Frequently Asked Questions for RRMC NA and California Consumer Privacy Act, California Privacy Rights Act, Virginia Consumer Data Protection Act, Colorado Privacy Act, Utah Consumer Privacy Act, and Connecticut Data Privacy Act:
Depending on your relationship with us and applicable laws, you may have various rights.
3. What is the California Consumer Privacy Act?
California Consumer Privacy Act (CCPA) is an act passed by the California legislature in 2018. It took effect on January 1, 2020. The rights under CCPA apply to all California residents.
4. What are my rights under the California Consumer Privacy Act?
Your right of access includes the right to request we disclose the categories and specific pieces of your personal information collected, the sources from which your personal information is collected, the business or commercial purpose we collect it, and with whom we share your personal information. Your right of access also includes the right to request we disclose for the preceding 12 months (or longer where you have requested it) the categories of your personal information we have collected or sold, the categories of third parties to whom we have sold it, and the categories of personal information that we have disclosed about you for a business purpose.
5. What is the California Privacy Rights Act?
On November 3, 2020, California voters approved the California Privacy Rights Act (CPRA), a consumer privacy ballot initiative that amends and expands the CCPA. The CPRA's substantive provisions become effective on January 1, 2023. Until then, the CCPA will remain in force. The CPRA provides consumers with expanded privacy rights, including the right to request that the business correct inaccuracies in their personal information and, in certain circumstances, to direct a business to limit its use of sensitive personal information. Additionally, a consumer’s opt out rights may extend to third-party behavioral advertising.
Under CPRA, a consumer’s right of access may, in some cases, extend beyond the 12-month period specified in CCPA. You may ask that we disclose information beyond the 12-month period. However, in some cases, we may not be able to accommodate the longer look back period, such as when the time extension proves impossible or would require disproportionate effort.
6. What is the Virginia Consumer Data Protection Act?
The Virginia Consumer Data Protection Act (CDPA) was signed into law on March 2, 2021 and is set to take effect on January 1, 2023. The CDPA provides consumers with the right to access, correct, and delete their personal information, as well as the right of data portability. Consumers also have the right to opt out of cross-context behavioral advertising, the sale of personal data, and certain profiling. Additionally, the CDPA requires that businesses obtain opt-in consumer consent to process sensitive data.
7. What is the Colorado Privacy Act?
The Colorado Privacy Act (CPA) was signed into law on July 8, 2021 and is scheduled to take effect on July 1, 2023. The CPA provides consumers with the right to access, correct, and delete their personal data, obtain a portable copy of their personal data, and opt out of cross-context behavioral advertising, the sale of personal data, or certain profiling. The CPA requires that businesses obtain opt-in consumer consent to process sensitive data.
8. What is the Utah Consumer Privacy Act?
Governor Spencer Cox signed the Utah Consumer Privacy Act (UCPA) into law on March 24, 2022. The law goes into effect on December 31, 2023. Under the UCPA, consumers have the right to access their personal data, delete the personal data they provided to the controller, data portability, opt out of the sale of their personal data, and opt out of the processing of their personal data for purposes of targeted advertising. The UCPA does not give consumers the right to correct their personal data, nor do they have the right to opt out of profiling.
9. What is the Connecticut Data Privacy Act?
Governor Ned Lamont signed “An Act Concerning Personal Data Privacy and Online Monitoring,” also known as the Connecticut Data Privacy Act (CTDPA), into law on May 10, 2022. The law goes into effect on July 1, 2023. Under the CTDPA, consumers have the right to access, delete, and correct their personal data, to obtain a copy of their personal data in a portable format, and to opt out of the sale of their personal data and the processing of their personal data for purposes of targeted advertising or certain profiling. The CTDPA requires that businesses obtain opt-in consumer consent to process sensitive data.
10. How do you use my sensitive personal information?
RRMC NA may use your sensitive personal information to maintain or service accounts, provide customer service, process and provide products and services, verify customer information, verify the quality or safety of a service or product, provide information security, improve, upgrade, develop, or enhance our Services, conduct website and mobile app analysis, provide analytic services, provide storage, provide Services, process payments, develop our websites and mobile apps, market products and services, or other similar services.
11. Where can I exercise my rights under the California Consumer Privacy Act, California Privacy Rights Act, Virginia Consumer Data Protection Act, Colorado Privacy Act, Utah Consumer Privacy Act or the Connecticut Data Privacy Act?
You may exercise your rights under applicable state laws by visiting our website or by calling 1-877-877-3735 Monday through Thursday, 9am-9pm ET and Friday, 9am-6pm ET.
12. Does RRMC NA sell my personal information?
RRMC NA does not sell your personal information. However, RRMC NA may use personal information for behavioral advertising, which may be considered to be a sale of personal information under some state privacy laws. You may have the right to opt out of cross-context behavioral advertisements.
13. How about my BMW Financial Services account?
14. How about RRMC Centers?
15. How do I opt out of RRMC NA selling or sharing my personal information?
You need not opt out of the selling of your personal information because RRMC NA does not sell your personal information. However, RRMC NA may use personal information for behavioral advertising, which may be considered to be a sale of personal information under some state privacy laws. You may have the right to opt out of cross-context behavioral advertisements. You may adjust your settings relating to online behavioral advertising on our website by clicking the Do Not Sell My Personal Information link, adjusting your cookies, or using the NAI or DAA websites.
16. What about my rights regarding cross-context behavioral advertising or targeted advertising?
If you are a consumer, you may have the right to opt out of the sharing of your information for purposes of cross-context behavioral advertising. Some state privacy laws, like Virginia, Colorado, and Utah may call this “targeted advertising.” You may opt out of this type of sharing by visiting our website.
Please note that the term “targeted advertising” can mean different things depending on how it is defined in a privacy statute or other law. At times, it is essentially interchangeable with the term “cross-context behavioral advertising.” For example, under the CPRA, “cross-context behavioral advertising” is defined as the “targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.” The broad definition covers a business’s collection of a consumer’s personal information across third-party digital properties for the purposes of targeted advertising.
Both the CDPA and CPA use the word “targeted advertising” to mean something similar. Under CDPA § 59.1-571, "targeted advertising" means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer's activities over time and across nonaffiliated websites or online applications to predict such consumer's preferences or interests. Similarly, CPA § 6-1-1303(25) defines "targeted advertising" as “displaying to a consumer an advertisement that is selected based on personal data obtained or inferred over time from the consumer's activities across nonaffiliated websites, applications, or online services to predict consumer preferences or interests.”
17. What types of cookies and tracking technologies may our Services use?
Our Services may use the following cookies and tracking technologies, among others:
i. 'Session' cookies: Session cookies are temporary bits of information that are erased once you exit your web browser window or log out of a mobile app. Session cookies are used, for example, to improve navigation on our Services, block visitors from providing information where inappropriate (e.g., the website may remember previous entries of age that are outside the permitted parameters and block subsequent changes) and to collect aggregated statistical information.
ii. 'Persistent' cookies: Persistent cookies are more permanent bits of information that are placed on the hard drive of your computer or mobile device and stay there unless you delete the cookie. Persistent cookies store information on your computer or mobile device for a number of purposes, such as retrieving certain information you have previously provided, helping to determine what areas of the website visitors find most valuable, and customizing the website based on your preferences on an ongoing basis.
iii. 'Web beacons' (also known as internet tags, single-pixel GIFs, clear GIFs, and invisible GIFs): A web beacon is a tiny graphic on a web page or in an email message that is used to track pages viewed or messages opened. Web beacons tell the Services server information such as the IP address and browser type related to the visitor's computer. Web beacons may be placed on online advertisements that bring people to our Services and on different pages of our Services. Web beacons provide us with information on how many times a page is opened and which information is consulted.
18. Why might we allow third-party partners to place cookies on your computer or mobile device?
Like most advertisers, we may place advertisements where we think they will be most relevant to customers. One way we might do so is by allowing network advertising companies with whom we work to place their own cookies or similar markers when an individual visits our Services. This enables the network advertising companies to recognize individuals who have previously visited our Services. When the individual visits a third-party website on which that network advertising company has purchased ad space, the advertising company can then recognize the individual's interest in RRMC products and services and deliver one of our advertisements.
19. What choices do I have regarding cookies, including third-party cookies and the delivery of targeted advertisements on third-party sites?
20. Who can I contact regarding other questions for California Consumer Privacy Act, California Privacy Rights Act, Virginia Consumer Data Protection Act, Colorado Privacy Act, Utah Consumer Privacy Act, Connecticut Data Privacy Act and RRMC NA?
You may read more about your rights under CCPA, CPRA, CDPA, CPA, UCPA or CTDPA by reading our States Privacy Rights Statement above. You may read more about the CCPA and CPRA by visiting the California Attorney General’s website. You may read more about the CPRA, CDPA, CPA, UCPA or CTDPA. You may also contact RRMC NA with any remaining privacy questions by calling 1-877-877-3735.
21. What must I do to access my personal information under CCPA, CPRA, CDPA, CPA, UCPA, or CTDPA?
You must either use our website or call us at 1-877-877-3735 Monday through Thursday, 9am-9pm ET or Friday, 9am-6pm ET. You must provide us with your personal information so we may verify your request and locate your information in our systems. If we are unable to verify your identity as described in this privacy statement, we will be unable to process your request. If we are able to verify your identity and you are a current RRMC NA customer, we may deliver your personal information access report through our data subject rights portal or certified mail.
22. When I access my information, why is my personal information displayed in the manner in which it is displayed?
In allowing you to access your information, we consolidate information from various applications to provide data about the products and services you have with us in a single report. Some of this information may include variations of your personal information and may be limited to data collected or generated in the 12 months prior to the date of your request (or longer if you have requested it).
23. How do I correct my information?
24. What if I am a job applicant?
25. Are there any authorized agent designation requirements?
Some states, like Virginia and Utah, do not provide for an authorized agent to exercise a right on behalf of a consumer. Other states, like California, Colorado, and Connecticut, do permit the use of authorized agents.
We may require that your designated authorized agent provide us with a written declaration signed by you that the authorized agent is permitted to make a request on your behalf. When an authorized agent makes a request on your behalf, we will deliver to you, not the authorized agent, the responsive documents.
As you must with a direct consumer request, you or your designated authorized agent must provide us with adequate information to verify your identity. We may verify your identity by matching the information you provide with our records. If we cannot verify your identity, we will let you know and may deny the request. We may also require that your authorized agent comply with the requirements of applicable law, such as being registered with the appropriate Secretary of State.
26. Does RRMC NA charge a fee to respond to requests?
Generally, no. However, under CCPA, CPRA, CDPA, UCPA, and CTDPA, we may charge a reasonable fee for or refuse to act on requests that are manifestly unfounded or excessive, including repetitive requests. If we refuse to act on a request, we will notify you of the reason.
Under the CPA, your first request is free. However, we may charge a fee if you make more than one request in a 12-month period.
27. How long will it take to process my request?
We attempt to verify and complete requests within 45 days. In some cases, it may be necessary to extend the time frame. You will be notified if a request cannot be fulfilled and an extension is needed.
28. Why didn’t I get any information?
It may be that we were unable to find you in our systems with the information you provided to us. If you make a subsequent request and provide additional information about yourself, we may be able to find out more information about you in our systems. It is also possible that any information you may have provided us has since been deleted as a part of our record retention policies. It is also possible that the information you requested is covered under one of the permitted exemptions under the CCPA, CPRA, CDPA, CPA, UCPA, CTDPA or other applicable privacy law.
29. Does my personal information access report include everything you have about me?
Not necessarily. Some types of information are exempt from the CCPA, CPRA, CDPA, CPA, UCPA or CTDPA. Generally, CCPA, CPRA, CDPA, CPA, UCPA, and CTDPA do not apply to credit reports under the Fair Credit Reporting Act (FCRA), financial records under GLBA, or medical records under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act.
In addition, please note that the applicable regulations do not require us to search for personal information if we:
• Do not maintain the personal information in a searchable or reasonably accessible format;
• Maintain the personal information solely for legal or compliance purposes;
• Do not sell the personal information and do not use it for any commercial purpose; and
• Describe to the consumer the categories of records that may contain personal information that we did not search because we met the three conditions stated above
The types of records we did not search include records relating to litigation, unstructured paper records, and other categories.
As a result, these types of personal information or records are not included in your personal information access report.
30. What happens when I request that you delete my data?
We delete your data subject to our legal obligations and related data retention policies and schedules.
Please note that, under the CPRA, we are not required to comply with your request to delete your personal information if it is reasonably necessary for RRMC NA to maintain your personal information in order to complete the transaction, fulfill the terms of a written warranty or product recall, provide a good or service you requested, perform the contract between us, help ensure security and integrity, debug to identify and repair errors, ensure free speech or other rights provided by law, comply with the California Electronic Communications Privacy Act, engage in certain scientific, historical, or statistical research, enable internal uses that are expected and context compatible, and comply with a legal obligation.
As permitted under the applicable regulations, we may retain your personal information in our backup or archival systems until the retention period of those systems expires.
31. Can I delete my data in a RRMC app?
Yes, you can delete your data in a RRMC app. There are several ways to accomplish this:
- For some data types, you can delete the individual data elements, such as a single destination.
- You can delete all app data by clicking the “clear all application data” in the privacy menu in the app. This deletes all the data generated and collected by the app except your vehicle data and other non-application data.
32. Are there exceptions to compliance with these laws and my requests?
Yes, CPRA, CDPA, CPA, UCPA or CTDPA may create exceptions to compliance for the following reasons, among others: Complying with federal, state, or local laws or regulations or with a court order or subpoena; complying with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons; cooperating with law enforcement agencies concerning matters that may violate the law; cooperating with a government agency access request when a person is at risk of injury or death or otherwise protecting the vital interests or physical safety of an individual; exercising or defending legal claims; providing a product or service requested by the consumer; performing a contract to which the consumer is a party; fulfilling the terms of a written warranty; performing internal operations that are reasonably aligned with the expectations of the consumer; preventing and protecting against security incidents, identity theft, and other illegal activity; preserving the integrity or security of systems; ensuring the exercise of free speech; and when compliance by the business would violate an evidentiary privilege.
33. What about deidentified information?
RRMC NA may deidentify or aggregate your personal information in compliance with the CCPA and CPRA. In those situations, we are not obligated to provide access to or delete this information in response to a request.
34. For what purposes do you use the information provided in my requests?
We use the information you provide us to verify your identity and process your request.
35. How long do you retain the information about my request?
We retain the information relating to your request in accordance with our legal obligations and records retention policies and schedules. We will maintain, for a minimum of 24 months, a record of your request as required under CCPA. Communications provided to you through our data subject rights portal are available for 90 days.
36. How long do you retain my information?
We retain your information in accordance with our legal obligations and records retention policies and schedules. We may delete your data once the legal obligation expires or after the period of time specified in our retention policies.
37. Why was my request denied?
The security of your information is of utmost importance to us. We need to ensure that you are who you claim to be. We may deny your request if we are unable to verify your identity based on the information you provide with your request. Among other reasons, your request may also be denied if you have made more than two requests in the past 12-month period. We may provide you with the reason for the denial.
38. How many requests may I make in one year?
You may make two requests to access your personal information in a 12-month period under the CCPA, CPRA, and CDPA. You may make more than two requests; however, we are not required under the CCPA, CPRA, or CPDA to respond to them. Under the CPA, UCPA, and CTDPA, you may make one request in a 12-month period free of charge. While you may make subsequent requests during that period, we may charge a fee for such requests.