Effective Date: January 1, 2020
This Privacy Notice for California Residents supplements the information contained in the Draper Goren Holm, LLC (“we,” “us,” “our” or “Company”) privacy policy at https://drapergorenholm.com/privacy and applies solely to all visitors, users, and others who reside in the State of California (“consumers” or “you”). We adopt this notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”), and any terms defined in the CCPA have the same meaning when used in this notice.
Information We Collect
Our Website collects information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“personal information”). In particular, Company’s website (drapergorenholm.com) has collected the following categories of personal information from its consumers within the last twelve (12) months:
| Category | Examples | Collected |
|---|---|---|
| A. Identifiers. | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers. | YES |
| B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories. | YES |
| C. Protected classification characteristics under California or federal law. | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). | NO |
| D. Commercial information. | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | YES |
| E. Biometric information. | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | NO |
| F. Internet or other similar network activity. | Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. | YES |
| G. Geolocation data. | Physical location or movements. | NO |
| H. Sensory data. | Audio, electronic, visual, thermal, olfactory, or similar information. | YES |
| I. Professional or employment-related information. | Current or past job history or performance evaluations. | NO |
| J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | NO |
| K. Inferences drawn from other personal information. | Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | NO |
Personal information does not include:
Company obtains the categories of personal information listed above from the following categories of sources:
Use of Personal Information
We may use or disclose the personal information we collect for one or more of the following business purposes:
Sharing Personal Information
Company may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.
We share your personal information with the following categories of third parties:
Disclosures of Personal Information for a Business Purpose
In the preceding twelve (12) months, Company has disclosed the following categories of personal information for a business purpose:
Category A: Identifiers.
Category B: California Customer Records personal information categories.
Category C: Protected classification characteristics under California or federal law.
Category D: Commercial information.
Category F: Internet or other similar network activity.
Category H: Sensory data.
We disclose your personal information for a business purpose to the following categories of third parties:
Sales of Personal Information
In the preceding twelve (12) months, Company has not sold personal information in the following categories of personal information:
Your Rights and Choices
The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.
Access to Specific Information and Data Portability Rights
You have the right to request that Company disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will disclose to you:
Deletion Request Rights
You have the right to request that Company delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.
We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:
Exercising Access, Data Portability, and Deletion Rights
To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either:
Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.
You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.
Making a verifiable consumer request does not require you to create an account with us. However, we do consider requests made through your password protected account sufficiently verified when the request relates to personal information associated with that specific account.
We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
For instructions on exercising sale opt-out rights, see Personal Information Sales Opt-Out and Opt-In Rights.
Response Timing and Format
We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.
If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.
Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance, specifically in .PDF, .TXT, or .DOC format.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Personal Information Sales Opt-Out and Opt-In Rights
If you are 16 years of age or older, you have the right to direct us to not sell your personal information at any time (the “right to opt-out”). We do not sell the personal information of consumers we actually know are less than 16 years of age, unless we receive affirmative authorization (the “right to opt-in”) from either the consumer who is between 13 and 16 years of age, or the parent or guardian of a consumer less than 13 years of age. Consumers who opt-in to personal information sales may opt-out of future sales at any time.
To exercise the right to opt-out, you (or your authorized representative) may submit a request to us by emailing us at email@example.com.
You do not need to create an account with us to exercise your opt-out rights. We will only use personal information provided in an opt-out request to review and comply with the request.
We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:
However, we may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to your personal information’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time.
Other California Privacy Rights
California’s “Shine the Light” law (Civil Code § 1798.83) permits users of our Website who are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to firstname.lastname@example.org or write us at:
Draper Goren Holm Group, LLC
1112 Montana Ave, Suite 384
Santa Monica, CA 90402
Changes to Our Privacy Notice
Company reserves the right to amend this privacy notice at our discretion and at any time. When we make changes to this privacy notice, we will post the updated notice on the Website and update the notice’s effective date. Your continued use of our Website following the posting of changes constitutes your acceptance of such changes.
Draper Goren Holm Group, LLC
1112 Montana Ave, Suite 384
Santa Monica, CA 90402
CALIFORNIA’S CONSUMER PRIVACY ACT OF 2018 SECTION-BY-SECTION NOTICE REQUIREMENT SUMMARY
The following chart identifies and summarizes the primary statute sections relating to the CCPA’s generalized notice or disclosure requirements.
| CCPA Section | General Notice or Information Disclosure Summary |
|---|---|
| Cal. Civ. Code § 1798.100(b) | Must inform consumers, before or at the point of collection: Prohibits collection of additional personal information categories or using collected personal information for additional purposes without providing this required notice. |
| Cal. Civ. Code § 1798.105(b) | Must disclose the consumer’s deletion right. Cross-references Section 1798.130 for the disclosure requirement. |
| Cal. Civ. Code § 1798.110(c) | If a business collects personal information about a consumer, it must disclose: Cross-references Section 1798.130(a)(5)(B) for the disclosure requirement. NOTE: While Section 1798.110(c)(5) does list “the specific pieces of personal information the business has collected about that consumer” as a required piece of information in the online privacy disclosure, this is likely a statutory drafting error (see Practice Note, Understanding the California Consumer Privacy Act (CCPA): History of the CCPA). Businesses should probably interpret this requirement as referring to the consumer’s specific information (access) rights and not as a requirement to include individual personal information in the online privacy notice (see Practice Note, Understanding the California Consumer Privacy Act (CCPA): Specific Information Rights). |
| Cal. Civ. Code § 1798.115(c) | If a business sells personal information or discloses personal information for a business purpose, it must disclose the personal information categories: Cross-references Section 1798.130(a)(5)(C) for the disclosure requirement. |
| Cal. Civ. Code § 1798.115(d) | A third-party purchaser of a consumer’s personal information cannot resell that information unless the consumer receives explicit notice and an opportunity to opt-out. Cross-references Section 1798.120 establishing the consumer’s personal information sales opt-out and opt-in rights. |
| Cal. Civ. Code § 1798.120(b) | If a business sells personal information to third parties, it must provide notice to consumers that: Cross-references Section 1798.135(a) for notice requirements. |
| Cal. Civ. Code § 1798.125(b)(2) and (3) | If a business offers financial incentives for personal information collections, sales, or deletions, it must notify consumers of the financial incentives and clearly describe material terms. Cross-references Section 1798.135 for notice requirements. |
| Cal. Civ. Code § 1798.130 | Primary section discussing both general and specific notice requirements. Cross-references: Subsections related to general or public disclosures and notices described below. |
| Cal. Civ. Code § 1798.130(a)(1) | Must make available two or more designated methods for submitting verified consumer requests for information disclosures required under: Contact methods must include, at minimum: |
| Cal. Civ. Code § 1798.130(a)(5) | Must disclose the following information: The lists must use the 11 categories enumerated in the personal information definition in Section 1798.140(o) that most closely describe the personal information. Disclosure must occur: Must update this information at least once every 12 months. |
| Cal. Civ. Code § 1798.135 | Disclosures and operational requirements for the consumer’s sale opt-out and opt-in rights, established in Section 1798.120. Subsections related to general or public disclosures and notices described below. NOTE: While Section 1798.125 (non-discrimination right) cross-references this section for its notice requirement, this section does not directly address or reference Section 1798.125’s disclosure requirements. |
| Cal. Civ. Code § 1798.135(a)(1) | If a business sells personal information, it must provide a clear and conspicuous link on the business’s internet homepage to a webpage titled “Do Not Sell My Personal Information,” that enables the consumer or authorized representative to opt-out of personal information sales, in a form reasonably accessible to consumers. Must not require consumers to create an account to exercise their opt-out rights. |
| Cal. Civ. Code § 1798.135(a)(2) | If a business sells personal information, it must include a description of the consumer’s opt-out/opt-in right under Section 1798.120 and a link to the “Do Not Sell My Personal Information” webpage in: |
| Cal. Civ. Code § 1798.135(b) | Gives businesses the option of providing the “Do Not Sell My Personal Information” notice and links required by this section on a separate and additional California-specific website homepage, instead of the general public homepage, if the business takes reasonable steps to ensure California consumers land on the California homepage instead of the general homepage. |
| Cal. Civ. Code § 1798.140(d) | Business purpose definition. |
| Cal. Civ. Code § 1798.140(e) | Collects definition. |
| Cal. Civ. Code § 1798.140(f) | Commercial purposes definition. |
| Cal. Civ. Code § 1798.140(i) | Designated methods for submitting requests definition. |
| Cal. Civ. Code § 1798.140(l) | Homepage definition. |
| Cal. Civ. Code § 1798.140(o) | Personal information definition, including the 11 enumerated categories. |
| Cal. Civ. Code § 1798.140(t) | Sales definition. |
| Cal. Civ. Code § 1798.185 | Establishes the California Attorney General’s rulemaking authority, including for the CCPA’s different notice requirements. |
COMPARISON OF KEY REQUIREMENTS UNDER THE CCPA AND THE GDPR
(Note, this is not a comprehensive list of all measures required under the CCPA or GDPR)
| Requirement | CCPA | GDPR | Comparison |
|---|---|---|---|
| Who is Regulated? | Any for-profit entity doing business in California that meets one of the following: The law also applies to any entity that: Parts of the CCPA apply specifically to: | Data controllers and data processors: | The scope and territorial reach of the GDPR is much broader. Substantially different in parties regulated. |
| Who is Protected? | Consumers, defined as California residents that are either: | Data subjects, defined as identified or identifiable persons to which personal data relates. | Substantially different in approach, but similarly broad in effect. Both laws focus on information that relates to an identifiable natural person; however, the definitions differ. Both have potential extraterritorial effects that businesses located outside the jurisdiction must consider. |
| What Information is Protected? | Personal information that identifies, relates to, describes, is capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household. The statutory definition includes a list of specific categories of personal information. Personal information does not include certain publicly available government records. The CCPA also excludes certain personal information covered by other sector-specific legislation from its coverage scope. | Personal data is any information relating to an identified or identifiable data subject. The GDPR prohibits processing of defined special categories of personal data unless a lawful justification for processing applies. | Substantially similar. However, the CCPA definition also includes information linked at the household or device level. |
| Anonymous, Deidentified, Pseudonymous, or Aggregated Data | The CCPA does not restrict a business’s ability to collect, use, retain, sell, or disclose consumer information that is deidentified or aggregated. However, the CCPA establishes a high bar for claiming data is deidentified or aggregated. Pseudonymous data may qualify as personal information under the CCPA because it remains capable of being associated with a particular consumer or household. However, the statute does not clearly categorize or exclude pseudonymous data as personal information. | Pseudonymous data is considered personal data. Anonymous data is not considered personal data. While the GDPR does not mention deidentified data, the CCPA definition is similar to GDPR’s concept of anonymous data. | The CCPA and GDPR pseudonymization definitions are very similar and both require technical controls to prevent reidentification to qualify. The CCPA primarily discusses pseudonymization in the context of using personal information collected from a consumer for other purposes, for research. It does not appear to help businesses generally avoid the CCPA’s requirements. At this point, it is unclear how different the position under the GDPR is. |
| Privacy Notice / Information Right | Businesses must inform consumers about: Further notice is required to: The CCPA requires that businesses provide specific information to consumers and establishes delivery requirements. Third parties must also give consumers explicit notice and an opportunity to opt out before re-selling personal information that the third party acquired from another business. | Data controllers must provide detailed information about their personal data collection and data processing activities. The notice must include specific information depending on whether the data is collected directly from the data subject or a third party. | Similar disclosure requirements, but differences in the specific information required and the delivery methods. The CCPA notice requirements on personal information disclosed or sold to third parties only cover the 12 months preceding the request. |
| Security | The CCPA does not directly impose data security requirements. However, it does establish a right of action for certain data breaches that result from violations of a business’s duty to implement and maintain reasonable security practices and procedures appropriate to the risk arising from existing California law. | The GDPR requires data controllers and data processors to take appropriate technical and organizational measures to ensure a level of security appropriate to the risk. | Substantially similar in statutory approach, though reasonable security measures may vary to some extent according to an organization’s circumstances and regulator interpretation. |
| Opt-Out Right for Personal Information Sales | Businesses must enable and comply with a consumer’s request to opt-out of the sale of personal information to third parties, subject to certain defenses. Must include a “Do Not Sell My Personal Information” link in a clear and conspicuous location on a website homepage. Must not request reauthorization to sell a consumer’s personal information for at least 12 months after the person opts-out. | The GDPR does not include a specific right to opt-out of personal data sales. However, the GDPR does contain other rights a data subject may use to obtain a similar result in certain circumstances. For example, it does permit data subjects, at any time, to: This allows data subjects to opt-out of third-party sales that support marketing purposes or rely on consent for their legal processing basis. | |
| Children | The CCPA prohibits selling personal information of a consumer under 16 without consent. Children aged 13 – 16 can directly provide consent. Children under 13 require parental consent. Importantly, protections provided by the federal Children’s Online Privacy Protection Act (COPPA) still apply on top of the CCPA’s requirements. | The GDPR’s default age for consent is 16, although individual member state law may lower the age to no lower than 13. The person with parental responsibility must provide consent for children under the consent age. Children must receive an age-appropriate privacy notice. Children’s personal data is subject to heightened security requirements. | Substantially different requirements, other than ages involved. The CCPA only requires parental consent for personal data sales, while GDPR’s parental consent requirement applies to all processing consent requests. |
| Right of Disclosure or Access | Consumers have a right to request disclosure of their personal information, and to receive additional details regarding the personal information a business collects and its use purposes, including any third parties with which it shares information. | Data subjects have a right to access their personal data, including receiving a copy and to obtain certain information about the data controller’s processing. | Broadly similar rights of disclosure/access. The CCPA’s right is only to obtain a written disclosure of the information. The GDPR allows broader access, which is not limited to a written disclosure in a portable format. |
| Right of Data Portability | In response to a request for disclosure, a business must provide personal information in a readily useable format to enable a consumer to transmit the information from one entity to another entity without hindrance. | The GDPR includes a new right to data portability to: | Broadly similar rights. The GDPR provides a specific right to request a data controller to transfer their personal data to another data controller. |
| Right to Deletion / Erasure (The Right to be Forgotten) | A consumer has the right to deletion of personal information a business has collected, subject to certain exceptions. The business must also instruct its service providers to delete the data. | Data subjects have the right to request erasure of personal data under six circumstances (the right to be forgotten). Data controllers must also take reasonable steps to inform any other data controllers also processing the data. | Similar data deletion rights. The GDPR right only applies if the request meets one of six specific conditions, while the CCPA right is broad. However, the CCPA also allows businesses to refuse the request on much broader grounds than the GDPR. The GDPR’s obligation to inform downstream data recipients of the person’s deletion request is also broader. |
| Right of Rectification | None. | The GDPR grants data subjects the right to: | |
| Right to Restrict Processing | None, other than the right to opt-out of personal information sales. | Right to restrict processing of personal data, under certain circumstances. | Substantially different. |
| Right to Object to Processing | None, other than the right to opt-out of personal information sales. | Right to object to processing for profiling, direct marketing, and statistical, scientific, or historical research purposes. | Substantially different. |
| Right to Object to Automated Decision-Making | None. | Data subjects have the right to not be subject to automated decision-making, including profiling, which has legal or other significant effects on the data subject, subject to certain exceptions. | Substantially different. |
| Responding to Rights Requests | A business must: Consumers may only make most information requests twice a year and only for a 12-month look-back. There are no limits on deletion and do-not-sell requests. | A data controller must: Requests do not have to be free to data subjects. | |
| Penalties (Private Rights of Action) | The CCPA establishes a narrow private right of action for certain data breaches involving a subset of personal information. However, the CCPA grants companies a 30-day period to cure violations, if possible. Consumers may seek the greater of actual damages or statutory damages ranging from $100 to $750 per consumer per incident. Courts may also impose injunctive or declaratory relief. | The GDPR establishes a private right of action for material or non-material damage caused by a data controller’s or data processor’s breach of the GDPR. | Substantially different in scope, but violations of either may potentially result in significant economic liability. |
| Penalties (Civil Fines) | The California AG may bring actions for civil penalties of $2,500 per violation, or up to $7,500 per violation if intentional. However, the CCPA also grants businesses a 30-day cure period for noticed violations. | Administrative fines can reach EUR 20 million or 4% of annual global revenue, whichever is higher. EU Member States can impose their own penalties applicable to infringements of the GDPR that are not subject to administrative fines under Article 83, GDPR. | Approach to calculating fines differs, but violations of either may potentially result in significant economic liability. |