Effective date: January 1, 2023
TABLE OF CONTENTS
- The personal information we collect
- Sources we collect personal information from
- How we use personal information
- How we disclose personal information
- Third-party services and features
- Cookies and other technologies
- Contact information
- Your California privacy rights
1. The personal information we collect
We want you to know how we collect and use your personal information. Some examples of the personal information we may collect about you include:
- Contact information including your name, mailing address, personal email address, personal telephone and contact numbers, emergency contacts and language preferences
- Demographic information, such as your age and date of birth, sex and gender, race and ethnicity, sexual orientation and gender identity, disability and health status and military status
- Professional information, such as resumes and cover letters, educational history and transcripts, work history, references, certifications and professional licenses
- Work eligibility and tax information, such as your social security number, spousal and dependent information and marital status
- Vehicle information, such as VIN and license plate number
- ID information, such as driver’s license information, passport number, government-issued identification number and immigration/naturalization identification number
- Financial information, such as bank account numbers and beneficiary information
- Social media account information if you share it with us
- Photos or videos you provide to us
- Other information you voluntarily provide
Information created during your workforce relationship with CVS:
- Role information, such as job title, office location, start and end dates, business unit and reporting manager
- Compensation information, such as salary and wages, bonus allocations and payments, hours of work and records of absence
- Benefits information, such as insurance enrollments and 401(k) contributions
- Workforce investigations, grievances and complaints, disciplinary action and performance evaluations
- Background check and investigations information
- Information about your internet activity and related devices, including your computer’s IP address and/or mobile device information (e.g., device model, operating system version, unique device identifiers, mobile network information)
- Geolocation information, including from your mobile device(s) or vehicle(s), such as GPS coordinates
- Health information, such as your health conditions
- Images or videos recorded in or around one of our stores or office buildings (e.g., security camera footage)
We may also combine information that does not personally identify you with personal information. If we do, we will treat the combined information as personal information for as long as it stays combined. Please note, we may use and disclose de-identified information that is not in scope of this policy.
2. Sources we collect personal information from
We collect the personal information described above from the following sources.
- Directly from you. We collect personal information directly from you when you interact with us or our vendors through communications and automatically when you visit our websites and mobile applications.
- From subsidiaries and affiliates. We collect personal information from our subsidiaries and affiliates you interact with as permitted by applicable law.
3. How we use your personal information
Depending on the nature of your relationship with us, we may use your personal information for the purposes listed below.
- To communicate with you. We use your personal information to respond to your requests and otherwise communicate with you. For instance, we may use your personal information to consider you for a role, contact you about your application, send you email alerts, send you newsletters and to provide you with related customer service. We may use your personal information to send marketing communications and administrative information.
- For our internal business purposes. We may use your personal information for our internal human resources and business purposes, such as hiring and onboarding, offboarding, financial reporting, training and data analysis. We may also use it for developing our new programs, to assess the effectiveness of our campaigns, and to operate and expand our business activities.
- For workforce management. We may use your personal information for payroll and tax, benefits administration, investigations and corrective actions, workforce development programs, diversity, equality and inclusion initiatives.
- To maintain and enhance the safety and security of the workplace. We may use personal information to detect, prevent and address safety and security issues, fraud or illegal/malicious activity. We may also use your personal information to protect the health and safety of you and others in our workplace.
- In connection with a sale or transfer of business assets. To consider and implement mergers, acquisitions, reorganizations and other business transactions, and where necessary to the administration of our general business, accounting, recordkeeping and legal functions.
4. How we disclose personal information
We may disclose personal information with the following parties.
- Vendors. We may disclose personal Information we collect to our service providers or agents who perform functions on our behalf. These may include, for example, IT service providers, help desk, payment processors, analytics providers, consultants, auditors and legal counsel.
- Affiliates and subsidiaries. We may disclose personal information we collect to our affiliates or subsidiaries.
- Government or public authorities. We may disclose personal information to a third party if (a) we believe that disclosure is reasonably necessary to comply with any applicable law, regulation, legal process or governmental request, (b) to enforce our agreements, policies and terms of service, (c) to protect the security or integrity of our services, (d) to protect the property, rights and safety of CVS, our users or the public from harm or illegal activities, (e) to respond to an emergency which we believe in the good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person, or (f) to investigate and defend ourselves against any third-party claims or allegations.
We may disclose personal information for the following purposes:
- To provide information to our service providers. We may disclose personal information to our service providers. They provide services such as website hosting, data analysis, payment processing, order fulfillment, information technology and infrastructure, customer service, email delivery, auditing and other services.
- In connection with a sale or transfer of business assets. We may disclose or transfer your personal information to other parties if some or all of our business, assets or stock are sold, transferred or used as security. This includes in connection with any bankruptcy or similar proceeding.
- To respond to law enforcement officials or enforce our rights. We may disclose your personal information if required to do so by law enforcement officials or other government authorities. We disclose personal information in matters involving claims of personal or public safety, or in litigation. This may include disclosure of your personal information to allow us to pursue remedies or to limit the damages we may sustain. We may also use or disclose your information to enforce our terms and conditions, to protect our operations or those of any of our affiliates, to prevent misuse of our services, or to protect our rights, privacy, safety or property and/or that of our affiliates, you or others.
- To maintain and enhance the safety and security of the workplace. We may disclose personal information to detect, prevent and address safety and security issues, fraud or illegal/malicious activity. We may also disclose your personal information to protect the health and safety of you and others in our workplace.
5. Third-party service and features
The services may contain links to, or make available, third-party websites, services, features or other resources not run by us or on our behalf (the “Third-Party Services.”) We make these Third-Party Services available as a convenience to you and are not affiliated with, endorsing or sponsoring the Third-Party Services.
We use reasonable physical, technical and administrative safeguards. Please be aware that despite our efforts, no data security measures can guarantee security. You should take steps to ensure your personal information is protected like using passwords that would be difficult to guess, not using the same password for multiple accounts and periodically changing your password.
7. Cookies and other technologies
What are cookies? Cookies are small computer files we transfer to your computer’s hard drive. These are usually small text files. You can set your browser to accept or reject cookies. Instructions for resetting the browser are in the “help” section of most browsers.
We use this information for various purposes:
- To ensure that the services function properly
- To help with navigation (or how you find your way around the site)
- To understand use of the services
- To diagnose problems
- To measure the success of our talent campaigns
- To otherwise administer the services
Internet providers assign your device an IP address number. We may identify and log your IP address automatically in our web server log files when you use our services. We may also collect the time of your visit and the pages you look at. We use IP addresses to do things like gauge usage levels of the services, help find server problems, and administer services.
Our services use tracking technologies to collect and record your activities and movements across our websites throughout your browsing session, including page hits, mouse movements, scrolling, typing, out-of-the-box errors and events and API calls (“Session Data”). We use this information to (1) remember your information so you do not have to re-enter it, (2) track and understand how you use and interact with the services, (3) perform analytics, (4) measure the usability of the services and the effectiveness of our communications; and (5) improve our products, services and your experience. Such tracking may also include recorded sessions, which we may play back for these purposes. We may share session data with our vendors (which may change over time) for these purposes.
Do-Not-Track. Our websites are not designed to respond to “do-not-track” signals received from browsers.
8. Contact information
If you have any questions or concerns about the way we collect and use your information, contact us or call us toll-free at 1-888-607-4287.
Attn: Privacy Office
1 CVS Drive
Woonsocket, R.I. 02895
9. Your California privacy rights
Last Updated: January 1, 2023
This section does not address or apply to our information practices that are not subject to the CCPA, such as:
- Publicly available information. Information that is lawfully made available from government records, information we have a reasonable basis to believe is lawfully made available to the general public by you or by widely distributed media or by a person to whom you have disclosed the information and not restricted it to a specific audience.
- Deidentified information. Information that is deidentified in accordance with applicable laws.
- Aggregated information. Information relates to a group from which individual identities have been removed.
- Protected health information. Information governed by the Health Insurance Portability and Accountability Act or California Confidentiality of Medical Information Act.
- Activities covered by the Fair Credit Reporting Act. This includes information we receive from consumer reporting agencies that are subject to the Fair Credit Reporting Act e.g., information contained in background check reports we obtain as part of our vetting process.
- Trade secret and intellectual property of CVS. This includes our confidential business information and intellectual property.
The terms used in this section have the same meaning given to them in the CCPA.
A. What personal information we collect
We may collect (and may have collected during the 12-month period prior to the effective date of this section) the following categories of personal information (as enumerated in the CCPA) about you. For more information about the personal information we collect, please see Section 1 above.
- Identifiers, which may include your name, mailing address, personal email address, and personal telephone number
- Professional or employment-related information, such as your employment history, information relating to your compensation, benefits information, information from background checks or references, information relating to your performance evaluations, hours of work and records of absence and other information that may be provided on your resume
- Commercial information, such as VIN or vehicle license plate number
- Information relating to internet activity or other electronic network activity, which may include your device and browser information, interactions with our websites or mobile sites, mobile apps, Wi-Fi, emails, communications and social media
- Geolocation data, including from your mobile device(s) or vehicle(s), such as Global Positioning System (“GPS”) coordinates
- Audio, electronic or visual information, which may include images you provide to us (e.g., when you upload photos or videos) or that are viewed or recorded on a security camera
- Education information, such as education history, educational degrees and academic transcripts
- Protected classification characteristics under California or federal law, such as your age and/or date of birth, gender or gender identity, nationality and national origin, race or ethnicity, marital status, criminal history, drug test results and trade union membership
- Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)), such as your health insurance information and workers’ compensation claim information, signature and physical characteristics or description
We may also collect (and may have collected during the 12-month period prior to the effective date of this section) the following categories of sensitive personal information about you:
- Government identification, such as government issued identifications (e.g., SSN)
- Account log-in information, which may include your account username and passwords
- Demographic information, such as racial or ethnic origin, religious or philosophical beliefs or union membership
- Precise geolocation data, such as the GPS coordinates of any corporate devices assigned to you
- Information concerning your health, such as your health conditions or information made available via connected health devices (e.g., smart watches, health apps)
- Information concerning sexual orientation, if you choose to share with us, as part of our employment reporting obligations and diversity, equality and inclusion initiatives
We do not collect, use or disclose sensitive personal information about employees beyond the purposes authorized by the CCPA.
B. How long we retain personal information
We retain your personal information only as long as necessary and in alignment with our data retention schedules. Information may be retained to comply with applicable law, adhere to contractual requirements, in anticipation of litigation or a legal matter or as otherwise necessary and proportionate to provide you with a product or service.
C. What we do with personal information
- Performing services, including maintaining or servicing employment related activities, providing customer service, processing or fulfilling requests, verifying your information, processing payments, providing analytics services or providing similar services
- Auditing related to applicant and employment related activities, including, but not limited to, auditing compliance
- Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity and prosecuting those responsible for that activity
- Debugging to identify and repair errors that impair existing intended functionality
- Undertaking internal research for technological development and demonstration
- Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade or enhance the service or device that is owned, manufactured, manufactured for or controlled by us
D. Sources of collected personal information
We may collect (and during the 12-month period prior to the effective date of this section, may have collected) personal information about you from these sources:
- Directly from you or your device, including your use of our websites and mobile applications, and your communications with us
- Our subsidiaries and affiliates
- Our service providers, including but not limited to, technology/website hosting providers, analytics providers, and systems administrators/security and fraud investigations providers
- Advertising networks and social media networks
- Government entities, regulators and law enforcement
- Third parties, including companies that collect and sell publicly available information, or business partners that collect information and provide it to us according to their privacy policies and terms of service
E. What personal information we disclose and who we disclose personal information to
The following table describes the categories of personal information we disclose and the categories of third parties to whom we disclose personal information. For more information about how we disclose personal information, please see Section 4 above.
We do not sell or share your personal information to third parties.
We do not knowingly sell the personal information of minors under 16 years of age.
If you are a California consumer, you have the following rights under the CCPA with respect to your personal information.
- Right to know/access. With respect to the personal information we have collected about you in the prior 12 months, you have the right to request from us (up to twice per year and subject to certain exemptions): (i) categories of personal information about you we have collected; (ii) the sources from which we have collected that personal information; (iii) our business or commercial purposes for collecting, selling, or disclosing that personal information; (iv) the categories of third parties to whom we have disclosed that personal information; and (v) a copy of the specific pieces of your personal information we have collected.
- Right to delete. Subject to certain conditions and exceptions, you may have the right to ask us to delete certain personal information we have collected from you. Please note, CVS is not obligated to delete personal information that is: (i) necessary to provide services that you request (such as benefits and compensation) or (2) required to comply with applicable laws.
- Right to correction. You may have the right to ask us to correct inaccuracies in the personal information we have collected.
- Right to non-discrimination. We will not discriminate against you if you exercise any of these privacy rights.
How to submit a request
If you are a California consumer and a current or former CVS employee, then you can reach us one of the ways shown below.
- Password-protected web portal: Sign in here
- Once you have completed login, navigate to and select the “Submit/Check HR Ticket” tile.
- Next, click on “My Tickets” and then “Create Ticket.”
- Once a new ticket opens, choose “I have a question” and “Other (Questions).”
- Finally, please write-in, “CA Privacy Rights Request” in the subject line and then describe the nature of your request in the description box.
- Call us at: 1-888-694-7287
If you are a California consumer and a CVS applicant, contractor or other CVS professional, then you can reach us one of the ways shown below.
- Online submission form
- Call us at: 1-888-694-7287
You may also give someone else permission to exercise these rights for you. To submit a request as an authorized agent on behalf of a consumer, write us at ConsumerPrivacy@CVSHealth.com or call us at 1-888-694-7287. We will need proof showing you have asked someone else to make a request on your behalf, which may include a Power of Attorney form or other signed document. If we have information on your minor child, you may exercise these rights for them.
Before we fulfill a request, we must verify your identity and ability to exercise these rights. There are also some exclusions and exceptions that may apply. So that we can verify your identity, if you are a CVS employee or former employee, you will need to first sign into your account. If you are not a CVS employee or former employee, you will be asked to give us certain personal information via webform or on the phone, as described above. If you are not a CVS employee or former employee and request access to, correction or deletion of your personal information, we may require you to provide any of the following information: Full legal name, email address, phone number, position(s) applied for, store/office location applied to and/or home address (depending on the information you may have provided). In addition, if you are not a CVS employee or former employee and you ask us to provide you with specific pieces of personal information, we may require you to sign a declaration under penalty of perjury that you are the consumer whose personal information is the subject of the request.
CCPA reporting metrics
To learn more about the consumer requests that CVS has processed in the past calendar year, click here.