UPDATED Supplemental Privacy Statement For California Consumers
Effective: January 1, 2021 Updated: February 2, 2021
Consistent with the CCPA, information concerning job applicants, current and former employees and independent contractors (collectively, “Personnel”), and subjects of certain business-to-business communications acting solely in their capacity (“B2B data subjects”) as representatives of another business is exempt from some or all of the requirements of the CCPA. This Notice does not apply to B2B data subjects, and only Sections 1 and 2 apply to Personnel. Publicly available information is also not treated as Personal Information (“PI”) under the CCPA, so this notice is not intended to apply to that data and your Consumer privacy rights do not apply to that data.
Sections 1 and 2 of this Notice cover our Collection, use, disclosure, and Sale of California Consumers’ and our Personnel’s PI for the twelve months preceding January 1, 2021, and will be updated annually. Our practices in calendar year 2021 may change. However, if our practices are materially different such that we think a Consumer would reasonably expect notice, we will provide notice in connection with the applicable collection and use in other applicable privacy policies and notices. Section 4 of this Notice describes the rights California Consumers have under the CCPA and how to exercise them, but does not apply to Personnel.This Notice reflects our good faith understanding of the law and our data practices as of the date posted (set forth above). Accordingly, we may from time-to-time update information in this and other notices regarding our data practices and your rights, modify our methods for responding to your requests, and/or supplement our response to your requests, as we continue to develop our compliance program to reflect the evolution of the law and our understanding of how it relates to our data practices.
This statement addresses these topics:
- Collection And Use Of Personal Information
- Sharing Personal Information
- Deidentified Patient Information
- California Consumer Privacy Rights
During calendar year 2020, depending on how you have interacted with us, we may have:
(a) Collected the following categories of PI about you:
- Identifiers such as name, alias, postal address, unique personal identifier (such as pixels, cookies, web beacons), social security number, IP address, email address, phone number, passport number, customer number, account name, ID card information, or other similar identifiers;
- Personal records, such as physical characteristics or descriptions, signature, education, employment history, bank account information, medical information, financial information, or health insurance information;
- Characteristics such as age, race, color, ancestry, national origin, marital status, religion, sex, veteran or military status, medical condition, and mental or physical disability;
- Commercial information, such as records or personal property, products or services purchased, obtained, or considered, and other purchasing or consuming histories or tendencies;
- Online usage information, such as Internet and other electronic network activity information including, but not limited to, browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement;
- Geolocation data;
- Sensory information, such as audio, visual, and similar information; and
- Inferences drawn from any of the information identified above to create a profile about you reflecting your preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
There may be additional information that we collected that meets the CCPA’s definition of PI but is not reflected by a category, in which case we will treat it as PI as required by the CCPA, but will not include it when we are required to describe our practices by category of PI.
As permitted by applicable law, we do not treat Deidentified data or Aggregate Consumer Information as PI and we reserve the right to convert, or permit others to convert, your PI into Deidentified or Aggregate Consumer Information. We have no obligation to re-identify such information or keep it longer than we need it for our own purposes.
(b) Collected PI about you from the following categories of sources:
- Directly from you. For example, when you create an account, make a purchase, apply for or accept an employment position with us, etc
- .Your friends, family, or associations, including through their use of the Services.
- Directly and indirectly from activity on our Services, and Third Party social media pages and other services. For example, see the types of collection in the “Automatically Collected Information” section above.
- Service Providers who provide services on our behalf such as those used to fulfill orders, process your payments and requests, verify your information, monitor activity on our Services, provide analysis and analytics, maintain databases, administer and monitor emails and marketing, administer and send mobile messages, serve ads on this and other services, and provide consulting services.
- Third Party data providers.
- Creation by us.
(c) Collected PI about you for one or more of the following Business Purposes:
- Providing customer service, including responding to your requests or inquiries.
- Processing and completing your transactions including, as applicable, order confirmation/re-scheduling, billing, enrollment in our loyalty or other programs, and delivering products and/or Services.
- Personalizing your experience with our Services with content and offers that are tailored to you, including special offers from other companies.
- Providing you with newsletters, articles, product or service alerts, new product or service announcements, savings awards, event invitations, and other information.
- Including you in market research, surveys, promotions, sweepstakes, and contests.
- Improving our Services, the manner in which offers are made on our Services, the purchasing decisions of our customers, and the interactions visitors have with our Services.
- Evaluating your shopping experience or existing products and Services or to create new items.
- Alerting you about a product safety announcement or recall or correction of an offer, promotion, or advertisement.
- Keeping a record of our interactions with you if you place an order or otherwise deal with our representatives over the telephone or online.
- Verifying and validating your identity or otherwise preventing, investigating, or providing notice of fraud, unlawful or criminal activity, or unauthorized access to or use of personal information, our website or data systems or to meet legal obligations.
- Enabling you to interact with content service providers, whether by linking to their sites, viewing their content within our online environment, or by viewing our content within their online environment.
- Creating aggregated, pseudonymized, or anonymized information for analytical and statistical purposes.
We may disclose your PI to a Service Provider for a Business Purpose, or, at your direction, with Third Parties such as sponsors of promotions, sweepstakes or contests. In 2020, we disclosed the following categories of PI for a Business Purpose to the following categories of recipients:
- Identifiers: Marketing/advertising agencies, analytics & retail merchandising and marketing mix measurement providers, compliance, tech performance measurement, and other Service Providers;
- Personal records: Marketing/advertising agencies, analytics & retail merchandising and marketing mix measurement providers, compliance, tech performance measurement, and other Service Providers;
- Characteristics: Marketing/advertising agencies, analytics & retail merchandising and marketing mix measurement providers, compliance, and other Service Providers;
- Commercial information: Marketing/advertising agencies, analytics & retail merchandising and marketing mix measurement providers, and other Service Providers;
- Online usage information: Marketing/advertising agencies, analytics & retail merchandising and marketing mix measurement providers, compliance, tech performance measurement, and other Service Providers;
- Geolocation data: Marketing/advertising agencies, analytics & retail merchandising and marketing mix measurement providers, compliance, tech performance measurement, and other Service Providers;
- Sensory information: Retail security, compliance, and other Service Providers; and• Inferences: Marketing/advertising agencies, analytics & retail merchandising and marketing mix measurement providers, and other Service Providers.We do not believe that we Sold any PI of California Consumers in 2020. See Section 4(c) below for information as to how to opt-out of future Sales.
We collect and deidentify certain health care patient information in our capacity as a pharmacy health care provider. In some instances, we disclose, license, and/or sell the deidentified information derived from this health care patient information. To deidentify this health care patient information, we use either the deidentification methodology: (1) described in Section 164.514(b)(2) of Title 45 of the Code of Federal Regulations, commonly known as the HIPAA safe harbor method; or (2) described in Section 164.514(b)(1) of Title 45 of the Code of Federal Regulations, commonly known as the HIPAA expert determination method. As such, this deidentified information is not PI.
(a) Right to Know:
- Specific Pieces
You have the right to make or obtain a transportable copy, no more than twice in a twelve-month period, of your PI that we have Collected and are maintaining for the period that is 12 months prior to the request date. To make a request, click here, or call us at (877) 251-6559 (toll free). You will be asked to provide your name, email address, country of residence, state, and request details. A confirmation email will be sent to the email address you provide to begin the process to verify your identity. To protect your privacy and security we require verification of your identity to a high degree of certainty based on information we already have about you. If you cannot meet that standard, we will treat your request as a “categories request” as explained in the next section.
To protect your security and the rights of others, we may not be able to provide you all of the PI we may have on you. See Section 4(f) below for more details.
California Consumers have the right, no more than twice in a twelve-month period, to request that we disclose the categories of PI collected in the prior 12 months; the categories of sources from which such PI is collected; the business or commercial purpose for such collection or its sale (if applicable); the categories of third parties with which the businesses shares such PI, and, for each category of such PI, the categories of recipients of business purposes disclosures and, if applicable, of sales.
To make a request, click here, or call us at (877) 251-6559 (toll free). You will be asked to provide your name, email address, country of residence, state, and request details. A confirmation email will be sent to the email address you provide to begin the process to verify your identity. To protect your privacy and security we require verification of your identity to a reasonable degree of certainty based on information we already have about you. If you cannot meet that standard, we will refer you to this Notice where you can review our categories disclosures generally in Sections 1 and 2 above.
(b) Right to Delete
Except to the extent we have a basis for retention under the CCPA, you may request that we delete your PI that we have Collected directly from you and are maintaining. Our retention rights include, without limitation, to complete transactions and provide services you have requested or that are reasonably anticipated, for security purposes, for legitimate internal business purposes, including maintaining business records, to comply with law, to exercise or defend legal claims, and to cooperate with law enforcement. Note also that we are not required to delete your PI that we did not Collect directly from you. To make a request, click here, or call us at (877) 251-6559 (toll free). You will be asked to provide your name, email address, country of residence, state, and request details. A confirmation will be sent to the email address you provide to begin the process to verify your identity and to confirm that you want to delete your information. To the extent that we are able to sufficiently verify your identity and have a basis for retaining some of the PI you requested that we delete, we will explain the basis for the retention and will only retain it for such purpose and for so long as the retention purpose continues to exist.
Rather than exercising a deletion request, you may alternatively exercise more limited control of your PI by instead opting out of e-mail marketing communications by following the unsubscribe instructions on the footer of those emails.
(c) “Do Not Sell My Personal Information”
While California law also allows for California residents to opt out of the sale of their PI, we do not believe that we currently Sell PI of California Consumers as those terms are defined by the CCPA, but reserve the right to do so in the future. However, we offer California Consumer’s the ability to opt-out of future Sales here or call us at (877) 251-6559 (toll free). Although we believe that Third Party cookies we permit to be associated with our online Services restrict their data processing to what is permitted by Service Providers under the CCPA as to California Consumers, and thus do not result in a Sale of PI by us, to learn more about cookie choices here.
(d) Verification Process
After you (or a qualified agent which you duly authorize) submits a request to know or delete your PI, we are required to Verify your request to ensure that the request is not fraudulent (“Verifiable Consumer Request”)”. Thus, upon receiving your request we will take measures to verify that the request is legitimate. These verification efforts may require additional information from you which may include information you have provided us in the past. For instance, if you have previously provided your name to us, we may ask you for other information (e.g., last four digits of your credit card, email address, phone number, or transaction history) so that we can match the new information you provide with the information we have. We may also use other verification methods as the circumstances dictate. If through reasonable efforts we are unable to verify your request to the appropriate degree of certainty, we will notify you.
We will use PI provided in a Verifiable Consumer Request only to verify your identity or your authority to make the request and to track and document request responses, unless you also gave it to us for another purpose.
(e) Agent Requests
Note you can authorize an agent to exercise any of these California privacy rights on your behalf, subject to the agent request requirements of the CCPA. Note that we will take additional measures to verify the legal authority of your agent. Agents should contact us here.
Notwithstanding anything to the contrary, we may Collect, use and disclose your PI as required or permitted by applicable law and this may override your CCPA rights. In addition, we need not honor any of your requests to the extent that doing so would infringe upon our or any other person or party’s rights or conflict with applicable law. Further, to protect your privacy and security we will not provide you with access to or copies of sensitive PI such as government identification or financial account numbers, passwords or answers to security questions or biometric identifiers; provided, however, that we will inform you if we maintain any such applicable types of PI.
Some PI we maintain about Consumers is not sufficiently associated with enough PI about the Consumer for us to be able to verify that it is a particular Consumer’s PI when a Consumer request that requires verification pursuant to the CCPA’s verification standards is made (e.g., clickstream data tied only to a pseudonymous browser ID). As required by the CCPA, we do not include that PI in response to those requests. If we cannot comply fully with a request, we will explain the reasons in our response, unless we are prohibited from doing so by applicable law.
We will make commercially reasonable efforts to identify Consumer PI that we Collect, process, store, disclose and otherwise use and to respond to your California Consumer rights requests. In some cases, particularly with voluminous and/or typically irrelevant data, we may suggest that you receive the most recent or a summary of your PI and give you the opportunity to elect whether you want the rest or not. We reserve the right to direct you to where you may access and copy responsive PI yourself. We will typically not charge a fee to fully respond to your requests; provided, however, that we may charge a reasonable fee, or refuse to act upon a request, if your request is excessive, repetitive, unfounded or overly burdensome. If we determine that the request warrants a fee, or that we may refuse it, we will give you notice explaining why we made that decision. You will be provided a cost estimate and the opportunity to accept such fees before we will charge you for responding to your request. As permitted by the CCPA, we are also not required to search for PI not maintained in a searchable or reasonably accessible format that is used for certain internal purposes only, but we apply this exception we will respond to your request with a description of the categories of PI to which this exception applies.
In addition, as explained above, we will reject requests to the extent we are not able to sufficiently verify your identity, or your agent’s authority. If we conclude we have a basis for not fully responding to your request, our response to you will explain the basis for the limitation, unless we are prohibited from doing so by applicable law.
(g) Financial Incentives and Non-discrimination
California residents also have the right not to receive discriminatory treatment for the exercise of any of the privacy rights conferred by the California Consumer Privacy Act. As of the Effective Date of this CA Statement we did not offer any programs requiring you to limit any of your CCPA rights, or otherwise require you to limit your CCPA rights in connection with charging a different price or rate, or offering a different level or quality of good or service. If we do so, the CCPA requires certain program terms and notices for California Consumer and the material aspects of any such program, and the rights of California participants, will be explained and described in its program terms. Participating in any such programs will be entirely optional. We may add or change programs and/or their terms by posting notice on the program descriptions so check them regularly.
Cookies, Web Beacons, and Similar Technologies. We and/or our service providers may collect and store information using cookies, local shared objects (or Flash cookies), web beacons, Uniform Resource Locators (URL), and similar technologies to manage our websites and email messages and to collect and track information about you and your activities online at our websites over time and across third-party websites or online services including, but not limited to, your computer’s IP address and operating system, your browser type, the site from which you linked to our site, the time and date of your visit, how you use and interact with our Services, your preferences, and what products and services you purchase. We may also use device identifiers, web storage, and other technologies to collect information about your interactions with our content and Services. We deliver a customized experience and do not currently respond to “Do Not Track” signals of web browsers.