California Consumer Privacy
Last Updated December 31, 2019
PURPOSE FOR ADDENDUM
This California Data Privacy Addendum, including any future modifications (the “Addendum“), forms a material part of the Company’s Privacy Policy and applies to any “personal information” (as defined under the CCPA) that we may “collect” (as defined under the CCPA) from a California “consumer” (as defined under the CCPA) through their use of the Services, whether as a guest or a registered user. If you are a California consumer, the purpose of this Addendum is to briefly describe: 1) your rights under California law; 2) describe how you may make a request for those rights to be enforced; 3) describe the categories of personal information that were “sold” (as defined under the CCPA and detailed below) by the Company in the preceding twelve (12) months; 4) the categories of personal information that were disclosed by the Company for “business purposes” (as defined under the CCPA and detailed below) by the Company in the preceding twelve (12) months; and 5) describe your rights pursuant to California “Shine the Light” law.
YOUR RIGHTS AS A CALIFORNIA CONSUMER UNDER THE CCPA
The California Consumer Privacy Act (“CCPA”) provides California consumers (essentially human beings that are California residents and are the subject of personal information) with certain data privacy rights as described below.
RIGHT TO DISCLOSURE
The CCPA requires the Company to make affirmative disclosures to data subjects about the Company’s processing activities, including disclosures about how personal information is collected, sold, and/or otherwise disclosed to third parties. All required disclosures are contained in the main body of the Company’s Privacy Policy and/or in this Addendum, as they are amended from time to time.
RIGHT TO KNOW
The Right to Know under the CCPA grants California consumers the right to be provided with certain individualized disclosures with respect to the Company’s processing of their personal information. Upon the Company’s receipt of a verified data subject request, data subjects have the right to access information related to the Company’s:
- Collection Practices: Data subjects are entitled to confirmation of whether the Company is currently processing the data subject’s personal information and/or whether the Company has collected the data subject’s personal information in the twelve (12) month period preceding the request. If so, the Company is also obligated to provide the data subject with:
- A description of the data subject’s applicable data subject rights;
- The categories of the data subject’s personal information that have been collected by the Company, specifically including the categories of personal information that were collected in the twelve (12) month period preceding the request;
- The categories of data sources from where the personal information was collected, specifically including any data sources used by the Company in the twelve (12) month period preceding the request;
- Any business purpose for collecting or selling the data subject’s personal information, including any business purpose that existed in the twelve (12) month period preceding the request;
- Any commercial purpose for collecting or selling the data subject’s personal information, including any commercial purpose that existed in the twelve (12) month period preceding the request;
- The categories of recipients that the data subject’s personal information has been shared with, specifically including categories of recipients that have received access to the data subject’s personal information in the twelve (12) month period preceding the request; and
- the specific pieces of personal information that the company has collected about the data subject, including those specific pieces collected in the twelve (12) month period preceding the request.
- Sales Practices: Data subjects are entitled to confirmation of whether the Company is currently selling the data subject’s personal information and/or whether the company has done so in the twelve (12) month period preceding the request. If the Company has not sold any of the data subject’s personal information, the Company must make a disclosure to that effect. If the Company has sold the data subject’s personal information, the Company is also obligated to provide the data subject with:
- The categories of the data subject’s personal information that were collected by the Company in the preceding twelve (12) month period;
- The categories of the data subject’s personal information that were sold by the Company in the preceding twelve (12) month period; and
- The categories of recipients to whom the data subject’s personal information was sold in the twelve (12) month period preceding the request, including a breakdown of what categories of personal information were sold by the Company to each category of recipient.
- Disclosure Practices: Data subjects are entitled to confirmation of whether the Company is currently disclosing the data subject’s personal information for business purposes and/or whether the Company has disclosed the data subject’s personal information for business purposes in the twelve (12) month period preceding the request. If the Company has not disclosed any of the data subject’s personal information for a business purpose, the Company will make a disclosure to that effect upon receipt of a verified request. If the Company has disclosed your personal information for a Business Purpose, the company is also obligated to provide you with:
- The categories of the data subject’s personal information that were collected by the Company in the preceding twelve (12) month period;
- The categories of the data subject’s personal information that the Company disclosed to a third-party for a Business Purpose in the twelve (12) month period preceding the request; and
- The categories of recipients to whom the data subject’s personal information was disclosed to for a business purpose in the twelve (12) month period preceding the request, including a breakdown of what categories of personal information were disclosed by the Company to each category of recipient.
Note: The Company does not sell the personal information of minors under sixteen (16) years of age without affirmative authorization.
RIGHT TO OPT-OUT OF THE SALE OF PERSONAL INFORMATION
The Right to Opt-Out of the Sale of Personal Information, subject to certain exceptions, enables data subjects to prohibit the Company from selling their personal information to third parties. Once the Company receives an opt-out request, the Company is prohibited from selling the data subject’s personal information to any third party unless the data subject subsequently provides the Company with express authorization stating otherwise. Once a data subject has opted out, the Company must wait at least twelve (12) months before requesting to sell a data subject’s personal information again. The Company is prohibited from discriminating against Data Subjects that exercise their right to opt-out (e.g., charging them more for products or services).
RIGHT TO DELETION
Under very specific circumstances, the CCPA entitles data subjects to have the Company stop processing their personal information and destroy such data. This right is commonly referred to as the “Right to Deletion,” the “Right to Erasure,” and/or the “Right to be Forgotten.” Generally, the Right to Deletion requires the Company to delete any personal information that the Company has collected about a data subject that is not necessary for at least one of the purposes enumerated under the CCPA. Common exceptions to the Right to Deletion include the processing of personal information that is necessary for: completion of a transaction, provision of goods and services, performance of a contract, exercising free speech rights, internal uses that are reasonably aligned with a data subject’s expectations based on their relationship with the Company, internal uses that are lawful and compatible with the context in which a data subject provided their personal information, and/or uses of personal information that are necessary for the Company to comply with legal obligations.
RIGHT TO NON-DISCRIMINATION
Under the CCPA, the Company is prohibited from discriminating against data subjects that exercise their rights, including the Right to Opt-Out of the Sale of Personal Information. Specifically, the Company cannot deny data subjects goods or services, charge data subjects different prices or rates (or otherwise impose a penalty), or provide data subjects a different quality or level of goods or services if a data subject requests to enforce their rights.
HOW TO EXERCISE RIGHTS UNDER THE CCPA
If you wish to exercise available rights detailed below, please send an e-mail sufficiently detailing such request to: privacy@oneildata.com. Please note, however, that because the Company primarily processes personal information as a “service provider” to clients that may qualify as “businesses” (both terms as defined by the CCPA), the majority of rights requested will need to be enforced by the Company’s client(s) that provided the Company with your personal information for processing under a Service Agreement – if the Company receives a request in such a situation, it will forward such request to its client(s) for further processing as required by Applicable Laws.
Please additionally note that if we receive a request from you to exercise your rights, the Company has the right to have you take reasonable steps to confirm your identity. Generally, we will attempt to match identifying information that you have already provided to us. At minimum, the Company will require you to submit your name, telephone number, physical address, and email address. The Company is not obligated to, and will not, provide any individualized information or give effect to data subject rights unless the Company can reasonably verify that the request is a “verified request” (as defined under the CCPA).
Alternatively, you may submit a Data Subject Request by calling the Company at 1-844-902-0581. As another option, you may submit a Data Subject Request by employing an authorized agent to submit a request on your behalf. In order to do this, you must provide an authorized agent with written permission to submit a request. If the Company does not receive proof from an authorized agent that you have given them permission to submit a Data Subject Request on your behalf, the Company will deny the request.
BUSINESS PURPOSES & COMMERCIAL PURPOSES FOR COLLECTING OR SELLING PERSONAL INFORMATION
Under the CCPA, the Company is required to describe its “business purposes” or “commercial purposes” for collecting or selling personal information. Under the CCPA, “collects,” “collected,” or “collection” means buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. “Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration. THE COMPANY IS NOT CURRENTLY SELLING PERSONAL INFORMATION TO THIRD PARTIES AND HAS NOT SOLD SUCH INFORMATION IN THE TWELVE (12) MONTH PERIOD PRECEDING THE EFFECTIVE DATE OF THIS ADDENDUM.
BUSINESS PURPOSES & CATEGORIES OF INFORMATION DISCLOSED FOR BUSINESS PURPOSES
Under the CCPA, “business purpose” means “the use of personal information for a business’s or a service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected.” The business purposes for which the Company may use/share personal information include:
- Auditing Purposes: The Company may use/share personal information to audit current interactions with a consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
- Security Purposes: The Company may use/share personal information to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, and prosecute those responsible for that activity.
- Debugging Purposes: The Company may use debugging processes to identify and repair errors that impair existing intended functionality.
- Short–Term/Transient Use Purposes: The Company may use personal information for short–term, transient uses, provided personal information is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.
- Internal Research Purposes: The Company may use personal information to undertake internal research for technological development and demonstration.
- Performance of Services Purposes: The Company may use/share personal information to perform services on behalf of a business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of a business or service provider.
- Quality & Safety Purposes: The Company may use/share personal information to undertake activities to verify or maintain the quality or safety of a service, product, or device that is owned, manufactured, manufactured for, or controlled by the Company, and to improve, upgrade, or enhance the service, product, or device that is owned, manufactured, manufactured for, or controlled by the Company.
The categories of personal information that the Company disclosed about consumers for a business purpose during the preceding twelve (12) months were: (a) identifiers; (b) personal information; (c) protected classification characteristics; (d) commercial information; (e) internet activity; (f) geolocation data; and (g) professional or employment-related information.
COMMERCIAL PURPOSES & CATEGORIES OF INFORMATION DISCLOSED FOR COMMERCIAL PURPOSES
Under the CCPA, “commercial purpose” means “to advance a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction.” “Commercial purposes” do not include purposes of engaging in speech that state or federal courts have recognized as noncommercial speech (including political speech and journalism). The commercial purposes for which the Company may use/share personal information include:
- Communication Purposes: We use your personal information to send information to you about your account, products and services, and to notify you about issues with, or changes to, the Services or our policies. We generally communicate with users via email, web chat, and/or by telephone. By using the Services, you agree that the Company and/or our agents may email, call, or text you regarding the Services, including communicating with you about your account, your interactions with the Services, and/or your transactions.
- Organizational Purposes: As the Company is part of a larger group of related companies, it may be necessary for the Company to transmit your personal information within the organizational group. Processing is necessary so that data can be shared amongst our affiliates so that each entity can carry out their legal, regulatory, and/or contractual responsibilities and/or coordinate/implement business plans, logistics, and/or operations. This is especially true because the Company’s affiliated entities may perform critical services for the Company, such as services related to: accounting, human resources, security, legal, etc.
- Operational Purposes: Processing your personal information is necessary to facilitate the day-to-day operation of our business and to allow for business planning for strategic growth. This includes: managing our relationship with you, our employees, other users/clients, vendors, business partners, and/or others; sharing intelligence with internal stakeholders; implementing training procedures; planning and allocating resources and budgets; performing data modelling; facilitating internal reporting; analyzing growth strategies; aggregating analytics; and/or processing personal information to create anonymized data (e.g., for product improvement, analytics, etc.).
- Contractual Purposes: Processing your personal information may be necessary for the Company to:
- Perform of a contract between you and the Company (e.g., to comply with the Terms of Use for our Services and/or any subsequent agreement the Company enters into with you);
- Determine what Services and/or content you should have access to based upon whether you have fulfilled your contractual obligations with the Company; and
- Conclude or perform a Service Agreement between the Company and a third party where it is in your interest for the processing to occur.
- Logistical Purposes: Processing your personal information is necessary to enable the Company’s business operations to run more efficiently, e.g., establishing how to allocate resources or to predict future demand.
- Responding to Data Subject Requests: Processing your personal information may be necessary to respond to a Data Subject Request that you submit to the Company (e.g., the Company needs to process your personal information to respond to a request related to the Right to Access).
- Research & Development Purposes: Processing your personal information is necessary for the Company to deliver and/or improve our products and services. This includes processing your personal information to determine whether a product or service is working as intended, monitoring usage and conduct, and identifying and troubleshooting issues.
- Market Intelligence & Analytical Purposes: The Company has a need to conduct market intelligence so that we can better promote our products and services by creating a better understanding of our users’ and/or customers’ preferences. This could include using diagnostic analytics to optimize products, services, and/or marketing campaigns by assessing/monitoring users’ usage of the products or services and/or conduct while using the products or services. Common metrics for evaluation could include monitoring pages and links accessed, ad performance and conversion tracking, number of posts, number of page views, patterns of navigation, time at a page, devices used, user reviews, where users are coming from, hardware used, operating system version, advertising identifiers, unique application identifiers, unique device identifiers, browser types, languages, wireless or mobile network information, etc. These metrics could be used to: personalize services and communications; determine which users should receive specialized communications based on how they use the product or service; create aggregate trend reports; determine the most effective advertising channels and messaging; and/or measure the audience for a certain communication.
- Aggregation & Anonymization Purposes: The Company may use your personal information to aggregate and/or anonymize the data for various purposes. Once aggregated or anonymized, the information will no longer be considered personal information because it will no longer be able to identify you and/or any of your devices used to access the Services. Once aggregated or anonymized, the Company may use such information for any purpose (e.g., research and development purposes), including sharing such information with third parties
- Access Purposes: The Company processes your personal information in order to determine your access rights to use the Services. In visiting, registering, and/or subscribing to the Services, you are given different levels of access to the Company’s products and services. The Company uses this information in order to inform the Services what product, services, and/or content you should be able to access. For example, an unregistered visitor to the Services will not have the same level of user rights as registered user. Processing allows the Company to quickly, efficiently, consistently, and fairly determine what Services and/or content you should be permitted to access based upon our business arrangement with you.
- Non-Payment Identification Purposes: The Company needs to process your personal information in order to identify and cancel access to the Services where the Company has not received the payments that it is properly owed.
- Personalization Purposes: We process personal information in order to enhance and personalize the “consumer experience” we offer our current and/or prospective users/customers in our products and services.
- Updating Details & Preferences: Processing your personal information may be necessary to verify the accuracy of your user data and to create a better understanding of our past, present, and/or prospective users.
- Monitoring Purposes: In order to identify recurring problems and/or analyze the patterns of behavior of users and/or customers, it is necessary for the Company to monitor your performance/behavior on our Services.
- Fraud Detection & Prevention Purposes: Processing your personal information may be necessary for the Company to help detect and prevent fraud, e.g., verifying that the registered address of the cardholder for a particular credit or debit card is the same as the cardholder’s normal place of residence or work.
- Network & Information Security Purposes: Processing your personal information may be necessary for the purposes of ensuring our network and information security, e.g., monitoring users’ access to our network for the purpose of preventing cyber-attacks, inappropriate use of data, corporate espionage, hacking, system breaches, etc. This could include preventing unauthorized access to electronic communications networks and malicious code distribution and stopping “denial of service” attacks and damage to computer and electronic communication systems.
- Business Continuity & Disaster Planning Purposes: The Company processes your personal information because it is necessary to allow for the backup and protection of your information (e.g., utilizing cloud-based services to archive/protect data) in order to ensure that such information is not improperly lost or modified. Such processing is also necessary to archive/protect data in accordance with legal, regulatory, organizational, and/or contractual obligations.
- Artificial Intelligence Purposes: In processing your personal information, the Company may process your data utilizing an algorithm that helps to streamline organizational processes, e.g., our customer service department putting in place an algorithm that helps to manage customer service requests by routing customer contacts to the most appropriate part of the organization.
- Direct Marketing Purposes: Processing your personal information is necessary for direct marketing purposes to occasionally update users on the Services, including occasional communications regarding updates to our activities, products, services, and/or events.
- Displaying & Targeting Advertisements: Your personal information may be used to target ads and content on the Services and on third-party services. Some advertisements and other content may be delivered by third party advertising networks and advertisers that may use cookies and similar technologies and identifiers to collect and track information such as demographic information, inferred interests, aggregated information, and activity to assist them in delivering advertising that is more relevant to your interests. We may also provide certain customer information to service providers who will match your information in de-identified form to information provided by other third parties (e.g., cookies) in order to allow us to provide more tailored advertisements.
- Business-to-Business Marketing & Sales Purposes: The Company needs to process personal information in the context of marketing our products and services to businesses, e.g., processing the information of a business contact in order to market our products and/or services to the affected data subject’s employer.
- Due Diligence Purposes: It may be necessary for the Company to process your personal information for the purposes of conducting due diligence. This could include, for example, monitoring official watch-lists, sanction lists, and “do-not-do-business-with” lists published by governments and other official bodies globally. This could also include keyword searches of industry and reputable publications to determine if companies and individuals have been involved in or convicted of relevant offenses, such as fraud, bribery, and/or corruption.
- Industry-Specific Self-Regulation Purposes: The Company is part of several industry self-regulatory organizations, including organizations that focus on data privacy and security. Such organizations were formed in order to address various concerns, including: developing industry standards and best practices to protect the industry; sharing intelligence or concerns about individuals (e.g., industry-specific watch lists); sharing intelligence or concerns that may have a negative or detrimental impact on the industry; and/or ensuring that participants in the industry are following agreed-upon standards. We may be required to process personal information so that we may stay in compliance with these self-regulatory schemes.
- Public Security & Safety Purposes: The Company may need to use personal information to report possible criminal acts or threats to public security/safety that we identify as part of our processing activities to a competent authority.
- Compliance Purposes: The Company is subject to binding legal or regulatory obligations and may need to process your personal information in order to comply with such laws or regulations. Examples could include: complying with reporting obligations; complying with screening obligations; responding to law enforcement requests; and/or responding to judicial/regulatory agency requests.
- Other Purposes That You Have Consented To: Your personal information will also be used to fulfill any other purpose for which you provide the information or otherwise provide your consent for the Company and/or other third parties to use such information.
The categories of personal information that the Company disclosed about consumers for a commercial purpose during the preceding twelve (12) months were: (a) identifiers; (b) personal information; (c) protected classification characteristics; (d) commercial information; (e) internet activity; (f) geolocation data; and (g) professional or employment-related information.
YOUR RIGHTS AS A CALIFORNIA CONSUMER UNDER CALIFORNIA’S SHINE THE LIGHT LAW
Pursuant to California’s “Shine the Light” law, California residents may opt-out of the Company’s disclosure of personal information to third parties for such third parties’ direct marketing purposes. Note, however, opting out does not prohibit disclosures for non-marketing purposes. You may opt-out by emailing us at privacy@oneildata.com.