U.S. State Privacy Notice

Effective Date: January 30, 2023

This U.S. State Privacy Notice (“Notice”) applies to “Consumers” as defined under the California Consumer Privacy Act, including as amended by the California Privacy Rights Act (together, the “CCPA”), the Colorado Privacy Act, the Virginia Consumer Data Protection Act, Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring, and all laws implementing, supplementing or amending the foregoing, including regulations promulgated thereunder (collectively, “U.S. Privacy Laws”). Capitalized terms used but not defined in this Notice shall have the meanings given to them under U.S. Privacy Laws.

This Notice is designed to meet our obligations under U.S. Privacy Laws and supplements the general privacy policies of AvalonBay Communities, Inc. and our subsidiaries (“Company” “us,” “we,” or “our”) including, without limitation, our website Privacy Policy. In the event of a conflict between any other Company policy, notice, or statement and this Notice, this Notice will prevail as to Consumers unless stated otherwise.

Applicability:

  • Section 1 of this Notice provides notice of our data practices, including our collection, use, disclosure, and sale of Consumers’ Personal Information or Personal Data (collectively, “PI”). It does not apply to our job applicants, current employees, former employees, or independent contractors (“Personnel”). Our California Personnel can learn about our data practices as relates to them in our California Personnel Privacy Notice.
  • Sections 2-5 of this Notice provide information regarding Consumer rights and how you may exercise them. Section 2 also provides information regarding rights of our California Personnel
  • Section 6 of this Notice provides additional information for California residents, other than our Personnel.

For California residents the term “Consumer” is not limited to data subjects acting as individuals regarding household goods and services and includes data subjects in a business-to-business context. This is not the case in the other states.

TABLE OF CONTENTS

1. Notice of Data Practices

(a) PI Collection, Disclosure, and Retention – By Category of PI

(b) PI Use and Disclosure – By Processing Purpose

2. Your Consumer Rights and How to Exercise Them

(a) Right to Limit Sensitive PI Processing

(b) Right to Know/Access

(1) Categories (available for California Residents Only)

(2) Specific Pieces

(c) Do Not Sell / Share / Target

(d) Right to Delete

(e) Correct Your PI

(f) Automated Decision Making/Profiling

(g) How to Exercise Your Consumer Privacy Rights

(1) Your Request Must be a Verifiable Consumer Request

(2) Agent Requests

(3) Appeals

(h) Our Responses

3. Non-Discrimination/Non-Retaliation

4. Notice of Financial Incentive Programs

5. Our Rights and the Rights of Others

6. Additional Notice for California Residents

(a) California Minors

(b) Shine the Light

7. Additional Notice For Connecticut Residents

8. Contact Us


1. NOTICE OF DATA PRACTICES

The description of our data practices in this Notice covers the twelve (12) months prior to the Effective Date and will be updated at least annually. Our data practices may differ between updates, however, if materially different from this Notice, we will provide supplemental pre-collection notice of the current practices, which may include references to other privacy policies, notices, or statements. Otherwise, this Notice serves as our notice at collection.

We may collect your PI directly from you (e.g., when you register for an account or apply to live in one of our communities); from your devices; from our affiliates; from our service providers, such as internet listing services, fraud prevention and security providers, marketing providers, and consumer and support providers; from public sources of data such as government databases; or from other businesses or individuals.

Generally, we Process your PI to provide you services and as otherwise related to the operation of our business, including for one or more of the following Business Purposes: Performing Services; Managing Interactions and Transactions; Security; Debugging; Advertising & Marketing Services; Quality Assurance; Processing Interactions and Transactions; and Research and Development. We may also use PI for other Business Purposes in a context that is not a Sale or Share under U.S. Privacy Laws, such as disclosing it to our Service Providers, Contractors, or Processors that perform services for us (“Vendors”), to the Consumer or to other parties at the Consumer’s direction or through the Consumer’s action; for the additional purposes explained at the time of collection (such as in the applicable privacy policy or notice); as required or permitted by applicable law; to the government or private parties to comply with law or legal process; and to assignees as part of an acquisition, merger, asset sale, or other transaction where another party assumes control over all or part of our business (“Corporate Transaction”) (“Additional Business Purposes”). Subject to restrictions and obligations under U.S. Privacy Laws, our Vendors may also use your PI for Business Purposes and Additional Business Purposes, and may engage their own vendors to enable them to perform services for us.

We may also use and disclose your PI under this Notice for Commercial Purposes, which may be considered a “Sale” or “Share” under applicable U.S. Privacy Laws, such as when Third-Party Digital Businesses (defined below) collect your PI via third-party cookies, and when we Process PI for certain advertising purposes. In addition, we may make your PI available to Third-Parties for their own use, such as selected marketing partners that offer services to our residents.

We provide more detail on our data practices in the two charts that follow.

(a) PI Collection, Disclosure, and Retention – By Category of PI

We collect, disclose, and retain PI as follows:

Category of PI Examples of PI Collected and Retained Categories of Recipients
1. Identifiers Real name, alias, postal address, unique personal identifiers, online identifier, Internet Protocol address, e-mail address, account name, and other similar identifiers.

Disclosures for Business Purposes:

  • Vendors (e.g., internet listing services, resident services providers, payment processors, fraud prevention and security providers, marketing services providers, analytics providers, consumer service and support providers, and cloud services and storage providers);
  • Collection agencies in the event of non-payment by a resident;
  • Public authorities/governmental bodies (making requests pursuant to legal or regulatory process); and/or
  • Other parties within the limits of Additional Business Purposes.

Sale/Share:

  • Third-Party Digital Businesses; and
  • Selected marketing partners that offer services to our residents, such as credit card issuers.
2. Personal Records Name, signature, physical characteristics or description, address, telephone number, and financial information (e.g., credit card number, bank account number, or debit card number), insurance policy number, medical information, health insurance information, or emergency contact details. Some PI included in this category may overlap with other categories.

Disclosures for Business Purposes:

  • Vendors (e.g., internet listing services, resident services providers, payment processors, fraud prevention and security providers, marketing services providers, analytics providers, consumer service and support providers, and cloud services and storage providers);
  • Collection agencies in the event of non-payment by a resident;
  • Public authorities/governmental bodies (making requests pursuant to legal or regulatory process); and/or
  • Other parties within the limits of Additional Business Purposes.

Sale/Share:

Selected marketing partners that offer services to our residents, such as credit card issuers

3. Consumer Characteristics In some circumstances, we may collect PI that is considered protected under U.S. law, such as age, sex, gender identity, marital status, veteran status, citizenship status, familial status, disability, religion, or payment history, but only when that information is relevant for our Business Purposes. We abide by the legal requirements imposed under applicable law in regards to such information.

Disclosures for Business Purposes:

  • Vendors (e.g., fraud prevention and security providers, survey providers, consumer service and support providers, and cloud services and storage providers);
  • Public authorities/governmental bodies (making requests pursuant to legal or regulatory process); and/or
  • Other parties within the limits of Additional Business Purposes.

Sale/Share:

None

4. Customer Account Details/Commercial Information Records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

Disclosures for Business Purposes:

  • Vendors (e.g., internet listing services, resident services providers, payment processors, fraud prevention and security providers, analytics providers, customer relationship marketing providers, consumer service and support providers, and cloud services and storage providers);
  • Collection agencies in the event of non-payment by a resident;
  • Public authorities/governmental bodies (making requests pursuant to legal or regulatory process); and/or
  • Other parties within the limits of Additional Business Purposes.

Sale/Share:

  • Third-Party Digital Businesses; and
  • Selected marketing partners that offer services to our residents, such as credit card issuers.
5. Internet Usage Information When you browse our sites or otherwise interact with us online, we may collect browsing history, search history, and other information regarding your interaction with sites, applications, or advertisements.

Disclosures for Business Purposes:

  • Vendors (e.g., internet listing services, resident services providers, payment processors, fraud prevention and security providers, marketing services providers, analytics providers, consumer service and support providers, and cloud services and storage providers);
  • Public authorities/governmental bodies (making requests pursuant to legal or regulatory process); and/or
  • Other parties within the limits of Additional Business Purposes.

Sale/Share:

Third-Party Digital Businesses

6. Geolocation Data If you interact with us online we may gain access to the approximate, and sometimes precise, location of the device or equipment you are using.

Disclosures for Business Purposes:

  • Vendors (e.g., fraud prevention and security providers, mobile app services provider, consumer service and support providers, and cloud services and storage providers,);
  • Public authorities/governmental bodies (making requests pursuant to legal or regulatory process); and/or
  • Other parties within the limits of Additional Business Purposes.

Sale/Share:

None

7. Sensory Data We may collect audio, electronic, video, or similar information such as when you contact us through our resident service line and through security cameras at our communities.

Disclosures for Business Purposes:

  • Vendors (e.g., fraud prevention and security providers, customer relationship marketing providers, consumer service and support providers, and cloud services and storage providers);
  • Public authorities/governmental bodies (making requests pursuant to legal or regulatory process); and/or
  • Other parties within the limits of Additional Business Purposes.

Sale/Share:

None

8. Professional or Employment Information Professional, educational, or employment-related information, such as employment history.

Disclosures for Business Purposes:

  • Vendors (e.g., fraud prevention and security providers, customer relationship marketing providers, and cloud services and storage providers);
  • Public authorities/governmental bodies (making requests pursuant to legal or regulatory process); and/or
  • Other parties within the limits of Additional Business Purposes.

Sale/Share: None

9. Inferences from PI Collected Inferences drawn from PI to create a profile about a Consumer reflecting preferences, characteristics, trends, preferences, predispositions, and behaviors.

Disclosures for Business Purposes:

  • Vendors (e.g., analytics providers and cloud services and storage providers);
  • Other parties within the limits of Additional Business Purposes.

Sale/Share: None

10. Sensitive PI Government Issued Identification Numbers (e.g., social security, driver’s license, state identification card, or passport number)

Disclosures for Business Purposes:

  • Vendors (e.g., processing and storage vendors);
  • Collection agencies in the event of non-payment by a resident;
  • Public authorities/governmental bodies (making requests pursuant to legal or regulatory process); and/or
  • Other parties within the limits of Additional Business Purposes.

Sale/Share: None

Precise Geolocation (any data that is derived from a device and that is used or intended to be used to locate a consumer w/in a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet)

Disclosures for Business Purposes:

  • Vendors (e.g., processing and storage vendors); and/or
  • Other parties within the limits of Additional Business Purposes.

Sale/Share: None

Sensitive Personal Characteristics (e.g., religious beliefs, citizenship status)

Disclosures for Business Purposes:

  • Vendors (e.g., processing and storage vendors);
  • Public authorities/governmental bodies (making requests pursuant to legal or regulatory process); and/or
  • Other parties within the limits of Additional Business Purposes.

Sale/Share: None

Biometric Information (e.g., scans of facial geometry, or fingerprints)

Disclosures for Business Purposes:

  • Vendors (e.g., fraud prevention and security providers); and/or
  • Other parties within the limits of Additional Business Purposes.

Sale/Share: None

Health Information (PI collected and analyzed concerning a consumer’s health or medical history)

Disclosures for Business Purposes:

  • Vendors (e.g., processing and storage providers);
  • Public authorities/governmental bodies (making requests pursuant to legal or regulatory process); and/or
  • Other parties within the limits of Additional Business Purposes.

Sale/Share: None

There may be additional information we collect that meets the definition of PI under applicable U.S. Privacy Laws but is not reflected by a category above, in which case we will treat it as PI as required, but will not include it when we describe our practices by PI category. Because there are numerous types of PI in each category of PI, and various uses for each PI type, our retention periods for each category of PI vary. We retain specific PI pieces based on how long we have a legitimate purpose for the retention.

Return to navigation

(b) PI Use and Disclosure – By Processing Purpose

We use and disclose PI for the processing purposes described below:

Processing Purpose(s) Examples(s) of Processing Purpose Categories of PI Implicated Categories of Recipients
1. Performing Services

Provide our services/communicate about our services: to provide you with info or services, to send you electronic newsletters and push notifications (if you have elected to receive such), qualify you to enter into a lease at one of our communities; service calls to your apartment home; ensure that you comply with lease terms

Enable additional features of our sites: to enable you to participate in a variety of our site’s features, including to pay rent and book tours online

Contact You: to contact you about your use of our services and, in our discretion, changes to our services or our service’s policies

Account management: to process your registration with our services, verify your info is active and valid, and manage your account

Resident Service: to respond to any questions, comments, or requests you have for us or for other resident service purposes

Payment: to facilitate rent payment

  • Identifiers
  • Personal Records
  • Personal Characteristics or Traits
  • Customer Account Details/Commercial Information
  • Internet Usage Information
  • Geolocation Data
  • Sensory Data
  • Inferences from PI Collected
  • Government Issued Identification Numbers
  • Financial Data
  • Sensitive Personal Characteristics
  • Biometric Information
  • Health Information
  • Vendors (e.g., internet listing services, resident services providers, payment processors, fraud prevention and security providers, marketing services providers, analytics providers, customer relationship marketing providers, consumer service and support providers, and cloud services and storage providers);
  • Collection agencies in the event of non-payment by a resident;
  • Public authorities/governmental bodies (making requests pursuant to legal or regulatory process);
  • Other parties within the limits of Additional Business Purposes; and/or
  • Third-Party Digital Businesses
2. Managing Interactions and Transactions Auditing: related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with user interaction or transaction specifications and standards (e.g., ecommerce activities).
  • Identifiers
  • Internet Usage Information
  • Vendors (e.g., fraud prevention and security providers, marketing services providers, analytics providers, consumer service and support providers, and cloud services and storage providers);
  • Other parties within the limits of Additional Business Purposes; and/or
  • Third-Party Digital Businesses.
3. Security Security/fraud prevention: to protect the security of Company, our services, or its users and to prevent and address fraud; identity validation of consumer accounts or prevent unauthorized access to resident accounts; prevent identity theft
  • Identifiers
  • Personal Records
  • Customer Account Details/Commercial Information
  • Internet Usage Information
  • Sensory Data
  • Government Issued Identification Numbers
  • Financial Data
  • Biometric Information
  • Vendors (e.g., Service Providers that help verify your identity if you take a self-guided tour of one of our properties; Service Providers that help ensure the physical safety of our communities; fraud prevention and security providers)
  • Public authorities/governmental bodies (making requests pursuant to legal or regulatory process); and/or
  • Other parties within the limits of Additional Business Purposes); and/or
  • Third-Party Digital Businesses
4. Debugging Repairs: to identify and repair errors that impair existing intended functionality of our services.
  • Identifiers
  • Internet Usage Information
  • Sensory Data
  • Vendors (e.g., Service Providers that help identify and repair errors on our services); and/or
  • Other parties within the limits of Additional Business Purposes.
5. Advertising & Marketing (excluding Cross-Context Behavioral Advertising and Targeted Advertising)

Content and offers customization: to customize your experience on our websites apps, or other services, or to serve you specific content and offers that are relevant to/customized for you

Advertising, marketing, and promotions: to assist us in determining relevant advertising and the success of our advertising campaigns; to help us determine where to place our ads, including on other websites; for promotional activities such as running sweepstakes, contests, and other promotions.

Third-party: for selected marketing partners to offer services to our residents, such as credit card issuers
  • Identifiers
  • Personal Records
  • Personal Characteristics or Traits
  • Customer Account Details/Commercial Information
  • Internet Usage Information
  • Inferences from PI Collected
  • Vendors (e.g., internet listing services, marketing services providers, analytics providers, consumer service and support provider, and cloud services and storage providers);
  • Selected marketing partners that offer services to our residents, such as credit card issuers;
  • Other parties within the limits of Additional Business Purposes; and/or
  • Third-Party Digital Businesses.
6. Quality Assurance Quality and Safety of Service: undertaking activities to verify or maintain the quality or safety of our services, and to improve, upgrade, or enhance our services.
  • Identifiers
  • Internet Usage Information
  • Sensory Data
  • Vendors (e.g., Service Providers that help improve the quality of our services); and/or
  • Other parties within the limits of Additional Business Purposes.
7. Processing Interactions and Transactions Short-term, transient use: including, but not limited to, non-personalized advertising shown as part of a Consumer’s current interaction with Company and use of our services’ features and functionality (e.g., e-commerce transactions)
  • Identifiers
  • Personal Records
  • Customer Account Details/Commercial Information
  • Internet Usage Information
  • Geolocation Data
  • Inferences from PI Collected
  • Vendors (e.g., internet listing services, fraud prevention and security providers, marketing services providers, analytics providers, consumer service and support providers, and cloud services and storage providers); and/or
  • Other parties within the limits of Additional Business Purposes.
8. Research and Development

Research and analytics: to better understand how users access and use our services, both on an aggregated and individualized basis, to improve our services and respond to user preferences, and for other research and analytical purposes

Customer satisfaction surveys: to administer surveys and questionnaires, such as for customer satisfaction purposes
  • Identifiers
  • Personal Records
  • Personal Characteristics or Traits
  • Customer Account Details/Commercial Information
  • Internet Usage Information
  • Geolocation Data
  • Sensory Data
  • Inferences from PI Collected
  • Vendors (e.g., consumer service and support provider and cloud services and storage providers);
  • Public authorities/governmental bodies (making requests pursuant to legal or regulatory process); and/or
  • Other parties within the limits of Additional Business Purposes; and/or
  • Third-Party Digital Businesses.
9. Additional Business Purposes

Compliance with legal obligations: to comply with legal obligations, as part of our general business operations, and for other business administration purposes

Prevention of illegal activities, fraud, injury to others, or violation of our terms and policies: to investigate, prevent or take action if someone may be using info for illegal activities, fraud, or in ways that may threaten someone’s safety or violate of our terms or this Notice

Purposes disclosed at PI collection: We may provide additional disclosures at the time of PI collection, such as on a checkout page

Related or compatible purposes: for purposes that are related to and/or compatible with any of the foregoing purposes
  • Identifiers
  • Personal Records
  • Personal Characteristics or Traits
  • Customer Account Details/Commercial Information
  • Internet Usage Information
  • Geolocation Data
  • Sensory Data
  • Inferences from PI Collected
  • Government Issued Identification Numbers
  • Financial Data
  • Sensitive Personal Characteristics
  • Biometric Information
  • Health Information
  • Vendors (e.g., payment processors, fraud prevention and security providers, marketing services providers, analytics providers, consumer service and support providers, and cloud services and storage providers);
  • Collection agencies in the event of non-payment by a resident;
  • Public authorities/governmental bodies (making requests pursuant to legal or regulatory process); and/or
  • Other parties within the limits of Additional Business Purposes.
10. Commercial Purposes

Cross-context Behavioral Advertising

Targeted Advertising

Strategic partnerships with selected marketing partners that offer services to our residents, such as credit card issuers

  • Identifiers
  • Internet Usage Information
  • Vendors (e.g., internet listing services, marketing services providers, and analytics providers);
  • Selected marketing partners that offer services to our residents, such as credit card issuers; and/or
  • Third-Party Digital Businesses

Return to navigation

2. YOUR CONSUMER RIGHTS AND HOW TO EXERCISE THEM

As described more below, subject to meeting the requirements for a Verifiable Consumer Request (defined below), Company provides Consumers and our California Personnel the privacy rights accorded to you under your applicable state law. For residents of states without Consumer privacy rights, we will consider requests but will apply our discretion with respect to if and how we process such requests. We will also consider applying state law rights prior to the effective date of such laws, but will do so in our discretion.

To submit a request to exercise your Consumer privacy rights, or to submit a request as an authorized agent, use our Consumer Rights Request page here, or call us at 1-833-605-4293 between the hours of 9 AM and 5 PM ET, Monday through Friday, and respond to any follow-up inquiries we make. Please be aware that we do not accept or process requests through other means (e.g., via fax, chats, social media etc.). More details on the request and verification process is in Section 2(g) below. The Consumer rights we accommodate are as follows:

(a) Right to Limit Sensitive PI Processing

We only Process Sensitive PI for purposes that are exempt from Consumer choice under U.S. Privacy Laws.

(b) Right to Know/Access

Residents of California, Virginia, and Colorado are entitled to access PI up to twice in a 12-month period. Residents of Connecticut are entitled once every 12-month period to access PI maintained by Company, with subsequent requests subject to a service fee. We apply the same limitation on number of Verifiable Consumer Requests in Connecticut to all states other than California, Virginia, and Colorado.

(1) Categories (available for California Residents Only)

California residents have a right to submit a request for any of the following for the period that is 12-months prior to the request date:

• The categories of PI we have collected about you.

• The categories of sources from which we collected your PI.

• The Business Purposes or Commercial Purposes for our collecting or Selling your PI.

• The categories of third parties to whom we have shared your PI.

• A list of the categories of PI disclosed for a Business Purpose and, for each, the categories of recipients, or that no disclosure occurred.

• A list of the categories of PI sold about you and, for each, the categories of recipients, or that no sale occurred.

(2) Specific Pieces

You may request to confirm if we are Processing your PI and, if we are, to obtain a transportable copy, subject to applicable request limits, of your PI that we have collected and are maintaining. For your specific pieces of PI, as required by applicable U.S. Privacy Laws, we will apply the heightened verification standards as described below. We have no obligation to re-identify information or to keep PI longer than we need it or are required to by applicable law to comply with access requests.

(c) Do Not Sell / Share / Target

Under the various U.S. Privacy Laws there are broad and differing concepts of “Selling” PI for which an opt-out is required. California also has an opt-out from “Sharing” for Cross-Context Behavioral Advertising (use of PI from different businesses or services to target advertisements). Other states have an opt-out of “Targeted Advertising” (defined differently but also addressing tracking, profiling, and targeting of advertisements). We may Sell or Share your PI and/or use your PI for Targeted Advertising, as these terms apply under U.S. Privacy Laws. However, we provide U.S. Consumers an opt out of Sale/Sharing/Targeting that is intended to combine all of these state opt-outs into a single opt-out available regardless of state of residency.

Third-Party digital businesses (“Third-Party Digital Businesses”) may associate cookies and other tracking technologies that collect PI about you on our services, or otherwise Collect and Process PI that we make available about you, including digital activity information. We understand that giving access to PI on our services, or otherwise, to Third-Party Digital Businesses could be deemed a Sale and/or Share under some state laws and thus we will treat such PI (e.g., cookie ID, IP address, and other online IDs and internet or other electronic activity information) collected by Third-Party Digital Businesses, where not limited to acting as our Service Provider (or Contractor or Processor), as a Sale and/or Share and subject to a Do Not Sell/Share/Target opt-out request. We will not Sell your PI, Share your PI for Cross-Context Behavioral Advertising, or Process your PI for Targeted Advertising if you make a Do Not Sell/Share/Target opt-out request.

Opt-out for non-cookie PI: If you want to limit our Processing of your non-cookie PI (e.g., your email address) for Targeted Advertising, or opt-out of the Sale/Sharing of such data, make an opt-out request here.

Opt-out for cookie PI: If you want to limit our Processing of your cookie-related PI for Targeted Advertising, or opt-out of the Sale/Sharing of such PI, you need to exercise a separate opt-out request on our cookie management tool here ( ). This is because we have to use different technologies to apply your opt-out of cookie PI and to non-cookie PI. Our cookie management tool enables you to exercise such an opt-out request and enable certain cookie preferences on your device. You must exercise your preferences on each of our websites you visit, from each browser you use, and on each device that you use. Since your browser opt-out is designated by a cookie, if you clear or block cookies, your preferences will no longer be effective and you will need to enable them again via our cookie management tool. Beware that if you use ad blocking software, our cookie banner may not appear when you visit our services and you may have to use the link above to access the tool.

Opt-out preference signals (also known as global privacy control or GPC): Some of the U.S. Privacy Laws require businesses to process GPC signals, which is referred to in California as opt-out preference signals (“OOPS”), which are signals sent by a platform, technology, or mechanism, enabled by individuals on their devices or browsers, that communicate the individual’s choice to opt-out of the Sale and Sharing of personal information. To use an OOPS/GPC, you can download an internet browser or a plugin to use on your current internet browser and follow the settings to enable the OOPS/GPC. We have configured the settings of our consent management platform to receive and process GPC signals on our website, which is explained by our consent management platform here. We process OOPS/GPC with respect to Sales and Sharing that may occur in the context of Collection of cookie PI by tracking technologies online by Third-Party Digital Businesses, discussed above, and apply it to the specific browser on which you enable OOPS/GPC. We currently do not, due to technical limitations, process OOPS/GPC for opt-outs of Sales and Sharing in other contexts (e.g., non-cookie PI). We do not: (1) charge a fee for use of our service if you have enabled OOPS/GPC; (2) change your experience with any product or service if you use OOPS/GPC; or (3) display a notification, pop-up, text, graphic, animation, sound, video, or any interstitial in response to the OOPS/GPC.

We do not knowingly Sell or Share the PI of Consumers under 16, unless we receive affirmative authorization (“opt-in”) from either the Consumer who is between 13 and 16 years old, or the parent or guardian of a Consumer who is less than 13 years old. If you think we may have unknowingly collected PI of a Consumer under 16 years old, please Contact Us.

We may disclose your PI for the following purposes, which are not a Sale or Share: (i) if you direct us to disclose PI; (ii) to comply with a Consumer rights request you submit to us; (iii) disclosures amongst the entities that constitute Company as defined above, or as part of a Corporate Transaction; and (iv) as otherwise required or permitted by applicable law

(d) Right to Delete

Except to the extent we have a basis for retention under applicable law, you may request that we delete your PI. Our retention rights include, without limitation:

  • to complete transactions and services you have requested;
  • for security purposes;
  • for legitimate internal Business Purposes (e.g., maintaining business records);
  • to comply with law and to cooperate with law enforcement; and
  • to exercise or defend legal claims.

Note also that, depending on where you reside (e.g., California), we may not be required to delete your PI that we did not collect directly from you.

(e) Correct your PI

Consumers may bring inaccuracies they find in their PI that we maintain to our attention and we will act upon such a complaint as required by applicable law.

(f) Automated Decision Making/Profiling

We only engage in Automated Decision Making or Profiling in ways that are exempt from Consumer choice under U.S. Privacy Laws.

(g) How to Exercise Your Consumer Privacy Rights

To submit a request to exercise your Consumer privacy rights, or to submit a request as an authorized agent, use our Consumer Rights Request page here, or call us at 1-833-605-4293 between the hours of 9 AM and 5 PM ET, Monday through Friday, and respond to any follow-up inquiries we make. Please be aware that we do not accept or process requests through other means (e.g., via fax, chats, social media etc.).

(1) Your Request Must be a Verifiable Consumer Request

As permitted or required by applicable U.S. Privacy Laws, any request you submit to us must be a Verifiable Consumer Request, meaning when you make a request, we may ask you to provide verifying information, such as your name, e-mail, and phone number. You will then be contacted for further verification which typically will involve use of an application that will compare a photograph of you to your government issued identification card. However, other methods of verification may be available upon request at privacy@avalonbay.com. We will review the information provided and may request additional information (e.g., transaction history) via e-mail or other means to ensure we are interacting with the correct individual. We will not fulfill your Right to Know (Categories), Right to Know (Specific Pieces), Right to Delete, or Right to Correction request unless you have provided sufficient information for us to reasonably verify you are the Consumer about whom we collected PI. We do not verify opt-outs of Sell/Share/Target or Limitation of Sensitive PI requests unless we suspect fraud.

We verify each request as follows:

  • Right to Know (Categories) (available for California residents only): We verify your Request to Know Categories of PI to a reasonable degree of certainty or a reasonably high degree of certainty depending on the verification method used. If we cannot do so, we will refer you to this Notice for a general description of our data practices.
  • Right to Know (Specific Pieces): We verify your Request To Know Specific Pieces of PI to a reasonably high degree of certainty. If you fail to provide requested information, we will be unable to verify you sufficiently to honor your request, but we will then treat it as a Right to Know Categories Request if you are a California resident.
  • Do Not Sell/Share/Target & Limit SPI: No specific verification required unless we suspect fraud.
  • Right to Delete: We verify your Request to Delete to a reasonable degree of certainty or to a reasonably high degree of certainty depending on the verification method used, the sensitivity of the PI, and the risk of harm to the Consumer posed by unauthorized deletion. If we cannot verify you sufficiently to honor a deletion request, you can still make a Do Not Sell/Share/Target and/or Limit SPI request.
  • Correction: We verify your Request to Correct PI to a reasonable degree of certainty or to a reasonably high degree of certainty, depending on the verification method used, the sensitivity of the PI, and the risk of harm to the Consumer posed by unauthorized correction.

To protect Consumers, if we are unable to verify you sufficiently, we will be unable to honor your request. We will use PI provided in a Verifiable Consumer Request only to verify your identity or authority to make the request and to track and document request responses, unless you also gave it to us for another purpose.

(2) Agent Requests

You may use an authorized agent to make a request for you, subject to our verification of the agent, the agent’s authority to submit requests on your behalf, and of you. You can learn how to do this by visiting the agent section of our Consumer Rights Request page here. Once your agent’s authority is confirmed, they may exercise rights on your behalf subject to the agency requirements of applicable U.S. Privacy Laws.

(3) Appeals

You may appeal Company’s decision regarding a request by following the instructions in our response to you.

(h) Our Responses

Some PI that we maintain is insufficiently specific for us to be able to associate it with a Consumer (e.g., clickstream data tied only to a pseudonymous browser ID). We do not include that PI in response to those requests. If we deny a request, in whole or in part, we will explain the reasons in our response.

We will make commercially reasonable efforts to identify Consumer PI that we Process to respond to your Consumer request(s). In some cases, particularly with voluminous and/or typically irrelevant data, we may suggest you receive the most recent or a summary of your PI and give you the opportunity to elect whether you want the rest. We reserve the right to direct you to where you may access and copy responsive PI yourself. We will typically not charge a fee to fully respond to your requests; provided, however, that we may charge a reasonable fee, or refuse to act upon a request, if your request is excessive, repetitive, unfounded, or overly burdensome. If we determine that the request warrants a fee, or that we may refuse it, we will give you notice explaining why we made that decision. You will be provided a cost estimate and the opportunity to accept such fees before we will charge you for responding to your request.

Consistent with applicable U.S. Privacy Laws and our interest in the security of your PI, we will not deliver to you your Social Security number, driver’s license number, or other government-issued ID number, financial account number, any health or medical identification number, an account password, security questions or answers, or unique Biometric Information generated from measurements or technical analysis of human characteristics in response to a Consumer privacy rights request; however, you may be able to access some of this information yourself through your account if you have an active account with us.

Return to navigation

3. NON-DISCRIMINATION/NON-RETALIATION

We will not discriminate or retaliate against you in a manner prohibited by applicable U.S. Privacy Laws for your exercise of your Consumer privacy rights. We may charge a different price or rate, or offer a different level or quality of good or service, to the extent that doing so is reasonably related to the value of the applicable PI.

Return to navigation

4. NOTICE OF FINANCIAL INCENTIVE PROGRAMS

We do not currently offer discounts or rewards to Consumers for providing us PI, or set price or service differences related to the collection, retention, sale, or sharing of PI. However, we may inform you of discounts, rewards, or other benefits offered by other businesses, and they may collect PI from you in connection with these benefits. Such benefits and PI collection are governed by their privacy policies and terms, and not ours.

If we offer such programs in the future, we will update this Notice to describe such program(s), including how you may opt-in and how we value the PI required. California Personnel should see the Notice of Financial Incentive Programs in our California Personnel Privacy Notice.

Return to navigation

5. OUR RIGHTS AND THE RIGHTS OF OTHERS

Notwithstanding anything to the contrary, we may collect, use and disclose your PI as required or permitted by applicable law and this may override your rights under U.S. Privacy Laws. In addition, we are not required to honor your requests to the extent that doing so would infringe upon our or another person’s or party’s rights or conflict with applicable law.

Return to navigation

6. ADDITIONAL NOTICE FOR CALIFORNIA RESIDENTS

In addition to the CCPA, certain Californians are entitled to certain other notices, as follows:

This Notice provides information on our online practices and your California rights specific to our online services. Without limitation, Californians that visit our online services and seek to acquire goods, services, money or credit for personal, family or household purposes are entitled to the following notices of their rights:

(a) California Minors

Although our services are intended for an audience over the age of majority, any California residents under the age of eighteen (18) who have registered to use our services, and posted content on the service, can request removal by contacting us, detailing where the content is posted and attesting you posted it. We will then make reasonably good faith efforts to remove the post from prospective public view or anonymize it, so the minor cannot be individually identified to the extent required by applicable law. This removal process cannot ensure complete or comprehensive removal. For instance, third parties may have republished or archived content by search engines we do not control.

(b) Shine the Light

We may from time to time elect to share certain “personal information” (as defined by California’s “Shine the Light” law) about you with third parties for those third parties’ direct marketing purposes. California Civil Code § 1798.83 permits California residents who have supplied personal information, as defined in the statute, to us to, under certain circumstances, request and obtain certain information regarding our disclosure, if any, of personal information to third parties for their direct marketing purposes. If this applies, you may obtain the categories of personal information shared and the names and addresses of all third parties that received personal information for their direct marketing purposes during the immediately prior calendar year (e.g. requests made in 2023 will receive information about 2022 sharing activities). To make such a request, please provide sufficient information for us to determine if this applies to you, attest to the fact that you are a California resident and provide a current California address for our response. You may make this request by emailing us at privacy@avalonbay.com, or in writing at: 4040 Wilson Blvd., Suite 1000, Arlington, VA 22203, (Attention: Legal Counsel). Any such request must include “California Privacy Rights Request” in the first line of the description and include your name, street address, city, state, and ZIP code. Please note that we are only required to respond to one request per customer each year.

As these rights and your CCPA rights are not the same and exist under different laws, you must exercise your rights under each law separately.

Return to navigation

7. ADDITIONAL NOTICE FOR CONNECTICUT RESIDENTS

Connecticut law requires any person or entity that collects Social Security numbers from Connecticut residents in the course of business to create a privacy protection policy and to publish or display it publicly. It is our policy to protect the confidentiality of Social Security numbers in our possession from misuse and improper disclosure by maintaining and enforcing policies and physical and electronic safeguards against misuse and improper disclosure. Unlawful disclosure of Social Security numbers is prohibited, and access to them is limited to personnel who need access to such information in order to perform their job functions.

Return to navigation

8. CONTACT US

If you have any questions, comments, or concerns about our privacy practices, please contact us by e-mail at privacy@avalonbay.com or call at us 1-833-605-4293 between the hours of 9 AM and 5 PM ET, Monday through Friday. Please note that e-mail communications will not necessarily be secure; accordingly, you should not include sensitive information in your e-mail correspondence with us.

Return to navigation