
6/29/2020

Digital Edge's CCPA Law Compliance

DIGITAL EDGE DOES NOT CURRENTLY COLLECT PERSONALLY IDENTIFIABLE INFORMATION. HOWEVER, IN THE EVENT DIGITAL EDGE SHALL START COLLECTING SUCH INFORMATION, DIGITAL EDGE SHALL FOLLOW THE BELOW POLICY TO ENSURE COMPLIANCE WITH THE CCPA.

 

Definitions:

  1. “Personal information” (PII) means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

 

  1. Categories of personal information include:
    1. Real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers;
    2. Signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information;
    3. Characteristics of protected classifications under California or federal law;
    4. Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
    5. Biometric information;
    6. Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement;
    7. Geolocation data;
    8. Audio, electronic, visual, thermal, olfactory, or similar information;
    9. Professional or employment-related information;
    10. Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99);
    11. Inferences drawn from any of the information possessed by Digital Edge to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

 

  1. “Verifiable consumer request” means a request that is made by a consumer (or by a consumer on behalf of the consumer’s minor child, or by a natural person or a person registered with the California Secretary of State, authorized by the consumer to act on the consumer’s behalf), and that Digital Edge can reasonably verify to be the consumer about whom the business has collected personal information. (For more specifics, see California Civil Code, paragraph (7) of subdivision (a) of Section 1798.185.)

Policy:

The Digital Edge employee responsible for enforcing and maintaining this policy is Michael Petrov, CEO.

 

Generally:

 

 

  1. Digital Edge shall maintain a separate and additional homepage that is dedicated to California consumers and that includes the required links and text, and shall take reasonable steps to ensure that California consumers are directed to the homepage for California consumers and not the homepage made available to the public generally.

 

Verification Uses of PII:

 

  1. Use any personal information collected from the consumer in connection with the business’s verification of the consumer’s request solely for the purposes of verification.

                               

Right to Request Disclosure:

  1. The Digital Edge website shall:
    1. List all the categories of PII Digital Edge collected in the past 12 months.
  2. Digital Edge request page. For any “verifiable consumer” who requests:
    1. The categories of personal information it has collected about that consumer in the past 12 months;
    2. The categories of sources from which the personal information is collected;
    3. The business or commercial purpose for collecting or selling personal information;
    4. The categories of third parties with whom the business shares personal information; or
    5. The specific pieces of personal information it has collected about that consumer.

Digital Edge shall:

  1. Promptly disclose and deliver, free of charge to the consumer, the personal information required within 45 days of the request; and
  2. The information shall be delivered by mail or electronically.
    1. If delivered electronically the information shall be in a format that is portable and readily useable such that the consumer will be able to transmit it to a 3rd party without hindrance.

Digital Edge is not required to provide PII to a consumer more than twice in a 12-month period. However, Digital Edge should seek legal advice before denying any request.

Notice Required (100):

  1. Before or at the time the PII is collected from a consumer, Digital Edge:
    1. MUST inform the consumer as to the categories of PII to be collected;
    2. MUST inform the consumer of the purposes for which the categories of PII shall be used;
    3. MUST NOT collect any additional categories of PII without providing proper notice to the consumer; and
    4. MUST NOT use PII that has already been collected for additional purposes without providing proper notice to the consumer.

 

No Duty to Retain PII for Single Use:

 

  1. Digital Edge is not required to retain PII collected for a single, one-time transaction as long as the PII is not sold or retained by Digital Edge.
    1. Digital Edge is not required to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.

 

Right to Delete:

 

  1. Upon a “verifiable consumer request” of a consumer, Digital Edge must delete any PII about the consumer that Digital Edge has collected about the consumer, AND direct any service providers to delete the consumer’s personal information from their records. (Note: There are exceptions, but legal advice should be sought before denying any request to delete.)
    1. Here are the Exceptions:
      1. Digital Edge and/or the service provider do not need to comply with a request to delete if it is necessary for the business or service provider to maintain the consumer’s PII in order to:
        1. Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
        2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
        3. Debug to identify and repair errors that impair existing intended functionality.
        4. Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
        5. Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
        6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
        7. Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
        8. Comply with a legal obligation.
        9. Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

 

If Digital Edge Sells PII or Must Disclose It for Business Purposes (115):

 

  1. For PII that Digital Edge intends to sell or otherwise disclose for business purposes, upon request from a “verified consumer”, Digital Edge must disclose:
    1. The categories of personal information that the business collected about the consumer;
    2. For the past 12 months, the categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each third party to whom the personal information was sold.
    3. For the past 12 months, the categories of personal information that the business disclosed about the consumer for a business purpose.
    4. If the business has not sold consumers’ personal information, it shall disclose that fact.
    5. If the business has not disclosed the consumers’ personal information for a business purpose, it shall disclose that fact.
  2. Digital Edge shall not sell personal information about a consumer that has been sold to it by another business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt out.
  3. Digital Edge must put on site:
    1. A list of the categories of personal information Digital Edge has sold about consumers in the preceding 12 months that most closely describe the personal information sold, or if the business has not sold consumers’ personal information in the preceding 12 months, the business shall disclose that fact.
    2. A list of the categories of personal information Digital Edge has disclosed about consumers for a business purpose in the preceding 12 months by reference to the enumerated category in subdivision (c) that most closely describe the personal information disclosed, or if the business has not disclosed consumers’ personal information for a business purpose in the preceding 12 months, the business shall disclose that fact.

 

Right to Opt Out of Selling PII (120):

 

  1. A consumer has the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. Digital Edge cannot sell PII to anyone if the consumer opts out.
    1. Digital Edge shall maintain a clear and conspicuous link on the business’ Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer’s personal information.
    2. Digital Edge shall maintain a description of a consumer’s rights pursuant to (a), (d), and (e) along with a separate link to the “Do Not Sell My Personal Information” Internet Web page in a place on the site that is set for California-specific description of consumer privacy rights.
    3. If Digital Edge has received direction from a consumer not to sell the consumer’s personal information or, in the case of a minor consumer’s personal information, has not received consent to sell the minor consumer’s personal information, Digital Edge shall be prohibited from selling the consumer’s personal information after its receipt of the consumer’s direction, unless the consumer subsequently provides express authorization for the sale of the consumer’s personal information.
    4. Minors – Digital Edge shall not sell the personal information of consumers if Digital Edge has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer’s personal information. A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age. This right may be referred to as the “right to opt in.”
  2. Digital Edge is allowed to ask a customer who has already opted out if they would authorize a sale of his or her PII as long as 12 months have passed since the opt out.
  3. Digital Edge must use any personal information collected from the consumer in connection with the submission of the consumer’s opt-out request solely for the purposes of complying with the opt-out request.
  4. Digital Edge shall honor the request if a consumer authorizes another person solely to opt out of the sale of the consumer’s personal information on the consumer’s behalf.

 

Must Not Discriminate:

 

  1. Digital Edge shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title, including, but not limited to, by:
    1. Denying goods or services to the consumer;
    2. Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
    3. Providing a different level or quality of goods or services to the consumer, if the consumer exercises the consumer’s rights under this title;
    4. Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services;
    5. However:
      1. Nothing prohibits Digital Edge from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer’s data.

 

  1. Digital Edge may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. Digital Edge may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data.
    1. If Digital Edge offers any financial incentives, Digital Edge shall notify consumers of the financial incentives;
    2. Digital Edge may enter a consumer into a financial incentive program only if the consumer gives Digital Edge prior opt-in consent pursuant to Section which clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time.
    3. Digital Edge shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.

 

Updates and Awareness:

 

  1. The CCPA should be checked for updates every 12 months and this policy should be changed accordingly.
  2. The notices on the website should be updated and checked for accuracy every 12 months.
  3. All employees and contractors of Digital Edge who are responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with the CCPA are informed of all requirements, and also of how to direct consumers to exercise their rights under the CCPA.

 

Reasonable Security Procedures:

 

The CCPA specifies damages if nonencrypted or nonredacted information is accessed by anyone without authorization, exfiltrated, stolen, or disclosed because the security procedures of Digital Edge were not sufficient to meet the California duty to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” Therefore, Digital Edge has implemented ISO27001:2013 towards this end.
