NOTICE and POLICY FOR THE CALIFORNIA CONSUMER PRIVACY ACT (CCPA) & DATA SUBJECT ACCESS REQUEST (DSAR)
Under the California Consumer Protection Act (CCPA), a California resident has the following rights regarding their “Personal Information” including the:
- Right to opt-out of the sale of their personal information to third parties;
- Right to know what personal information businesses have collected about them and how businesses have sold or disclosed that information to third parties; and
- Request that businesses delete personal information that has been collected from/about them.
IMPORTANT EXCEPTIONS due to our Program relationship with WebBank, a federally regulated Bank, the Gramm Leach-Bliley Act (GLBA) governs Scratch’s customer data requests which provides for an exemption from CCPA compliance.
EXEMPTION to Scratchpay Customers’ Requests
Under GLBA any information collected from a Scratchpay customer is considered exempt from CCPA and does not need to comply with the CCPA.
Even though Scratch is exempt from CCPA, Scratch is required to inform California resident customers of a channel and a process to communicate their rights including:
- right to know about said requests;
- right to delete requests;
- right to opt-out of selling data (Scratch does not sell customer data).
Customer’s Channel and Request Process – Scratch’s Website
- For data collected from Non-Customers from our website or mobile app does not meet the GLBA exemption and will need to comply with the CCPA. These would be individuals (Consumers vs. Customers) who visit our website or app but do not apply for a loan.
- To effectuate Non-Customer requests, our website includes a "Do not sell my information/Turn off cookies" option/functionality. When that is selected, we will honor the request. Scratch includes this link in all areas of the website, even in areas where only customers have access.
- California Resident – a person whose primary domicile (address) is in the state of California. The CCPA does not apply to non-California residents.
- CCPA definition of Personal Information – the CCPA defines Personal Information as information to include any data that relates to, describes, could be reasonably linked, or is capable of being associated with an individual or household and thus is broader in scope than GLBA’s definition.
- Gramm-Leach-Bliley (GLBA) - requires financial institutions that offer loans and financial services – to explain their information-sharing practices to their customers and to safeguard sensitive data. Financial institutions have certain exemptions under GLBA from the CCPA.
- GLBA definition of “Personal Information” - under GLBA applies to “personally identifiable financial information – i.e. the information a consumer provides to obtain a financial product or services that results from a consumer transaction, or is otherwise obtained in connection with providing a financial product or service. GLBA 12 C.F.R. §1016.3(q)(1).
TABLE 1 – Categories of Information Collection and California Residents Rights
|Categories of information we may collect||Identifiers such as: Name; User Name; Addresses; Online identifiers; Email address; Social Security number; Driver’s license and/or passport number or similar identification; Internet Protocol address; Geolocation data; Similar identifiers; Products or services purchased, obtained, or considered; Account numbers; Information regarding your interaction with our web site including from Cookies; Professional or employment-related information; Financial information; Publicly available information|
|Sources from which we obtain information||Information you provide to us when applying for a loan; Information received from credit reporting agencies; Information from third-party identity verification services; Internet search engines, including social media; and Government entities.|
|Use of the information we collect||To approve or decline loan applications; To service those products and services you have with us; With consultants and auditing firms, for institutional risk analysis and mitigation.|
|Sharing and Disclosing of information||We do not share your information except as allowed by law. We share information only with those vendors providing servicing of your products and services, and require they not sell, share, or use your information for any other purpose. We share information with consultants and auditors for institutional risk analysis and mitigation.|
|Opting out of our selling||We do not sell your information.|
|The right to know what personal information is collected about you||The general categories are described above.|
|The right to access your personal information||To obtain the specific information we have collected about you, please complete and submit the DSAR form below. We will acknowledge your request within 10 business days, and will provide the requested information within 45 days. If we are not able to respond within 45 days, we will inform you and respond within an additional 45 days. You may request this information up to two times per 12 month period. We reserve the right to verify the legitimacy of all requests, using any information you have given us, or any transactional information we have. We are prevented from providing the following: 1) Your social security number; 2) Driver’s license or other government issued identification number; 3) Financial account number; 4) Any health insurance or medical identification number (if we have it); 5) Account passwords or security questions and answers|
|The right to have your information deleted||Federal laws may govern our retention of your information, however anything we are not required to maintain under those guidelines may be deleted. You may request deletion of specific information by contacting us in one of the ways described above. Exceptions to our deletion responsibilities include information necessary to: 1) Complete the transaction for which the information is collected; 2) Provide a good or service requested by you or reasonably anticipated within the context of our ongoing business relationship with you; 3) Perform a contract between us and you; 4) Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or to prosecute those responsible for that activity; 5) Debug to identify and repair errors; 6) To enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us; 7) Comply with a legal obligation; 8) Otherwise use your information internally in a lawful manner that is compatible with the context in which you provided the information. To request that information be deleted, please complete the DSAR form below.|
|The right to non-discrimination for the exercise of your Consumer Privacy Rights under this Act.||You have the right not to receive discriminatory treatment by us for the exercise of your privacy rights conferred by the California Consumer Privacy Act (CCPA).|
|The right to allow an authorized agent to make a request.||You may designate an authorized agent to make a request under the CCPA on your behalf. We retain the right to verify the legitimacy of that designation, and to identify both you and the agent. We will identify you with information you have previously provided to us and with information about your account(s) or transactions.|
|The right to opt-out of the sale of personal information where we might otherwise sell it.||We do not sell your information.|
If you have any other queries or requests relating to your rights under CCPA, please complete the Data Subject Access Request (DSAR) Form below and we'll get back to you: