U.S. State Privacy Notice
Effective Date: January 30, 2023
This U.S. State Privacy Notice (“Notice”) applies to “Consumers” as defined under the California Consumer Privacy Act, including as amended by the California Privacy Rights Act (together, the “CCPA”), the Colorado Privacy Act, the Virginia Consumer Data Protection Act, Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring, and all laws implementing, supplementing or amending the foregoing, including regulations promulgated thereunder (collectively, “U.S. Privacy Laws”). Capitalized terms used but not defined in this Notice shall have the meanings given to them under U.S. Privacy Laws.
This Notice is designed to meet our obligations under U.S. Privacy Laws and supplements the general privacy policies of AvalonBay Communities, Inc. and our subsidiaries (“Company,” “us,” “we,” or “our”) including, without limitation, our website Privacy Policy. In the event of a conflict between any other Company policy, notice, or statement and this Notice, this Notice will prevail as to Consumers unless stated otherwise.
Applicability:
For California residents the term “Consumer” is not limited to data subjects acting as individuals regarding household goods and services and includes data subjects in a business-to-business context. This is not the case in the other states.
(a) PI Collection, Disclosure, and Retention – By Category of PI
(b) PI Use and Disclosure – By Processing Purpose
2. Your Consumer Rights and How to Exercise Them
(a) Right to Limit Sensitive PI Processing
(1) Categories (available for California Residents Only)
(c) Do Not Sell / Share / Target
(f) Automated Decision Making/Profiling
(g) How to Exercise Your Consumer Privacy Rights
(1) Your Request Must be a Verifiable Consumer Request
3. Non-Discrimination/Non-Retaliation
4. Notice of Financial Incentive Programs
5. Our Rights and the Rights of Others
6. Additional Notice for California Residents
7. Additional Notice For Connecticut Residents
The description of our data practices in this Notice covers the twelve (12) months prior to the Effective Date and will be updated at least annually. Our data practices may differ between updates, however, if materially different from this Notice, we will provide supplemental pre-collection notice of the current practices, which may include references to other privacy policies, notices, or statements. Otherwise, this Notice serves as our notice at collection.
We may collect your PI directly from you (e.g., when you register for an account or apply to live in one of our communities); from your devices; from our affiliates; from our service providers, such as internet listing services, fraud prevention and security providers, marketing providers, and consumer and support providers; from public sources of data such as government databases; or from other businesses or individuals.
Generally, we Process your PI to provide you services and as otherwise related to the operation of our business, including for one or more of the following Business Purposes: Performing Services; Managing Interactions and Transactions; Security; Debugging; Advertising & Marketing Services; Quality Assurance; Processing Interactions and Transactions; and Research and Development. We may also use PI for other Business Purposes in a context that is not a Sale or Share under U.S. Privacy Laws, such as disclosing it to our Service Providers, Contractors, or Processors that perform services for us (“Vendors”), to the Consumer or to other parties at the Consumer’s direction or through the Consumer’s action; for the additional purposes explained at the time of collection (such as in the applicable privacy policy or notice); as required or permitted by applicable law; to the government or private parties to comply with law or legal process; and to assignees as part of an acquisition, merger, asset sale, or other transaction where another party assumes control over all or part of our business (“Corporate Transaction”) (“Additional Business Purposes”). Subject to restrictions and obligations under U.S. Privacy Laws, our Vendors may also use your PI for Business Purposes and Additional Business Purposes, and may engage their own vendors to enable them to perform services for us.
We may also use and disclose your PI under this Notice for Commercial Purposes, which may be considered a “Sale” or “Share” under applicable U.S. Privacy Laws, such as when Third-Party Digital Businesses (defined below) collect your PI via third-party cookies, and when we Process PI for certain advertising purposes. In addition, we may make your PI available to Third-Parties for their own use, such as selected marketing partners that offer services to our residents.
We provide more detail on our data practices in the two charts that follow.
(a) PI Collection, Disclosure, and Retention – By Category of PI
We collect, disclose, and retain PI as follows:
Category of PI | Examples of PI Collected and Retained | Categories of Recipients |
---|---|---|
1. Identifiers | Real name, alias, postal address, unique personal identifiers, online identifier, Internet Protocol address, e-mail address, account name, and other similar identifiers. | Disclosures for Business Purposes:<br>Sale/Share: |
2. Personal Records | Name, signature, physical characteristics or description, address, telephone number, and financial information (e.g., credit card number, bank account number, or debit card number), insurance policy number, medical information, health insurance information, or emergency contact details. Some PI included in this category may overlap with other categories. | Disclosures for Business Purposes:<br>Sale/Share: Selected marketing partners that offer services to our residents, such as credit card issuers |
3. Consumer Characteristics | In some circumstances, we may collect PI that is considered protected under U.S. law, such as age, sex, gender identity, marital status, veteran status, citizenship status, familial status, disability, religion, or payment history, but only when that information is relevant for our Business Purposes. We abide by the legal requirements imposed under applicable law in regards to such information. | Disclosures for Business Purposes:<br>Sale/Share: None |
4. Customer Account Details/Commercial Information | Records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | Disclosures for Business Purposes:<br>Sale/Share: |
5. Internet Usage Information | When you browse our sites or otherwise interact with us online, we may collect browsing history, search history, and other information regarding your interaction with sites, applications, or advertisements. | Disclosures for Business Purposes:<br>Sale/Share: Third-Party Digital Businesses |
6. Geolocation Data | If you interact with us online we may gain access to the approximate, and sometimes precise, location of the device or equipment you are using. | Disclosures for Business Purposes:<br>Sale/Share: None |
7. Sensory Data | We may collect audio, electronic, video, or similar information such as when you contact us through our resident service line and through security cameras at our communities. | Disclosures for Business Purposes:<br>Sale/Share: None |
8. Professional or Employment Information | Professional, educational, or employment-related information, such as employment history. | Disclosures for Business Purposes:<br>Sale/Share: None |
9. Inferences from PI Collected | Inferences drawn from PI to create a profile about a Consumer reflecting preferences, characteristics, trends, preferences, predispositions, and behaviors. | Disclosures for Business Purposes:<br>Sale/Share: None |
10. Sensitive PI | Government Issued Identification Numbers (e.g., social security, driver’s license, state identification card, or passport number) | Disclosures for Business Purposes:<br>Sale/Share: None |
| Precise Geolocation (any data that is derived from a device and that is used or intended to be used to locate a consumer w/in a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet) | Disclosures for Business Purposes:<br>Sale/Share: None |
| Sensitive Personal Characteristics (e.g., religious beliefs, citizenship status) | Disclosures for Business Purposes:<br>Sale/Share: None |
| Biometric Information (e.g., scans of facial geometry, or fingerprints) | Disclosures for Business Purposes:<br>Sale/Share: None |
| Health Information (PI collected and analyzed concerning a consumer’s health or medical history) | Disclosures for Business Purposes:<br>Sale/Share: None |
There may be additional information we collect that meets the definition of PI under applicable U.S. Privacy Laws but is not reflected by a category above, in which case we will treat it as PI as required, but will not include it when we describe our practices by PI category. Because there are numerous types of PI in each category of PI, and various uses for each PI type, our retention periods for each category of PI vary. We retain specific PI pieces based on how long we have a legitimate purpose for the retention.
(b) PI Use and Disclosure – By Processing Purpose
We use and disclose PI for the processing purposes described below:
Processing Purpose(s) | Example(s) of Processing Purpose | Categories of PI Implicated | Categories of Recipients |
---|---|---|---|
1. Performing Services | Provide our services/communicate about our services: to provide you with info or services, to send you electronic newsletters and push notifications (if you have elected to receive such), qualify you to enter into a lease at one of our communities; service calls to your apartment home; ensure that you comply with lease terms<br>Enable additional features of our sites: to enable you to participate in a variety of our site’s features, including to pay rent and book tours online<br>Contact You: to contact you about your use of our services and, in our discretion, changes to our services or our service’s policies<br>Account management: to process your registration with our services, verify your info is active and valid, and manage your account<br>Resident Service: to respond to any questions, comments, or requests you have for us or for other resident service purposes<br>Payment: to facilitate rent payment | | |
2. Managing Interactions and Transactions | Auditing: related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with user interaction or transaction specifications and standards (e.g., ecommerce activities). | | |
3. Security | Security/fraud prevention: to protect the security of Company, our services, or its users and to prevent and address fraud; identity validation of consumer accounts or prevent unauthorized access to resident accounts; prevent identity theft | | |
4. Debugging | Repairs: to identify and repair errors that impair existing intended functionality of our services. | | |
5. Advertising & Marketing (excluding Cross-Context Behavioral Advertising and Targeted Advertising) | Content and offers customization: to customize your experience on our websites, apps, or other services, or to serve you specific content and offers that are relevant to/customized for you<br>Advertising, marketing, and promotions: to assist us in determining relevant advertising and the success of our advertising campaigns; to help us determine where to place our ads, including on other websites; for promotional activities such as running sweepstakes, contests, and other promotions.<br>Third-party: for selected marketing partners to offer services to our residents, such as credit card issuers | | |
6. Quality Assurance | Quality and Safety of Service: undertaking activities to verify or maintain the quality or safety of our services, and to improve, upgrade, or enhance our services. | | |
7. Processing Interactions and Transactions | Short-term, transient use: including, but not limited to, non-personalized advertising shown as part of a Consumer’s current interaction with Company and use of our services’ features and functionality (e.g., e-commerce transactions) | | |
8. Research and Development | Research and analytics: to better understand how users access and use our services, both on an aggregated and individualized basis, to improve our services and respond to user preferences, and for other research and analytical purposes<br>Customer satisfaction surveys: to administer surveys and questionnaires, such as for customer satisfaction purposes | | |
9. Additional Business Purposes | Compliance with legal obligations: to comply with legal obligations, as part of our general business operations, and for other business administration purposes<br>Prevention of illegal activities, fraud, injury to others, or violation of our terms and policies: to investigate, prevent or take action if someone may be using info for illegal activities, fraud, or in ways that may threaten someone’s safety or violate our terms or this Notice<br>Purposes disclosed at PI collection: We may provide additional disclosures at the time of PI collection, such as on a checkout page<br>Related or compatible purposes: for purposes that are related to and/or compatible with any of the foregoing purposes | | |
10. Commercial Purposes | Cross-context Behavioral Advertising<br>Targeted Advertising<br>Strategic partnerships with selected marketing partners that offer services to our residents, such as credit card issuers | | |
2. YOUR CONSUMER RIGHTS AND HOW TO EXERCISE THEM
As described more below, subject to meeting the requirements for a Verifiable Consumer Request (defined below), Company provides Consumers and our California Personnel the privacy rights accorded to you under your applicable state law. For residents of states without Consumer privacy rights, we will consider requests but will apply our discretion with respect to if and how we process such requests. We will also consider applying state law rights prior to the effective date of such laws, but will do so in our discretion.
To submit a request to exercise your Consumer privacy rights, or to submit a request as an authorized agent, use our Consumer Rights Request page here, or call us at 1-833-605-4293 between the hours of 9 AM and 5 PM ET, Monday through Friday, and respond to any follow-up inquiries we make. Please be aware that we do not accept or process requests through other means (e.g., via fax, chats, social media etc.). More details on the request and verification process are in Section 2(g) below. The Consumer rights we accommodate are as follows:
(a) Right to Limit Sensitive PI Processing
We only Process Sensitive PI for purposes that are exempt from Consumer choice under U.S. Privacy Laws.
Residents of California, Virginia, and Colorado are entitled to access PI up to twice in a 12-month period. Residents of Connecticut are entitled once every 12-month period to access PI maintained by Company, with subsequent requests subject to a service fee. We apply the same limitation on number of Verifiable Consumer Requests in Connecticut to all states other than California, Virginia, and Colorado.
(1) Categories (available for California Residents Only)
California residents have a right to submit a request for any of the following for the period that is 12-months prior to the request date:
• The categories of PI we have collected about you.
• The categories of sources from which we collected your PI.
• The Business Purposes or Commercial Purposes for our collecting or Selling your PI.
• The categories of third parties to whom we have shared your PI.
• A list of the categories of PI disclosed for a Business Purpose and, for each, the categories of recipients, or that no disclosure occurred.
• A list of the categories of PI sold about you and, for each, the categories of recipients, or that no sale occurred.
You may request to confirm if we are Processing your PI and, if we are, to obtain a transportable copy, subject to applicable request limits, of your PI that we have collected and are maintaining. For your specific pieces of PI, as required by applicable U.S. Privacy Laws, we will apply the heightened verification standards as described below. We have no obligation to re-identify information or to keep PI longer than we need it or are required to by applicable law to comply with access requests.
(c) Do Not Sell / Share / Target
Under the various U.S. Privacy Laws there are broad and differing concepts of “Selling” PI for which an opt-out is required. California also has an opt-out from “Sharing” for Cross-Context Behavioral Advertising (use of PI from different businesses or services to target advertisements). Other states have an opt-out of “Targeted Advertising” (defined differently but also addressing tracking, profiling, and targeting of advertisements). We may Sell or Share your PI and/or use your PI for Targeted Advertising, as these terms apply under U.S. Privacy Laws. However, we provide U.S. Consumers an opt out of Sale/Sharing/Targeting that is intended to combine all of these state opt-outs into a single opt-out available regardless of state of residency.
Third-Party digital businesses (“Third-Party Digital Businesses”) may associate cookies and other tracking technologies that collect PI about you on our services, or otherwise Collect and Process PI that we make available about you, including digital activity information. We understand that giving access to PI on our services, or otherwise, to Third-Party Digital Businesses could be deemed a Sale and/or Share under some state laws and thus we will treat such PI (e.g., cookie ID, IP address, and other online IDs and internet or other electronic activity information) collected by Third-Party Digital Businesses, where not limited to acting as our Service Provider (or Contractor or Processor), as a Sale and/or Share and subject to a Do Not Sell/Share/Target opt-out request. We will not Sell your PI, Share your PI for Cross-Context Behavioral Advertising, or Process your PI for Targeted Advertising if you make a Do Not Sell/Share/Target opt-out request.
Opt-out for non-cookie PI: If you want to limit our Processing of your non-cookie PI (e.g., your email address) for Targeted Advertising, or opt-out of the Sale/Sharing of such data, make an opt-out request here.
Opt-out for cookie PI: If you want to limit our Processing of your cookie-related PI for Targeted Advertising, or opt-out of the Sale/Sharing of such PI, you need to exercise a separate opt-out request on our cookie management tool here. This is because we have to use different technologies to apply your opt-out to cookie PI and to non-cookie PI. Our cookie management tool enables you to exercise such an opt-out request and enable certain cookie preferences on your device. You must exercise your preferences on each of our websites you visit, from each browser you use, and on each device that you use. Since your browser opt-out is designated by a cookie, if you clear or block cookies, your preferences will no longer be effective and you will need to enable them again via our cookie management tool. Beware that if you use ad blocking software, our cookie banner may not appear when you visit our services and you may have to use the link above to access the tool.
Opt-out preference signals (also known as global privacy control or GPC): Some of the U.S. Privacy Laws require businesses to process GPC signals, which are referred to in California as opt-out preference signals (“OOPS”). These are signals sent by a platform, technology, or mechanism, enabled by individuals on their devices or browsers, that communicate the individual’s choice to opt-out of the Sale and Sharing of personal information. To use an OOPS/GPC, you can download an internet browser or a plugin to use on your current internet browser and follow the settings to enable the OOPS/GPC. We have configured the settings of our consent management platform to receive and process GPC signals on our website, which is explained by our consent management platform here. We process OOPS/GPC with respect to Sales and Sharing that may occur in the context of Collection of cookie PI by tracking technologies online by Third-Party Digital Businesses, discussed above, and apply it to the specific browser on which you enable OOPS/GPC. We currently do not, due to technical limitations, process OOPS/GPC for opt-outs of Sales and Sharing in other contexts (e.g., non-cookie PI). We do not: (1) charge a fee for use of our service if you have enabled OOPS/GPC; (2) change your experience with any product or service if you use OOPS/GPC; or (3) display a notification, pop-up, text, graphic, animation, sound, video, or any interstitial in response to the OOPS/GPC.
We do not knowingly Sell or Share the PI of Consumers under 16, unless we receive affirmative authorization (“opt-in”) from either the Consumer who is between 13 and 16 years old, or the parent or guardian of a Consumer who is less than 13 years old. If you think we may have unknowingly collected PI of a Consumer under 16 years old, please Contact Us.
We may disclose your PI for the following purposes, which are not a Sale or Share: (i) if you direct us to disclose PI; (ii) to comply with a Consumer rights request you submit to us; (iii) disclosures amongst the entities that constitute Company as defined above, or as part of a Corporate Transaction; and (iv) as otherwise required or permitted by applicable law.
Except to the extent we have a basis for retention under applicable law, you may request that we delete your PI. Our retention rights include, without limitation:
Note also that, depending on where you reside (e.g., California), we may not be required to delete your PI that we did not collect directly from you.
Consumers may bring inaccuracies they find in their PI that we maintain to our attention and we will act upon such a complaint as required by applicable law.
(f) Automated Decision Making/Profiling
We only engage in Automated Decision Making or Profiling in ways that are exempt from Consumer choice under U.S. Privacy Laws.
(g) How to Exercise Your Consumer Privacy Rights
To submit a request to exercise your Consumer privacy rights, or to submit a request as an authorized agent, use our Consumer Rights Request page here, or call us at 1-833-605-4293 between the hours of 9 AM and 5 PM ET, Monday through Friday, and respond to any follow-up inquiries we make. Please be aware that we do not accept or process requests through other means (e.g., via fax, chats, social media etc.).
(1) Your Request Must be a Verifiable Consumer Request
As permitted or required by applicable U.S. Privacy Laws, any request you submit to us must be a Verifiable Consumer Request, meaning when you make a request, we may ask you to provide verifying information, such as your name, e-mail, and phone number. You will then be contacted for further verification which typically will involve use of an application that will compare a photograph of you to your government issued identification card. However, other methods of verification may be available upon request at privacy@avalonbay.com. We will review the information provided and may request additional information (e.g., transaction history) via e-mail or other means to ensure we are interacting with the correct individual. We will not fulfill your Right to Know (Categories), Right to Know (Specific Pieces), Right to Delete, or Right to Correction request unless you have provided sufficient information for us to reasonably verify you are the Consumer about whom we collected PI. We do not verify opt-outs of Sell/Share/Target or Limitation of Sensitive PI requests unless we suspect fraud.
We verify each request as follows:
To protect Consumers, if we are unable to verify you sufficiently, we will be unable to honor your request. We will use PI provided in a Verifiable Consumer Request only to verify your identity or authority to make the request and to track and document request responses, unless you also gave it to us for another purpose.
You may use an authorized agent to make a request for you, subject to our verification of the agent, the agent’s authority to submit requests on your behalf, and of you. You can learn how to do this by visiting the agent section of our Consumer Rights Request page here. Once your agent’s authority is confirmed, they may exercise rights on your behalf subject to the agency requirements of applicable U.S. Privacy Laws.
You may appeal Company’s decision regarding a request by following the instructions in our response to you.
Some PI that we maintain is insufficiently specific for us to be able to associate it with a Consumer (e.g., clickstream data tied only to a pseudonymous browser ID). We do not include that PI in response to those requests. If we deny a request, in whole or in part, we will explain the reasons in our response.
We will make commercially reasonable efforts to identify Consumer PI that we Process to respond to your Consumer request(s). In some cases, particularly with voluminous and/or typically irrelevant data, we may suggest you receive the most recent or a summary of your PI and give you the opportunity to elect whether you want the rest. We reserve the right to direct you to where you may access and copy responsive PI yourself. We will typically not charge a fee to fully respond to your requests; provided, however, that we may charge a reasonable fee, or refuse to act upon a request, if your request is excessive, repetitive, unfounded, or overly burdensome. If we determine that the request warrants a fee, or that we may refuse it, we will give you notice explaining why we made that decision. You will be provided a cost estimate and the opportunity to accept such fees before we will charge you for responding to your request.
Consistent with applicable U.S. Privacy Laws and our interest in the security of your PI, we will not deliver to you your Social Security number, driver’s license number, or other government-issued ID number, financial account number, any health or medical identification number, an account password, security questions or answers, or unique Biometric Information generated from measurements or technical analysis of human characteristics in response to a Consumer privacy rights request; however, you may be able to access some of this information yourself through your account if you have an active account with us.
3. NON-DISCRIMINATION/NON-RETALIATION
We will not discriminate or retaliate against you in a manner prohibited by applicable U.S. Privacy Laws for your exercise of your Consumer privacy rights. We may charge a different price or rate, or offer a different level or quality of good or service, to the extent that doing so is reasonably related to the value of the applicable PI.
4. NOTICE OF FINANCIAL INCENTIVE PROGRAMS
We do not currently offer discounts or rewards to Consumers for providing us PI, or set price or service differences related to the collection, retention, sale, or sharing of PI. However, we may inform you of discounts, rewards, or other benefits offered by other businesses, and they may collect PI from you in connection with these benefits. Such benefits and PI collection are governed by their privacy policies and terms, and not ours.
If we offer such programs in the future, we will update this Notice to describe such program(s), including how you may opt-in and how we value the PI required. California Personnel should see the Notice of Financial Incentive Programs in our California Personnel Privacy Notice.
5. OUR RIGHTS AND THE RIGHTS OF OTHERS
Notwithstanding anything to the contrary, we may collect, use and disclose your PI as required or permitted by applicable law and this may override your rights under U.S. Privacy Laws. In addition, we are not required to honor your requests to the extent that doing so would infringe upon our or another person’s or party’s rights or conflict with applicable law.
6. ADDITIONAL NOTICE FOR CALIFORNIA RESIDENTS
In addition to the CCPA, certain Californians are entitled to certain other notices, as follows:
This Notice provides information on our online practices and your California rights specific to our online services. Without limitation, Californians that visit our online services and seek to acquire goods, services, money or credit for personal, family or household purposes are entitled to the following notices of their rights:
Although our services are intended for an audience over the age of majority, any California residents under the age of eighteen (18) who have registered to use our services, and posted content on the service, can request removal by contacting us, detailing where the content is posted and attesting you posted it. We will then make reasonably good faith efforts to remove the post from prospective public view or anonymize it, so the minor cannot be individually identified to the extent required by applicable law. This removal process cannot ensure complete or comprehensive removal. For instance, third parties may have republished or archived content by search engines we do not control.
We may from time to time elect to share certain “personal information” (as defined by California’s “Shine the Light” law) about you with third parties for those third parties’ direct marketing purposes. California Civil Code § 1798.83 permits California residents who have supplied personal information, as defined in the statute, to us to, under certain circumstances, request and obtain certain information regarding our disclosure, if any, of personal information to third parties for their direct marketing purposes. If this applies, you may obtain the categories of personal information shared and the names and addresses of all third parties that received personal information for their direct marketing purposes during the immediately prior calendar year (e.g. requests made in 2023 will receive information about 2022 sharing activities). To make such a request, please provide sufficient information for us to determine if this applies to you, attest to the fact that you are a California resident and provide a current California address for our response. You may make this request by emailing us at privacy@avalonbay.com, or in writing at: 4040 Wilson Blvd., Suite 1000, Arlington, VA 22203, (Attention: Legal Counsel). Any such request must include “California Privacy Rights Request” in the first line of the description and include your name, street address, city, state, and ZIP code. Please note that we are only required to respond to one request per customer each year.
As these rights and your CCPA rights are not the same and exist under different laws, you must exercise your rights under each law separately.
7. ADDITIONAL NOTICE FOR CONNECTICUT RESIDENTS
Connecticut law requires any person or entity that collects Social Security numbers from Connecticut residents in the course of business to create a privacy protection policy and to publish or display it publicly. It is our policy to protect the confidentiality of Social Security numbers in our possession from misuse and improper disclosure by maintaining and enforcing policies and physical and electronic safeguards against misuse and improper disclosure. Unlawful disclosure of Social Security numbers is prohibited, and access to them is limited to personnel who need access to such information in order to perform their job functions.
If you have any questions, comments, or concerns about our privacy practices, please contact us by e-mail at privacy@avalonbay.com or call us at 1-833-605-4293 between the hours of 9 AM and 5 PM ET, Monday through Friday. Please note that e-mail communications will not necessarily be secure; accordingly, you should not include sensitive information in your e-mail correspondence with us.