California Consumer Privacy Act Addendum to Firma Clinical Research Privacy Policy

California residents (“CA consumers,” hereafter “consumers”) have been granted special privacy data protections by law and regulation (the California Consumer Privacy Act [CCPA]), which protects the personal information of individually identifiable California-resident individuals and households. The protections for personal information in the CCPA are similar to, but not identical to, the principal European privacy regulation, the General Data Protection Regulation (GDPR). Firma Clinical Research (Firma) is a for-profit Business (the relevant CCPA term) that complies with both the CCPA and the GDPR.

The protected item in the CCPA is personal information, defined as “information that identifies, relates to, describes, is capable of being associated with or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Examples of such personal information (given by reference in the CCPA to California statutes 1798.80 and 1798.140) include the following non-exhaustive list:

• Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
• Any categories of personal information described in subdivision (e) of Section 1798.80, namely name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
• Characteristics of protected classifications under California or federal law.
• Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
• Biometric information.
• Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.
• Geolocation data.
• Audio, electronic, visual, thermal, olfactory, or similar information.
  Professional or employment-related information.
• Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).
• Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

In the past 12 months, Firma has collected personal information in the following categories:

• Identifiers, including real name, alias, postal address, unique personal identifier, online identifier, internet protocol (IP) address, email address, account name, social security number, driver’s license number
• Characteristics of protected classifications under California or federal law, such as age (40 years or older), race, ancestry, national origin, medical condition, physical or mental disability, sex (including gender, pregnancy and related medical conditions)
  Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement;
• Professional or employment-related information; and
  Education information

Sources of California personal information collected by Firma:

• Information given directly to Firma by consumers
• Information Firma gathers, either by automated or non-automated means, from its web site
• Public sources and data resellers
• Third-party websites

Business purposes for which Firma may use consumer personal information:

• Auditing related to a current interaction with the consumer and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
• Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
• Debugging to identify and repair errors that impair existing intended functionality.
• Short-term, transient use, provided that the personal information is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction.
• Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider.
• Undertaking internal research for technological development and demonstration.
• Undertaking activities to verify or maintain the quality or safety of a service or device that is owned or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned or controlled by the business.

Firma will ask consumers for permission if it wishes to use their personal information for a purpose not disclosed at the time of its collection.

Third parties (by the definition in California statute 1798.140) with which Firma may share personal information from consumers:

• Firma’s clients; if their contracts with Firma are not compliant with California statute 1798.140 (w);
• Firma’s service providers, such as home health agencies, if their contracts with Firma are not compliant with California statute 1798.140 (w);
• Other third parties to protect Firma’s legal rights or as required by law, such as to comply with a subpoena or other legal process,
  Other third parties involved in a transaction involving a transfer of Firma’s business or assets.
• Other third parties with a consumer’s prior consent.

Firma provides notice as soon as reasonably practicable. Such notice provides both the categories of personal information to be collected from consumers and the purposes for which each categories of personal information will be used.

Consumer rights over their personal information:

• The CCPA gives consumers specific rights over their personal information. These rights include the following:
  • the right to request that the business disclose what personal information it collects, uses, discloses, and sells (during the previous 12 months). This “request to know” includes requests for any or all of the following:
    • Specific pieces of personal information that a business has collected about the consumer;
    • Categories of personal information it has collected about the consumer;
    • Categories of sources from which the personal information is collected;
    • Categories of personal information that the business sold or disclosed for a business purpose about the consumer;
    • Categories of third parties to whom the personal information was sold or disclosed for a business purpose; and
    • The business or commercial purpose for collecting or selling personal information.
  • A consumer also has the right to request that a Business “delete personal information about the consumer that the business has collected from the consumer, pursuant to Civil Code section 1798.105” (a “request to delete”).
  • Consumers also have the right to request that a Business not sell a consumer’s personal information to third parties, a “request to opt-out.” [Since Firma does not sell any personal information, this request is not relevant to Firma.]
  • Firma has not disclosed for a business purpose or sold to third parties any personal information in the preceding 12 months.
• A consumer can make requests to know and requests to delete by either of the following 2 methods:
  • Calling the following toll-free number: 833 572 5898
  • Sending an e-mail to privacy@firmaclinical.com
• In order to fulfill a consumer request, Firma must be able to verify the requesting consumer’s identity. If we cannot fulfill a consumer’s request, Firma will explain why. The consumer herself/himself or a duly authorized representative must make the request. A consumer may also make a request for her/his minor child. There is no charge for a consumer request to know or delete unless it is excessive, repetitive, or manifestly unfounded. For data portability requests, Firma will use a widely-employed digital format, such as .pdf. A consumer may make 2 or fewer requests in a 12-month period. Firma will not discriminate against a consumer for exercising any of her/his rights under the CCPA.

As used in this CCPA Addendum, the term “California Personal Information” does not include the following:

• Information Firma collects as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration;
• Other medical information services that Firma performs under contract with its clients.
• Deidentified data, aggregated consumer information; or publicly available information lawfully made available from federal, state, or local government records;
• Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA); and
• Personal information covered by other sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Driver’s Privacy Protection Act of 1994, and the federal Gramm-Leach-Bliley Act, and implementing regulations, or the California Financial Information Privacy Act.

Firma reserves the right to update this privacy policy at any time. The new policy will be in effect from the time it is publicly displayed.