California Consumer Privacy Act of 2018
PRIVACY NOTICE FOR CALIFORNIA RESIDENTS
Last Updated: November 1, 2024
- Subject to Universal Terms of Service: The following PRIVACY NOTICE FOR CALIFORNIA RESIDENTS (“Notice”) supplements and is subject to InMotion Hosting, Inc.’s, its parent, subsidiaries, affiliates, and brands (collectively, “Company”) Universal Terms of Service (“UToS”), which are incorporated herein by this reference, and applies solely to visitors, users, Customers and others who reside in the State of California (each a “Consumer” and collectively “Consumers”). This Notice is intended to comply with the California Consumer Privacy Act of 2018, as amended (“CCPA”) and any terms defined in the CCPA have the same meaning when used in this Notice. Capitalized terms used herein and not otherwise defined herein shall have the meanings set forth in the UToS. In the event of a conflict between this Notice and the UToS, this Notice shall control.
- Changes to Company Privacy Notice. Company reserves the right to amend this Notice at Company’s sole discretion and at any time. Continued use of the Websites or Products after changes constitutes acceptance of any changes to this Notice.
- Information Company Collects.
- The Websites and Products collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Consumer or Consumer’s device (collectively, “Personal Information”). The Websites and Products have collected or may collect the following categories of Personal Information from Consumers within the last twelve (12) months:
- Personal Information does not include:
- Publicly available information from government records.
- Deidentified or aggregated consumer information.
- Information excluded from the CCPA’s scope, including but not limited to:
- Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data; or
- Personal Information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.
- Company obtains the categories of Personal Information listed above from the following categories of sources:
- Directly from Consumer (e.g., from forms Consumer completes or Products and services Consumer purchases).
- Indirectly from Consumer (e.g., from observing Consumer’s actions on the Websites).
- Use of Personal Information.
- Company may use or disclose the Personal Information Company collected for one or more of the following business purposes:
- To fulfill or meet the reason Consumer provided the information (e.g., if Consumer shared Consumer’s name and contact information to request a price quote or ask a question about Company’s Products or services, Company will use that Personal Information to respond to Consumer’s inquiry; if Consumer provides Consumer’s Personal Information to purchase a product or service, Company will use that information to process Consumer’s payment and facilitate delivery; Company may also save Consumer’s information to facilitate new product orders or process returns).
- To provide, support, personalize, and develop the Websites, Products, and services.
- To create, maintain, customize, and secure Consumer’s account (i.e., Customer’s Account).
- To process Consumer’s requests, purchases, transactions, and payments and prevent transactional fraud.
- To provide Consumer with support and to respond to Consumer’s inquiries, including to investigate and address Consumer’s concerns and monitor and improve Company responses.
- To help maintain the safety, security, and integrity of the Websites, Products and services, databases and other technology assets, and business.
- For testing, research, analysis, and product development, including to develop and improve the Websites, Products, and services.
- To respond to law enforcement and civil requests and as required by applicable law, court order, or governmental regulations.
- As described to Consumer when collecting Personal Information or as otherwise set forth in the CCPA.
- To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Company’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Information held by Company about the Websites’ Consumers is among the assets transferred and related transaction matters.
- Company will not collect additional categories of Personal Information or use the Personal Information Company collected for materially different, unrelated, or incompatible purposes without providing Consumer notice.
- Company may use or disclose the Personal Information Company collected for one or more of the following business purposes:
- Sharing Personal Information.
- Company may disclose Personal Information to a third-party for a business purpose. When Company discloses Personal Information for a business purpose, Company enters into a contract that describes the purpose and requires the third-party recipient to both keep that Personal Information confidential and not use it for any purpose except performing the contract with any third-party utilized by the Company. Company may share Consumer’s Personal Information with the subprocessors.
- Disclosures of Personal Information for a Business Purpose.
- In the preceding twelve (12) months, Company has disclosed the following categories of Personal Information for a business purpose:
- Identifiers.
- California Consumer Records Personal Information categories.
- Protected classification characteristics under federal law.
- Commercial information.
- Internet protocol address, Internet or other similar network activity.
- Sensory data.
- Professional or employment-related information.
- Non-public education information.
- Inferences drawn from other Personal Information.
- Company discloses Consumer’s Personal Information for a business purpose with the subprocessors.
- In the preceding twelve (12) months, Company has disclosed the following categories of Personal Information for a business purpose:
- Sales of Personal Information. In the preceding twelve (12) months, Company has not sold Personal Information in the following categories of Personal Information:
- Identifiers.
- California Consumer Records Personal Information categories.
- Protected classification characteristics under federal law.
- Commercial information.
- Biometric information.
- Internet or other similar network activity.
- Geolocation data.
- Sensory data.
- Professional or employment-related information.
- Non-public education information.
- Inferences drawn from other Personal Information.
- Consumer’s Rights and Choices.
- The CCPA provides Consumers with specific rights regarding their Personal Information. This section describes Consumer’s CCPA rights and explains how to exercise those rights.
- Access to Specific Information and Data Portability Rights. Consumer has the right to request that Company disclose certain information about Company’s collection and use of Personal Information over the past twelve (12) months. Once Company receives and confirms a verifiable Consumer request (see Exercising Access, Data Portability, and Deletion Rights below), Company will disclose to Consumer:
- The categories of Personal Information Company collected about Consumer.
- The categories of sources for the Personal Information Company collected about Consumer.
- Company business or commercial purpose for collecting or selling that Personal Information.
- The categories of third parties with whom Company share that Personal Information.
- The specific pieces of Personal Information Company collected about Consumer (also called a data portability request).
- If Company sold or disclosed Personal Information for a business purpose, two separate lists disclosing:
- sales, identifying the Personal Information categories that each category of recipient purchased; and
- disclosures for a business purpose, identifying the Personal Information categories that each category of recipient obtained.
- Deletion Request Rights.
- Consumer has the right to request that Company delete any of Personal Information that Company collected from Consumer and retained, subject to certain exceptions. Once Company receives and confirms a verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), Company will delete (and direct service providers to delete) Personal Information from Company records, unless an exception applies.
- Company may deny a deletion request if retaining the information is necessary for Company or Company service provider(s) to:
- Complete the transaction for which Company collected the Personal Information, provide a Product or service that Consumer requested, take actions reasonably anticipated within the context of Company ongoing business relationship with Consumer, or otherwise perform Company contract with Consumer.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug Products to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another Consumer to exercise their free speech rights, or exercise another right provided for by law.
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if Consumer previously provided informed consent.
- Enable solely internal uses that are reasonably aligned with consumer expectations based on Consumer’s relationship with Company.
- Comply with any legal obligation.
- Make other internal and lawful uses of that information that are compatible with the context in which Consumer provided it.
- Exercising Data Portability, and Deletion Rights.
- To exercise the data portability and deletion rights described above, Website users, visitors and/or non-active customers and active Customers can submit a verifiable consumer request via Company’s online form, submit an email to privacy@inmotionhosting.com, in writing, via postal mail to Company at InMotion Hosting, Inc., Attn: Data Privacy Team, 555 S. Independence Blvd., Virginia Beach, VA 23542.
- Only a Customer, a Consumer on behalf of the Consumer’s minor child, a natural person or a person registered with the Secretary of State, authorized by the Consumer to act on the Consumer’s behalf, may make a verifiable consumer request related to Personal Information.
- The verifiable consumer request must:
- Provide sufficient information that allows Company to reasonably verify requestor/legal representative is the person about whom Company collected Personal Information; and
- Describe in the request with sufficient detail to allow Company to properly understand, evaluate and respond to it.
- Company cannot respond to a Consumer request or provide a requestor with Personal Information if Company cannot verify identity or authority to make the request and confirm the Personal Information relates to Consumer. Making a verifiable Consumer request does not require creation of a Customer Account. Company will only use Personal Information provided in a verifiable Consumer request to verify the Consumer/requestor’s identity or authority to make the request.
- For instructions on exercising sale opt-out rights, see Personal Information Sales Opt-Out and Opt-In Rights below.
- Response Timing and Format.
- Company shall use commercially reasonable efforts to respond to a verifiable Consumer request within forty-five (45) days of receipt but no more than ninety (90) days. Company will deliver a written response by mail or electronically, as determined in Company’s sole discretion, to Consumer/requestor. Requests that Company cannot comply with will receive an explanation, if applicable. For data portability requests, Company will select a format to provide Personal Information that is readily usable and should allow transmission of the information.
- Verifiable consumer requests carry no charge to process.
- All Consumer’s client data provided to Company is subject to data privacy laws and Consumer is responsible for obtaining the proper consent from such client(s) prior to sharing of Personal Information with Company.
- Personal Information Sales Opt-Out and Opt-In Rights. If a Consumer is sixteen (16) years of age or older, Consumer has the right to direct Company to not sell Personal Information at any time (the “right to opt-out”). Company does not sell the Personal Information of Consumers actually know are less than sixteen (16) years of age, unless Company receives affirmative authorization (the “right to opt-in”) from either the consumer who is between thirteen (13) and sixteen (16) years of age, or the parent or guardian of a consumer less than thirteen (13) years of age. Consumers who opt-in to Personal Information sales may opt-out of future sales at any time.
- To exercise the right to opt-out, Consumer (or Consumer’s authorized representative) may submit a request to Company. Once Consumer makes an opt-out request, Company will wait at least twelve (12) months before asking Consumer to reauthorize Personal Information sales. However, Consumer may change Consumer’s mind and opt back in to Personal Information sales at any time by completing the form and checking the box that says, “OPT-IN: I Opt-In to the “Sale” or “Sharing” of my Personal Information related to tailored advertising on this website.”
- Consumer does not need to create a Customer Account with Company to exercise Consumer’s opt-out rights. Company will only use Personal Information provided in an opt-out request to review and comply with the request.
- Non-Discrimination.
- Company will not discriminate against Consumer for exercising any of Consumer’s CCPA rights. Unless permitted by the CCPA, Company will not:
- Deny Products or services.
- Charge different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
- Provide a different level or quality of Products or services.
- Suggest that Consumer may receive a different price or rate for Products or services or a different level or quality of Products or services.
- Company may offer Consumer certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive offer will reasonably relate to Personal Information’s value and contain written terms that describe the program’s material aspects. Participation in a financial incentive program requires Consumer prior opt-in consent, which Consumer may revoke at any time.
- Company will not discriminate against Consumer for exercising any of Consumer’s CCPA rights. Unless permitted by the CCPA, Company will not:
- Other California Privacy Rights. California’s “Shine the Light” law (Civil Code Section § 1798.83) permits visitors, users, and Customers of the Websites that are California residents to request certain information regarding Company’s disclosure of Personal Information to third parties for their direct marketing purposes. To make such a request, please complete the Personal Data Request form, or send an email to privacy@inmotionhosting.com or send by postal mail at: InMotion Hosting, Inc., Attn: Data Privacy Team, 555 S. Independence Blvd., Virginia Beach, VA 23452.
- Contact Information. Any questions or comments about this Notice, the ways in which Company collects and uses Personal Information described in the Privacy Policy, Consumer’s choices and/or rights regarding such use, or wish to exercise Consumer’s rights under California law may, contact Company at the address and/or email listed herein.
Category | Examples | Collected |
A. Identifiers. | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers. | YES |
B. Personal Information categories listed in the California Customer Records statute (Cal. Civ. Code§ 1798.80(e)). | A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some Personal Information included in this category may overlap with other categories. | YES |
C. Protected classification characteristics under California or federal law. | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). | NO |
D. Commercial information. | Records of personal property, cloud services or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | YES |
E. Biometric information. | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | NO |
F. Internet or other similar network activity. | Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. | YES |
G. Geolocation data. | Physical location or movements. | NO |
H. Sensory data. | Audio, electronic, visual, thermal, olfactory, or similar information. | YES |
I. Professional or employment-related information. | Current or past job history or performance evaluations. | NO |
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34C.F.R. Part 99)). | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | NO |
K. Inferences drawn from other Personal Information. | Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. |
CALIFORNIA’S CONSUMER PRIVACY ACT OF 2018
SECTION-BY-SECTION NOTICE REQUIREMENT SUMMARY
The following chart identifies and summarizes the primary statute sections relating to the CCPA’s generalized notice or disclosure requirements.
CCPA Section | General Notice or Information Disclosure Summary |
Cal. Civ. Code § 1798.100(b) | Must inform consumers, before or at the point of collection:
Prohibits collection of additional personal information categories or using collected personal information for additional purposes without providing this required notice. |
Cal. Civ. Code § 1798.105(b) | Must disclose the consumer’s deletion right. Cross-references Section 1798.130 for the disclosure requirement. |
Cal. Civ. Code § 1798.110(c) | If a business collects personal information about a consumer, it must disclose:
Cross-references Section 1798.130(a)(5)(B) for the disclosure requirement. NOTE: While Section 1798.110(c)(5) does list “the specific pieces of personal information the business has collected about that consumer” as a required piece of information in the online privacy disclosure, this is likely a statutory drafting error (see Practice Note, Understanding the California Consumer Privacy Act (CCPA): History of the CCPA). Businesses should probably interpret this requirement as referring to the consumer’s specific information (access) rights and not as a requirement to include individual personal information in the online privacy notice (see Practice Note, Understanding the California Consumer Privacy Act (CCPA): Specific Information Rights). |
Cal. Civ. Code § 1798.115(c) | If a business sells personal information or discloses personal information for a business purpose, it must disclose the personal information categories:
Cross-references Section 1798.130(a)(5)(C) for the disclosure requirement. |
Cal. Civ. Code § 1798.115(d) | A third-party purchaser of a consumer’s personal information cannot resell that information unless the consumer receives explicit notice and an opportunity to opt- out. Cross-references Section 1798.120 establishing the consumer’s personal information sales opt-out and opt-in rights. |
Cal. Civ. Code § 1798.120(b) | If a business sells personal information to third parties, it must provide notice to consumers that:
|
Cal. Civ. Code § 1798.125(b)(2) and (3) | If a business offers financial incentives for personal information collections, sales, or deletions, it must notify consumers of the financial incentives and clearly describe material terms. Cross-references Section 1798.135 for notice requirements. |
Cal. Civ. Code § 1798.130 | Primary section discussing both general and specific notice requirements. Cross-references:
Subsections related to general or public disclosures and notices described below. |
Cal. Civ. Code § 1798.130(a)(1) | Must make available two or more designated methods for submitting verified consumer requests for information disclosures required under:
Contact methods must include, at minimum:
|
Cal. Civ. Code § 1798.130(a)(5) | Must disclose the following information:
The lists must use the 11 categories enumerated in the personal information definition in Section 1798.140(o) that most closely describe the personal information. Disclosure must occur:
Must update this information at least once every 12 months. |