| Please note that this FAQ does not form part of New Relic’s Terms of Service or any other legal terms. |
At New Relic we take privacy and data protection very seriously. Our privacy and security professionals collaborate with customers and internal teams to ensure compliance with applicable data protection laws. These applicable data protection laws include the California Consumer Privacy Act (CCPA) and its implementing regulations, including the California Privacy Rights Act (CPRA).
This FAQ guide is designed to provide information about New Relic’s role and obligations under the CCPA, and assist our customers when completing our updated California Consumer Privacy Act (“CCPA”) Service Provider Addendum (“SPA”) which New Relic makes available to its customers. This document can be found here
For more information on how New Relic processes personal information, please see our General Data Privacy Notice
For more information on New Relic’s security practices, please see our Security Policy
1. What is the CCPA?
The California Consumer Privacy Act (CCPA) is a data privacy law that regulates how businesses globally are allowed to handle the personal information of California residents. CCPA applies to any for-profit businesses in the world that collects or sells the personal information of California residents while conducting business in California. The CCPA grants certain rights to California residents (“consumers”). These include the right to access or delete their personal information or to opt out of a sale of that personal information by a business.
2. What is the CPRA?
The California Privacy Rights Act (CPRA) is a data privacy law that amends and expands upon the CCPA, so any reference to the CCPA already includes the CPRA (also known as “CCPA 2.0”). The CCPA went into effect on January 1, 2020 and the “CCPA 2.0” which incorporates the CPRA changes went into effect on January 1, 2023.
3. What is deemed ‘personal information’?
The CCPA defines “personal information” as information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
4. What is considered a “sale” under the CCPA?
“Selling” is defined very broadly to cover most transfers of personal information for monetary or other value. “Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration. However, unlike other transfers, a transfer to an entity that qualifies as a “service provider” under the CCPA is not considered a “sale”.
5. What is considered as “sharing” under the CPRA?
Under the CPRA “sharing” is defined as “renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by a business”.
When acting as a service provider on behalf of our customers, New Relic does not sell or share for cross-context behavioral advertising any of the categories of personal information of California residents that it processes on behalf of customers.
6. What is a business and what is a service provider under the CCPA?
Under the CCPA, a “business” is any for-profit entity that collects, and determines the purposes and means of processing California residents’ personal information while doing business in California and that also meets one of the following criteria: (i) had gross revenues exceeding $25 million as of January 1 in the preceding calendar year; or (ii) buys, sells, or shares the information of 100,000 or more consumers or households; or (iii) derives 50 percent or more of their annual revenue from selling or sharing consumers’ personal information.
A “service provider” under the CCPA is any for-profit entity that processes California residents’ personal information on behalf of a business that discloses that personal information to the service provider for a “business purpose”. In order to be considered a service provider, the entity must receive the personal information pursuant to a written contract that prohibits that entity from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract.
7. How does New Relic comply with the CCPA?
For our customers, New Relic primarily acts as a “service provider” under the CCPA. Even though it is not necessary to transmit personal information to New Relic in order to use our Services, you can and should feel comfortable sending data to us.
New Relic offers a CCPA Service Provider Addendum that supplements New Relic Terms of Service. In addition, New Relic commits to maintaining security practices appropriate to the nature of our customers’ Personal Information and to protecting the Personal Information from and against a Security Incident in line with the New Relic Security Policy.
In order that our customers may meet their obligations as a business towards their own customers and/or end users, New Relic also commits to providing assistance in responding to verified consumer requests to exercise the consumer rights granted by the CCPA.
8. What is a Service Provider Addendum and do I need to sign New Relic’s CCPA SPA?
A Service Provider Addendum (“SPA”) is a written contract (as set out above) entered into by a business and a service provider as those terms are defined under the CCPA. In order for a business to transfer personal information to a service provider and that transfer not amount to a “sale” of the personal information, the CCPA requires that businesses and service providers enter into written contracts or SPAs in order to share personal information.
New Relic’s Service Provider Addendum incorporates the obligations and restrictions set forth by the CCPA and the CPRA so that the transfer of customers’ personal information to New Relic cannot be deemed to be a “sale” under the CCPA.
If your company is subject to the CCPA and you are transmitting personal information to the New Relic services for processing, then New Relic is acting as your service provider and you should sign New Relic’s CCPA SPA and then follow the instructions set out at Section 6.
9. What about the main agreement between the parties?
The New Relic CCPA SPA is an addendum to the main agreement between New Relic and our customer and forms part of that agreement. Customers who previously entered into an agreement without signing an SPA, can sign our current SPA at any time.
10. How can I execute the New Relic CCPA SPA?
This Addendum has been pre-signed on behalf of New Relic. To complete this Addendum, Customers should complete the information in the signature box and sign on page 3 and then send the signed document by email to dataprivacy@newrelic.com.
11. I would like to ask some questions that are not answered in this guide
For any additional information you require, you may contact your Account Executive who will be happy to assist you.
The information contained in this document does not provide legal advice. We recommend that you consult with your own legal counsel in order to obtain advice specific to your own unique situation and how you intend to use the New Relic services- remember an SPA is only necessary if you intend to send personal information for processing.