California Privacy Notice

FirstGroup America, Inc., California Privacy Notice

Effective Date: January 1, 2020

This notice reflects our good faith understanding of the law and our data practices as of the date posted, however the CCPA’s implementing regulations are not yet final and there remain differing interpretations of the law.  Accordingly, we may from time-to-time update information in this and other notices regarding our data practices and your rights, modify our methods for responding to your requests, and/or supplement our response to your requests, as we continue to develop our compliance program to reflect the development of the law and our understanding of how it relates to our data practices.

This California Privacy Notice (“Notice”) applies to “Consumers” as defined by the California Consumer Privacy Act (“CCPA”) as a supplement to FirstGroup America, Inc., (or any of its subsidiaries or associated entities based in North America, with the exception of Greyhound) (“FirstGroup” “us” “we” “our”) other privacy policies or notices.  In the event of a conflict between any other FirstGroup policy, statement or notice and this Notice, this Notice will prevail as to California Consumers and their rights under the CCPA.  Please also see our general privacy policy posted or referenced on our websites, apps, products, or services including, without limitation,  www.firststudentinc.comwww.firsttransit.com, and firstcharterbus.com.

This Notice covers the collection, use, disclosure, and sale of California Consumers’ “Personal Information” (“PI”) as defined by the CCPA, except to the extent such PI is exempt from the notice obligations of the CCPA.  This Notice covers rights California Consumers have under the CCPA, as well as the notices required by other California laws.  The description of our data practices in this Notice, as required by the CCPA, covers only the prior calendar year and will be updated annually.  Our data practices in the current calendar year may change, and if our practices become materially different such that we think a Consumer would reasonably expect notice, we will provide notice in connection with the applicable collection, which may include reference to other applicable privacy policies and notices.

Consistent with the CCPA, job applicants, current and former employees and independent contractors (“Personnel”), and subjects of certain business-to-business communications acting solely in their capacity as representatives of another business, are not considered “Consumers” for purposes of this  Notice or the rights described herein.  However, our Personnel may obtain a separate privacy notice that is applicable to them by contacting our Human Resources department.

To aid in readability, in some places we have abbreviated or summarized CCPA terms or language.  Terms defined in the CCPA that are used in this Notice shall have the same meaning as in the CCPA.

You can click on the following blue links to navigate to the different sections in this Notice.


1. Our Personal Information Practices

This section describes our personal information practices for the calendar year 2019.  For more current detail see our general Privacy Policy and any notices we may provide at the point of collection.

PI WE COLLECT.

We collect and share PI from the following sources for the following purposes:

Category of PI

Examples

Sources of PI

Purposes for PI Collection

Categories of Recipients

1. Identifiers

(as defined in CCPA §1798.140(o)(1)(A))

This may include but is not limited to:  Full Name, Home Address, IP Address, Online Identifier, Personal Email, Postal Address, Previous Residence Address, Unique Personal Identifier, Work Email or other similar identifiers

Service Providers, Public Sources, Consumers, Business Customers, and Public Authorities / Government and Quasi-governmental Agencies, including airports and school districts

To securely process transactions and provide you our transportation services; and to troubleshoot and improve our services.

 

For example, to provide you with information about FirstGroup or to process insurance claims.

Service Providers, Banks, Customer Service Reps, External Agencies, External Auditors, Business Customers, and Public Authorities / Government and Quasi-governmental Agencies, including airports and school districts

2. Individual Records

(as defined in CCPA §1798.140(o)(1)(B))

This may include information such as: Claims History, Financial Processing Details, Children's Name, Contact Details, Date of Birth, Insurance Policy Information, Medical Condition, Parent's Names, and Phone Numbers

Service Providers, Public Sources, Consumers, Business Customers, and Public Authorities / Government and Quasi-governmental Agencies, including airports and school districts

To process transactions and provide our transportation services; and to troubleshoot and improve our services.

 

For example, to evaluate route efficiency and dispatching, to communicate with you, or to process insurance claims.

Service Providers, Banks, Customer Service Reps, External Agencies,
External Auditors, Business Customers, and Public Authorities / Government and Quasi-governmental Agencies, including airports and school districts

3. Protected Characteristics

(as defined in CCPA §1798.140(o)(1)(C))

This may include, but is not limited to: Age,  Disability or Specific Conditions, Military or Veteran Status

Service Providers, Consumers, Business Customers, and Public Authorities / Government and Quasi-governmental Agencies, including airports and school districts

To  process transactions and provide our transportation services; and to troubleshoot and improve our services.

For example, to process insurance claims or to provide reasonable accommodations to disabled persons.

Service Providers, Customer Service Reps, External Agencies, External Auditors, Business Customers, and Public Authorities / Government and Quasi-governmental Agencies, including airports and school districts

4. Customer Account Details

(as defined in CCPA §1798.140(o)(1)(D))

 

This may include, but is not limited to: Records of Products or Services Purchased.

Service Providers, Consumers, Business Customers, and Public Authorities / Government and Quasi-governmental Agencies, including airports and school districts

To process transactions and provide our transportation services; and to troubleshoot and improve our services.

Service Providers, Banks, Customer Service Reps, External Agencies, External Auditors, Business Customers, and Public Authorities / Government and Quasi-governmental Agencies, including airports and school districts

5. Internet Usage Information

(as defined in CCPA §1798.140(o)(1)(F))

This may include, but is not limited to: Browsing Time, Cookie Information, Interactions with Advertisements and Websites, Network Interaction History, and Website History

Service Providers and Consumers

 

To process transactions and provide  our transportation services; to serve more relevant content and ads, and to troubleshoot and improve our services.

Service Providers and
External Auditors

6. Geolocation Data

(as defined in CCPA §1798.140(o)(1)(G))

This may include, but is not limited to: Device Location Data and Physical Location Map Coordinates

Service Providers, Consumers, Business Customers, and Public Authorities / Government and Quasi-governmental Agencies, including airports and school districts

To  process transactions and provide  our transportation services; and to troubleshoot and improve our services.

 

For example, to evaluate route efficiency and more accurate scheduling.

Service Providers, External Agencies, External Auditors, Business Customers, and Public Authorities / Government and Quasi-governmental Agencies, including airports and school districts

7. Sensory Data

(as defined in CCPA §1798.140(o)(1)(H))

This may include, but is not limited to: Audio Information, Audio Recordings, Video recordings, Visual Information

Service Providers, Consumers, Business Customers, and Public Authorities / Government and Quasi-governmental Agencies, including airports and school districts

To  process transactions and provide  our transportation services; and to troubleshoot and improve our services.

For example,  calls may be recorded for quality assurance and we may use security cameras with audio recording on vehicles and in other physical spaces.

Service Providers, Customer Service Reps, External Agencies, External Auditors, Business Customers, and Public Authorities / Government and Quasi-governmental Agencies, including airports and school districts

8. Professional or Employment Information

(as defined in CCPA §1798.140(o)(1)(I))

This may include, but is not limited to: Employer/Place of Employment, and Travel History.

Service Providers, Consumers, Business Customers, and Public Authorities / Government and Quasi-governmental Agencies, including airports and school districts

To  process transactions and provide  our transportation services, and to troubleshoot and improve our services.

 

Service Providers, Customer Service Reps, External Agencies, External Auditors, Business Customers, and Public Authorities / Government and Quasi-governmental Agencies, including airports and school districts

9. Non-public Education Records

(as defined in CCPA §1798.140(o)(1)(J))

This may include but is not limited to: Grade, Languages; Individual Education Plans (IEPs).

Public Authorities / Government and Quasi-governmental Agencies, including airports and school districts

To  process transactions and provide  our transportation services; and to troubleshoot and improve our services.

For example, to provide reasonable accommodations to disabled persons.

N/A

10. Inferences from PI Collected

(as defined in CCPA §1798.140(o)(1)(K))

 

 

This may include, but is not limited to: Inferences and Preferences about your transportation needs.

Service Providers, Consumers, Business Customers, and Public Authorities / Government and Quasi-governmental Agencies, including airports and school districts

To securely process transactions and provide you our transportation services; and to troubleshoot and improve our services.

 

Service Providers, Customer Service Reps, Business Customers, and Public Authorities / Government and Quasi-governmental Agencies, including airports and school districts

As permitted by applicable law, we do not treat deidentified data or aggregate consumer information as PI and we reserve the right to convert, or permit others to convert, your PI into deidentified data or aggregate consumer information.  We have no obligation to re-identify such information or keep it longer than we need it to respond to your requests. 

Disclosures:

We collect, use and disclose the following categories of PI for business purposes:

  • Identifiers
  • Individual Records
  • Protected Characteristics
  • Customer Account Details / Commercial Information
  • Internet Usage Information
  • Geolocation Data;
  • Sensory Data;
  • Professional or Employment Information;
  • Non-public Education Information and
  • Inferences from PI Collected.

We do so for the following business purposes provided for in the CCPA:

  • Processing Interactions and Transactions
  • Managing Interactions and Transactions
  • Performing Services
  • Research and Development
  • Quality Assurance
  • Security
  • and Debugging.

Our vendors may themselves engage services providers or subcontractors to enable them to perform services for us, which sub-processing is, for purposes of certainty, an additional business purpose for which we are providing you notice.

In addition, we may collect, use and disclose your PI as required or permitted by applicable law.

Notwithstanding anything to the contrary in our other privacy notices, we typically restrict use of your PI that is shared with our vendors for business purposes, or we treat such disclosures as sales of your PI subject to your Do Not Sell rights.

Sales:

We do not believe that in 2019 we “Sold” PI. For more information on your Do Not Sell rights, see the Do Not Sell subsection of the California Privacy Rights section of this Privacy Notice below.

 

CALIFORNIA PRIVACY RIGHTS.

We provide California Consumers the privacy rights described in this section. You have the right to exercise these rights via an authorized agent who meets the agency requirements of the CCPA and related regulations.  To make a request, you may submit a form here or contact the FirstGroup Privacy Team at 1-844-930-1776, or USPrivacy@FirstGroup.com.  If you are disabled and need reasonable accommodations to facilitate your request, please let us know.  As permitted by the CCPA, any request you submit to us is subject to an identification and verification process.  We will verify identity based on matching information you provided with data we have maintained on you in our systems.  This data could include, but is not limited to, email address, mailing address, phone number, trip/quote number, pickup address or drop off address.  For your specific pieces of personal information, as required by the CCPA, we will apply the heightened verification standards set forth in subsection (ii) below.  If we are not satisfied that we have sufficiently verified your identity, we may direct you to this Notice for information on our PI practices generally.

Some PI we maintain about Consumers is not sufficiently associated with enough PI about the Consumer for us to be able to verify that it is a particular Consumer’s PI when a Consumer request that requires verification pursuant to the CCPA’s verification standards is made (e.g., clickstream data tied only to a pseudonymous browser ID).  As required by the CCPA we do not include that PI in response to those requests.  If we cannot comply with a request, we will explain the reasons in our response.  You are not required to create an account with us to make a Verifiable Consumer Request.  We will use PI provided in a Verifiable Consumer Request only to verify your identity or authority to make the request and to track and document request responses, unless you also gave it to us for another purpose.

We will make commercially reasonable efforts to identify Consumer PI that we collect, process, store, disclose and otherwise use and to respond to your California Consumer privacy rights requests.  In some cases, particularly with voluminous and/or typically irrelevant data, we may suggest that you receive the most recent or a summary of your PI and give you the opportunity to elect whether you want the rest or not.  We reserve the right to direct you to where you may access and copy responsive PI yourself. We will typically not charge a fee to fully respond to your requests; provided, however, that we may charge a reasonable fee, or refuse to act upon a request, if your request is excessive, repetitive, unfounded or overly burdensome.  If we determine that the request warrants a fee, or that we may refuse it, we will give you notice explaining why we made that decision.  You will be provided a cost estimate and the opportunity to accept such fees before we will charge you for responding to your request.

Consistent with the CCPA and our interest in the security of your PI, we will not deliver your social security number, driver’s license number or other government-issued id number, financial account number, any health or medical identification number, an account password, or security questions or answers in response to a CCPA request; however, you may be able to access some of this information yourself through your account if you have an active account with us.

Your California Consumer privacy rights are as follows:

The Right to Know

Information Rights:

You have the right to send us a request, no more than twice in a twelve-month period, for any of the following for the period that is twelve months prior to the request date:

  • The categories of PI we have collected about you.
  • The categories of sources from which we collected your PI.
  • The business or commercial purposes for our collecting or selling your PI.
  • The categories of third parties to whom we have shared your PI.
  • The specific pieces of PI we have collected about you.
  • A list of the categories of PI disclosed for a business purpose in the prior 12 months, or that no disclosure occurred.
  • A list of the categories of PI sold about you in the prior 12 months, or that no sale occurred. If we sold your PI, we will explain:
    • The categories of your PI we have sold.
    • The categories of third parties to which we sold PI, by categories of PI sold for each third party.

To make a request, you may submit a form here or contact the FirstGroup Privacy Team at 1-844-930-1776,  or USPrivacy@FirstGroup.com. If you are disabled and need reasonable accommodations to facilitate your request, please let us know.  As permitted by the CCPA, any request you submit to us is subject to an identification and verification process.  We will verify identity based on matching information you provided with data we have maintained on you in our systems.  This data could include, but is not limited to, email address, mailing address, phone number, trip/quote number, pickup address or drop off address.  For your specific pieces of personal information, as required by the CCPA, we will apply the heightened verification standards set forth in subsection (ii) below.  If we are not satisfied that we have sufficiently verified your identity, we may direct you to this Notice for information on our PI practices generally.

Please note that PI is retained by us for various time periods, so we may not be able to fully respond to what might be relevant going back 12 months prior to the request.

Obtaining Copies of PI:

You have the right to make or obtain a transportable copy, no more than twice in a twelve-month period, of your PI that we have collected in the period that is 12 months prior to the request date and are maintaining.  To make a request, you may submit a form here or contact the FirstGroup Privacy Team at 1-844-930-1776, or USPrivacy@FirstGroup.com.  As permitted by the CCPA, any request you submit to us is subject to an identification and verification process. We will verify identity based on matching information you provided with data we have maintained on you in our systems.  This data could include, but is not limited to, email address, mailing address, phone number, trip/quote number, pickup address or drop off address.  You may be required to execute an attestation under penalty of perjury.  If we are not satisfied that we have sufficiently verified your identity, we will treat your request as an information rights request (excepting for specific pieces), or may direct you to this Notice for information on our PI practices generally.

Please note that PI is retained by us for various time periods, so we may not be able to fully respond to what might be relevant going back 12 months prior to the request.

Do Not Sell:

We do not believe that we “Sell” Consumer PI as those terms are defined by the CCPA.  However, we offer a ‘do not sell” opt-out available here, and will apply opt-outs received to any future sales of PI by us, or to activities that we later conclude does qualify as a sale under the CCPA, such as if the State of California provides guidance that differs from our current conclusions.

While there is not yet a consensus, data practices of third party cookies and tracking devices associated with our websites and mobile apps may arguably constitute a “Sale” of your PI as defined by the CCPA.  However, we do not think that these third party technologies and activities are a “Sale” of your PI by us, and until we are convinced otherwise we do not intend to treat them as such.  Accordingly, currently, a Do Not Sell request to us will not affect these third party technologies or activities, though we may change this policy in the future based on how the law and industry practices develop.  We may participate in third party signal programs that restrict the processing activities of cookie operators to service provider purposes, but we do not guarantee that they will do so.  You can, however, exercise control over browser-based cookies by adjusting the settings on your browser, and mobile devices may offer ad and data limitation choices.  In addition, third party tools enable you to search for and opt-out of some of these trackers, such as the Ghostery browser plug-in available at https://www.ghostery.com/.  Further, you can learn more about your choices regarding certain kinds of online interest-based advertising [DAA/NAI].  We do not represent that these third party tools, programs or statements are complete or accurate, clearing cookies or changing settings may affect your choices and you may have to opt-out separately via each browser and other device you use.  For more information on cookies and other tracking devices and ways to exercise preferences regarding them, see our general Privacy Policy.

Some browsers have signals that may be characterized as do not track signals, but we do not understand them to operate in that manner or to indicate a Do Not Sell expression by you so we currently do not recognize these as a Do Not Sell request.  We understand that various parties are developing do not sell signals and we may recognize certain such signals if we conclude such a program is appropriate.

You may alternatively exercise more limited control of your PI by instead exercising one of the following options:

  • Opting out of promotional emails from us by selecting the unsubscribe button at the bottom of our emails. Opting out of any potential future sales here.  We will apply opt-outs received to any future sales of PI by us, or to activities that we later conclude does qualify as a sale under the CCPA, such as if the State of California provides guidance that differs from our current conclusions
  • We do not knowingly sell the PI of Consumers we know are under 16. If you think we may have unknowingly collected PI for sale of yourself or of your child under the age of 13, or if you are at least 13 but under 16, exercising the opt-out will stop our selling of the PI.

Delete:

Except to the extent we have a basis for retention under CCPA, you may request that we delete your PI that we have collected directly from you and are maintaining.  Our retention rights include, without limitation, to complete transactions and service you have requested or that are reasonably anticipated, for security purposes, for legitimate internal business purposes, including maintaining business records, to comply with law, to exercise or defend legal claims, and to cooperate with law enforcement.  Note also that we are not required to delete your PI that we did not collect directly from you.  To make a request, you may submit a form here or contact the FirstGroup Privacy Team at 1-844-930-1776, or USPrivacy@FirstGroup.com.  As permitted by the CCPA, any request you submit to us is subject to an identification and verification process.  We will verify identity based on matching information you provided with data we have maintained on you in our systems.  This data could include, but is not limited to, email address, mailing address, phone number, trip/quote number, pickup address or drop off address.  You may be required to execute an attestation under penalty of perjury.  If we are not satisfied that we have sufficiently verified your identity, we may treat your request instead as a “do not Sell” opt-out request.

You may alternatively exercise more limited control of your PI by opting out of our commercial emails by clicking unsubscribe on the footer of the email.

Non-Discrimination:

We will not discriminate against you in a manner prohibited by the CCPA because you exercise your CCPA rights.

Authorized Agents:

Authorized agents of Consumers may make a request by visiting here or calling 1-844-930-1776.  As permitted by the CCPA, any request you submit to us is subject to an identification and verification process, and confirmation of the agent’s authority, which may include attestation under penalty of perjury.  Absent a power of attorney, we will also require the Consumer to verify their own identity.  We may verify identity based on matching information you provided with data we have maintained on you in our systems. This data could include, but is not limited to, email address, mailing address, phone number, trip/quote number, pickup address or drop off address.

Limitations on Rights :

Notwithstanding anything to the contrary, we may collect, use and disclose your PI as required or permitted by applicable law and this may override your CCPA rights.  In addition, we need not honor any of your requests to the extent that doing so would infringe upon our or any other person or party’s rights or conflict with applicable law. 

ADDITIONAL CALIFORNIA NOTICES.

In addition to CCPA rights, certain Californians are entitled to certain other notices, including:

Third Party Marketing and Your California Privacy Rights:

Separate from your CCPA “Do Not Sell” rights you have the following additional rights regarding disclosure of your information to third parties for their own direct marketing purposes:

We do not share personal information as defined by California Civil Code § 1798.83 (“Shine the Light law”) with third parties for their direct marketing purposes absent your consent.  If you are a California resident, you may request information about our compliance with the Shine the Light law by contacting us at Shinethelight@firstgroup.com or by sending a letter to:

FirstGroup America, Inc.,
Attention: Legal Counsel
600 Vine Street, Suite 1400
Cincinnati, Ohio 45202

Any such request must include “California Shine the Light Request” in the first line of the description and include your name, street address, city, state, and ZIP code.  Please note that we are only required to respond to one request per customer each year, and we are not required to respond to requests made by means other than through this email address or mail address.

As these rights and your CCPA rights are not the same and exist under different laws, you must exercise your rights under each law separately.

(B)Online Privacy Practices:

For more information on our online practices and your California rights specific to our online services see our respective online Privacy Policies at www.firststudentinc.comwww.firsttransit.com, and firstcharterbus.com.  Without limitation, Californians that visit our online services and seek or acquire goods, services, money or credit for personal, family or household purposes are entitled to the following notices of their rights:

Tracking and Targeting:

When you visit our online services, we and third parties may use tracking technologies to collect usage information based on your device for a variety of purposes, including serving you advertising, based on your having visited our services or your activities across time and third-party locations.  Some browsers may enable you to turn on or off a so-called “Do Not Track” signal.  Because there is no industry consensus on what these signals should mean and how they should operate, we do not look for or respond to “Do Not Track” signals.  For more information on tracking and targeting and your choices regarding these practices, see our respective online Privacy Policies at  www.firststudentinc.comwww.firsttransit.com, and  firstcharterbus.com.

 

CONTACT US.

For more information on your California privacy rights contact us at 1-844-930-1776 or email us at USPrivacy@firstgroup.com. You may also use our California Consumer Rights Portal found here or, write to us at:

FirstGroup America, Inc.,
Attention: Legal Counsel
600 Vine Street, Suite 1400
Cincinnati, Ohio 45202