CALIFORNIA CONSUMER PRIVACY ACT (CCPA) POLICY

Dooney & Bourke, Inc.
For use in conjunction with the CCPA Procedures.

INTRODUCTION

This document lays out Dooney & Bourke, Inc.’s CCPA Policy.

PURPOSE

This Policy expresses the strong commitment of Dooney & Bourke, Inc. to respect and protect the privacy and personal information of its employees, suppliers, customers, business partners, clients, and their respective end customers. This Policy will provide appropriate safeguards when Dooney & Bourke, Inc. processes personal information.

SCOPE

This Policy applies to Dooney & Bourke, Inc.’s parent company, related affiliates/subsidiaries, and third parties who process personal information on behalf of those entities whenever those entities process personal information from consumers who reside in California.

DEFINITIONS

Aggregate Consumer Information: Information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device. Aggregate consumer information does not mean one or more individual consumer records that have been deidentified.

Biometric Information: An individual’s physiological, biological or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), that can be used, singly or in combination with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.

Business: A business is:

  1. A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
    1. Has annual gross revenues more than twenty-five million dollars ($25,000,000).
    2. Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
    3. Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
  2. Any entity that controls or is controlled by a business, as defined in paragraph above, and that shares common branding with the business. “control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, servicemark, or trademark.

Business Purpose: The use of personal information for the business’ or a service provider’s operational purposes, or other notified purposes, provided that the use of personal information shall be reasonably necessary and proportionate to achieve the operational purpose for which the personal information was collected or processed or for another operational purpose that is compatible with the context in which the personal information was collected. Business purposes are:

  1. Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
  2. Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
  3. Debugging to identify and repair errors that impair existing intended functionality.
  4. Short-term, transient use, provided the personal information that is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.
  5. Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.
  6. Undertaking internal research for technological development and demonstration.
  7. Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business.

Collects, Collected, or Collection: Buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.

Commercial Purposes: To advance a person’s commercial or economic interests, such as by inducing another person to buy, rent, lease, join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or indirectly, a commercial transaction. commercial purposes do not include engaging in speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism.

Consumer: A natural person who is a California resident. A resident is every individual who is in California other than for a temporary or transitory purpose, and every individual who is domiciled in California who is outside California for a temporary or transitory purpose.

Deidentified: Information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, provided that a business that uses deidentified information:

  1. Has implemented technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.
  2. Has implemented business processes that specifically prohibit reidentification of the information.
  3. Has implemented business processes to prevent inadvertent release of deidentified information.
  4. Makes no attempt to reidentify the information.

Designated Methods for Submitting Requests: A mailing address, email address, Internet Web page, Internet Web portal, toll-free telephone number, or other applicable contact information, whereby consumers may submit a request or direction under this Policy, and any new, consumer-friendly means of contacting a business, as approved by the Attorney General.

Device: Any physical object that can connect to the Internet, directly or indirectly, or to another device.

Health Insurance Information: A consumer’s insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the consumer, or any information in the consumer’s application and claims history, including any appeals records, if the information is linked or reasonably linkable to a consumer or household, including via a device, by a business or service provider.

Homepage: The introductory page of an Internet website and any Internet webpage where personal information is collected. In the case of an online service, such as a mobile application, homepage means the application’s platform page or download page, a link within the application, such as from the application configuration, “About,” “Information,” or settings page, and any other location that allows consumers to review notices detailed in this Policy, including, but not limited to, before downloading the application.

Infer or Inference: The derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data.

Person: An individual, proprietorship, firm, partnership, joint venture, syndicate, business trust, company, corporation, limited liability company, association, committee, and any other organization or group of persons acting in concert.

Personal Information: Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following:

  1. Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
  2. Any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. “Personal information” does not include publicly available information that is lawfully made available to the public from federal, state, or local government records.
  3. Characteristics of protected classifications under California or federal law.
  4. Commercial information, including records of personal property, products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies.
  5. Biometric information.
  6. Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement.
  7. Geolocation data.
  8. Audio, electronic, visual, thermal, olfactory, or similar information.
  9. Professional or employment-related information.
  10. Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Education Rights and Privacy Act.
  11. Inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Personal information does not include publicly available information. For purposes of this paragraph, “publicly available” means information that is lawfully made available from federal, state, or local government records. “Publicly available” does not mean biometric information collected by a business about a consumer without the consumer’s knowledge. "Personal information" does not include consumer information that is deidentified or aggregate consumer information.

Probabilistic Identifier: The identification of a consumer or a device to a degree of certainty of more probable than not based on any categories of personal information included in, or like, the categories enumerated in the definition of personal information.

Processing, Process, Processed, or Processes: Any operation or set of operations that are performed on personal data or on sets of personal data, whether by automated means.

Pseudonymize or Pseudonymization: The processing of personal information in a manner that renders the personal information no longer attributable to a specific consumer without the use of additional information, provided that the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal information is not attributed to an identified or identifiable consumer.

Research: Scientific, systematic study and observation, including basic research or applied research that is in the public interest and that adheres to all other applicable ethics and privacy laws or studies conducted in the public interest in the area of public health. Research with personal information that may have been collected from a consumer during the consumer’s interactions with a business’ service or device for other purposes shall be:

  1. Compatible with the business purpose for which the personal information was collected.
  2. Subsequently pseudonymized and deidentified, or deidentified and in the aggregate, such that the information cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.
  3. Made subject to technical safeguards that prohibit reidentification of the consumer to whom the information may pertain.
  4. Subject to business processes that specifically prohibit reidentification of the information.
  5. Made subject to business processes to prevent inadvertent release of deidentified information.
  6. Protected from any reidentification attempts.
  7. Used solely for research purposes that are compatible with the context in which the personal information was collected.
  8. Not used for any commercial purpose.
  9. Subjected by the business conducting the research to additional security controls that limit access to the research data to only those individuals in a business as are necessary to carry out the research purpose.

Sell, Selling, Sale, or Sold: Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.

For purposes of this Policy, a business does not sell personal information when:

  1. A consumer uses or directs the business to intentionally disclose personal information or uses the business to intentionally interact with a third party, provided the third party does not also sell the personal information, unless that disclosure would be consistent with the provisions of this Policy. An intentional interaction occurs when the consumer intends to interact with the third party, via one or more deliberate interactions. Hovering over, muting, pausing, or closing a given piece of content does not constitute a consumer’s intent to interact with a third party.
  2. The business uses or shares an identifier for a consumer who has opted out of the sale of the consumer’s personal information for the purposes of alerting third parties that the consumer has opted out of the sale of the consumer’s personal information.
  3. The business uses or shares with a service provider personal information of a consumer that is necessary to perform a business purpose if both of the following conditions are met: services that the service provider performs on the business’ behalf, provided that the service provider also does not sell the personal information.
    1. The business has provided notice that information being used or shared in its terms and conditions consistent with this Policy.
    2. The service provider does not further collect, sell, or use the personal information of the consumer except as necessary to perform the business purpose.
    3. The business transfers to a third party the personal information of a consumer as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the business provided that information is used or shared consistently with this Policy. If a third party materially alters how it uses or shares the personal information of a consumer in a manner that is materially inconsistent with the promises made at the time of collection, it shall provide prior notice of the new or changed practice to the consumer. The notice shall be sufficiently prominent and robust to ensure that existing consumers can easily exercise their choices consistently with this Policy. This subparagraph does not authorize a business to make material, retroactive privacy policy changes or make other changes in their privacy policy in a manner that would violate the Unfair and Deceptive Practices Act (Chapter 5 (commencing with Section 17200) of Part 2 of Division 7 of the Business and Professions Code).

Service or Services: work, labor, and services, including services furnished in connection with the sale or repair of goods.

Service Provider: A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that processes information on behalf of a business and to which the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this Policy, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract with the business.

Third Party: A person who is not any of the following:

  1. The business that collects personal information from consumers under this Policy.
  2. A person to whom the business discloses a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract:
    1. Prohibits the person receiving the personal information from:
      1. Selling the personal information.
      2. Retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract, including retaining, using, or disclosing the personal information for a commercial purpose other than providing the services specified in the contract.
      3. Retaining, using, or disclosing the information outside of the direct business relationship between the person and the business.
    2. Includes a certification made by the person receiving the personal information that the person understands the restrictions in subparagraph (A) and will comply with them.

Unique Identifier or Unique Personal Identifier: A persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an internet protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device. For purposes of this subdivision, “family” means a custodial parent or guardian and any minor children over which the parent or guardian has custody.

Verifiable Consumer Request or Verifiable Request: A request that is made by a consumer, by a consumer on behalf of the consumer’s minor child, or by a natural person or a person registered with the Secretary of State, authorized by the consumer to act on the consumer’s behalf, and that the business can reasonably verify, pursuant to regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185 to be the consumer about whom the business has collected personal information. A business is not obligated to provide information to the consumer pursuant to Sections 1798.110 and 1798.115 if the business cannot verify, pursuant this subdivision and regulations adopted by the Attorney General pursuant to paragraph (7) of subdivision (a) of Section 1798.185, that the consumer making the request is the consumer about whom the business has collected information or is a person authorized by the consumer to act on such consumer’s behalf.

ENFORCEMENT

Policy Compliance: Dooney & Bourke, Inc. expects all directors, executives, employees, and agents will comply with this Policy.

Monitoring: Dooney & Bourke, Inc. ensures that all requirements contained in this Policy are properly implemented by:

  1. Providing evidence of compliance on an annual interval to Director of Customer Service;
  2. Reviewing submitted evidence to determine whether submitted evidence complies with this Policy; and
  3. Auditing Steps 1 and 2 at least once a year.

Sanctions: Non-compliance is defined as any one or more of the following:

  1. Any act that infringes on this Policy whether by negligence or willful misconduct;
  2. Unauthorized processing of personal information;
  3. Using hardware, software, communication networks and equipment, or personal information for illicit purposes which may infringe local laws or regulations; or
  4. Acts exposing Dooney & Bourke, Inc. to actual or potential monetary loss, regulatory censure, or reputational damage.
  5. Any infringement of this Policy may be treated as serious misconduct. Sanctions may include termination of employment or other contractual arrangement, and civil or criminal prosecution in accordance with applicable laws and regulation.

TRAINING

Dooney & Bourke, Inc. will provide regular privacy and data protection training to its employees who process personal information or develop tools used to process personal information. Such training will raise awareness about this Policy and the requirements contained herein.

GENERAL DISCLOSURE OBLIGATIONS

Dooney & Bourke, Inc. will disclose the following in its online privacy policy or policies if the business has an online privacy policy or policies, and in any California-specific description of consumers’ privacy rights, or if Dooney & Bourke, Inc. does not maintain those policies, on its Internet website, and update the following information at least once every 12 months:

  1. A description of a consumer’s rights pursuant to the sections titled, “CONSUMER REQUESTS” and “CONSUMER RIGHTS”
  2. A list of the categories of personal information Dooney & Bourke, Inc. has collected about consumers in the preceding 12 months by reference to the enumerated category or categories that most closely describe the personal information collected.

Dooney & Bourke, Inc. will ensure that all individuals responsible for handling consumer inquiries about Dooney & Bourke, Inc.’s privacy practices orDooney & Bourke, Inc.’s compliance with this Policy are informed about the requirements in this Policy and the CCPA Procedures.

Dooney & Bourke, Inc. must respond to verified consumer requests within 45 days. Dooney & Bourke, Inc. may extend the time period for response by 90 additional days when necessary, taking into account the complexity and number of the requests Dooney & Bourke, Inc. has received. Dooney & Bourke, Inc. will inform the consumer of any such extension, and the reasons for the delay, within 45 days of receiving the verified consumer request.

If Dooney & Bourke, Inc. does not take action on a verified consumer request, Dooney & Bourke, Inc., without delay and at the latest within the time period permitted above, will explain the reasons why Dooney & Bourke, Inc. will not take action on the verified consumer request. Dooney & Bourke, Inc. will develop procedures allowing consumers to appeal Dooney & Bourke, Inc.’s decision not to act on the consumer’s verified consumer request.

If a consumer’s request is manifestly unfounded or excessive—in particular because of their repetitive character—Dooney & Bourke, Inc. may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify the consumer of the reason for refusing the request. Dooney & Bourke, Inc. shall bear the burden of demonstrating that any verified consumer request is manifestly unfounded or excessive.

GENERAL OBLIGATIONS REGARDING CONSUMER REQUESTS

Dooney & Bourke, Inc. will:

  1. Make available to consumers two or more designated methods for submitting requests for information required to be disclosed pursuant to subsections titled, “Right to Disclosure and Requests when Dooney & Bourke, Inc. Sells Personal Information or Uses Personal Information for a Business Purpose” in the section titled, “CONSUMER REQUESTS”, including, at a minimum, a toll-free telephone number, and if Dooney & Bourke, Inc. maintains an Internet website, a website address. If Dooney & Bourke, Inc. operates exclusively online and has a direct relationship with a consumer from whom it collects personal information, Dooney & Bourke, Inc. may only provide an email address for submitting requests for information required to be disclosed. If Dooney & Bourke, Inc. operates an internet website, it will make the website available to customers so customer may submit requests for information required to be disclosed.
  2. If Dooney & Bourke, Inc. operates exclusively online and has a direct relationship with a consumer from whom it collects personal information, Dooney & Bourke, Inc. may only provide an email address for submitting requests for information required to be disclosed. If Dooney & Bourke, Inc. operates an internet website, it will make the website available to customers so customer may submit requests for information required to be disclosed.
  3. Disclose and deliver the required information to a consumer free of charge within 45 days of receiving a verifiable request from the consumer. Dooney & Bourke, Inc. will promptly take steps to determine whether the request is a verifiable request, but this shall not extend Dooney & Bourke, Inc.’s duty to disclose and deliver the information within 45 days of receipt of the consumer’s request. The time to provide the required information may be extended once by an additional 45 days when reasonably necessary, provided the consumer is provided notice of the extension within the first 45-day period. The disclosure shall cover the 12-month period preceding Dooney & Bourke, Inc.’s receipt of the verifiable request and shall be made in writing and delivered through the consumer’s account with Dooney & Bourke, Inc., if the consumer maintains an account with the business, or by mail or electronically at the consumer’s option if the consumer does not maintain an account with Dooney & Bourke, Inc., in a readily useable format that allows the consumer to transmit this information from one entity to another entity without hindrance. The business shall not require the consumer to create an account with Dooney & Bourke, Inc. to make a verifiable request.

CONSUMER REQUESTS

Requests to Access Information: A consumer has the right to request that Dooney & Bourke, Inc. disclose to them the categories and specific pieces of personal information Dooney & Bourke, Inc. has collected on that consumer. Dooney & Bourke, Inc. will provide such information to a consumer after receiving a verifiable customer request.

Dooney & Bourke, Inc. will, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. Dooney & Bourke, Inc. will not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.

Once Dooney & Bourke, Inc. receives a verifiable consumer request from a consumer to access personal information, it will promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required by this section. The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without issue. Dooney & Bourke, Inc. may provide personal information to a consumer at any time but shall not be required to provide personal information to a consumer more than twice in a 12-month period.

Dooney & Bourke, Inc. does not have to retain personal information collected for a single, one-time transaction, if such information is not sold or retained by Dooney & Bourke, Inc. or used to reidentify or otherwise link information that is not, in the ordinary course of business, maintained in a manner that would be considered personal information

Requests for Deletion: A consumer has the right to request that Dooney & Bourke, Inc. delete any personal information about the consumer which Dooney & Bourke, Inc. has collected from the consumer.

Dooney & Bourke, Inc. will disclose, to the consumer, the consumer’s right to request that Dooney & Bourke, Inc. delete consumer’s personal information.

Once Dooney & Bourke, Inc. receives a verifiable request from a consumer to delete the consumer’s personal information, Dooney & Bourke, Inc. will delete the consumer’s personal information from its records and direct any service providers to delete the consumer’s personal information from their records.

Dooney & Bourke, Inc. does not need to comply with a consumer’s request to delete the consumer’s personal information if it is necessary for Dooney & Bourke, Inc. to maintain the consumer’s personal information in order to:

  1. Complete a transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of Dooney & Bourke, Inc.’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and consumer.
  2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for the activity.
  3. Debug to identify and repair errors that impair existing intended functionality.
  4. Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
  5. Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 of Title 12 of Part 2 of the Penal Code.
  6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
  7. To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
  8. Comply with a legal obligation.
  9. Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

Requests for Disclosure: When Dooney & Bourke, Inc. collects personal information from consumers, those consumers have the right to request a disclosure containing the following:

  1. The categories of personal information it has collected about that consumer.
  2. The categories of sources from which the personal information is collected.
  3. The business or commercial purpose for collecting or selling personal information.
  4. The categories of third parties with whom the business shares personal information.
  5. The specific pieces of personal information it has collected about that consumer.

Dooney & Bourke, Inc. will disclose the information above after receiving a verifiable request and verifying the consumer’s identity. To verify the consumer’s identity, Dooney & Bourke, Inc. will associate the information provided by the consumer in the consumer’s verifiable request with personal information Dooney & Bourke, Inc. gathered about the consumer.

Dooney & Bourke, Inc. may identify by category or categories the personal information collected about the consumer in the preceding 12 months by reference to the enumerated category or categories provided in the definition of personal information.

Dooney & Bourke, Inc. is not required to:

  1. Retain any personal information about a consumer collected for a single one-time transaction if, in the ordinary course of business, that information about the consumer is not retained.
  2. Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information.

Dooney & Bourke, Inc. is not obligated to provide the information required in this subsection to the same consumer more than twice in a 12-month period.

Requests Regarding the Sale or Disclosure of Personal Information to a Third Party for a Business Purpose: When Dooney & Bourke, Inc. sells consumers’ personal information, or discloses personal information to a third party for a business purpose, those consumers have the right to request the following from Dooney & Bourke, Inc.:

  1. The categories of personal information Dooney & Bourke, Inc. collected about the consumer.
  2. The categories of personal information Dooney & Bourke, Inc. sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each third party to whom the personal information was sold.
  3. The categories of personal information Dooney & Bourke, Inc. disclosed about the consumer for a business purpose.

Dooney & Bourke, Inc. will disclose the information above after receiving a verifiable request and verifying the consumer’s identity. To verify the consumer’s identity, Dooney & Bourke, Inc. will associate the information provided by the consumer in the consumer’s verifiable request with personal information Dooney & Bourke, Inc. gathered about the consumer.

Dooney & Bourke, Inc. may identify by category or categories the personal information about the consumer Dooney & Bourke, Inc. sold or disclosed for business purposes in the preceding 12 months by reference to the enumerated category or categories provided in the definition of personal information. Dooney & Bourke, Inc. will provide the categories of third parties to whom the consumer’s personal information was sold or disclosed for a business purpose in the preceding 12 months. Dooney & Bourke, Inc. will disclose information it sold in a separate list from the information it disclosed for a business purpose.

If Dooney & Bourke, Inc. has not sold, or disclosed for a business purpose, consumer’s personal information, Dooney & Bourke, Inc. will disclose that fact to the consumer.

Third parties who have received personal information about consumers from Dooney & Bourke, Inc. will not sell such personal information unless the consumer has received explicit notice and is provided an opportunity to exercise the Right to Opt Out (as explained in the Data Subjects’ Rights section below).

Dooney & Bourke, Inc. is not obligated to provide the information required in this subsection to the same consumer more than twice in a 12-month period.

CONSUMERS’ RIGHTS

Right to Opt Out: A consumer has the right, at any time, to direct Dooney & Bourke, Inc. not to sell the consumer’s personal information to third parties.

When Dooney & Bourke, Inc. sells consumers’ personal information to third parties, or provides a financial incentive program pursuant to the section titled, “FINANCIAL INCENTIVE PROGRAM”, Dooney & Bourke, Inc. will inform the consumer about the Right to Opt Out and shall provide the following:

  1. A clear and conspicuous link titled “Do Not Sell My Personal Information,” on the Dooney & Bourke, Inc.’s Internet homepage that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer’s personal information. Dooney & Bourke, Inc. will not require a consumer to create an account to direct the business not to sell the consumer’s personal information.
  2. A description of the consumer’s rights pursuant to the Consumers’ Rights section in this Policy and a link to the “Do Not Sell My Personal Information” Internet webpage in:
    1. Dooney & Bourke, Inc.’s online privacy policy or policies if the business has an online privacy policy or policies.
    2. Any California-specific description of consumers’ privacy rights.
  3. Ensure all individuals responsible for handling consumer requests have read the CCPA Policy and CCPA Procedures and how to direct consumers so consumer may exercise their rights under this Policy or those Procedures.
  4. For consumers who exercise their right to opt out of the sale of their personal information, refrain from selling personal information collected by Dooney & Bourke, Inc. about the consumer. In the case of minor consumers’ personal information, Dooney & Bourke, Inc. cannot sell a minor consumer’s personal information without consent. Dooney & Bourke, Inc. can sell information from a consumer after the consumer has opted out from selling their personal information (or has not provided consent in the case of minor consumers) if the consumer or minor consumer subsequently provides express authorization to sell their personal information.
  5. For consumers who have opted out of the sale of their personal information, Dooney & Bourke, Inc. will respect the consumer’s decision to opt out for at least 12 months before requesting that the consumer authorize the sale of the consumer’s personal information.
  6. Use any personal information collected from the consumer in connection with the submission of the consumer’s Right to Opt Out for the purpose of complying with the consumer’s opt-out request.

If Dooney & Bourke, Inc. maintains a separate and additional homepage that is dedicated to California consumers and it includes required links and text, and the business takes reasonable steps to ensure that California consumers are directed to the homepage for California consumers, and not a homepage made available to the general public, then Dooney & Bourke, Inc. does not have to include the required links and text on its homepage that is made available to the general public.

A consumer may authorize another person solely to opt out of the sale of the consumer’s personal information on the consumer’s behalf, and Dooney & Bourke, Inc. will comply with an opt out request received from a person authorized by the consumer to act on the consumer’s behalf, pursuant to regulations adopted by the Attorney General.

Right to Opt In: Dooney & Bourke, Inc. will not sell the personal information of consumers if the Dooney & Bourke, Inc. has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer’s parent or guardian—in the case of consumers who are less than 13 years of age—has affirmatively authorized the sale of such consumer’s personal information. If Dooney & Bourke, Inc. disregards consumers’ age, authorities in California will deem Dooney & Bourke, Inc. to have had actual knowledge of consumers’ age.

NON-DISCRIMINATION

Statement Against Discrimination: Dooney & Bourke, Inc. will not discriminate against a consumer because the consumer exercised any of their rights or has made a request. The following is a list is a non-exhaustive list of things Dooney & Bourke, Inc. will not do to discriminate against consumers who have exercised their rights or made a request:

  1. Deny goods or services to the consumer.
  2. Charge different prices or rates for goods or services, including using discounts or other benefits or imposing penalties.
  3. Provide a different level or quality of goods or services to the consumer.
  4. Suggest that a consumer will receive a different price or rate for goods or services or a different level or quality of goods or services. Dooney & Bourke, Inc. may charge a different price, rate, or level of quality for a good or service to the consumer if that difference is reasonably related to the value provided to the consumer due to the consumer’s data.

FINANCIAL INCENTIVE PROGRAM

Dooney & Bourke, Inc. may offer financial incentives, including payments to consumers as compensation, for the collection of personal information, the sale of personal information, or the deletion of personal information. A business may also offer a different price, rate, level, or quality of goods or services to consumers if that price or difference is directly related to the value provided to the consumer by the consumer’s data. If Dooney & Bourke, Inc. offers any financial incentives, it must notify consumer of the financial incentives pursuant to the subsection titled, “Right to Opt Out” in the CONSUMERS’ RIGHTS section of this Policy.

Dooney & Bourke, Inc. will only enter a consumer into a financial incentive program if the consumer gives Dooney & Bourke, Inc. prior opt-in consent—in accordance with the subsection titled “Right to Opt-Out” in the CONSUMER RIGHTS section—which clearly describes the material terms of the financial incentive program, and which may be revoked by the consumer at any time.

Dooney & Bourke, Inc. will not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature.

OBLIGATIONS WHEN COLLECTING INFORMATION PURSUANT TO A CONSUMER’S REQUEST

Dooney & Bourke, Inc. will use personal information collected from the consumer in connection with Dooney & Bourke, Inc.’s verification of the consumer’s request solely for the purpose of verification.

SECURITY OBLIGATIONS

Dooney & Bourke, Inc. will encrypt or redact the following information it receives from consumers:

  1. Social security numbers;
  2. Driver’s license numbers or California identification card number;
  3. Account numbers, credit or debit card numbers—in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
  4. Medical information; and
  5. Health insurance information.

Dooney & Bourke, Inc. will implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information provided by consumers to Dooney & Bourke, Inc..

APPLICABILITY OF THIS POLICY

This Policy does not restrict Dooney & Bourke, Inc.’s ability to:

  1. Comply with federal, state, or local laws.
  2. Comply with civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.
  3. Cooperate with law enforcement agencies concerning conduct or activity that Dooney & Bourke, Inc., service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.
  4. Exercise or defend legal claims.
  5. Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.
  6. Collect or sell a consumer’s personal information if every aspect of that commercial conduct takes place wholly outside of California. For purposes of this Policy, commercial conduct takes place wholly outside of California if Dooney & Bourke, Inc. collected that information while the consumer was outside of California, no part of the sale of the consumer’s personal information occurred in California, and no personal information collected while the consumer was in California is sold. This paragraph shall not permit Dooney & Bourke, Inc. from storing, including on a device, personal information about a consumer when the consumer is in California and then collecting that personal information when the consumer and stored personal information is outside of California.

This Policy does not apply where compliance by Dooney & Bourke, Inc. with the Policy would violate an evidentiary privilege under California law and shall not prevent Dooney & Bourke, Inc. from providing the personal information of a consumer to a person covered by an evidentiary privilege under California law as part of a privileged communication.

This Policy will not apply to a provider of health care governed by the acts below nor to protected or health information that is collected by a covered entity or business associate governed by the Confidentiality of Medical Information Act (Part 2.6 (commencing with Section 56 of Division 1)) or governed by the privacy, security, and breach notification rules issued by the federal Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Availability Act of 1996. For purposes of this subdivision, the definition of “medical information” in Section 56.05 shall apply and the definitions of “protected health information” and “covered entity” from the federal privacy rule shall apply.

This Policy will not apply to information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Hamonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration.

This Policy will not apply to an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in subdivision (f) of Section 1681a of Title 15 of the United States Code, by a furnisher of information, as set forth in Section 1681s-2 of Title 15 of the United States Code, who provides information for use in a consumer report, as defined in subdivision (d) of Section 1681a of Title 15 of the United States Code, and by a user of a consumer report as set forth in Section 1681b of Title 15 of the United States Code. The foregoing will only apply if the information is not used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act. This exception does not apply to the private right of consumers to pursue legal action against a Dooney & Bourke, Inc. under the California Consumer Privacy Act section 1798.150.

This Policy will not apply to personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102), and implementing regulations, if it conflicts with that law.

This Policy will not apply to personal information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act of 1994 (18 U.S.C. Sec. 2721 et seq.), if it is in conflict with that act.

This exceptions above do not apply to the private right of consumers to sue a company under the California Consumer Privacy Act section 1798.150.

The right to opt out of the sale of consumer information does not apply to vehicle information or ownership information retained or shared between a new motor vehicle dealer and the vehicle's manufacturer if the vehicle or ownership information is shared for the purpose of effectuating, or in anticipation of effectuating, a vehicle repair covered by a vehicle warranty or a recall conducted pursuant to Sections 30118 to 30120, inclusive, of Title 49 of the United States Code provided that the new motor vehicle dealer or vehicle manufacturer does not sell, share, or use that information for any other purpose.

This Policy will not apply to personal information that is collected by Dooney & Bourke, Inc. about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural person's personal information is collected and used by the business solely within the context of the natural person's role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business. This policy will not apply to information that is collected by Dooney & Bourke, Inc. that is emergency contact information of a natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business. This policy will not apply to information that is necessary for Dooney & Bourke, Inc. to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of administering those benefits.

The foregoing paragraph will not apply to a consumers right to request that Dooney & Bourke, Inc. disclose the categories and specific pieces of personal information the business has collected. The foregoing paragraph will not apply to the privacy right of consumers to pursue legal action against a Dooney & Bourke, Inc. under the California Consumer Privacy Act section 1798.150.

EFFECTIVE DATE

This Policy shall take effect on 12/31/2019. All previous issuances of this Policy that are inconsistent with the whole or any part of this Policy are revoked and superseded.

ADMINISTRATION

This Policy will be administered by Director of Customer Service.

Director of Customer Service shall retain the right to amend, revoke, withdraw, or nullify the whole or any part of this Policy as deemed necessary.

QUESTIONS ABOUT THIS CCPA POLICY

If you have any questions about this CCPA Policy or the privacy practices of this Web Site, please contact us by email at privacy@dooney.com.