Effective Date: March 25, 2020
A. Information we collect:
In the course of our business, we collect information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household (“Personal Information”). Depending on how you have interacted with us, we may have collected the following categories of Personal Information from you in the last twelve (12) months, which we may also share with third parties for the purposes outlined in this Privacy Notice. The categories below are those identified in the California Consumer Privacy Act (CCPA).
Please note that we have not collected every type of Personal Information identified in the Examples below, and the types of Personal Information we have collected on any consumer depends on how the consumer has interacted with us.
|Identifiers.||This category may include: name, postal address, unique personal identifiers, online identifiers, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers. Under the CCPA, “unique identifiers” or “unique personal identifier” means a persistent identifier that can be used to recognize a consumer, a family, or a device that is linked to a consumer or family, over time and across different services, including, but not limited to, a device identifier; an Internet Protocol address; cookies, beacons, pixel tags, mobile ad identifiers, or similar technology; customer number, unique pseudonym, or user alias; telephone numbers, or other forms of persistent or probabilistic identifiers that can be used to identify a particular consumer or device.||YES|
|Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) and protected classification characteristics under California or federal law.||This category may include: name, signature, Social Security number, physical characteristics, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education or employment information, financial account numbers, medical information, health insurance information, age, race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex and gender information, veteran or military status, or genetic information.||YES
(for certain participants in Citadel trading programs, prospective employees and job applicants)
|Commercial information.||This category may include: records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.||YES|
|Biometric information.||This category may include: imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a face print, a minutiae template, or a voiceprint, can be extracted.||NO|
|Internet or other electronic network activity information.||This category may include: browsing history, search history, and information regarding interactions with an Internet Web site, application, or advertisement. Citadel does make reasonable efforts to respect Do Not Track settings in browsers.||YES|
|Geolocation data.||This category may include: physical location or movements of your device or if you share the information with us at an event.||YES|
|Sensory data.||This category may include: audio, electronic, visual, thermal, olfactory, or similar information.||NO|
|Professional or employment-related information.||This category may include: current or past job history or performance evaluations.||YES|
|Non-public education information||This category may include: education records directly related to a student maintained by an educational institution or party acting on its behalf (e.g., grades, transcripts, schedules, and student ID numbers).||YES
(for prospective employees, consultants or contractors)
|K. Inferences drawn from other personal information.||This category may include: inferences drawn from the above information that may reflect your preferences, characteristics, predispositions, behavior, interests, attitudes, or similar behavioral information.||YES|
Please note that some of the categories of personal information described in the CCPA overlap with each other; for instance, your name is both an Identifier and a type of data described in Cal. Civil Code 1798.80(e).
Personal information does not include publicly available information from government records or any deidentified or aggregated consumer information. In addition, the CCPA excludes the following from its scope: health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data; and personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.
B. Use and Sharing of Personal Information:
We may use or disclose the personal information we collect for the purposes described in the “Information Use” and “Information Sharing” Sections above.
In the preceding twelve (12) months, Citadel has disclosed the following categories of personal information for a business purpose: identifiers; California Customer Records personal information categories; protected classification characteristics under California or federal law; internet or other similar network activity; geolocation data; professional or employment-related information (for prospective employees, contractors or consultants); non-public education information (for prospective employees only); and inferences drawn from other personal information.
C. Sales of Personal Information:
In the preceding twelve (12) months, Citadel has not sold personal information.
D. Your Rights & Choices:
The CCPA provides eligible California residents with specific rights with respect to our collection, retention, and use of Personal Information.
(a) Right to Know About Personal Information Collected, Disclosed, or Sold
You have the right to request that we provide certain information to you about our collection and use of your Personal Information over the past twelve (12) months. Specifically, you have the right to request disclosure of the categories of Personal Information and specific pieces of Personal Information we have collected about you over the last 12 months. Upon the submission of a verifiable consumer request (see Exercising your California Privacy Rights, below), we will disclose to you:
We will also provide the specific pieces of Personal Information we collected about you, subject to certain exceptions under applicable law, if you also request access to such information.
We do not provide these access and data portability rights for B2B personal information.
(b) Right to Request Deletion of Personal Information
You also have the right to request that we delete Personal Information that we have collected and maintain about you, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will conduct a reasonable search of our records in order to locate any Personal Information we have collected about you that is eligible for deletion, and delete such Personal Information. To the extent we have shared any Personal Information collected about you with service providers that is eligible for deletion, we will direct those service providers to delete that Personal Information as well. For the sake of clarity, however, Citadel may not be able to comply entirely with your request to delete all of your Personal Information as set forth under the CCPA. Specifically, we are not required to delete any PI we have collected about you that is necessary for us and our service provider(s) to:
Following a deletion request, any Personal Information about you that was not deleted from our systems due to the above exceptions will only be used for the purposes provided for by the applicable exceptions. Thus, all Personal Information about you that is not subject to a deletion exception will either be (1) permanently deleted on our existing systems (with the exception of archived or back-up systems maintained for emergency disaster recovery and business continuity purposes); (2) de-identified; or (3) aggregated so as to not be personal to you.
We do not provide these access and data portability rights for B2B personal information.
(d) Right to Non-Discrimination for the Exercise of a Consumer’s Privacy Rights
We will not discriminate against you for exercising any of your privacy rights. Unless permitted by applicable law, we will not:
(e) Exercising Your California Privacy Rights
To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either:
Requests to exercise your rights under the CCPA require verification of your identity, and may be made only by you, your parent or guardian (if you are under 18 years of age), a person to whom you have given power of attorney pursuant to California Probate Code sections 4000 to 4465, or an authorized agent that is registered with the California Secretary of State. If a parent or guardian is submitting a request on behalf of a minor, the parent or guardian must submit proof that they are the parent or guardian of the subject consumer, and must verify the consumer’s identity (e.g., provide a notarized letter). If someone with power of attorney is making a request on behalf of a consumer, they must verify the individual consumer’s identity and submit documentation establishing the power of attorney. If an authorized agent is submitting a request on behalf of a consumer, they must verify the individual consumer’s identity, provide written permission from the consumer to submit the request on the consumer’s behalf, and submit documentation establishing registration with the Secretary of State. If Citadel cannot verify that the requestor is authorized by the consumer to act on such consumer’s behalf, Citadel is not obligated to provide information or respond to the request. If you have any questions about making a request on behalf of another consumer, please email us at PrivacyInquiries@citadel.com.
Your verifiable consumer request must provide sufficient information that allows us to reasonably verify that you are the person about whom we collected Personal Information or that you are an authorized representative of such person. We will not respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. While we may ask for Personal Information to verify the requestor or consumer’s identity when making a request, we will only use that Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request. Making a verifiable consumer request does not require you to create an account with us. Additionally, you may only make a verifiable consumer request for access twice within a 12-month period.
(f) Response Timing and Format
We endeavor to respond to a verifiable consumer request within forty-five (45) calendar days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. Within ten (10) business days of receiving the request, we will confirm receipt and provide information about our verification and processing of the request. Citadel will maintain records of consumer requests made pursuant to the CCPA as well as our response to said requests for a period of at least twenty-four (24) months.
Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. If you have an account with us, we may require you to take delivery of our written response through that account. If you do not have an account with us, we will deliver our written response electronically, though you may alternatively choose to receive delivery by mail. The response will also explain the reasons we cannot comply with a request, if applicable. Requests for the specific pieces of information that we have collected about you will be sent in a portable, readily useable format that you may transmit to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
(g) Your Rights Under “Shine the Light”
In addition to your rights under the CCPA, California Civil Code Section 1798.83 permits California residents to request information regarding our disclosure, if any, of their Personal Information to third parties for their direct marketing purposes. To make such a request, please either email us or write to us using our information provided in the “Contact Us” section above.
Non-affiliated third parties are independent from Citadel and if you wish to receive information about your disclosure choices or stop communications from such third parties, you will need to contact those non-affiliated third parties directly.