How do I submit my request to delete personal information under the California Consumer Privacy Act (CCPA)?California Privacy Policy

CALIFORNIA PRIVACY POLICY

Last Updated: February 5, 2020

As a resident of California, if you'd like to have your information deleted or not be shared with a third party used for advertising purposes, you can submit a request via email (Support@bookamillion.com), 

 

INTRODUCTION

Books-A-Million, Inc., Booksamillion.com Inc., BAM Card Services, LLC, 2nd and Charles, American Wholesale Book Company, and Yogurt Mountain, LLC (collectively “The Company”, “we”, “us”, and “our”) supplements the information contained in its Privacy Policy with this California Privacy Policy (the “Policy”), which applies solely to visitors, users, consumers, and others who reside in the State of California (“consumers” or “you”).  We adopt this Policy to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and other California privacy laws.  Any terms defined in the CCPA have the same meaning when used in this Policy.  We are committed to protecting the privacy and security of the personal information we collect, use, share, and otherwise process as part of our business.  This Policy will provide you with a comprehensive description of our practices regarding the collection, use, disclosure, and sale of personal information of California residents and of the rights you have regarding your personal information.

For the purposes of the CCPA, we currently collect the categories of personal information listed in the chart below:

Category of Personal Information

Description

Identifiers

Examples: Real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, driver’s license number, passport number, or other similar identifiers

Categories of personal information described in the California Customer Records statute

Examples: Name, signature,  address, telephone number, passport number, driver’s license or state identification card number, bank account number (?), credit card number, debit card number, or any other financial information, medical information

Characteristics of protected classifications

Examples: Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, sexual orientation, veteran or military status

Commercial information

Examples: Records of personal property, products or services (work, labor, and services, including services furnished in connection with the sale or repair of goods) purchased, obtained, or considered, or other purchasing or consuming histories or tendencies

Internet or other electronic network activity information

Examples: browsing history; search history; internet service provider (ISP); type of computer; operating system; type of web browser; URLs of any referring or exited webpages; information about your interaction with the Site or advertisements on it; data about which pages you visit; and the date and time of your visit

Geolocation data

Examples: Location data automatically collected during use of the Site; location data provided when locating stores; shipping and billing information; zip code

Audio, electronic, visual, thermal, olfactory, or similar information

Examples: Call center recordings and electronic communications with us

 Professional or employment-related information

Examples: Work history, experience, and references

 

 Education information

Examples: Information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).

Inferences

Examples: Derivation of information, data, assumptions, or conclusions from facts, evidence, or another source of information or data) drawn from any of the information identified above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

 

Business or Commercial Purposes: We use the categories of personal information listed above to provide our products and services to you, to operate, manage, and maintain our business, and to accomplish other business and commercial purposes, including the following:

  • To process your purchases and returns;
  • To process your payments and refunds;
  • To detect fraud and prevent loss;
  • To provide you with information about our products and services;
  • To enable you to track the status of your purchase or return;
  • To establish and maintain your user account with us;
  • To allow you to contact us and facilitate your communication with us; 
  • To manage our relationship with you;
  • To personalize your experience;
  • To enhance your experience in stores and online;
  • To authenticate you; 
  • To present and improve content and functionality on our websites;
  • To provide and improve customer service;
  • To deliver products and services to you;
  • To comply with your instructions;
  • To conduct research and analysis;
  • To provide notice of changes to our websites or the produces and services we offer;
  • To administer a context, promotion, survey or other feature;
  • To respond to visitor, subscriber, and customer inquiries;
  • To market our products and services to you or to send you information about The Company; including our affiliates, or products or services that may be of interest to you;
  • To contact you when necessary;
  • For any purpose related to and/or ancillary to any one of the purposes and uses described in this Policy or The Company’s general Privacy Policy;
  • To engage with you on social media;
  • To register you for your email or text message distribution lists;
  • To send you periodic emails or text messages;
  • To operate our business;
  • To ensure safety of person or property;
  • To ask you if you would like for us to share your information with third parties; and
  • In any other way we may describe when you provide the information. 

Other Processing Activities: As permitted by applicable law, we may use all of the personal information that we collect in order to:

  • Comply with federal, state, or local laws;
  • Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities;
  • Cooperate with law enforcement agencies concerning conduct or activity that we, a service provider, or a third party reasonably and in good faith believe may violate federal, state, or local law;
  • Exercise or defend legal claims; and
  • Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information.

Additional Data Collection and Uses:  We will not collect categories of personal information other than those disclosed above without providing a new notice at collection.  In addition, we will not use your personal information for any purpose other than those disclosed above.  If we intend to use your personal information for a purpose that was not previously disclosed in the notice at collection, we will directly notify you of the new use and obtain consent from you to use it for the new purpose.

 

CALIFORNIA CONSUMER RIGHTS

 

DATA PRACTICES DURING LAST 12 MONTHS

Personal Information Collected: As described in this policy, we have collected the categories of personal information listed below during the preceding 12 months:

  • Identifiers
  • Categories of personal information described in the California Customer Records statute
  • Characteristics of protected classifications
  • Commercial information
  • Internet or other electronic network activity information
  • Geolocation data
  • Audio, electronic, visual, thermal, olfactory, or similar information
  • Professional or employment-related information
  • Education information
  • Inferences

We do not sell your personal information and have not sold categories of personal information during the preceding 12 months.  We will not sell your personal information unless we modify this Policy and take additional steps as may be required under the CCPA.

Personal Information Disclosed for a Business Purpose.  We have disclosed for a business purpose the categories of personal information listed below during the preceding 12 months:

  • Identifiers
  • Categories of personal information described in the California Customer Records statute
  • Characteristics of protected classifications
  • Commercial information
  • Internet or other electronic network activity information
  • Geolocation data
  • Audio, electronic, visual, thermal, olfactory, or similar information
  • Professional or employment-related information
  • Education information
  • Inferences

We have disclosed each category of personal information to the following categories of third parties: (1) corporate parents, subsidiaries, and affiliates; (2) advisors (accountants, attorneys); (3) service providers (data analytics, data storage, mailing, marketing, payment processing, website and platform administration, technical support); (4) operating systems and platforms; (5) advertising networks; (6) internet service providers; and (7) social networks. 

This section explains each financial incentive and price or service difference that we may offer in exchange for the retention or sale of your personal information so that you may make an informed decision on whether to participate.  A “price or service difference” is (1) any difference in the price or rate charged for any goods or services to any consumer, including through the use of discounts, financial payments, or other benefits or penalties; or (2) any difference in the level or quality of any goods or services offered to any consumer, including denial of goods or services to the consumer.

Summary. We offer the following financial incentives and price or service differences: [***].

Material Terms.  The material terms of the financial incentives and price or service differences are as follows: [***]

Categories of personal information implicated by the financial incentive or price or service difference: [***]

The financial incentive or price or service difference is permitted under the CCPA because it is reasonably related to the value provided by the consumer’s data.  We have obtained a good-faith estimate of the value of the consumer’s data that forms the basis for offering the financial incentive or price or service difference.  This estimate was calculated by [method], and it provides that the estimated value is [***]. 

How to opt-in.  You may opt-in to the financial incentive or price or service difference by [***]

How to withdraw:  You have the right to withdraw from the financial incentive at any time.  You may exercise that right by: [***]

 

CCPA REQUESTS TO KNOW AND REQUESTS TO DELETE

The CCPA gives consumers the right to request that we (1) disclose what personal information we collect, use, disclose, and sell, and (2) delete certain personal information that we have collected or maintain.  You may submit these requests to us as described below, and we honor these rights where they apply.

However, by way of example, these rights do not apply where we collect or sell a consumer’s personal information if: (1) we collected that information while the consumer was outside of California, (2) no part of a sale of the consumer’s personal information occurred in California, and (3) no personal information collected while the consumer was in California is sold.  In addition, de-identified information is not subject to these rights.

If a request is submitted in a manner that is not one of the designated methods for submission, or if the request is deficient in some manner unrelated to our verification process, we will either (1) treat the request as if it had been submitted in accordance with the designated manner, or (2) provide you with specific directions on how to submit the request or remedy any deficiencies with the request, as applicable.

Request to Know

As described below, you have the right to request: (1) the specific pieces of personal information we have collected about you; (2) the categories of personal information we have collected about you; (3) the categories of sources from which the personal information is collected; (4) the categories of personal information about you that we have sold and the categories of third parties to whom the personal information was sold; (5) the categories of personal information about you that we disclosed for a business purpose and the categories of third parties to whom the personal information was disclosed for a business purpose; (6) the business or commercial purpose for collecting, disclosing, or selling personal information; and (7) the categories of third parties with whom we share personal information.  Our response will cover the 12-month period preceding our receipt of a verifiable request.

Submission Instructions.  You may submit a request to know via a toll-free telephone call to [1-800-201-3550] or support@booksamillion.com.  

Verification Process.  We are required by law to verify the identities of those who submit requests to know, and our verification process is described in detail below. We will inform you if we cannot verify your identity.

  • If we cannot verify the identity of the person making a request for categories of personal information, we may deny the request. If the request is denied in whole or in part for this reason, we will provide a copy of, or direct you to, our privacy policy.
  • If we cannot verify the identity of the person making the request for specific pieces of personal information, we are prohibited from disclosing any specific pieces of personal information to the requestor. However, if denied in whole or in part for this reason, we will evaluate the request as if it is seeking the disclosure of categories of personal information about the consumer.
  • If there is no reasonable method by which we can verify the identity of the requestor to the degree of certainty required, we will state this in our response and explain why we have no reasonable method by which we can verify the identity of the requestor.

Response Process. Upon receiving a request to know, we will confirm receipt of the request within 10 business days and provide information about how we will process your request. The information provided will describe our verification process and when you should expect a response from us (unless we have already granted or denied the request).  In general, we will respond to the request within 45 days from the day we receive it; but, if necessary, we may take up to an additional 45 days to respond to your request.  If an extension is needed, we will notify you of the extension and explain the reasons that responding to your request will take more than 45 days.

Once verification is complete, we will associate the information provided by you in the verifiable consumer request to any personal information previously collected by us about you.  We will promptly take steps to disclose and deliver, free of charge to you, the information requested.  We will provide an individualized response to requests regarding categories of personal information as required by applicable law; but, we may refer you to our general practices outlined in this Policy when our response would be the same for all consumers and all the information that is otherwise required to be in a response is presented here.

If you do not have a password-protected account with us, we may respond to a request to know related to household personal information by providing aggregate household information.  If all consumers of a household jointly request access to specific pieces of personal information for the household, we will comply with the request if we can verify the identity of each consumer.

Delivery. Except as otherwise provided by applicable law, the information will be provided in writing and may be delivered through your account with us.  If you do not maintain an account with us, we will respond by mail or electronically (at your option) in a portable and, to the extent technically feasible, readily-useable format that allows you to transmit the information to another entity.  Alternatively, we may offer a secure self-service portal for consumers to access, view, and receive a portable copy of their personal information.  If we do not take action on your request, we will, without delay and, at the latest, within the time period permitted for our response, inform you of the reasons that we did not take action and any rights you may have to appeal the decision.

Limitations. We are committed to responding to requests to know in accordance with applicable law.  However, your rights are subject to the following limitations:

  • We are only required to respond to requests to know twice in a 12-month period.
  • We are prohibited from disclosing Social Security numbers, driver’s license numbers, other government-issued identification numbers, financial account numbers, health insurance numbers, medical identification numbers, account passwords, security questions and answers, or unique biometric data generated from measurements or technical analysis of human characteristics.

Denials. If we deny a verified request to know specific pieces of personal information, in whole or in part, because of a conflict with federal or state law, or an exception under applicable law, we will inform the requestor and explain the basis for the denial.  If the request is denied only in part, we will disclose the other information sought by the consumer.

Request to Delete

You have a right to request the erasure/deletion of certain personal information collected or maintained by us.  As described below, we will delete your personal information from our records and direct any service providers (as defined under applicable law) to delete your personal information from their records.

Submission Instructions.  You may submit a request to delete via via a toll-free telephone call to [1-800-201-3550] or support@booksamillion.com. We may present you with the choice to delete select portions of your personal information, but a global option to delete all personal information will be offered and more prominently presented.

Verification Process.  We are required by law to verify the identities of those who submit requests to delete, and our verification process is described in detail below.  We will inform you if we cannot verify your identity. 

  • If we cannot verify the identity of the person making a request to delete, we may deny the request. We will, however, treat the request as a request to opt-out of sales of personal information.
  • If there is no reasonable method by which we can verify the identity of the requestor to the degree of certainty required, we will state this in our response and explain why we have no reasonable method by which we can verify the identity of the requestor.

Response Process. Upon receiving a request to delete, we will confirm receipt of the request within 10 business days and provide information about how we will process your request.  The information provided will describe our verification process and when you should expect a response from us (unless we have already granted or denied the request).  We will use a two-step process for online requests to delete in which you must first, clearly submit the request to delete and then second, separately confirm that you want your personal information deleted.  In general, we will respond to the request within 45 days from the day we receive it; but, if necessary, we may take up to an additional 45 days to respond to your request.  If an extension is needed, we will notify you of the extension and explain the reasons that responding to your request will take more than 45 days.

Once verification is complete, we will take one of the following actions: (1) permanently and completely erase the personal information on our existing systems (with the exception of archived or back-up systems); (2) deidentify the personal information; or (3) aggregate the consumer information.  For personal information stored on archived or backup systems, we may delay compliance with your request to delete for that data until the archived or backup system relating to that data is restored to an active system or next accessed or used for a sale, disclosure, or commercial purpose.

If you do not have a password-protected account with us, we may respond to a request to delete related to household personal information by providing aggregate household information.  If all consumers of a household jointly request deletion for the household, we will comply with the request if we are able to verify the identity of each consumer.

Delivery.  In our response to you, we will inform you of whether or not we have complied with the request. We will also inform you of our obligation to maintain a record of the request under California law.

Limitations.  We are committed to responding to requests to delete in accordance with applicable law.  However, we are not required to delete your personal information if it is necessary for us (or our service providers) to maintain your personal information in order to:

  • Complete the transaction for which the personal information was collected;
  • Fulfill the terms of a written warranty or product recall conducted in accordance with federal law;
  • Provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you;
  • Otherwise perform a contract between us and you;
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity;
  • Debug to identify and repair errors that impair existing intended functionality;
  • Exercise free speech, ensure the right of another consumer to exercise his/her right of free speech, or exercise another right provided for by law;
  • Comply with the California Electronic Communications Privacy Act;
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of such research, if you have provided informed consent;
  • Enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us;
  • Comply with a legal obligation; and
  • Otherwise use the personal information, internally, in a lawful manner that is compatible with the context in which the information was provided.

Denials.  If we deny your request, we will (1) inform you that we will not comply with the request and describe the basis for the denial; (2) delete the personal information that is not subject to the exception; and (3) not use the personal information retained for any other purpose than provided for by the applicable exception(s).

Verification Procedures

To determine whether the individual making the request is the consumer about whom we have collected information, we will verify your identity by matching the identifying information provided by you in the request to the personal information that we already maintain about you.  As a part of this process, you will be required to provide [].

If we cannot verify your identity based on the information already maintained, we may request additional information from you.  We will try to limit the information collected, and we will only use this information to verify your identity and for security or fraud-prevention purposes.  Except as required by law, we will delete any new personal information collected for the purposes of verification as soon as practical after processing the request.

We require different levels of authentication based upon the nature of the personal information requested. A more stringent verification process is applied when (1) sensitive or valuable personal information is involved, (2) there is a greater risk of harm to the consumer, and/or (3) there is a higher likelihood that fraudulent or malicious actors would request the information.

Password-Protected Account. If you have a password-protected account with us, we may verify your identity through our existing authentication practices for the account. We will require you to re-authenticate yourself before disclosing or deleting your data.  If we suspect fraudulent or malicious activity on or from the password-protected account, we will not comply with the request until further verification procedures determine that the request is authentic and that the consumer making the request is the person about whom we have collected information.

Request to Know Categories. For a request to know categories of personal information, we will verify the identity of the consumer making the request to a “reasonable degree of certainty” by matching at least two (2) data points provided by the consumer with data points maintained by us, which we have determined to be reliable for the purpose of verifying the consumer.

Request to Know Specific Pieces. For a request to know specific pieces of personal information, we will verify the identity of the consumer making the request to a “reasonably high degree of certainty” by matching at least three (3) pieces of personal information provided by the consumer with personal information maintained by us, which we have determined to be reliable for the purpose of verifying the consumer, together with a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request. We are required by law to maintain all signed declarations as part of our record-keeping obligations.

Request to Delete.  For a request to delete, we will verify the identity of the consumer to a “reasonable degree of certainty” or a “reasonably high degree of certainty,” depending on the sensitivity of the personal information and the risk of harm to the consumer posed by unauthorized deletion.  For example, the deletion of family photographs and documents may require a reasonably high degree of certainty, while the deletion of browsing history may require a reasonable degree of certainty.

Authorized Agents

The CCPA allows you to use authorized agents to make requests on your behalf.  If you use an authorized agent to submit a request to know or request to delete, we may require you to: (1) provide the authorized agent with written permission to do so; and (2) verify your identity directly with us.  However, we will not require these actions if you have provided the authorized agent with power of attorney pursuant to the California Probate Code.  We may deny a request from an agent that does not submit proof that they have been authorized by the consumer to act on their behalf.

In addition to the individual identity verification procedure described above, authorized agents will be required to submit the following written documentation:

Businesses: If the authorized agent is operating as a business, you must provide: (1) a certificate of good standing with your state of incorporation; (2) written authorization document that includes each customer’s name, address, telephone number, and valid email address, signed and dated by each consumer authorizing you, as the authorized agent, to act on behalf of each consumer in making the request; and (3) a valid email address for each consumer for our direct correspondence with each consumer, including an identity verification process to be conducted by us directly with that consumer. 

Individuals: If the authorized agent is an individual, you must provide: (1) a “power of attorney” signed and dated by the consumer and notarized by a notary public naming you as the consumer’s authorized representative, which includes the consumer’s full name and physical California address and the consumer’s month/year of birth; (2) if you do not have a power of attorney signed by the consumer, then we require a written authorization document that includes the customer’s name, address, telephone number, and valid email address, signed by the consumer authorizing you, as the authorized agent, to act on behalf of the consumer in making the request; and (3) a valid email address for each consumer for our direct correspondence with each consumer, including an identity verification process to be conducted by us directly with that consumer. 

Excessive Requests

If requests from a consumer are manifestly unfounded or excessive, in particular because of their repetitive character, we may either (1) charge a reasonable fee, or (2) refuse to act on the request and notify the consumer of the reason for refusing the request.  If we charge a fee, the amount will be based upon the administrative costs of providing the information or communication or taking the action requested.

CCPA NON-DISCRIMINATION

You have the right not to receive discriminatory treatment by us due to your exercise of the rights provided by the California Consumer Privacy Act.  We do not offer financial incentives and price or service differences, and we do not discriminate against consumers for exercising their rights under the CCPA.

UPDATES AND CHANGES TO THIS POLICY

We reserve the right, at any time and without notice, to add to, change, update, or modify this Policy to reflect any changes to the way in which we treat your personal information or in response to changes in law. Should this Policy change, we will post all changes we make to this Policy on this page.  If we make material changes to how we treat your personal information, we will also notify you through a notice on the home page of the Websites for a reasonable period of time. Any such changes, updates, or modifications shall be effective immediately upon posting on the Site. The date on which this policy was last modified is identified at the beginning of this Policy.

You are expected to, and you acknowledge and agree that it is your responsibility to, carefully review this Policy prior to using the Websites, engaging with us on social media, or communicating with us, from time to time, so that you are aware of any changes.  Your continued use of the Site, engaging with us on social media, or communicating with us in any format after the “Last Updated” date will constitute your acceptance of and agreement to such changes and to our collection and sharing of your personal information according to the terms of the then-current Policy. 

 

CONTACT US

For more information, or if you have any questions regarding this Privacy Policy or wish to exercise your rights, you may contact us using the information below, and we will do our best to assist you.  Please note, if your communication is sensitive, you may wish to contact us by postal mail or telephone.

In Writing:

Books-A-Million Customer Service

402 Industrial Lane

Birmingham, AL 35211

By Telephone: (800) 201-3550
By Email: support@booksamillion.com

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Was this article helpful?
5 out of 8 found this helpful

Comments

0 comments

Article is closed for comments.