Any person who is a natural person who is a resident of the state of California or any other duly authorized representative of such person is a Requestor.
I. Requests
A. FocusPOS may use a two-step process for online requests to delete Personal Information.
1. Requestor must submit a request to delete.
2. Requestor must separately confirm that Personal Information should be deleted.
B. Receiving a Request
If a Requestor submits a request in a manner that is not one of the designated methods of submission, or is deficient in some manner unrelated to the verification process, FocusPOS will either:
1. Treat the request as if it had been submitted in accordance with FocusPOS’ designated manner, or
2. Provide the Requestor with information on how to submit the request or remedy any deficiencies with the request, if applicable.
II. Verifying a Requestor’s Identity
1. Whenever feasible, match the identifying information provided by the Requestor to the Personal Information already maintained by FocusPOS [or use a third-party identity verification service].
2. Avoid collecting sensitive Personal Information (e.g., Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, security questions and answers, or unique biometric data generated from measurements or technical analysis of human characteristics) unless necessary for the purpose of verifying the Requestor.
3. Generally, avoid requesting additional information from the Requestor for purposes of verification. If necessary, FocusPOS may request additional information, which shall only be used for the purposes of verifying the identity of the Requestor seeking to exercise his/her rights.
4. Sensitive or valuable Personal Information may warrant a more stringent verification process (see examples of such information listed above (Social Security number, etc.). A greater risk of harm to the Requestor by unauthorized access or deletion warrants a more stringent verification process.
III. Responses
A. Responding to a Request to Know or Delete
1. Upon receiving a request to know or a request to delete, FocusPOS will confirm receipt of the request within 10 business days and provide information about how FocusPOS will process the request.
a. The information provided will describe in general FocusPOS’ verification process and when the Requestor should expect a response, except in instances where FocusPOS has already granted or denied the request.
b. The FocusPOS confirmation may be given in the same manner in which the request was received. For example, if the request is made over the phone, the confirmation may be given orally during the phone call.
2. FocusPOS will respond to requests to know and requests to delete within 45 calendar days.
a. The 45-day period will begin on the day that FocusPOS receives the request, regardless of time required to verify the request.
b. If FocusPOS cannot verify the Requestor within the 45-day time period, FocusPOS may deny the request.
c. If necessary, FocusPOS may take up to an additional 45 calendar days to respond to the Requestor’s request, for a maximum total of 90 calendar days from the day the request is received, provided that FocusPOS provides the Requestor with notice and an explanation of the reason that FocusPOS will take more than 45 days to respond to the request.
B. Responding to Requests to Know
1. For requests that seek the disclosure of specific pieces of Personal Information, if FocusPOS cannot verify the identity of the Requestor, FocusPOS will not disclose any specific pieces of Personal Information to the Requestor and will inform the Requestor that it cannot verify his/her identity. If the request is denied in whole or in part, FocusPOS will also evaluate the request as if it is seeking the disclosure of categories of Personal Information.
2. For requests that seek the disclosure of categories of Personal Information, if FocusPOS cannot verify the identity of the Requestor, FocusPOS may deny the request to disclose the categories and other information requested and will inform the Requestor that it cannot verify his/her identity. If the request is denied in whole or in part, FocusPOS will provide or direct the Requestor to its general business practices regarding the collection, maintenance, and sale of Personal Information set forth in its Privacy Policy and/or Privacy Notice.
3. FocusPOS is not required to search for Personal Information if all of the following conditions are met:
a. FocusPOS does not maintain the Personal Information in a searchable or reasonably accessible format;
b. FocusPOS maintains the Personal Information solely for legal or compliance purposes;
c. FocusPOS does not sell the Personal Information and does not use it for any commercial purpose; and
d. FocusPOS describes to the Requestor the categories of records that may contain Personal Information that it did not search because it meets the conditions stated above (a)-(c).
4. FocusPOS will not disclose Personal Information in response to a request to know a Requestor’s Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, security questions and answers, or unique biometric data generated from measurements or technical analysis of human characteristics. FocusPOS will, however, inform the Requestor with sufficient particularity that it has collected the type of information. For example, FocusPOS can respond that it collects “unique biometric data including a fingerprint scan” without disclosing the actual fingerprint scan data.
5. If FocusPOS denies a Requestor’s verified request to know specific pieces of Personal Information, in whole or in part, because of a conflict with federal or state law, or an exception, FocusPOS will inform the Requestor and explain the basis for the denial, unless prohibited from doing so by law. If the request is denied only in part, FocusPOS will disclose the other information sought by the Requestor.
6. FocusPOS will use reasonable security measures when transmitting Personal Information to the Requestor.
7. [If FocusPOS maintains a password-protected account with the Requestor, it may comply with a request to know by using a secure self-service portal for Requestors to access, view, and receive a portable copy of his/her Personal Information if the portal fully discloses the Personal Information to which the Requestor is entitled, uses reasonable data security controls, and complies with the verification requirements of FocusPOS.]
8. Unless otherwise specified by FocusPOS to cover a longer period of time, the 12‑month period covered by a Requestor’s verifiable request to know will begin on the date FocusPOS received the request, regardless of the time required to verify the request.
9. In responding to a Requestor’s verified request to know categories of Personal Information, categories of sources, and/or categories of third parties, FocusPOS will provide an individualized response to the Requestor. It will not refer the Requestor to FocusPOS’ general practices outlined in its Privacy Policy unless its response would be the same for all Requestors and the Privacy Policy discloses all the information that is otherwise required to be in a response to a request to know such categories.
10. In responding to a verified request to know categories of Personal Information, FocusPOS will provide:
a. The categories of Personal Information FocusPOS has collected about the Requestor in the preceding 12 months;
b. The categories of sources from which the Personal Information was collected;
c. The business or commercial purpose for which it collected the Personal Information;
d. The categories of third parties with whom FocusPOS shares Personal Information;
e. The categories of Personal Information that FocusPOS disclosed for FocusPOS purpose in the preceding 12 months, and for each category identified, the categories of third parties to whom it disclosed that particular category of Personal Information.
f. FocusPOS will identify the categories of Personal Information, categories of sources of Personal Information, and categories of third parties to whom FocusPOS disclosed Personal Information, in a manner that provides Requestors a meaningful understanding of the categories listed.
C. Responding to Requests to Delete.[1]
1. For requests to delete, if FocusPOS cannot verify the identity of the Requestor, FocusPOS may deny the request to delete. FocusPOS will inform the Requestor that his/her identity cannot be verified.
2. FocusPOS will comply with a Requestor’s request to delete their Personal Information by:
a. Permanently and completely erasing the Personal Information on its existing systems with the exception of archived or back-up systems;
b. Deidentifying the Personal Information; or
c. Aggregating the Requestor Personal Information.
3. If FocusPOS stores any Personal Information on archived or backup systems, it may delay compliance with the Requestor’s request to delete, with respect to data stored on the archived or backup system, until the archived or backup system relating to that data is restored to an active system or next accessed or used for a sale, disclosure, or commercial purpose.
4. In responding to a request to delete, FocusPOS will inform the Requestor whether or not it has complied with the Requestor’s request.
5. If FocusPOS complies with the Requestor’s request, FocusPOS will inform the Requestor that it will maintain a record of the request. FocusPOS may retain a record of the request for the purpose of ensuring that the Requestor’s Personal Information remains deleted from FocusPOS’ records.
6. In cases where FocusPOS denies a Requestor’s request to delete, FocusPOS will do all of the following:
a. Inform the Requestor that it will not comply with the Requestor’s request and describe the basis for the denial, including any conflict with or exception to federal or state law, unless prohibited from doing so by law;
b. Delete the Requestor’s Personal Information that is not subject to the exception; and
c. Not use the Requestor’s Personal Information retained for any other purpose than provided for by that exception.
7. In responding to a request to delete, FocusPOS may present the Requestor with the choice to delete select portions of their Personal Information only if a global option to delete all Personal Information is also offered and more prominently presented than the other choices.
[1] Complying with a request to delete is not mandatory if it is necessary to maintain the Personal Information in order to:
- complete a transaction or otherwise perform a contract;
- detect security incidents;
- identify and repair errors;
- exercise free speech or another legal right;
- comply with California’s Electronic Communications Privacy Act;
- engage in scientific, historical, or statistical research, if the Requestor has provided informed consent;
- enable internal uses aligned with the expectations of the Requestor;
- comply with a legal obligation;
- otherwise use the Personal Information, internally, in a lawful manner.
Cal. Civ. Code § 1798.105(d)
3. If FocusPOS stores any Personal Information on archived or backup systems, it may delay compliance with the Requestor’s request to delete, with respect to data stored on the archived or backup system, until the archived or backup system relating to that data is restored to an active system or next accessed or used for a sale, disclosure, or commercial purpose.
4. In responding to a request to delete, FocusPOS will inform the Requestor whether or not it has complied with the Requestor’s request.
5. If FocusPOS complies with the Requestor’s request, FocusPOS will inform the Requestor that it will maintain a record of the request. FocusPOS may retain a record of the request for the purpose of ensuring that the Requestor’s Personal Information remains deleted from FocusPOS’ records.
6. In cases where FocusPOS denies a Requestor’s request to delete, FocusPOS will do all of the following:
a. Inform the Requestor that it will not comply with the Requestor’s request and describe the basis for the denial, including any conflict with or exception to federal or state law, unless prohibited from doing so by law;
b. Delete the Requestor’s Personal Information that is not subject to the exception; and
c. Not use the Requestor’s Personal Information retained for any other purpose than provided for by that exception.
7. In responding to a request to delete, FocusPOS may present the Requestor with the choice to delete select portions of their Personal Information only if a global option to delete all Personal Information is also offered and more prominently presented than the other choices.