Authorized Persons” means the persons or categories of persons that Company authorizes to provide (or permit access) to Supplier personal information for processing in accordance with their instructions.
- CCPA means the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199), and any related regulations or guidance provided by the California Attorney General or the California Privacy Protection Agency, as applicable. Terms defined in the CCPA, including, without limitation, personal information and business purpose, carry the same meaning in these Provisions.
- “Contracted Business Purposes” means the services Supplier provides for Company.
- CPRA means the California Privacy Rights Act of 2020, which amended the CCPA, and any related regulations or guidance provided by the California Attorney General or the California Privacy Protection Agency, as applicable. Terms defined in the CPRA, including, without limitation, sensitive personal information and sharing, carry the same meaning in these Provisions.
- Supplier’s CCPA/CPRA Obligations
- Supplier will not sell or share personal information it collects from the Company (“Company Personal Information”).
- Supplier will only collect, retain, use, disclose, or process Company Personal Information as reasonably necessary and proportionate to achieve the Contracted Business Purposes or as otherwise permitted by the CCPA/CPRA.
- Supplier will not retain, use, or disclose Company Personal Information for any commercial purpose other than the Contracted Business Purposes, nor for any purposes outside of its direct business relationship with Company, unless expressly permitted under the CCPA/CPRA.
- Supplier shall comply with all applicable sections of the CCPA/CPRA with respect to Company Personal Information and shall provide the level of privacy protection to Company Personal Information as is required of businesses thereunder. Such compliance may include, without limitation: (a) reasonably cooperating with Company in responding to and complying with consumer requests made pursuant to the CCPA/CPRA; and (b) implementing reasonable security procedures and practices, appropriate to the nature of the Company Personal Information, to protect that information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Cal. Civ. Code § 1798.81.5.
- Supplier will promptly notify Company if it determines that it can no longer meet its obligations under applicable provisions of the CCPA/CPRA.
- Company shall have the right to take reasonable and appropriate steps to ensure that Supplier uses Company Personal Information in a manner consistent with Company’s obligations under the CCPA/CPRA. These steps may include, without limitation, manual reviews and automated scans of Supplier’s information systems, and regular internal or third-party assessments, audits, or other technical and operational testing at least once every 12 months.
- Company shall have the right, upon notice, to take reasonable and appropriate steps to stop and remediate use of Company Personal Information that is unauthorized under the CCPA/CPRA and this Addendum, including, without limitation, requiring Supplier to provide documentation verifying that it no longer retains or uses Company Personal Information of consumers that submitted to Company a valid request to delete.
- In the event Supplier is legally required to disclose Company Personal Information for a purpose unrelated to the Contracted Business Purposes, Supplier will, unless legally prohibited, inform Company of the legal requirement and give it reasonable opportunity to object to or challenge the disclosure.
- If the Contracted Business Purposes require the collection of personal information directly from consumers on Company’s behalf, Company will provide Supplier a CCPA/CPRA-compliant notice at collection that Supplier shall make available to such consumers at or before collection of such information. Supplier will not modify or alter the notice without Company’s written consent.
- Assistance with Company’s CCPA/CPRA Obligations
- Supplier shall reasonably cooperate with Company to comply with consumer requests made pursuant to the CCPA/CPRA.
- In the event Supplier receives requests directly from consumers, Supplier will promptly inform Company of such requests but not later than five (5) days following receipt and reasonably cooperate with Company in responding to them.
- Subcontracting
- If Supplier subcontracts with another person in connection with the Contracted Business Purposes, Supplier shall (a) notify Company of the engagement and (b) have a contract with such person that complies with CCPA/CPRA, including with respect to such person’s service providers or contractors.
- General
- Nothing in these requirements, whether expressed or implied, is intended to confer any rights or remedies to any person (including any consumer), other than to Company, Supplier, and their respective successors and permitted assigns. Nor shall any provisions herein give any third party any right of subrogation or action against any party to the Agreement or this Addendum.
- The parties will comply with all applicable requirements of the CCPA/CPRA when collecting, using, retaining, or disclosing personal information, including providing the same level of privacy protections required thereunder.