This section provides specific information for California consumers, as required under California privacy laws, including the California Consumer Privacy Act as amended, and its implementing regulations (“CCPA”). The CCPA requires that we provide certain information to California consumers about how we handle their PI, and their rights in that regard. Under the CCPA, “PI” is any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, device or household, including the categories identified in the chart below to the extent they identify, relate to, describe, are capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer, device or household, subject to certain exceptions (e.g., publicly available information is not PI).
Consistent with the CCPA, this notice, and the rights described, do not apply in calendar year 2020 to job applicants, current or former employees, contractors, or persons interacting with us in their capacity as a representative of a business.
This notice reflects our good faith understanding of the law and our data practices as of the Effective Date, but as of that date, the CCPA’s implementing regulations are not yet final and there remain differing interpretations of the law. Accordingly, we may from time-to-time update information in this and other notices regarding our data practices and your rights, modify our methods for responding to your requests, and/or supplement our response to your requests, as we continue to develop our compliance program to reflect the evolution of the law and our understanding of how it relates to our data practices.
Categories of PI of California Consumers that We Collect, Disclose, and Sell
|Categories of PI||Collection Sources||Purpose(s) for Collection||Categories of Parties We Share PI With|
|1. Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, IP address, e-mail address, account name, government ID or other similar identifiers.||From the consumer, by us and from the consumer’s browser, device, e-mail and/or social media account, other individuals, such as the consumer’s friends or family, business partners (non-vendors), and vendors.||Managing Cookies, sending marketing e-mails and text messages, conducting other advertising and promotional campaigns, data security, debugging, internal research and development, processing and managing customer interactions and transactions, facilitating arrangements we have with business partners, performing services requested by the consumer, and research and quality assurance.||Service providers, third party partners, Corporate Transaction recipients, and as directed by the consumer or as required by applicable law.|
|2. Personal records, including signature, physical characteristics or description, written statements, telephone number, address, credit card number, or other financial information.||From the consumer, by us and from the consumer’s e-mail and/or social media account, other individuals, such as the consumer’s friends or family, business partners (non-vendors), and vendors.||Data security, debugging, processing and managing consumer interactions and transactions, performing services requested by the consumer, research and quality assurance.||Service providers, third party partners, Corporate Transaction recipients, and as directed by the consumer or as required by applicable law.|
|3. Characteristics such as gender and age.||From the consumer and from vendors||Providing more relevant service to consumers||Service providers, Corporate Transaction recipients, and as directed by the Consumer or as required by applicable law.|
|4. Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.||From the consumer, by us from the consumer’s browser, device, e-mail and/or social media account, other individuals, such as the consumer’s friends or family, business partners (non-vendors), and vendors.||Data security, debugging, processing and managing consumer interactions and transactions, performing services requested by the consumer, advertising, research and quality assurance.||Service providers, third party partners, Corporate Transaction recipients, and as directed by the consumer or as required by applicable law.|
|5. Biometric information.||N/A||N/A||N/A|
|6. Internet or other electronic network activity information, including, but not limited to, browsing history, browsing time, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.||From the consumer, by us and from the consumer’s browser, device, e-mail and/or social media account, and our vendors.||Debugging, processing and managing consumer interactions and transactions, performing services requested by the consumer, advertising, quality assurance and research and analytics.||Service providers, third party partners, Corporate Transaction recipients, and as directed by the consumer or as required by applicable law.|
|7. Geolocation data, including, but not limited to, precise physical location and movement patterns||From the consumer, by us and from the consumer’s browser, device, e-mail and/or social media account, and otherwise directly from Consumers||Managing Cookies, processing and managing consumer interactions and transactions, performing services requested by the consumer, targeted advertising, quality assurance, fraud prevention and security, and research and analytics.||Service providers, third party partners, Corporate Transaction recipients, and as directed by the consumer or as required by applicable law.|
|8. Audio, electronic, visual, thermal, olfactory, or similar information, including, but not limited to, image, photograph, and voice.||Directly from consumers||Processing and managing consumer interactions and transactions, performing services requested by the consumer, quality assurance, and fraud prevention and security.||Service providers, Corporate Transaction recipients, and as directed by the consumer or as required by applicable law.|
|9. Professional or employment-related information.||N/A||N/A||N/A|
|10. Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).||N/A||N/A||N/A|
|11. Inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer’s preferences, and behavior.||Consumer’s browser, device, e-mail and/or social media account, and otherwise directly from consumers or as created by us or our vendors.||Processing and managing customer interactions and transactions, performing services requested by the customer, and quality assurance and security and fraud prevention.||Service providers, Corporate Transaction recipients, and as directed by the consumer or as required by applicable law.|
We have disclosed the following categories PI of California consumers for a business purpose, consistent with the collection purposes set forth in the chart above, within the 12 months preceding the Effective Date:
- Personal records;
- Commercial information;
- Internet or other electronic network activity information;
- Geolocation data;
- Audio, electronic, visual, thermal, olfactory of similar information; and
- • Inferences drawn from PI to create a profile about a consumer.
The applicable sources, and purposes of the PI collected by us, and the categories of third parties to which we have disclosed it for business purposes, are set forth in the chart above. We do not believe that we have sold PI, except as discussed in the next section. We acknowledge that the data collection by some third party Cookies associated with our Services may be considered by some to be a “sale” under the broad language of the CCPA
Rights that California consumers have under the CCPA. California law grants consumers certain rights and imposes certain restrictions on particular business practices as set forth below.
Do Not Sell Right If you are a California consumer, you have the right to opt-out of the sale of your PI. The CCPA, however, defines “sale” in an unusual way, and with no guidance from the State of California as of the Effective Date as to how broadly the term should be interpreted, a number of differing reasonable interpretations are possible.
We do not believe that sharing your information with certain third parties as part of our normal business operations constitutes a sale within the meaning of what most people would consider a sale to be. Even under a broad understanding of “sale,” we do not typically sell your PI, but from time to time, we may decide to share your information with certain trusted third parties so that they can contact you with offers that you might enjoy. Because of this possibility, we are also providing you a way to opt-out of the sharing of your information that might occur under such circumstances. To exercise your right, visit our Privacy Rights Requests Center and fill out the appropriate form or call us at 844-674-2442.
We do not knowingly sell the PI of children under the age of 16 without the authorization required by the CCPA.
Requests for Deletion and Right to Know. If you are a California consumer, you have the right to make the following requests, typically at no charge, up to twice every 12 months:
- Deletion: the right to request deletion of your PI that we have collected about you, subject to certain exemptions, such as where the information is used to complete the transaction for which the PI was collected, provide a good or service that you have requested, perform a contract between you and us, detect security incidents, protect against malicious, deceptive, fraudulent or illegal activities, prosecute people responsible for malicious, deceptive, fraudulent or illegal activities, debug to identify and repair errors that impair existing intended functionality, comply with a legal obligation, enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us, or otherwise use your information internally, in a lawful manner that is compatible with the context in which you provided the information.
- Right to Know (categories or specific information): the right to know what categories of PI we have collected about you in the preceding 12 months, including with regard to each of the categories of PI collected, the categories of sources from which the PI was collected, the business and/or commercial purpose(s) for the collection, disclosure and/or sale of your PI, and the categories of third parties with whom we have sold or disclosed for business purposes your PI. You also have the right to know what specific pieces of PI we have collected about you in the preceding 12 months and the right to request a copy of that information.
Submitting Requests and What You can Expect. You (or your authorized agent) can submit a deletion, or right to know, or Do Not Sell request online by visiting our Privacy Rights Requests Center and filling out the appropriate form. There you will find details on what is required to be verified and to make the request. You (or your authorized agent) can also submit your request by calling 844-674-2442, our CCPA dedicated toll-free line. If you are visiting one of our Stores, you will see a notice that also directs you to the Privacy Rights Requests Center and the CCPA dedicated toll-free line to make your request. If you are disabled and need reasonable accommodations, please let us know. Subject to us being able to verify you (and, if applicable your agent and his or her authority), so that we do not delete the wrong person’s information, or give access to PI to the wrong person or otherwise act upon the wrong person’s instructions, we will respond to your request in a secure manner through the protocols set up by our vendor OneTrust in our Privacy Rights Requests Center. We will notify you that we have received your deletion or right to know request within 10 days of receipt of your request. We will honor Do Not Sell requests, as more fully explained above, within 15 days after we receive such a request. For right to know and deletion requests, we will endeavor to respond within 45 days after receiving the request, but if we believe that in order to thoroughly and accurately respond to your request we need more time, we will notify you that we need an additional 45 days to process your request.
Incentives and "Non-Discrimination." The CCPA prohibits discrimination against California consumers for exercising their rights under the CCPA and imposes requirements on financial incentives, including loyalty programs, offered to California consumers related to their PI. Accordingly, we will not discriminate against you in a manner prohibited by the CCPA because you exercise your CCPA rights. However, we may charge a different price or rate, or offer a different level or quality of good or service, to the extent that doing so is reasonably related to the value of the applicable PI provided to us.
Currently, Forever 21 offers a loyalty program for the users of its Forever 21-branded credit cards. If you have a Forever 21-branded credit card, you receive points based on purchase activities, and you consent to our sending marketing communications to you, such as to provide you notice of special offers and activities available to cardholders. The program terms are available here. Your choice to participate in this loyalty program will not affect your right to submit right to know, deletion, or Do Not Sell requests under the CCPA, except that as long as you are a member of this loyalty program you must allow us to retain and use your PI to administer the program, which includes sending you marketing messages. We have determined that consumers knowingly electing to accept the program terms to receive the program benefits establishes that the value of the benefits is reasonably related to the value of the program PI and its use to us. Please note that participating in incentive programs such as this one is entirely optional. By submitting a Forever 21-branded credit card application you are affirmatively opting in to the program. You can opt-out of the program by closing your Forever 21-branded cards (thus terminating participation and forgoing the ongoing incentives). We may from time to time change the terms of this incentive program by posting notice, so be sure to check them regularly.
Shine the Light
We do not typically share PI about you with third parties for their direct marketing purposes, except where we offer you the ability to consent (either on an opt-in or opt-out basis), but we sometimes may. Where permitted by applicable law, if we elect to share your personal information (as defined by California’s “Shine The Light” law, California Civil Code Section 1798.83) with third parties for their direct marketing purposes without giving you the ability to consent to such sharing (such as may from time to time be the case with the issuer of our Forever 21-branded credit card(s)), the law allows you to, under certain circumstances, request and obtain certain information regarding our disclosure, if any, of PI to third parties for their direct marketing purposes without your opportunity to consent. If this applies, you may obtain the categories of PI shared and the names and addresses of all third parties that received PI for their direct marketing purposes during the immediately prior calendar year (e.g. requests made in 2020 will receive information about 2019 sharing activities). You may make one request per calendar year. To make such a request, please provide sufficient information for us to determine if this applies to you, attest to the fact that you are a California resident and provide a current California address for our response. You may make this request by sending us an e-mail at [email protected], or by writing to us at Forever 21 (F21 OpCo, LLC), Attn: Legal Department/Privacy, 3880 N. Mission Rd., Los Angeles, CA 90031. Any such request must include “Shine the Light Privacy Rights Request” in the first line of the description and include your name, street address, city, state, and ZIP code, and confirmation that you are a California resident. Please note that we are only required to respond to one request per customer each year, and we are not required to respond to requests made by means other than through this e-mail address or mail address. Please allow up to 30 days for a response.
CA Minors Any California residents under the age of eighteen (18) who have registered to create an account to use the Services, and who post content on the Service, can request removal by contacting us as set forth in the Contact Us section, detailing where the content or information is posted and attesting that they posted it. We will then make reasonable good faith efforts to remove the post from prospective public view or anonymize it so the minor cannot be individually identified to the extent required by applicable law. This removal process cannot ensure complete or comprehensive removal. For instance, third-parties may have republished or archived content by search engines and others that we do not control.