OPT-OUT Jurisdiction Data Processing Addendum

v1.0 June 30, 2025

This Opt-Out Jurisdiction Data Processing Addendum ("Opt-Out DPA") forms part of and is incorporated into the ID5 ID Agreement, ID5 MSA, and/or other fully executed contractual agreement between ID5 and Company referencing this Opt-Out DPA (as applicable, the “Prime Agreement”).

This Opt-Out DPA sets out the terms and conditions that apply to the Processing of Personal Data under the Prime Agreement where such Processing is subject to Opt-Out Applicable Privacy Laws. The Parties intend that this Opt-Out DPA addresses the requirements of Opt-Out Applicable Privacy Laws, including Applicable U.S. Privacy Law such as the California Consumer Privacy Act (CCPA) as amended, acknowledging that such laws may evolve and new Opt-Out Applicable Privacy Laws may emerge globally.

  1. Definitions
    • Capitalized terms used but not defined in this Opt-Out DPA shall have the meanings given to them in the Prime Agreement.
    • In this Opt-Out DPA, the following terms shall have the meanings set out below and, where applicable, shall be interpreted consistently with the definitions provided under the relevant Opt-Out Applicable Privacy Law:
      • i) "Opt-Out Personal Data” means Personal Data Processed by either Party pursuant to the Prime Agreement where such Processing is subject to Opt-Out Applicable Privacy Laws.
      • ii) "Business", "Third Party", "Sale", "Sharing", "Consumer", "Commercial Purpose", "Service Provider", and similar terms shall have the meanings ascribed to them in the relevant Opt-Out Applicable Privacy Law (e.g., the CCPA), as applicable to the specific Processing activity.
      • “Component(s)” means the selected Components as described in the ID5 MSA and/or Order Form(s), as applicable.
  2. Scope and Applicability
    • This Opt-Out DPA applies exclusively to the Processing of Personal Data (including Collected Data and Optional Data) under the Prime Agreement that is, or in the future becomes, subject to laws other than Opt-In Applicable Privacy Laws (as defined in the Prime Agreement)
    • The applicability of this Opt-Out DPA may change in the event of a change in Appliable Privacy Laws resulting in the requirement to obtain the data subject’s explicit consent prior to the relevant processing (“Opt-In Applicable Privacy Laws”), and, instead, the Opt-In DPA (available at id5.io/legal/agreements/dpa/opt-in) will apply from the effective date of the revised Applicable Privacy Law(s) with respect to some or all Processing. As of June 2025, Opt-Out Applicable Privacy Laws include, but are not limited to, the United States and its various state laws such as CCPA/CPRA.
    • Each Party shall comply with its respective obligations under the Out-Out Applicable Privacy Laws with respect to its Processing of Opt-Out Personal Data.
    • In the event of any conflict between the terms of this Opt-Out DPA and the Prime Agreement concerning the Processing of Personal Data under Opt-Out Applicable Privacy Laws, the terms of this Opt-Out DPA shall prevail.
  3. Details of Processing
    • Subject Matter: The provision and use of any ID5 Service (which may include the ID5 ID Offering and/or any Components licensed under the Prime Agreement) by Company involving the collection and exchange of data to enable identity resolution and related services, as further described in the Prime Agreement, to the extent such Processing is subject to Opt-Out Appliable Privacy Law.
    • Duration: The Term of the Prime Agreement, subject to any post-termination data retention obligations under the Prime Agreement or applicable Opt-Out Applicable Privacy Law.
    • Retention:
      • i) ID5: ID5 will delete or otherwise permanently remove Opt-Out Personal Data within 99 days of receipt.
      • ii) Company: Company will delete or otherwise permanently remove Opt-Out Personal Data received from ID5, including ID5 IDs (encrypted and decrypted as applicable) and any Component Outputs (as described in an ID5 MSA and/or Order Form, as applicable) within thirty (30) days of receipt.
    • Data Processing Description
      • i) Categories of Data Subjects: Visitors to Digital Properties.
      • ii) Categories of Personal Data:
        1. Collected Data: As defined in the Prime Agreement, including IP address, user-agent string, page URL, timestamp, and User IDs.
        2. Optional Data: As defined in the Prime Agreement and subject to the restrictions therein, potentially including hashed email addresses or other User IDs, but excluding Directly Identifiable Data or Sensitive Data.
      • iii) Processing Activities: Collection and transmission via the ID5 API, receipt of Optional Data, creation and provision of encrypted ID5 IDs, use for identity resolution, analysis, service improvement, reporting, honoring opt-outs, all as part of providing the ID5 ID Service and/or Component(s) and fulfilling the Permitted Purpose.
      • iv) Purpose of the Processing: Each Party’s exercise of its respective rights and performance of its obligations with respect to the Permitted Purpose as defined in the Prime Agreement.
  4. Roles and Responsibilities of the Parties
    • Roles; Compliance with Law: The Parties acknowledge that under Opt-Out Applicable Privacy Laws, their specific roles may vary (e.g., Controller/Controller, Business/Third Party). Both Parties act as independent controllers (or the equivalent concept under the relevant Opt-Out Applicable Privacy Law) regarding their respective Processing activities, except where expressly stated otherwise for a specific jurisdiction herein.
    • CCPA/CPRA Specific Roles:
      • i) Where the CCPA/CPRA applies: a. Company is a "Business" and ID5 is a "Third Party" with respect to the Personal Data Processed under this Opt-Out DPA, unless ID5 is acting solely as a "Service Provider" for a specific, limited processing activity explicitly agreed upon separately in writing
      • ii) Company represents and warrants it is providing Personal Data to ID5, or permitting ID5 to collect Personal Data, in compliance with the CCPA/CPRA, including providing necessary notices and opt-out rights related to any "Sale" or "Sharing" (as defined by CCPA/CPRA) that may occur through the use of the ID5 ID Offering and/or Component(s).
      • ID5, as a Third Party, shall comply with the applicable obligations under the CCPA/CPRA, including processing the Personal Data for the Permitted Purpose consistent with the notices provided by Company to the Consumer and honoring opt-out signals passed by Company.
    • Other Opt-Out Jurisdictions: In jurisdictions governed by other Opt-Out Applicable Privacy Laws, the Parties shall comply with their respective obligations applicable to their roles under such laws, consistent with the principles of notice, opt-out, and independent processing for the Permitted Purpose(s) as outlined herein.
  5. Obligations of Company
    • Lawful Basis and Transfer: Company is solely responsible for ensuring it has a valid legal basis for the collection, Processing, and transfer of Personal Data to ID5, and permitting ID5's collection and Processing of Personal Data via the ID5 API, under all applicable Opt-Out Applicable Privacy Laws.
    • Notice to Visitors: Company shall ensure that each Digital Property provides clear, comprehensive, accurate, easily accessible and legally compliant notices to Visitors that comply with all Opt-Out Applicable Privacy Laws. Such notices must include, at a minimum:
      • i) A description of the categories of Personal Data collected (including via cookies and similar technologies like the ID5 API) and the purposes for which it is collected and Processed by Company and by third parties like ID5.
      • ii) Disclosure that Personal Data may be provided to or collected by third parties, such as ID5, who may Process the data for their own commercial purposes, including the provision and improvement of identity resolution and related advertising technology services, consistent with the Permitted Purpose under the Prime Agreement.
      • iii) Information about how Visitors can exercise their rights under Opt-Out Applicable Privacy Laws, including the right to opt-out of the "Sale" or "Sharing" of Personal Data, Profiling, Targeted Advertising, cross-context behavioral advertising, or other relevant processing activities, as applicable.
      • iv) Where required by Opt-Out Applicable Privacy Laws, specific information about ID5's processing activities and a link to the ID5 Privacy Policy and ID5 Opt-Out mechanism.
    • Visitor Choices and Opt-Outs: Company shall
      • i) Provide Visitors with the necessary mechanisms to exercise their choices including but not limited to opt-out rights as required by Opt-Out Applicable Privacy Laws.
      • ii) Accurately collect and respect Visitor Choices, including Opt-Out Requests.
      • iii) Transmit Visitor Choice Signals, including Opt-Out Requests applicable to ID5's Processing, accurately, completely, and promptly to ID5 via the mechanisms specified in the ID5 ID Requirements.
    • Data Accuracy and Minimization: Company shall use reasonable efforts to ensure that any Optional Data provided to ID5 is accurate and limited to what is necessary for the Permitted Purpose.
    • Data Protection Impact Assessments: Each Party is responsible for undertaking any Data Protection Impact Assessments or similar assessments required under applicable Opt-Out Applicable Privacy Laws for its own Processing activities. The Parties shall provide reasonable assistance to each other (at the requesting Party's expense for out-of-pocket costs) if required for such assessments related to the Processing of Opt-In Personal Data under this Opt-Out DPA.
  6. Obligations of ID5
    • Purpose Limitation: ID5 shall Process Personal Data received or collected under this Opt-Out DPA only for the Permitted Purpose as defined in the Prime Agreement, which includes ID5's own commercial purposes related to providing, operating, securing, analyzing, maintaining, and improving the ID5 ID Offering and related ID5 identity resolution products, services, and technologies (including the Component(s)), subject always to:
      • i) Compliance with applicable Opt-Out Applicable Privacy Laws.
      • ii) Compliance with the terms of the Prime Agreement and this Opt-Out DPA
      • iii) Respecting the valid Visitor Choice Signals transmitted by Company or received directly by ID5.
    • Compliance with Opt-Out Requests: ID5 shall implement and maintain technical and organizational measures to honor Opt-Out Requests communicated via valid Visitor Choice Signals transmitted by Company or received directly via the ID5 Opt-Out mechanism, in accordance with Opt-Out Applicable Privacy Laws and the ID5 ID Offering Requirements.
    • Restrictions: ID5 shall not, to the extent acting as a Third Party under CCPA, "Sell" or "Share" Personal Data received from Company if it has received a valid Opt-Out Request applicable to such data, except as otherwise permitted by the CCPA. More broadly, ID5 shall comply with restrictions on onward processing or transfer as mandated by applicable Opt-Out Applicable Privacy Laws based on received Visitor Choice Signals and choices received directly via the ID5 Opt-Out mechanism.
    • Security: ID5 shall maintain in writing a document outlining its security measures to protect Personal Data Processed under this Opt-Out DPA.
    • Confidentiality: ID5 shall ensure that its personnel authorized to Process Personal Data under this Opt-Out DPA are subject to appropriate confidentiality obligations
    • Sub-processors: ID5 may engage sub-processors consistent with the terms of the Prime Agreement. Such sub-processors shall operate as Service Providers/Processors as applicable, and their Processing shall be governed by a written agreement between ID5 and such sub- processor.
  7. Data Subject Rights
    • Recognizing that both Parties may receive requests directly from Visitors exercising their rights under Opt-Out Applicable Privacy Laws (e.g., access, deletion, correction, opt-out):
      • i) If Company receives a request relating to Personal Data Processed by ID5 under this Opt-Out DPA, Company shall, where necessary and appropriate, inform ID5 and provide necessary information to assist ID5, or direct the Visitor to ID5 as appropriate
      • If ID5 receives a request that also pertains to Personal Data held solely by Company, ID5 shall inform Company or direct the Visitor to Company as appropriate.
      • Each Party shall provide reasonable assistance to the other Party as necessary to enable the handling of data subject rights requests in accordance with Opt-Out Applicable Privacy Laws.
  8. Security Incidents. In the event of a security incident affecting Personal Data Processed under this Opt- Out DPA, the Parties shall comply with their respective notification obligations as set out in the Prime Agreement and Opt-Out Applicable Privacy Law.
  9. Miscellaneous
    • Compliance and Audit. Each Party is responsible for its own compliance with Opt-Out Applicable Privacy Laws except to the extent ID5 is reliant on Company’s performance of its obligations hereunder for ID5’s compliance. Company acknowledges ID5's right to verify Company's compliance with its obligations hereunder. The Parties each agrees to notify the other Party promptly in the event it is, or may be, unable to comply with the requirements of Opt-Out Applicable Privacy Laws
    • Governing Law. This Opt-Out DPA shall be governed by and construed in accordance with the laws of England and Wales, without prejudice to any mandatory requirements under applicable Opt-Out Applicable Privacy Laws.
    • Required Amendments. Amendments to this Opt-Out DPA shall be made in accordance with Section 8(b) of the Prime Agreement.