Data Policy - REI Machines

Data Policy

License Agreement

MASSIVE REAL ESTATE, LLC DBA REI MACHINES LICENSE AGREEMENT

This is a contract. This License Agreement (“Agreement”) accompanies the On Point Data online application, the direct marketing lists obtained from On Point Data and the data contained within the direct marketing lists (collectively, the “Services”). Massive Real Estate, LLC (dba “On Point Data”) grants you (“Customer”) a limited, non-exclusive, non-transferable license to use the Services, provided you accept the following terms on behalf of the company entered into the registration information:

1. Property.

The Services and all intellectual property rights therein are owned by On Point Data. No ownership rights are granted by this Agreement and, except for the limited license provided, On Point Data reserves all rights in and to the Services and all underlying data compilations and information contained therein, including but not limited to the exclusive intellectual property rights and the right to grant further licenses.  Customer acknowledges that the Services are the proprietary property of On Point Data and are a valuable commercial product, the development of which involved an expenditure of substantial time and money by On Point Data.

2. Changes to this Agreement.

Service Provider may modify this Agreement from time to time by posting a modified Agreement on the website. Your continued use of the website and any emails thereafter will constitute agreement to such modifications. At the time of any material modifications, Service Provider will change the “Last Updated” date below.  Please review this Agreement from time to time so that you are apprised of any changes.

3. Registration; Authority to Accept this Agreement.

By registering with this website, you understand and agree that you have established a business relationship between you and On Point Data. You represent that you are of legal age to form a binding contract and have the full power, capacity and authority to accept this Agreement.  BY REGISTERING ON THE WEBSITE, YOU AGREE THAT MASSIVE LEAD LISTS MAY CONTACT YOU BY TELEPHONE AT THE NUMBER YOU PROVIDED OR BY EMAIL AT THE ADDRESS YOU PROVIDED REGARDING OTHER PRODUCTS OR SERVICES OFFERED BY OR THROUGH MASSIVE LEAD LISTS EVEN IF YOUR TELEPHONE NUMBER IS ON A DO-NOT-CALL REGISTRY OR SIMILAR LIST. With any email communication, On Point Data will provide a means by which you may opt-out of further communication.

4. Permitted Use.

The Services are solely for use within Customer’s own organization by Customer’s own employees. Customer shall be permitted to use the Services solely for Customer’s own internal direct marketing purposes. Customer may use each address or telephone number connected to a given property one (1) time only for direct marketing activities, including but not limited to: promoting, marketing, surveying or soliciting by Customer, by way of telemarketing, email marketing, any other advertising or promotional materials, such as flyers, pamphlets, brochures, mailers, video or audio tapes or electronic mail, whether in print or other media.

5. Restrictions on Use.

Both during and after the term of this Agreement, Customer agrees as follows:

(a) Customer shall not: (i) disclose, use, disseminate, reproduce or publish any portion of the Services in any manner other than as expressly permitted in this Agreement, (ii) permit any parent, subsidiary, other affiliated entity or other third party, including any third party entity involved in a joint marketing arrangement with Customer, to use the Services or any portion thereof, (iii) grant access to the Services, or any portion thereof, to individuals incarcerated in prisons or correctional institutions, (iv) allow access to the Services through any terminal located outside of Customer’s operations, (v) use the Services outside the United States.

(b) Customer shall not: (i) resell, relicense or redistribute the Services in whole or in part without the prior written consent of On Point Data, (ii) use the Services to create any derivative products, (iii) use the Services to create, enhance or structure any database in any form for resale or distribution, (iv) process or permit to be processed the Services or any portion thereof, with other data from any other source, (v) merge or incorporate the Services with any other file, (vi) use the Services to enhance a file or list owned by any third party, (vii) use the Services to develop any list, enhancement or product, or (viii) use the Services to prepare, publish, clean or maintain any directory.

(c) Customer shall (i) comply with all federal, state, and local laws, regulations, ordinances and court orders from competent jurisdictions, as well as the published guidelines of the Direct Marketing Association and other applicable industry guidelines, regarding the use, storage and dissemination of data such as the Services, (ii) abide by all prevailing federal, state, and local laws, regulations, ordinances and court orders from competent jurisdictions, including but not limited to those governing fair information practices and consumers’ rights to privacy, telemarketing, and any applicable non-solicitation laws and regulations; (iii) limit access to consumer information to those individuals who have a “need to know” in connection with Customer’s business and will obligate those individuals to acknowledge consumers’ rights to privacy and adhere to fair information practices and consumers’ right to privacy; (iv) abide by On Point Data’ privacy policies and Customer’s own privacy policies; and (v) use the Services in a manner that gives due consideration to matters concerning privacy.

(d) Customer understands that the data has not been collected for credit purposes and is not intended to be indicative of any consumer’s credit worthiness, credit standing, credit capacity, or other characteristics listed in Section 1681(a) of the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq.  Customer shall not use the Services (i) as a factor in establishing an individual’s eligibility for credit or insurance, (ii) in connection with underwriting individual insurance, (iii) in evaluating an individual for employment purposes, (iv) in connection with a determination of an individual’s eligibility for a license or other benefit granted by a governmental authority, (v) in any way that would cause the Services to constitute a “consumer report” under the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq., or (vi) in any other manner that would cause such use of the Services to be construed as a consumer report by any pertinent governmental authority.

(e) Customer represents and warrants that it is not one of the following entities: Acxiom, America Online, Inc. (AOL), CBCInnovis, CD-Data, Choice Point, Costar Group, Data Solutions, DataWarehouse, Data Verify, Digital Risk, Experian, Equifax, Fair Isaac Corporation, Fidelity National Financial (FNF), Fidelity National Information Services (FNIS), Fidelity National Insurance Company, Fidelity National Title Group, First Data Solutions,  FiServ, FNC, Google, Haines, InfoUSA, Insurance Service Office (ISO), International Data Management (IDM), Interthinx,  iPlace, ISGN, Land America, Lender Processing Services, Lending Tree, Lexis/Nexis, MacDonald-Detweiler, MasterFiles, Merlin Data, Microsoft, Myriad Development, National Data Cooperative, National Information Services, New Reach, Real Net, RJ Peters, Sedgwick CMS, Stewart Information Services Corporation, SW Financial, Thompson-West Group, TransUnion, Veros, Yahoo!, and Zillow.

(f) Customer shall be solely responsible for maintaining the confidentiality of all usernames and passwords used by its employees and Customer shall be responsible for all use and fees associated with accessing the data with the password, whether or not authorized by Customer.
(g) Customer shall not use the Services for any purpose that (i) infringes any third party’s copyright, patent, trademark, trade secret or other proprietary rights or rights of publicity or privacy, or (ii) is defamatory, trade libelous, unlawfully threatening or unlawfully harassing.

(h) Customer shall not remove, alter or obscure any proprietary notices in the Services and will reproduce all such notices on all copies or portions thereof.

(i) Customer shall not refer to any selection criteria or any presumed knowledge about the consumer being contacted in any direct mail solicitation, telephone solicitation or survey.

6. Compliance Audits.

On Point Data reserves the right, during normal business hours, on reasonable notice, and at On Point Data’ expense, to audit the Customer to ensure Customer’s compliance with the terms and conditions of this Agreement. On Point Data shall select an auditor in its sole discretion. If such auditor determines there has been a breach in Customer’s compliance with the terms of this Agreement, On Point Data may immediately terminate this Agreement and pursue its other legal remedies. Should Customer not cooperate with On Point Data’ audit request within five (5) days, Customer shall be deemed to have conclusively admitted to a material breach in Customer’s compliance for which On Point Data may immediately terminate this Agreement and pursue its legal remedies.

7. Records and Copy Review.

(a)  Customer shall maintain current, accurate and complete records relating to its use of the Services for at least twelve (12) months after any direct marketing activity, including, but not limited to: sample mail pieces, telemarketing scripts, ad copy and other communications, as applicable. On Point Data, or any representative it designates, shall have the right to examine, copy and make extracts from all such records and any source documents used in preparation thereof, at any time during normal business hours, provided On Point Data gives Customer reasonable notice prior to any such examination.

(b)  At any time upon On Point Data’ request, Customer shall provide On Point Data with a copy of the direct mail solicitations or telephone scripts used in connection with the Services. Upon reasonable notice, On Point Data reserves the right to review any such solicitations or scripts for compliance with this Agreement.  In the event Customer fails to provide such items, On Point Data may delay delivery of the Services with no liability. If, in the sole judgment of On Point Data, the subject solicitations or scripts fail to comply with this Agreement, On Point Data may cancel or terminate this Agreement, with no liability.

8. Fees.

In consideration of the rights granted to Customer hereunder, Customer shall pay to On Point Data the fees stated within the Services. By submitting an order to On Point Data, Customer authorizes On Point Data to charge the credit card entered into On Point Data by Customer for the Services at the fees stated within the Services. Fees are exclusive of use, ad valorem, personal property, and other taxes, which are the responsibility of Customer. On Point Data shall charge Customer applicable sales tax, and Customer shall be responsible for filing all other taxes. On Point Data reserves the right to change the fees for the Services at any time. Additional charges may apply for training users at Customer locations. Customer shall provide all Internet connectivity, hardware and software necessary to access On Point Data.

9. Term and Termination.

The initial term of this Agreement is twelve (12) months commencing on the date Customer enters into this Agreement. Thereafter, the term shall automatically renew for additional successive twelve (12) month terms.  Either party may forego automatic renewal by giving the other party not less than thirty (30) calendar days written notice of termination prior to the expiration of the then-current term.  If either party breaches any provision of this Agreement, the non-breaching party shall, upon providing written notice of such breach, be entitled to immediately terminate this Agreement, provided such breach is not cured within five (5) days following such notice.  Upon termination of this Agreement by either party, Customer, at its own expense, shall return all Services to On Point Data or certify that the Services have been destroyed within ten (10) business days of termination, and any amounts unpaid by Customer shall be immediately due and payable. Failure to return or certify the destruction of the Services to On Point Data will result in: (i) Customer’s obligation to pay a perpetual license fee for the Services; or (ii) Customer’s obligation to permit and agent of On Point Data to have access to Customer’s premises for the retrieval of the Services and Customer shall pay the actual costs as reasonably incurred by On Point Data to retrieve same.

10. Links to Other Websites and Related Disclaimer.

The website may include links to other websites beyond the control of On Point Data. On Point Data provides you with these links solely for your convenience. Some of these websites may be co-branded (i.e., bear the name and/or logo of both a third party service provider and On Point Data). The provision of any link to another service provider does not signify an endorsement by On Point Data of the service provider’s website or the services offered by that service provider. On Point Data has no control over, does not review, and cannot be responsible for the information contained on other websites. Your use of such websites will be subject to that website’s terms and conditions.  YOU AGREE THAT MASSIVE LEAD LISTS WILL NOT BE RESPONSIBLE OR LIABLE FOR LOSS OR DAMAGE YOU MAY INCUR AS THE RESULT OF A TRANSACTION YOU ENTER INTO THROUGH ANOTHER WEB SITE.

11. Potential Disruption of Service.

Access to the website may from time to time be unavailable, delayed or limited due to, among other things:  hardware failure; software failure, including among other things, bugs, errors, viruses, configuration problems, incompatibility of systems, utilities or applications, the operation of firewalls or screening programs, unreadable codes, or content irregularities; system overload; damage caused by severe weather, natural disasters, war or acts of God; terrorism; interruption of power supplies; strike or other stoppage of labor; governmental or regulatory restrictions; or any other cause whatsoever beyond the control of On Point Data.

12.  Disclaimer.

THE SERVICES ARE INFORMATIONAL ONLY AND ARE NOT INTENDED TO PROVIDE SPECIFIC COMMERCIAL, FINANCIAL OR INVESTMENT ADVICE. THE SERVICES ARE BASED UPON CERTAIN DATA, SUBJECT TO FREQUENT CHANGE. MASSIVE LEAD LISTS MAKES NO WARRANTIES OR REPRESENTATIONS ABOUT THE METHODOLOGIES USED OR THE ACCURACY, TIMELINESS, RELIABILITY OR COMPLETENESS OF ANY OF THE SERVICES. THE SERVICES ARE PROVIDED ON AN “AS IS” BASIS, WITHOUT WARRANTIES OF ANY KIND WHATSOEVER, INCLUDING ANY IMPLIED OR EXPRESS WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. ANY RELIANCE ON OR USE BY CUSTOMER OF THE SERVICES SHALL BE ENTIRELY AT CUSTOMER’S OWN RISK. MASSIVE LEAD LISTS MAKES NO REPRESENTATIONS OR WARRANTIES ABOUT THE LEGALITY OR PROPRIETY OF THE USE OF THE SERVICES IN ANY JURISDICTION, STATE OR REGION. CUSTOMER SHALL BE SOLELY RESPONSIBLE FOR OBTAINING ANY AND ALL NECESSARY LICENSES, CERTIFICATES, PERMITS, APPROVALS OR OTHER AUTHORIZATIONS REQUIRED BY FEDERAL, STATE OR LOCAL STATUTE, LAW OR REGULATION APPLICABLE TO CUSTOMER’S USE OF THE SERVICES.

13. Limitation of Liability.

MASSIVE LEAD LISTS’ TOTAL LIABILITY AND CUSTOMER’S EXCLUSIVE REMEDY UNDER OR RELATED TO THIS AGREEMENT, WHETHER BASED ON BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, SHALL BE LIMITED TO DIRECT MONEY DAMAGES NOT EXCEEDING THE AMOUNT PAID BY CUSTOMER TO MASSIVE LEAD LISTS DURING THE TWELVE (12) MONTHS PRECEDING THE CLAIM.  THIS LIMIT IS CUMULATIVE AND ALL PAYMENTS UNDER THIS AGREEMENT WILL BE AGGREGATED TO CALCULATE SATISFACTION OF THE LIMIT.  THE EXISTENCE OF MULTIPLE CLAIMS WILL NOT ENLARGE THE LIMIT.  MASSIVE LEAD LISTS SHALL HAVE NO LIABILITY UNDER OR IN ANY WAY RELATED TO THIS AGREEMENT FOR ANY LOSS OF PROFIT OR REVENUE OR FOR ANY CONSEQUENTIAL, INDIRECT, INCIDENTAL, SPECIAL OR EXEMPLARY DAMAGES, EVEN IF MASSIVE LEAD LISTS IS AWARE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGES.  SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT APPLY.  CUSTOMER AGREES THAT THE LIMITATIONS SET FORTH ABOVE ARE FUNDAMENTAL ELEMENTS OF THIS AGREEMENT, AND THAT THE SERVICES WOULD NOT BE PROVIDED TO CUSTOMER ABSENT SUCH LIMITATIONS.

14. Indemnification.

CUSTOMER AGREES TO INDEMNIFY AND HOLD MASSIVE LEAD LISTS HARMLESS FROM AND AGAINST ALL CLAIMS OF THIRD PARTIES ARISING OUT OF OR RELATED TO THE USE OF THE SERVICES BY THE CUSTOMER, OR ATTRIBUTABLE TO CUSTOMER’S BREACH OF THIS AGREEMENT; PROVIDED THAT MASSIVE LEAD LISTS GIVES CUSTOMER PROMPT WRITTEN NOTICE OF ANY SUCH CLAIM.  MASSIVE LEAD LISTS SHALL CONTROL THE DEFENSE AND ANY SETTLEMENT OF SUCH CLAIM, AND CUSTOMER SHALL COOPERATE WITH MASSIVE LEAD LISTS IN DEFENDING AGAINST SUCH CLAIM.

15. Claims of Copyright Infringement.

If you believe that your work has been copied and is accessible on the website in a way that constitutes copyright infringement, notify On Point Data in writing:
On Point Data

100-7 Rancho Rd #246
Thousand Oaks, California 91362

Any claim of copyright infringement should include sufficient information to enable On Point Data to evaluate your claim and to take appropriate action.

16.  General.

(a)  Unless specified otherwise in a fully-executed license agreement with On Point Data, this Agreement constitutes the entire agreement between the parties with respect to the Services and supersedes any prior understanding or agreement, oral or written, relating to the Services.

(b)  The interpretation and construction of this Agreement, and all matters relating hereto, shall be governed by the laws of the State of California applicable to agreements executed and to be performed solely within California. The parties hereby submit to the jurisdiction of, and waive any venue objections against, the United States District Court for the Central District of California, Orange County Branch and the Superior and Municipal Courts of the State of California, Orange County in any litigation arising out of relating to this Agreement or its subject matter. This Agreement shall not be governed by the United Nations Convention on Contracts for the International Sale of Goods.

(c)  The prevailing party shall be awarded its reasonable attorney’s fees and costs in any lawsuit arising out of or related to this Agreement.

(d)  No modification, amendment, supplement to or waiver of any provision of this Agreement shall be effective unless in writing and duly signed by an authorized representative of both parties hereto.

(e)  Any provision of this Agreement that contemplates performance subsequent to the expiration or earlier termination of this Agreement shall survive such expiration or termination and shall continue in full force and effect until fully satisfied.

(f)  On Point Data shall not be liable for any delay or failure in its performance of any of the acts required by this Agreement when such delay or failure arises for reasons beyond the reasonable control of On Point Data.

(g)  Customer may not assign this Agreement or any rights or obligations hereunder.

(h)  Neither party shall use, or permit their respective employees, agents and subcontractors to use the trademarks, service marks, copyrighted material, logos, names, or any other proprietary designations of the other party, or the other party’s affiliates, whether registered or unregistered, without such other party’s prior written consent.

(i)  Except with prior written approval from On Point Data, Customer shall not disclose On Point Data as a data source to any third party, unless required by federal, state or local laws or government regulations and with prior written notice to On Point Data.

(j)  Customer shall provide for physical security of the Services with the same degree of care (provided that such is at least a reasonable degree of care) that Customer uses to protect its own most sensitive data.

(k)  Any notice or other communication required or permitted under this Agreement shall be sufficiently given if delivered in person or sent by one of the following methods: (a) registered U.S. mail, return receipt requested (postage prepaid); (2) certified U.S. mail, return receipt requested (postage prepaid); or (3) commercially recognized overnight service with tracking capabilities. Notices to On Point Data shall be sent to 100-7 Rancho RD #246, Thousand Oaks, CA 91362, with a copy to On Point Data counsel at the same address marked Attention: Legal Department.  Notices to Customer shall be sent to the address entered by Customer in the On Point Data registration information.  Notices or communications shall be deemed properly delivered as of the date personally delivered or sent by mail or overnight service.

By accessing the information contained within On Point Data and clicking “I Accept,” Customer agrees to be bound by all terms and conditions contained in this Agreement. By clicking “I Accept,” you assert that you: (1) are an authorized agent of Customer with the authority to bind Customer to the terms and conditions contained in this Agreement; (2) have read, understood, and agree to all terms, conditions, and notices contained or referenced herein and on the website; and, (3) agree to follow all applicable laws and regulations.  If you do not accept the terms and conditions contained herein, you may not use the Services.

Last Updated November 25, 2019.

Important Information About Your Privacy as a Consumer

Important Information about Your Privacy.

On Point Data is one of the nation’s largest aggregator of publicly-recorded property information in the United States.  We compile information recorded with the county recorder and assessors’ offices.

On Point Data is not engaged in direct marketing to consumers, and is therefore not subject to certain consumer privacy laws that apply to direct marketing companies.  However, companies that engage in direct marketing are required to comply with state and federal laws designed to protect consumers from receiving unwanted solicitation.

To have your information removed from lists used for telemarketing and direct mail, you may register via mail and/or online with the organizations listed below.  Generally, you will stop receiving telemarketing calls within 3 to 6 months of registration, but the timeframe may vary based on the guidelines of the applicable agency.

Direct Marketing Association (DMA):

Mail Preference Service
Direct Marketing Association
P.O. Box 9008
Farmingdale, NY 11735-9008

Telephone Preference Service

Direct Marketing Association

P.O. Box 9014

Farmingdale, NY 11735-9014

DMA Consumer Assistance Web site: https://www.dmachoice.org/dma/member/home.action 

Getting Off Mailing Lists: http://www.the-dma.org/donotmail/ 

Getting Off Telephone Call Lists: http://www.ftc.gov/donotcall 

Getting Off E-Mail Lists: www.dmachoice.org/EMPS/

Federal Trade Commission:

FTC National Do-Not-Call Registry: https://www.donotcall.gov/default.aspx

If you would like to have your name removed from real estate public records, please contact your county offices for options on how this can be achieved.

Important Information for Businesses About Consumer Opt-Out Regulations

On Point Data recognizes the challenges that our clients face regarding consumer opt-out regulations. Companies involved in direct marketing to consumers are required by law to comply with certain state and federal regulations that protect consumers from receiving unwanted solicitation. As a convenience to our clients, On Point Data performs the following services to make our suite of products more “opt-out friendly”:

Identify and scrub all telephone numbers in our database against the Federal Trade Commission’s National Do-Not-Call Registry according to the following intervals:

Phone numbers appended to transaction records received from county recorder offices are scrubbed daily

Phone numbers appended to records received from tax assessors’ offices are scrubbed twice monthly

Identify and scrub all mailing address files received from tax assessors’ offices against addresses registered with the Direct Marketing Association’s Mail Preference Service on a quarterly basis.

The following are links to some key providers of information regarding consumer opt-out regulations:

Direct Marketing Association (DMA):

DMA Consumer Assistance Website: https://www.dmachoice.org/dma/member/home.action 

Getting off Mailing Lists: http://www.the-dma.org/donotmail/ 

Getting Off Telephone Call Lists: http://www.ftc.gov/donotcall 

Getting Off E-Mail Lists: www.dmachoice.org/EMPS 

Federal Trade Commission. FTC National Do-Not-Call Registry: https://www.donotcall.gov/default.aspx 

 CPA SOLUTION FOR COMPLIERS, LIST OWNERS AND MAILERS. INQUIRE HERE.

The following is the full text of the California Consumer Privacy Act (CCPA) after it was amended by SB-1121. AB-375 and SB-1121 both contained introductory language which has been excluded from the statutory code here:
Section 1798.100.

(a) A consumer shall have the right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected.

(b) A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.

(c) A business shall provide the information specified in subdivision (a) to a consumer only upon receipt of a verifiable consumer request.

(d) A business that receives a verifiable consumer request from a consumer to access personal information shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required by this section. The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance. A business may provide personal information to a consumer at any time, but shall not be required to provide personal information to a consumer more than twice in a 12-month period.

(e) This section shall not require a business to retain any personal information collected for a single, one-time transaction, if such information is not sold or retained by the business or to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.
Section 1798.105.

(a) A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.

(b) A business that collects personal information about consumers shall disclose, pursuant to Section 1798.130, the consumer’s rights to request the deletion of the consumer’s personal information.

(c) A business that receives a verifiable consumer request from a consumer to delete the consumer’s personal information pursuant to subdivision (a) of this section shall delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records.

(d) A business or a service provider shall not be required to comply with a consumer’s request to delete the consumer’s personal information if it is necessary for the business or service provider to maintain the consumer’s personal information in order to:

(1) Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.

(2) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.

(3) Debug to identify and repair errors that impair existing intended functionality.

(4) Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.

(5) Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.

(6) Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.

(7) To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.

(8) Comply with a legal obligation.

(9) Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.
Section 1798.110.

(a) A consumer shall have the right to request that a business that collects personal information about the consumer disclose to the consumer the following:

(1) The categories of personal information it has collected about that consumer.

(2) The categories of sources from which the personal information is collected.

(3) The business or commercial purpose for collecting or selling personal information.

(4) The categories of third parties with whom the business shares personal information.

(5) The specific pieces of personal information it has collected about that consumer.

(b) A business that collects personal information about a consumer shall disclose to the consumer, pursuant to paragraph (3) of subdivision (a) of Section 1798.130, the information specified in subdivision (a) upon receipt of a verifiable consumer request from the consumer.

(c) A business that collects personal information about consumers shall disclose, pursuant to subparagraph (B) of paragraph (5) of subdivision (a) of Section 1798.130:

(1) The categories of personal information it has collected about that consumer.

(2) The categories of sources from which the personal information is collected.

(3) The business or commercial purpose for collecting or selling personal information.

(4) The categories of third parties with whom the business shares personal information.

(5) The specific pieces of personal information the business has collected about that consumer.

(d) This section does not require a business to do the following:

(1) Retain any personal information about a consumer collected for a single one-time transaction if, in the ordinary course of business, that information about the consumer is not retained.

(2) Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.
Section 1798.115.

(a) A consumer shall have the right to request that a business that sells the consumer’s personal information, or that discloses it for a business purpose, disclose to that consumer:

(1) The categories of personal information that the business collected about the consumer.

(2) The categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each third party to whom the personal information was sold.

(3) The categories of personal information that the business disclosed about the consumer for a business purpose.

(b) A business that sells personal information about a consumer, or that discloses a consumer’s personal information for a business purpose, shall disclose, pursuant to paragraph (4) of subdivision (a) of Section 1798.130, the information specified in subdivision (a) to the consumer upon receipt of a verifiable consumer request from the consumer.
(c) A business that sells consumers’ personal information, or that discloses consumers’ personal information for a business purpose, shall disclose, pursuant to subparagraph (C) of paragraph (5) of subdivision (a) of Section 1798.130:

(1) The category or categories of consumers’ personal information it has sold, or if the business has not sold consumers’ personal information, it shall disclose that fact.

(2) The category or categories of consumers’ personal information it has disclosed for a business purpose, or if the business has not disclosed the consumers’ personal information for a business purpose, it shall disclose that fact.

(d) A third party shall not sell personal information about a consumer that has been sold to the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt-out pursuant to Section 1798.120.
Section 1798.120.

(a) A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt-out.

(b) A business that sells consumers’ personal information to third parties shall provide notice to consumers, pursuant to subdivision (a) of Section 1798.135, that this information may be sold and that consumers have the “right to opt-out” of the sale of their personal information.

(c) Notwithstanding subdivision (a), a business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer’s personal information. A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age. This right may be referred to as the “right to opt-in.”

(d) A business that has received direction from a consumer not to sell the consumer’s personal information or, in the case of a minor consumer’s personal information has not received consent to sell the minor consumer’s personal information shall be prohibited, pursuant to paragraph (4) of subdivision (a) of Section 1798.135, from selling the consumer’s personal information after its receipt of the consumer’s direction, unless the consumer subsequently provides express authorization for the sale of the consumer’s personal information.
Section 1798.125.

(a) (1) A business shall not discriminate against a consumer because the consumer exercised any of the consumer’s rights under this title, including, but not limited to, by:

(A) Denying goods or services to the consumer.

(B) Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.

(C) Providing a different level or quality of goods or services to the consumer.

(D) Suggesting that the consumer will receive a different price or rate for goods or services or a different level or quality of goods or services.

(2) Nothing in this subdivision prohibits a business from charging a consumer a different price or rate, or from providing a different level or quality of goods or services to the consumer, if that difference is reasonably related to the value provided to the consumer by the consumer’s data.

(b) (1) A business may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to the consumer if that price or difference is directly related to the value provided to the consumer by the consumer’s data.

(2) A business that offers any financial incentives pursuant to subdivision (a), shall notify consumers of the financial incentives pursuant to Section 1798.135.

(3) A business may enter a consumer into a financial incentive program only if the consumer gives the business prior opt-in consent pursuant to Section 1798.135 which clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time.

(4) A business shall not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.
Section 1798.130.

(a) In order to comply with Sections 1798.100, 1798.105, 1798.110, 1798.115, and 1798.125, a business shall, in a form that is reasonably accessible to consumers:

(1) Make available to consumers two or more designated methods for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115, including, at a minimum, a toll-free telephone number, and if the business maintains an Internet Web site, a Web site address.

(2) Disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable consumer request from the consumer. The business shall promptly take steps to determine whether the request is a verifiable consumer request, but this shall not extend the business’s duty to disclose and deliver the information within 45 days of receipt of the consumer’s request. The time period to provide the required information may be extended once by an additional 45 days when reasonably necessary, provided the consumer is provided notice of the extension within the first 45-day period. The disclosure shall cover the 12-month period preceding the business’s receipt of the verifiable consumer request and shall be made in writing and delivered through the consumer’s account with the business, if the consumer maintains an account with the business, or by mail or electronically at the consumer’s option if the consumer does not maintain an account with the business, in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance. The business shall not require the consumer to create an account with the business in order to make a verifiable consumer request.

(3) For purposes of subdivision (b) of Section 1798.110:

(A) To identify the consumer, associate the information provided by the consumer in the verifiable consumer request to any personal information previously collected by the business about the consumer.

(B) Identify by category or categories the personal information collected about the consumer in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information collected.

(4) For purposes of subdivision (b) of Section 1798.115:

(A) Identify the consumer and associate the information provided by the consumer in the verifiable consumer request to any personal information previously collected by the business about the consumer.

(B) Identify by category or categories the personal information of the consumer that the business sold in the preceding 12 months by reference to the enumerated category in subdivision (c) that most closely describes the personal information, and provide the categories of third parties to whom the consumer’s personal information was sold in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information sold. The business shall disclose the information in a list that is separate from a list generated for the purposes of subparagraph (C).

(C) Identify by category or categories the personal information of the consumer that the business disclosed for a business purpose in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information, and provide the categories of third parties to whom the consumer’s personal information was disclosed for a business purpose in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describes the personal information disclosed. The business shall disclose the information in a list that is separate from a list generated for the purposes of subparagraph (B).

(5) Disclose the following information in its online privacy policy or policies if the business has an online privacy policy or policies and in any California-specific description of consumers’ privacy rights, or if the business does not maintain those policies, on its Internet Web site, and update that information at least once every 12 months:

(A) A description of a consumer’s rights pursuant to Sections 1798.110, 1798.115, and 1798.125 and one or more designated methods for submitting requests.

(B) For purposes of subdivision (c) of Section 1798.110, a list of the categories of personal information it has collected about consumers in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describe the personal information collected.

(C) For purposes of paragraphs (1) and (2) of subdivision (c) of Section 1798.115, two separate lists:

(i) A list of the categories of personal information it has sold about consumers in the preceding 12 months by reference to the enumerated category or categories in subdivision (c) that most closely describe the personal information sold, or if the business has not sold consumers’ personal information in the preceding 12 months, the business shall disclose that fact.

(ii) A list of the categories of personal information it has disclosed about consumers for a business purpose in the preceding 12 months by reference to the enumerated category in subdivision (c) that most closely describe the personal information disclosed, or if the business has not disclosed consumers’ personal information for a business purpose in the preceding 12 months, the business shall disclose that fact.

(6) Ensure that all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with this title are informed of all requirements in Sections 1798.110, 1798.115, 1798.125, and this section, and how to direct consumers to exercise their rights under those sections.

(7) Use any personal information collected from the consumer in connection with the business’s verification of the consumer’s request solely for the purposes of verification.

(b) A business is not obligated to provide the information required by Sections 1798.110 and 1798.115 to the same consumer more than twice in a 12-month period.

(c) The categories of personal information required to be disclosed pursuant to Sections 1798.110 and 1798.115 shall follow the definition of personal information in Section 1798.140.
Section 1798.135.

(a) A business that is required to comply with Section 1798.120 shall, in a form that is reasonably accessible to consumers:

(1) Provide a clear and conspicuous link on the business’s Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information. A business shall not require a consumer to create an account in order to direct the business not to sell the consumer’s personal information.

(2) Include a description of a consumer’s rights pursuant to Section 1798.120, along with a separate link to the “Do Not Sell My Personal Information” Internet Web page in:

(A) Its online privacy policy or policies if the business has an online privacy policy or policies.

(B) Any California-specific description of consumers’ privacy rights.

(3) Ensure that all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with this title are informed of all requirements in Section 1798.120 and this section and how to direct consumers to exercise their rights under those sections.

(4) For consumers who exercise their right to opt-out of the sale of their personal information, refrain from selling personal information collected by the business about the consumer.

(5) For a consumer who has opted-out of the sale of the consumer’s personal information, respect the consumer’s decision to opt-out for at least 12 months before requesting that the consumer authorize the sale of the consumer’s personal information.

(6) Use any personal information collected from the consumer in connection with the submission of the consumer’s opt-out request solely for the purposes of complying with the opt-out request.

(b) Nothing in this title shall be construed to require a business to comply with the title by including the required links and text on the homepage that the business makes available to the public generally, if the business maintains a separate and additional homepage that is dedicated to California consumers and that includes the required links and text, and the business takes reasonable steps to ensure that California consumers are directed to the homepage for California consumers and not the homepage made available to the public generally.

(c) A consumer may authorize another person solely to opt-out of the sale of the consumer’s personal information on the consumer’s behalf, and a business shall comply with an opt-out request received from a person authorized by the consumer to act on the consumer’s behalf, pursuant to regulations adopted by the Attorney General.
Section 1798.140.
For purposes of this title:

(a) “Aggregate consumer information” means information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device. “Aggregate consumer information” does not mean one or more individual consumer records that have been de¬identified.

(b) “Biometric information” means an individual’s physiological, biological or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.

(c) “Business” means:

(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:

(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.

(B) Alone or in combination, annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.

(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

(2) Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business. “Control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, servicemark, or trademark.

(d) “Business purpose” means the use of personal information for the business’s or a service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected. Business purposes are:

(1) Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.

(2) Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.

(3) Debugging to identify and repair errors that impair existing intended functionality.

(4) Short-term, transient use, provided the personal information that is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.

(5) Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.

(6) Undertaking internal research for technological development and demonstration.

(7) Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.

(e) “Collects,” “collected,” or “collection” means buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.

(f) “Commercial purposes” means to advance a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction. “Commercial purposes” do not include for the purpose of engaging in speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism.

(g) “Consumer” means a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier.

(h) “Deidentified” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information:

(1) Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.

(2) Has implemented business processes that specifically prohibit reidentification of the information.

(3) Has implemented business processes to prevent inadvertent release of deidentified information.

(4) Makes no attempt to reidentify the information.

(i) “Designated methods for submitting requests” means a mailing address, email address, Internet Web page, Internet Web portal, toll-free telephone number, or other applicable contact information, whereby consumers may submit a request or direction under this title, and any new, consumer-friendly means of contacting a business, as approved by the Attorney General pursuant to Section 1798.185.

(j) “Device” means any physical object that is capable of connecting to the Internet, directly or indirectly, or to another device.

(k) “Health insurance information” means a consumer’s insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the consumer, or any information in the consumer’s application and claims history, including any appeals records, if the information is linked or reasonably linkable to a consumer or household, including via a device, by a business or service provider.

(l) “Homepage” means the introductory page of an Internet Web site and any Internet Web page where personal information is collected. In the case of an online service, such as a mobile application, homepage means the application’s platform page or download page, a link within the application, such as from the application configuration, “About,” “Information,” or settings page, and any other location that allows consumers to review the notice required by subdivision (a) of Section 1798.145, including, but not limited to, before downloading the application.

(m) “Infer” or “inference” means the derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data.

(n) “Person” means an individual, proprietorship, firm, partnership, joint venture, syndicate, business trust, company, corporation, limited liability company, association, committee, and any other organization or group of persons acting in concert.

(o) (1) “Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household:

(A) Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.

(B) Any categories of personal information described in subdivision (e) of Section 1798.80.

(C) Characteristics of protected classifications under California or federal law.

(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

(E) Biometric information.

(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.

(G) Geolocation data.

(H) Audio, electronic, visual, thermal, olfactory, or similar information.

(I) Professional or employment-related information.

(J) Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).

(K) Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

(2) “Personal information” does not include publicly available information. For these purposes, “publicly available” means information that is lawfully made available from federal, state, or local government records, if any conditions associated with such information. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge. Information is not “publicly available” if that data is used for a purpose that is not compatible with the purpose for which the data is maintained and made available in the government records or for which it is publicly maintained. “Publicly available” does not include consumer information that is deidentified or aggregate consumer information.

(p) “Probabilistic identifier” means the identification of a consumer or a device to a degree of certainty of more probable than not based on any categories of personal information included in, or similar to, the categories enumerated in the definition of personal information.

(q) “Processing” means any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means.

(r) “Pseudonymize” or “Pseudonymization” means the processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer.

(s) “Research” means scientific, systematic study and observation, including basic research or applied research that is in the public interest and that adheres to all other applicable ethics and privacy laws or studies conducted in the public interest in the area of public health. Research with personal information that may have been collected from a consumer in the course of the consumer’s interactions with a business’s service or device for other purposes shall be:

(1) Compatible with the business purpose for which the personal information was collected.

(2) Subsequently pseudonymized and deidentified, or deidentified and in the aggregate, such that the information cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.

(3) Made subject to technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.

(4) Subject to business processes that specifically prohibit reidentification of the information.

(5) Made subject to business processes to prevent inadvertent release of deidentified information.

(6) Protected from any reidentification attempts.

(7) Used solely for research purposes that are compatible with the context in which the personal information was collected.

(8) Not be used for any commercial purpose.

(9) Subjected by the business conducting the research to additional security controls limit access to the research data to only those individuals in a business as are necessary to carry out the research purpose.

(t) (1) “Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.

(2) For purposes of this title, a business does not sell personal information when:

(A) A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this title. An intentional interaction occurs when the consumer intends to interact with the third party, via one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer’s intent to interact with a third party.

(B) The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer’s personal information for the purposes of alerting third parties that the consumer has opted out of the sale of the consumer’s personal information.

(C) The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose if both of the following conditions are met:

(i) The business has provided notice that information being used or shared in its terms and conditions consistent with Section 1798.135.

(ii) The service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose.

(D) The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business, provided that information is used or shared consistently with Sections 1798.110 and 1798.115. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with Section 1798.120. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Unfair and Deceptive Practices Act (Chapter 5 (commencing with Section 17200) of Part 2 of Division 7 of the Business and Professions Code).

(u) “Service” or “services” means work, labor, and services, including services furnished in connection with the sale or repair of goods.

(v) “Service provider” means a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.

(w) “Third party” means a person who is not any of the following:

(1) The business that collects personal information from consumers under this title.

(2) (A) A person to whom the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract:

(i) Prohibits the person receiving the personal information from:

(I) Selling the personal information.

(II) Retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract.

(III) Retaining, using, or disclosing the information outside of the direct business relationship between the person and the business.

(ii) Includes a certification made by the person receiving the personal information that the person understands the restrictions in subparagraph (A) and will comply with them.

(B) A person covered by this paragraph that violates any of the restrictions set forth in this title shall be liable for the violations. A business that discloses personal information to a person covered by this paragraph in compliance with this paragraph shall not be liable under this title if the person receiving the personal information uses it in violation of the restrictions set forth in this title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the person intends to commit such a violation.

(x) “Unique identifier” or “Unique personal identifier” means a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device. For purposes of this subdivision, “family” means a custodial parent or guardian and any minor children over which the parent or guardian has custody.

(y) “Verifiable consumer request” means a request that is made by a consumer, by a consumer on behalf of the consumer’s minor child, or by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer’s behalf, and that the business can reasonably verify, pursuant to regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185 to be the consumer about whom the business has collected personal information. A business is not obligated to provide information to the consumer pursuant to Sections 1798.110 and 1798.115 if the business cannot verify, pursuant this subdivision and regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185, that the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer to act on such consumer’s behalf.
Section 1798.145.

(a) The obligations imposed on businesses by this title shall not restrict a business’s ability to:

(1) Comply with federal, state, or local laws.

(2) Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.

(3) Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.

(4) Exercise or defend legal claims.

(5) Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.

(6) Collect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this title, commercial conduct takes place wholly outside of California if the business collected that information while the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not permit a business from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.

(b) The obligations imposed on businesses by Sections 1798.110 to 1798.135, inclusive, shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law and shall not prevent a business from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.

(c) (1) This title shall not apply to any of the following:

(A) Medical information governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) and the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5).

(B) A provider of health care governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56) of Division 1) or a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in subparagraph (A) of this section.

(C) Information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration.

(2) For purposes of this subdivision, the definitions of “medical information” and “provider of health care” in Section 56.05 shall apply and the definitions of “business associate,” “covered entity,” and “protected health information” in Section 160.103 of Title 45 of the Code of Federal Regulations shall apply.

(d) This title shall not apply to the sale of personal information to or from a consumer reporting agency if that information is to be reported in, or used to generate, a consumer report as defined by subdivision (d) of Section 1681a of Title 15 of the United States Code, and use of that information is limited by the federal Fair Credit Reporting Act (15 U.S.C. Sec. 1681 et seq.).

(e) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, or the California Financial Information Privacy Act (Division 1.4 (commencing with Section 4050) of the Financial Code). This subdivision shall not apply to Section 1798.150.

(f) This title shall not apply to personal information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.). This subdivision shall not apply to Section 1798.150.

(g) Notwithstanding a business’s obligations to respond to and honor consumer rights requests pursuant to this title:

(1) A time period for a business to respond to any verified consumer request may be extended by up to 90 additional days where necessary, taking into account the complexity and number of the requests. The business shall inform the consumer of any such extension within 45 days of receipt of the request, together with the reasons for the delay.

(2) If the business does not take action on the request of the consumer, the business shall inform the consumer, without delay and at the latest within the time period permitted of response by this section, of the reasons for not taking action and any rights the consumer may have to appeal the decision to the business.

(3) If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, a business may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. The business shall bear the burden of demonstrating that any verified consumer request is manifestly unfounded or excessive.

(h) A business that discloses personal information to a service provider shall not be liable under this title if the service provider receiving the personal information uses it in violation of the restrictions set forth in the title, provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation. A service provider shall likewise not be liable under this title for the obligations of a business for which it provides services as set forth in this title.

(i) This title shall not be construed to require a business to reidentify or otherwise link information that is not maintained in a manner that would be considered personal information.

(j) The rights afforded to consumers and the obligations imposed on the business in this title shall not adversely affect the rights and freedoms of other consumers.

(k) The rights afforded to consumers and the obligations imposed on any business under this title shall not apply to the extent that they infringe on the noncommercial activities of a person or entity described in subdivision (b) of Section 2 of Article I of the California Constitution.
Section 1798.150.

(a) (1) Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:

(A) To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.

(B) Injunctive or declaratory relief.

(C) Any other relief the court deems proper.

(2) In assessing the amount of statutory damages, the court shall consider any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth.

(b) Actions pursuant to this section may be brought by a consumer if, prior to initiating any action against a business for statutory damages on an individual or class-wide basis, a consumer provides a business 30 days’ written notice identifying the specific provisions of this title the consumer alleges have been or are being violated. In the event a cure is possible, if within the 30 days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business. No notice shall be required prior to an individual consumer initiating an action solely for actual pecuniary damages suffered as a result of the alleged violations of this title. If a business continues to violate this title in breach of the express written statement provided to the consumer under this section, the consumer may initiate an action against the business to enforce the written statement and may pursue statutory damages for each breach of the express written statement, as well as any other violation of the title that postdates the written statement.

(c) The cause of action established by this section shall apply only to violations as defined in subdivision (a) and shall not be based on violations of any other section of this title. Nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law. This shall not be construed to relieve any party from any duties or obligations imposed under other law or the United States or California Constitution.
Section 1798.155.

(a) Any business or third party may seek the opinion of the Attorney General for guidance on how to comply with the provisions of this title.

(b) A business shall be in violation of this title if it fails to cure any alleged violation within 30 days after being notified of alleged noncompliance. Any business, service provider, or other person that violates this title shall be subject to an injunction and liable for a civil penalty of not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General. The civil penalties provided for in this section shall be exclusively assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General.

(c) Any civil penalty assessed for a violation of this title, and the proceeds of any settlement of an action brought pursuant to subdivision (b), shall be deposited in the Consumer Privacy Fund, created within the General Fund pursuant to subdivision (a) of Section 1798.160 with the intent to fully offset any costs incurred by the state courts and the Attorney General in connection with this title.
Section 1798.160

(a) A special fund to be known as the “Consumer Privacy Fund” is hereby created within the General Fund in the State Treasury, and is available upon appropriation by the Legislature to offset any costs incurred by the state courts in connection with actions brought to enforce this title and any costs incurred by the Attorney General in carrying out the Attorney General’s duties under this title.

(b) Funds transferred to the Consumer Privacy Fund shall be used exclusively to offset any costs incurred by the state courts and the Attorney General in connection with this title. These funds shall not be subject to appropriation or transfer by the Legislature for any other purpose, unless the Director of Finance determines that the funds are in excess of the funding needed to fully offset the costs incurred by the state courts and the Attorney General in connection with this title, in which case the Legislature may appropriate excess funds for other purposes.

Section 1798.175

This title is intended to further the constitutional right of privacy and to supplement existing laws relating to consumers’ personal information, including, but not limited to, Chapter 22 (commencing with Section 22575) of Division 8 of the Business and Professions Code and Title 1.81 (commencing with Section 1798.80). The provisions of this title are not limited to information collected electronically or over the Internet, but apply to the collection and sale of all personal information collected by a business from consumers. Wherever possible, law relating to consumers’ personal information should be construed to harmonize with the provisions of this title, but in the event of a conflict between other laws and the provisions of this title, the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.

Section 1798.180

This title is a matter of statewide concern and supersedes and preempts all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding the collection and sale of consumers’ personal information by a business.

Section 1798.185.

(a) On or before July 1, 2020, the Attorney General shall solicit broad public participation and adopt regulations to further the purposes of this title, including, but not limited to, the following areas:

(1) Updating as needed additional categories of personal information to those enumerated in subdivision (c) of Section 1798.130 and subdivision (o) of Section 1798.140 in order to address changes in technology, data collection practices, obstacles to implementation, and privacy concerns.

(2) Updating as needed the definition of unique identifiers to address changes in technology, data collection, obstacles to implementation, and privacy concerns, and additional categories to the definition of designated methods for submitting requests to facilitate a consumer’s ability to obtain information from a business pursuant to Section 1798.130.

(3) Establishing any exceptions necessary to comply with state or federal law, including, but not limited to, those relating to trade secrets and intellectual property rights, within one year of passage of this title and as needed thereafter.

(4) Establishing rules and procedures for the following:

(A) To facilitate and govern the submission of a request by a consumer to opt-out of the sale of personal information pursuant to paragraph (1) of subdivision (a) of Section 1798.145.

(B) To govern business compliance with a consumer’s opt-out request.

(C) For the development and use of a recognizable and uniform opt-out logo or button by all businesses to promote consumer awareness of the opportunity to opt-out of the sale of personal information.

(5) Adjusting the monetary threshold in subparagraph (A) of paragraph (1) of subdivision (c) of Section 1798.140 in January of every odd-numbered year to reflect any increase in the Consumer Price Index.

(6) Establishing rules, procedures, and any exceptions necessary to ensure that the notices and information that businesses are required to provide pursuant to this title are provided in a manner that may be easily understood by the average consumer, are accessible to consumers with disabilities, and are available in the language primarily used to interact with the consumer, including establishing rules and guidelines regarding financial incentive offerings, within one year of passage of this title and as needed thereafter.

(7) Establishing rules and procedures to further the purposes of Sections 1798.110 and 1798.115 and to facilitate a consumer’s or the consumer’s authorized agent’s ability to obtain information pursuant to Section 1798.130, with the goal of minimizing the administrative burden on consumers, taking into account available technology, security concerns, and the burden on the business, to govern a business’s determination that a request for information received by a consumer is a verifiable consumer request, including treating a request submitted through a password-protected account maintained by the consumer with the business while the consumer is logged into the account as a verifiable consumer request and providing a mechanism for a consumer who does not maintain an account with the business to request information through the business’s authentication of the consumer’s identity, within one year of passage of this title and as needed thereafter.

(b) The Attorney General may adopt additional regulations as necessary to further the purposes of this title.

(c) The Attorney General shall not bring an enforcement action under this title until six months after the publication of the final regulations issued pursuant to this section or July 1, 2020, whichever is sooner.

Section 1798.190

If a series of steps or transactions were component parts of a single transaction intended from the beginning to be taken with the intention of avoiding the reach of this title, including the disclosure of information by a business to a third party in order to avoid the definition of sell, a court shall disregard the intermediate steps or transactions for purposes of effectuating the purposes of this title.

Section 1798.192.

Any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer’s rights under this title, including, but not limited to, any right to a remedy or means of enforcement, shall be deemed contrary to public policy and shall be void and unenforceable. This section shall not prevent a consumer from declining to request information from a business, declining to opt-out of a business’s sale of the consumer’s personal information, or authorizing a business to sell the consumer’s personal information after previously opting out.

Section 1798.194 This title shall be liberally construed to effectuate its purposes.

Section 1798.196. This title is intended to supplement federal and state law, if permissible, but shall not apply if such application is preempted by, or in conflict with, federal law or the United States or California Constitution.

Section 1798.198.(a) Subject to limitation provided in subdivision (b), and in Section 1798.199, this title shall be operative January 1, 2020. (b) This title shall become operative only if initiative measure No. 17-0039, The Consumer Right to Privacy Act of 2018, is withdrawn from the ballot pursuant to Section 9604 of the Elections Code.

Section 1798.199.

Notwithstanding Section 1798.198, Section 1798.180 shall be operative on the effective date of the act adding this section.
Turnkey CCPA Compliance

REI MACHINES END USER DATA POLICY.

 

MASSIVE REAL ESTATE, LLC DBA REI MACHINES(“The Company”) Data Privacy Policy is designed to ensure The Company and its users, clients, subscribers(“End User) have a clear understanding of the privacy requirements and other factors related to the data obtained by and/or provided by The Company. Any data provided by The Company to It’s users, clients, subscribers, falls under our license agreement and ccpa compliance.

  

Who Owns The Data Records?

The Company is a Data Provider. Once the data is sold by The Company to an End User, the data belongs to said End User.

Is Our Data Re- Sold?

We adhere to a strict “non re-sell” policy whereas the data you purchase from The Company will not be re-sold. Another End User cannot purchase a list which has already been purchased by another End User without written consent from the original Purchasing End User.

 

What Do You Do With Our Data Records?

Your Data and the data which is purchased by The Company is stored on a secure sever and and adheres to our privacy policy. We do not use, sell, or in any way distribute any of your data records which have been purchased by The Company.

The Data collected by the End User, through the tools and services provided by The Company, is the intellectual property of the End User and the End User can export their data at any time. The Company does not use, sell, or in any way distribute any of the data collected by the End User.

 

What is your Data Record Refund Policy?

 All Data Sales are final.  There are no refunds of any type on any Data Record Purchases