U.S. Privacy Laws Addendum to Elsevier Data Processing Addendum

Last updated: October 1, 2025

A. To the extent that Elsevier is processing on behalf of the Subscriber any personal information in scope of the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and its implementing regulations (“CCPA”):

  1. Elsevier is prohibited from selling or sharing such personal information it collects pursuant to the Agreement;

  2. The specific business purpose for which Elsevier is processing personal information pursuant to the Agreement is to provide, manage, operate and secure the services under the Agreement, and the Subscriber is disclosing the personal information to Elsevier only for the limited and specified business purpose set forth in the Agreement;

  3. Elsevier is prohibited from retaining, using, or disclosing the personal information that it collected pursuant to the Agreement for any purpose other than for the business purpose specified in the Agreement or as otherwise permitted by the CCPA;

  4. Elsevier is prohibited from retaining, using, or disclosing the personal information that it collected pursuant to the Agreement for any commercial purpose other than the business purposes specified in the Agreement, unless expressly permitted by the CCPA;

  5. Elsevier is prohibited from retaining, using, or disclosing the personal information that it collected pursuant to the Agreement outside the direct business relationship between Elsevier and the Subscriber, unless expressly permitted by the CCPA;

  6. Elsevier is required to comply with all applicable sections of the CCPA, including – with respect to the personal information that Elsevier collected pursuant to the Agreement – providing the same level of privacy protection as required of businesses by the CCPA;

  7. Elsevier grants the Subscriber the right to take reasonable and appropriate steps to ensure that Elsevier uses the personal information that it collected pursuant to the Agreement in a manner consistent with the Subscriber’s obligations under the CCPA;

  8. Elsevier is required to notify the Subscriber after it makes a determination that it can no longer meet its obligations under the CCPA;

  9. Elsevier grants the Subscriber the right, upon notice, to take reasonable and appropriate steps to stop and remediate Elsevier’s unauthorized use of personal information; and

  10. Elsevier is required to enable the Subscriber to comply with consumer requests made pursuant to the CCPA or the Subscriber is required to inform Elsevier of any consumer request made pursuant to the CCPA that they must comply with and provide the necessary information to Elsevier to comply with the request.

B. To the extent that Elsevier is processing on behalf of the Subscriber any personal data in scope of any other U.S. state data privacy laws, Elsevier shall:

  1. Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;

  2. At the direction of the Subscriber, delete or return all personal data to the Subscriber as requested at the end of the provision of the services under the Agreement, unless retention of the personal data is required by law;

  3. Upon reasonable request of the Subscriber, make available to the Subscriber all information in its possession necessary to demonstrate its compliance with the obligations under the law;

  4. Allow, and cooperate with, reasonable assessments by the Subscriber or its designated assessor; alternatively, Elsevier may arrange for a qualified and independent assessor to conduct an assessment of Elsevier’s policies and technical and organizational measures in support of the obligations under the law using an appropriate and accepted control standard or framework and assessment procedure for such assessments. Elsevier shall provide a report of such assessment to the Subscriber upon request; and

  5. Engage any subcontractor, subject to any applicable right of objection, pursuant to a written contract in accordance with laws that require the subcontractor to meet the obligations of Elsevier with respect to the personal data.

The parties shall, taking into account the context of the processing, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement the measures.

Elsevier shall, where required, (i) establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, considering the volume and nature of the personal data, and (ii) stop processing data on request by the Subscriber made in accordance with a consumer’s authenticated request.