U.S. DPA

Last updated: July 22, 2025

This US DPA governs Personal Data Processing under U.S. privacy laws, including State Privacy Laws. Unless defined herein, capitalized terms have the meanings in the DPA. This US DPA supersedes conflicting DPA terms. 

This US DPA includes the following Attachments, each of which is part of this US DPA as applicable.

1. The IAB’s Multi-State Privacy Agreement

In the event both Parties have signed the IAB’s Multi-State Privacy Agreement (the “MSPA”), available at https://www.iabprivacy.com, and in the event of a conflict between the MSPA and this US DPA, the terms of the MSPA shall supersede and control. 

2. Definitions

For purposes of this US DPA, the following terms will have the meaning ascribed below:

2.1. “Advertising Purposes” means the Processing Purposes under this US DPA, including all Restricted Purposes in addition to:

(i) activities that constitute Targeted Advertising under State Privacy Laws, 

(ii) creating or modeling audiences, or

(iii) creating or supplementing user profiles for such purposes. 

2.2. “CCPA” means the California Consumer Privacy Act of 2018, as amended, including as amended by the California Privacy Rights Act of 2020, and any regulations promulgated thereunder.

2.3. “Data Breach” means “breach of the security of the system,” “security breach,” “breach of security,” “breach of system security,” and other analogous terms referenced in State Privacy Laws.

2.4. “Restricted Processing” means Processing only for Restricted Purposes.

2.5. “Restricted Processing Signal” means any flag or signal indicating that a Consumer has opted out of:

(i) the Sale or Share of their Personal Data, 

(ii) use of their Personal Data for purposes of Targeted Advertising, 

(iii) profiling in furtherance of decisions that produce legally or similarly significant effects, or 

(iv) any other Processing Purpose for which a Consumer has an opt-out right under applicable State Privacy Laws or other applicable U.S. Data Protection Laws,

including those flags or signals sent through the IAB GPP or any other signaling system, including without limitation technical signaling systems designed to transmit UOOM signals. 

2.6. “Restricted Purposes” means advertising-related Processing that qualifies as a Business Purpose, including Processing for purposes of auditing; security and integrity; debugging; short term, transient uses; analytics; providing advertising or marketing services that do not include Targeted Advertising, or profiling; internal research; and efforts to improve quality and safety. Restricted Purposes include as applicable, first-party advertising, contextual advertising, frequency capping, ad selection and sequencing, measurement, fraud detection and prevention, and ensuring and measuring viewability, each only to the extent such activity:

(i) is permissible for a Processor to perform under the applicable State Privacy Laws,

(ii) does not result in a Sale or Sharing of Personal Data, 

(iii) is not Processing of Personal Data for Targeted Advertising purposes, or 

(iv) is not profiling in furtherance of decisions that produce legally or similarly significant effects.

2.7. “Targeted Advertising” includes Cross-Context Behavioral Advertising as defined under the CCPA and otherwise has the meaning set forth in applicable State Privacy Laws.

2.8. “UOOMs” means “Universal Opt-Out Mechanisms” or “Opt-Out Preference Signals” required under applicable State Privacy Laws for the transmission of Consumer opt-out signals and implemented to accurately pass applicable Consumer Choices to Adagio via tools recognized as valid by applicable Supervisory Authorities, including as applicable the Global Privacy Control available at: https://globalprivacycontrol.org.  

2.9. “Business,” “Business Purpose,” “Commercial Purpose,” “Consumer,” “Controller,” “Cross-Context Behavioral Advertising,” “Deidentified,” “De-identified Data,” “Personal Data,” “Personal Information,” “Process(-ing),” “Processor,” “Sale,” “Sell,” “Service Provider,” “Share,” “Targeted Advertising” and “Third Party” shall have the meanings ascribed to them in State Privacy Laws.

2.10. “Controller,” references in this US DPA to “Controller,” “Personal Data,” and “Processor” include “Business,” “Personal Information,” and “Service Provider” respectively.

2.11. “State Privacy Laws” means the CCPA and all other equivalent or similar U.S. state laws and regulations relating to Personal Data, in each case as amended from time to time and including any regulations promulgated thereunder, including without limitation:

  • Colorado Privacy Act
  • Connecticut’s Act Concerning Data Privacy and Online Monitoring
  • Delaware Personal Data Privacy Act 
  • Indiana Consumer Data Protection Act [Effective January 1, 2026]
  • Iowa Consumer Data Protection Act
  • Kentucky Consumer Data Protection Act [Effective January 1, 2026]
  • Maryland Online Data Privacy Act of 2024 [Effective October 1, 2025]
  • Minnesota Consumer Data Privacy Act 
  • Montana Consumer Data Privacy Act, Mont. Code 
  • Nebraska Data Privacy Act
  • New Hampshire Privacy Law
  • New Jersey Privacy Act
  • Oregon Consumer Privacy Act
  • Rhode Island Data Transparency & Privacy Protection Act [Effective January 1, 2026]
  • Tennessee Information Protection Act
  • Texas Data Privacy and Security Act
  • Utah Consumer Privacy Act
  • Virginia’s Consumer Data Protection Act

3. Roles 

With respect to the Processing of Personal Data, each Party acts as a Controller in its capacity as the Disclosing Party or the Receiving Party, as applicable, unless a Restricted Processing Signal is present or the Processing by the Receiving Party is otherwise solely for Restricted Purposes, in which case Receiving Party acts as a Processor and Processes the Personal Data on behalf of Disclosing Party (which may operate as either the Controller or a Processor to another Controller). For clarity, where Adagio acts as a Processor, it shall only be responsible for Processing activities within its direct control.

4. Mutual Processing Obligations

Each Party will:

4.1. Comply with its respective obligations under State Privacy Laws with respect to the Processing of Personal Data.

4.2. Provide Consumers with a clear and conspicuous ability to opt out of the Sale, Sharing, or Processing of their Personal Data for purposes of Targeted Advertising, in compliance with State Privacy Laws. If a Consumer opts out, Disclosing Party will (i) not Process such Consumer’s Personal Data for Targeted Advertising purposes and (ii) will either (a) not disclose such Consumer’s Personal Data to any Third Party; or (b) transmit a Restricted Processing Signal in conjunction with any disclosures of such Consumer’s Personal Data to any Third Party. Each Party shall be responsible for implementing its own opt-out mechanisms and maintaining records of Consumer choices.

4.3. Not modify any Restricted Processing Signal received from a Disclosing Party.

4.4. Transmit all Restricted Processing Signals received in conjunction with Personal Data to any recipients of such Personal Data.

4.5. Comply with requirements set out in State Privacy Laws for processing Deidentified Data, including by:

4.5.1. Not attempting to re-identify any such data;

4.5.2. Using reasonable administrative, technical, and organizational measures to prevent any re-identification of any such data or any inadvertent release of any such data; and

4.5.3. Publicly committing both to maintain and use the Deidentified Data in de-identified form and not to attempt to re-identify any such data.

4.6. To the extent acting as a Disclosing Party:

4.6.1. Provide all notices and obtain any consents required by State Privacy Laws necessary to permit each Party to Process Personal Data in accordance with this US DPA; and

4.6.2. To the extent providing Personal Data originally collected by another Controller, (i) contractually obligate such Controller to provide all notices and obtain any consents required by State Privacy Laws necessary to permit each Party to Process Personal Data in accordance with this US DPA and (ii) take reasonable steps to ensure compliance with such contractual obligations.

4.7. To the extent acting as a Receiving Party, comply with:

4.7.1. Section 5 (CCPA Third Party Terms) when Processing Personal Data subject to the CCPA and without a Restricted Processing Signal present.

4.7.2. Section 6 (Processor Obligations), when Processing Personal Data received with a Restricted Processing Signal present.

5. CCPA Third Party Terms

5.1. Applicability

This Section 5 (CCPA Third Party Terms) applies only when the Receiving Party Processes Personal Data from the Disclosing Party (i) that is subject to the CCPA; and (ii) no Restricted Processing Signal is present.

5.2. Purpose Limitations

Disclosing Party makes Personal Data available to Receiving Party only for Advertising Purposes. Receiving Party will Process Personal Data only for such Advertising Purposes, and in accordance with its obligations and any restrictions in the Agreement.

5.3. CCPA Compliance; Notification of Determination of Noncompliance

Receiving Party will comply with applicable obligations under the CCPA, including by providing an appropriate level of privacy protection as required by the CCPA, and will notify Disclosing Party without undue delay if Receiving Party determines it can no longer meet its obligations under the CCPA.

5.4. Verification of CCPA Compliance

Upon Disclosing Party’s reasonable request, but no more than once per calendar year unless required by law, Receiving Party will provide the following to Disclosing Party to demonstrate Receiving Party’s Processing of Personal Data consistent with Disclosing Party’s obligations under the CCPA:

5.4.1. A copy of a certificate issued for security verification reflecting the outcome of an audit conducted by an independent third-party auditor; or

5.4.2. Any other information the Parties agree is reasonably necessary for Disclosing Party to verify Receiving Party’s Processing is consistent with Disclosing Party’s obligations under the CCPA, such as an attestation.

5.5. Unauthorized Use Remediation

If Disclosing Party reasonably believes that Receiving Party is engaged in the unauthorized use of Personal Data provided by Disclosing Party, Disclosing Party may notify Receiving Party of such belief using the contact information provided in the Agreement, and the Parties will work together in good faith to stop or remediate the allegedly unauthorized use of such Personal Data, as necessary.

5.6. Onward Disclosure Obligations

To the extent permitted by the Advertising Purposes and the Agreement, if Receiving Party makes an onward disclosure of Personal Data provided to it by Disclosing Party, including through any Sale or Sharing of Personal Data, Receiving Party will impose terms that are substantially similar to (a) the terms imposed on Receiving Party by Section 4 (Mutual Processing Obligations) and this Section 5 (CCPA Third Party Terms).

6. Processor Obligations

6.1. Applicability

This Section 6 (Processor Obligations) applies only to the extent Receiving Party Processes Personal Data with a Restricted Processing Signal present that has been delivered to Receiving Party or the Processing by the Receiving Party is otherwise solely for Restricted Purposes. For avoidance of doubt, Receiving Party shall have no obligations under this Section 6 where a Restricted Processing Signal is not passed in the bidstream or other data feed, including where a consent management platform removes or truncates such signal, or where technical limitations or third-party actions prevent the accurate transmission of such signal.

6.2. Purpose Limitations

Receiving Party will Process Personal Data in accordance with its obligations in the Agreement and only for Restricted Purposes, as further described in Attachment 1. Receiving Party will not:

6.2.1. Process Personal Data for Targeted Advertising purposes; or

6.2.2. Sell or Share Personal Data.

6.3. Assistance

Receiving Party will assist Disclosing Party with State Privacy Laws compliance by:

6.3.1. Assisting the Disclosing Party in responding to Consumer requests made pursuant to State Privacy Laws, provided that Disclosing Party must provide to Receiving Party all information necessary for it to provide such assistance or respond to a Consumer request when required by State Privacy Laws;

6.3.2. Contributing to data protection impact assessments where required by State Privacy Laws;

6.3.3. Offering reasonable notice and assistance to Disclosing Party in the event Receiving Party experiences a Data Breach, including to help Disclosing Party satisfy its Data Breach notification obligations under State Privacy Laws; and

6.3.4. Implementing reasonable security procedures and practices appropriate to the nature of the Personal Data and designed to protect such Personal Data from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with State Privacy Laws.

6.4. Confidentiality

Receiving Party will treat Personal Data from Disclosing Party as confidential and subject each person that Processes such Personal Data to an appropriate obligation of confidentiality.

6.5. Further Disclosures

If Receiving Party further discloses Personal Data provided by Disclosing Party, Receiving Party will:

6.5.1. Ensure it has in place a written agreement with any such recipient that obligates the recipient to comply with terms at least as protective as the terms set out in this Section 6 (Processor Obligations);

6.5.2. Ensure any Restricted Processing Signal is transmitted with the Personal Data to the recipient; and

6.5.3. To the extent required by State Privacy Laws, provide Disclosing Party notice of the planned transmission to any subcontractor and an opportunity to object.

6.6. Deletion and Return of Personal Data

Upon the earlier of any request by Disclosing Party or without undue delay following termination of the Agreement, Data Recipient will delete, return, or de-identify in accordance with State Privacy Laws Personal Data provided to Receiving Party by Disclosing Party, unless retention of the Personal Data is required by applicable law.

6.7. Audits

Upon Disclosing Party’s reasonable request, Receiving Party will provide the following to Disclosing Party to enable Disclosing Party to audit Receiving Party’s compliance with this Section 6 (Processor Obligations):

6.7.1. A copy of a certificate issued within 12 months of the Disclosing Party’s Request reflecting the outcome of an audit conducted by an independent and qualified third-party auditor using an appropriate and accepted control standard or framework and audit procedure, provided that such audit shall not occur more than once per calendar year unless required by law; or

6.7.2. Any other information or attestation the Parties agree is reasonably necessary for Disclosing Party to verify that Receiving Party’s Processing is consistent with Disclosing Party’s obligations under the CCPA.

6.8. Additional CCPA Processing Obligations

If Personal Data provided to Receiving Party by Disclosing Party is subject to the CCPA, in addition to the obligations set out in Sections 6.1 - 6.7 above, Receiving Party will:

6.8.1. Not retain, use, or disclose the Personal Data outside of the direct business relationship with Disclosing Party or for any purpose, including Commercial Purposes, other than the Restricted Purposes, unless otherwise permitted by the CCPA.

6.8.2. Upon notice from Disclosing Party of its reasonable belief that Receiving Party is Processing Personal Data in an unauthorized manner, cooperate with Disclosing Party in good faith to stop or remediate the allegedly unauthorized use of such Personal Data, as necessary, such as by providing documentation verifying certain practices.

6.8.3. Notify the Disclosing Party without undue delay if Receiving Party determines it can no longer meet its obligations under the CCPA.

6.8.4. Except to Process for the Restricted Purposes or as otherwise permitted by the CCPA, not combine the Personal Data provided to Receiving Party by Disclosing Party with Personal Data received from or on behalf of another person or source or that Receiving Party collects from its own interactions with Consumers.

7. Cross-Border Transfers

Where the Disclosing Party (a US entity) provides the Receiving Party (a non-US entity) with access to Personal Data, the terms in Attachment 2 below apply (DOJ Rule on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern).

8. Prohibited Data Transfers

Publisher represents, warrants and covenants that it will not transfer or disclose to Adagio any Personal Data that cannot be used for the Processing Purposes under applicable Data Protection Laws in the United States. Publisher further represents, warrants and covenants that it will not transfer or disclose to Adagio any Sensitive Personal Data for the Processing Purposes or Personal Data for any Secondary Purposes without first obtaining and maintaining documented Explicit Consent of the Consumer for such Processing. Publisher shall indemnify and hold harmless Adagio for any breach of these representations, warranties and covenants. 

9. Miscellaneous

Except as provided in Section 5.2, if there is any inconsistency or conflict between this US DPA and the Agreement, then this US DPA will govern, regardless of whether any language in the Agreement purports to state that the Agreement is the controlling document.  The provisions of this US DPA may not be amended, except by an agreement to specifically amend this US DPA in writing signed by the Parties. To the extent the Parties continue to Process Personal Data subject to applicable Data Protection Laws in the United States, this US DPA will survive any expiration or termination of the Agreement.