Privacy Policy

Effective Date: March 26, 2024

This Privacy Policy talks about how CVS Pharmacy, Inc. and its subsidiaries and affiliates which provide services in person at our stores or through CVS.com® ("CVS," "we" or "us") may collect information about you, including through your interactions with us:

• In our stores
• On our websites
• On our mobile applications

We refer to these collectively as the "Commercial Services" and our websites and mobile applications as the “Online Services.”

Residents of certain states may have additional privacy rights under state law. For information about your privacy rights under these state laws, please refer to the applicable state-specific section below.

table of contents

1. Privacy Policy scope
2. The personal information we collect
3. Sources we collect personal information from
4. How we use personal information
5. How we disclose personal information
6. Third-party services and features
7. Security
8. Cookies and other technologies
9. Interest based advertising
10. Your choices and access
11. Contact information
12. Your California privacy rights
13. Your Colorado privacy rights
14. Your Connecticut privacy rights
15. Your Utah privacy rights
16. Your Virginia privacy rights
17. Your Washington privacy rights

1. Privacy Policy scope

   As you likely know, CVS Health® offers many healthcare services in addition to the Commercial Services, such as pharmacy, medical, and health plan services. If you are looking for information about how CVS Health collects and uses information for any healthcare services other than the Commercial Services, you should review the privacy policy provided for those services. Please visit our Privacy Center at: https://www.cvshealth.com/privacy-center.html to view our other CVS Health privacy policies.

   
   

   If you have any questions or concerns about this Privacy Policy, how we collect and use your personal information, or questions about which policy applies to information you have provided, please do not hesitate to Contact Us, or call us toll-free at 1-888-607-4287.

   
   

   We may change this Privacy Policy. The "Effective Date” at the top of this page shows when it was last revised. Any changes take effect when we post the revised Privacy Policy on the Commercial Services.

   
   

   Our Online Services are designed for a general audience and are not directed to children. We do not knowingly collect personal information online from any person we know to be under the age of 13.

   
   

   We designed our Online Services for users from the United States and we control and operate the Online Services from the United States.

   
   

2. The personal information we collect

   We want you to know how we collect and use your personal information. Some examples of the personal information we may collect about you include:

   
   
   • Contact information including your name, mailing address, email address, and telephone number
   • Your password, if you create an account
   • Demographic information such as your age and date of birth, sex and/or gender, race and/or ethnicity
   • Language preferences
   • Enrollment in programs such as e-receipt or ExtraCare®, your use of coupons or other offers
   • Transaction information such as purchase history, returns, or exchanges
   • Use of certain store services such as if you arrange to pick up your retail order outside a CVS store, or have your order delivered to your home
   • Your interactions with our websites or mobile sites, mobile apps, Wi-Fi and other online services, such as how you use our Online Services including search terms, pages you visit on CVS.com and our mobile applications
   • Information about the apps, browsers and devices you use to access our Online Services including your computer’s IP address and/or mobile device information (e.g., device model, operating system version, unique device identifiers, mobile network information)
   • Views and interactions with emails, communications, content and ads
   • Payment card information
   • Driver’s license number or other government issued identification information
   • Geolocation information and in-store location
   • Inferences about you, such as head of household or caregiver status
   • Your social media account information if you share it with us
   • Images you provide to us (e.g., when you upload photos) or that are viewed or recorded on an in-store security camera
   • Health information you provide us based on your participation with certain programs
   • Biometric information which may include voice recognition voice recognition information, facial scans, and/or other similar biometric identifiers
   • Professional or employment-related information, such as whether you are a CVS Health colleague
   • Other information you provide to us
   
   

   If you choose not to provide your personal information to us in connection with the Commercial Services, we may not be able to provide you with certain products, services or information.

   
   

   We may also combine information that does not personally identify you with personal information. If we do, we will treat the combined information as personal information for as long as it stays combined. Please note that personal information collected as described in this Privacy Policy may be used and disclosed in a de-identified format. Personal information is no longer within the scope of this Privacy Policy once it has been de-identified. Unless you take some action you take to re-identify your de-identified information, we will not attempt to re-identify this information so that it may be associated with you.

   
   

3. Sources we collect personal information from

   We collect the personal information described above from the following sources.

   
   
   • Directly from you. We collect personal information directly from you when you interact with us through our Commercial Services and automatically when you visit our websites and mobile applications.
   • From subsidiaries and affiliates. We collect personal information from our subsidiaries and affiliates you interact with as permitted by applicable law.
   • Publicly available information and other sources. We may collect information about you from both publicly available and other third-party sources to enhance and improve the accuracy of our information about you. We may combine the information we collect from you through the Commercial Services with information we get from and about you from other online and offline sources. We may use the combined information in accordance with this Privacy Policy.
   
   

4. How we use personal information

   We use your personal information to provide you with the Commercial Services and products you purchase from us as well as to provide customer service to you. Additionally, we may use the personal information we collect about you for the purposes listed below.

   
   
   • To communicate with you. We use your personal information to respond to your requests and otherwise communicate with you about your orders or accounts. For instance, we may use your personal information to fulfill your order, contact you with information about your order, send you email alerts, send you newsletters, and to provide you with related customer service. We may use your personal information to send marketing communications and administrative information. This may include push notifications in our mobile applications.
   • To manage your accounts, orders and subscriptions. We use personal information to manage your accounts, orders, billing, and improve reorder experiences. We also use personal information to manage subscription services.
   • To enhance your experience. We may use your personal information to personalize your experience shopping and interacting with us. We may present products and offers tailored to your interests. We may also use personal information to offer other products and services that may interest you including those that we recommend from third parties through the CVS media company, CMX.
   • For our internal business purposes. We may use your personal information for our internal business purposes, such as training, data analysis, audits, fraud monitoring and prevention. We may also use it for developing our Commercial Services and new product and services, to assess the effectiveness of our campaigns, and to operate and expand our business activities.
   • To administer our customer loyalty program. As further described below in Sections 12 and 13, we use personal information to administer our loyalty and membership programs, including CVS ExtraCare and ExtraCare Plus™.
   • Business transfers. To consider and implement mergers, acquisitions, reorganizations, and other business transactions, and where necessary to the administration of our general business, accounting, recordkeeping, and legal functions.
   • To protect our legal rights and preventing misuse. To protect the Commercial Services and our business operations; to prevent and detect fraud, unauthorized activities and access, and other misuse; where we believe necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety or legal rights of any person or third party, or violations of our terms and conditions or this Privacy Policy.
   • Other permissible uses. We also may use personal information in other ways, for which we provide specific notice at the time of collection.
   
   

5. How we disclose personal information

   We may disclose personal information described above with the following parties:

   
   
   • Vendors and partners. We may disclose personal information we collect to our service providers or agents who perform functions on our behalf. These may include, for example, IT service providers, help desk, payment processors, analytics providers, consultants, auditors, and legal counsel. We may disclose personal information to partners to support program activities, such as customer service.
   • Subsidiaries and affiliates. We may disclose personal information we collect to our subsidiaries or affiliates.
   • Third-party ad networks and providers. We may disclose personal information to third-party ad network providers, sponsors and/or traffic measurement services. These third parties may use cookies, JavaScript, web beacons (including clear GIFs), and other tracking technologies to measure the effectiveness of their ads and to personalize advertising content to you. These third-party cookies and other technologies are governed by each third party's specific privacy policy, not this one.
   • Our marketplace retailers. We will sometimes enable other businesses to make their products available on our Online Services, such as through CVS.com. When you purchase these products or services, we disclose personal information related to your purchase of their products.
   • Government or public authorities. We may disclose personal information to a third party if (a) we believe that disclosure is reasonably necessary to comply with any applicable law, regulation, legal process, or governmental request, (b) to enforce our agreements, policies, and terms of service, (c) to protect the security or integrity of our Commercial Services, (d) to protect the property, rights, and safety of CVS, our users, or the public from harm or illegal activities, (e) to respond to an emergency which we believe in the good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person, or (f) to investigate and defend ourselves against any third-party claims or allegations.
   
   

   We may disclose personal information for the following purposes:

   
   
   • To provide information to our service providers, contractors, and partners. We may disclose personal information to our service providers. They provide services such as website hosting, data analysis, payment processing, order fulfillment, information technology and infrastructure, customer service, email delivery, auditing and other services.
   • In connection with a sale or transfer of business assets. We may disclose or transfer your personal information to other parties if some or all of our business, assets or stock are sold, transferred or used as security. This includes in connection with any bankruptcy or similar proceeding.
   • To respond to law enforcement officials or enforce our rights. We may disclose your personal information only as permitted or if required to do so by law enforcement officials or other government authorities. We disclose personal information in matters involving claims of personal or public safety, or in litigation. This may include disclosure of your personal information to allow us to pursue remedies or to limit the damages we may sustain. We may also use or disclose your information to enforce our terms and conditions, to protect our operations or those of any of our affiliates, to prevent misuse of our Commercial Services, or to protect our rights, privacy, safety or property and/or that of our affiliates, you or others.
   • To maintain and enhance the safety and security of our Commercial Services. We may disclose personal information to detect, prevent and address issues involving our Commercial Services, including security breaches.
   
   

6. Third-Party services and features

   The Services may contain links to, or make available, third-party websites, services, features or other resources not run by us or on our behalf (the “Third-Party Services.”) We make these Third-Party Services available as a convenience to you and are not affiliated with, endorsing or sponsoring the Third-Party Services.

   
   

   Any information you give to such third parties is not subject to the terms of this Privacy Policy. We are not responsible for the privacy or security of the information you give to Third-Party Services or how they handle your information. We also are not responsible for the information collection, use, sharing or security practices of Third-Party Services. You should review the privacy policy of any Third-Party Service to whom you give information in connection with the Commercial Services.

   
   

   Our Online Services include certain social media features such as our Facebook and Twitter accounts or widgets on our Online Services. If you engage with the Commercial Services using a social media platform your friends and connections and others who use our Commercial Services may also see it, as might your social media account provider. The social media provider’s privacy policy governs the use of the information you share on or through the social media platform.

   
   

7. Security

   We use reasonable physical, technical and administrative safeguards. Please be aware that despite our efforts, no data security measures can guarantee security. You should take steps to ensure your personal information is protected like using passwords that would be difficult to guess, not using the same password for multiple accounts and periodically changing your password.

   
   

8. Cookies and other technologies

   What are cookies? Cookies are small computer files we transfer to your computer’s hard drive. These are usually small text files. They help us personalize content for you on our pages and provide programs like e-coupons. You can set your browser to accept or reject cookies. Instructions for resetting the browser are in the Help section of most browsers.

   
   

   How we use cookies. Like many other websites and online services, we collect traffic and usage patterns. We use cookies, Web server logs and similar technologies to do this.

   
   

   We use this information for various purposes:

   
   
   • To ensure that the Online Services function properly
   • To help with navigation (or how you find your way around the site)
   • To personalize your experience
   • To understand use of the Online Services
   • To diagnose problems
   • To measure the success of our marketing campaigns and targeted ads
   • To otherwise administer the Online Services
   
   

   We also use cookies to collect and receive certain information about a website user, such as the type of web browser used, Internet service provider (“ISP”), referring/exit pages, operating system, date/time stamp, clickstream data, device platform, device version, and/or other device characteristics including your choice of settings such as Wi-Fi, Bluetooth, and Global Positioning System ("GPS"), CPU ID and type, build, model, manufacturer, operating system version, screen size, screen resolution, mobile network status, device locale, and carrier ID. We review our web server logs and our customers’ use of our site. This helps us to gather statistics on how many people are using our site and why.

   
   

   Internet providers assign your device an IP address number. We may identify and log your IP address automatically in our Web server log files when you use our Online Services. We may also collect the time of your visit and the pages you look at. We use IP addresses to do things like gauge usage levels of the Online Services, help find server problems, and administer the Commercial Services.

   
   

   CVS uses tracking technologies (e.g., cookies, pixels, tags) to collect and record your activities and movements across our websites throughout your browsing session, including device information, page hits, mouse movements, scrolling, typing, out-of-the-box errors and events, and API calls (“Session Data”). We use this information to (1) remember your information so you do not have to re-enter it, (2) track and understand how you use and interact with the services, (3) perform analytics, (4) tailor the site and services around your preferences; (5) provide contextual and personalized advertisements; (6) measure the usability of the services and the effectiveness of our communications; and (7) improve our products, services, and your experience. Such tracking may also include recorded sessions, which we may play back for these purposes. We may share Session Data with our vendors and third party partners (which may change over time) for these purposes. CVS respects your privacy and offers you the choice to allow or reject some types of tracking technologies. Please note your experience on the site and services available to you may be impacted based on your choices.

   
   

9. Interest-based advertising

   Like many companies, CVS participates in interest-based advertising. We may use or partner with third-party companies, including social media and third-party advertising companies tailored to your individual interests based on how you browse and shop online. Doing so helps us to measure services and display targeted ads when you access and use the Online Services.

   
   

   These are ads about goods and services we feel may interest you based on your access to and your use of our Commercial Services and other online services. To do so, these companies may place or recognize a unique cookie on your browser. These third parties may also use pixel tags, web beacons and other storage technologies to collect or receive information about your online activities over time and across our website and elsewhere on the Internet.

   
   

   We may also use analytics providers that use cookies, pixel tags, web beacons and other similar technologies. They may collect or receive data about your use of our Commercial Services and other websites or online services. These analytics services (like Adobe Analytics or Google Analytics) provide services that analyze information regarding visits to our Online Services.

   
   

   To learn more about Adobe Analytics privacy practices, click https://www.adobe.com/privacy.html.

   
   

   To learn more about how Google uses your data from our sites and how you can control the information collected by Google, click https://policies.google.com/technologies/partner-sites.

   
   

   At any time, you may be able to opt out of the collection and use of your personal information for ad targeting. For more information, and to exercise your right to opt out, you may use various consumer choice tools created under self-regulation programs. For instance:

   
   
   • NetworkAdvertising.org/managing/opt_out.asp
   • AboutAds.info/
   • Digitaladvertisingalliance.org
   
   

   Even if you opt out of receiving targeted ads, you may still see or get other types of online ads.

   
   

   Lastly, you may manage cookies in your web browser. You can set your browser to accept or reject cookies, which you can learn more about in the Help section of most browsers.

   
   

   Do-Not-Track. Our websites are not designed to respond to “do-not-track” signals received from browsers. However, see below for more information about the Global Privacy Control.

   
   

10. Your choices and access

    You can take yourself off our email list for promotional offers at any time. Just update your Email Communications preference in your Account Profile. Start in the My Account section or follow the instructions in the email. If you opt out of getting promotional emails from us, we may still send you important administrative messages. You cannot opt out of these messages.

    
    

    You may stop push notices through your mobile device settings. You may be able to allow or deny us to collect your device’s location by using the settings on your mobile device, and/or to avoid the collection of location by beacons by disabling Bluetooth on your mobile device. If you deny such collection, we and our service providers may not be able to offer you certain personalized services and content.

    
    

    You can stop all further collection of information by a CVS mobile app. All you need to do is uninstall it.

    
    

    If you uninstall the mobile app from your device, the CVS unique identifier associated with your install and/or device may continue to be stored. If you re-install the app on the same device, we might be able to link this identifier to your past activities.

    
    

    If you are a minor, you may remove or request removal of any content or information you post on our site. To request removal of content or information you have posted to our site, please Contact Us. Removal or requests for removal of content or information that has been posted to our website does not ensure complete or comprehensive removal.

    
    

11. Contact information

    If you have any questions or concerns about the way we collect and use your information, Contact Us. Or call us toll-free at 1-888-607-4287.

    
    

    If you have any other questions about the content of this Privacy Policy contact the CVS Health Privacy Office by email at ConsumerPrivacy@CVSHealth.com or at the address below.

    
    

    CVS Pharmacy
    Attn: Privacy Office
    1 CVS Drive
    Woonsocket, R.I. 02895
    1-888-607-4287

    
    

12. Your California privacy rights

    Last Updated: March 26, 2024

    
    

    This section supplements the CVS Pharmacy Privacy Policy and applies solely to California residents about whom we have collected personal information from any source, including through the use of our website(s), mobile applications or other online services, by buying our products or services, or by communicating with us electronically, in paper correspondence, or in person (collectively, "you"). Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020 (the “CCPA”), California residents have the right to receive certain disclosures regarding our information practices related to “personal information,” as defined under the CCPA. The terms used in this section have the same meaning given to them in the CCPA.

    
    

    This section does not apply to CVS personnel, job applicants, or individuals with a business-to-business relationship with us. If you are a CVS Health employee, former employee, job applicant, contractor or other CVS professional, that information is governed by the Workforce Privacy Policy. To the extent that information is provided as part of a business-to-business relationship (e.g., prescribers, providers, suppliers, clients) with a CVS Health entity, that information is governed by the California Business-to-Business Privacy Policy.

    
    

    1. What personal information we collect

       We may collect the following categories of personal information (as enumerated in the CCPA) about you. For more information about the personal information we collect, please see Section 2 above.

       
       
       • Identifiers, which may include your name, mailing address, email address, telephone number, and government-issued ID numbers.
       • Commercial information, which may include purchase history, returns, exchanges, and enrollment in programs (e.g., ExtraCare).
       • Information relating to Internet activity or other electronic network activity, which may include your interactions with our websites or mobile sites, mobile apps, Wi-Fi, emails, communications, content and ads.
       • Geolocation data, which may include Global Positioning System ("GPS") data or in-store location.
       • Audio, electronic or visual information, which may include images you provide to us (e.g., when you upload photos) or that are viewed or recorded on an in-store security camera.
       • Professional or employment-related information, such as whether you are a CVS Health colleague.
       • Inferences about you, such as head of household or caregiver status.
       • Information not listed above and related to characteristics protected under California or federal law, which may include demographic information such as your age or date of birth, gender and/or sex, language preferences.
       • Other personal information not listed above and described in California Civil Code § 1798.80(e), which may include payment card information and other financial or health information and other information you provide to us.
       
       

       We may also collect the following categories of sensitive personal information about you:

       • Government identification, such as government issued identification.
       • Account log-in information, which may include your account username and password, if you make an account with us.
       • Precise geolocation data, to identify the Commercial Services nearest or most applicable to you.
       • Information concerning your health, which may include your interactions with our Pharmacy or information made available via connected health devices (e.g., smart watches, health apps).
       • Information concerning your sex life, such as your purchases of sexual health products using the Commercial Services.
       • Biometric information, which may include voice recognition information, facial scans, and/or other similar biometric identifiers.
       • Racial or ethnic origin, such as information that reveals your race or ethnic origin.
       
       

    2. How long we retain personal information

       We retain personal information only as long as necessary and in alignment with our data retention schedules. Information may be retained to comply with applicable law, adhere to contractual requirements, in anticipation of litigation or a legal matter, or as otherwise necessary and proportionate to provide you with a product or service.

       
       

    3. What we do with personal information

       We may use your personal information for the purposes described above in Section 4 of our Privacy Policy and for the following business and commercial purposes specified in the CCPA:

       
       
       • Performing services, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing advertising or marketing services, providing analytics services, or providing similar services
       • Auditing related to a current interaction with you and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance
       • Short-term, transient use, including, but not limited to, the contextual customization of ads shown as part of the same interaction
       • Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity
       • Debugging to identify and repair errors that impair existing intended functionality
       • Undertaking internal research for technological development and demonstration
       • Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by us
       
       

    4. Sources of collected information

       We may collect personal information about you from these sources:

       
       
       • Directly from you or your device, including via purchasing goods and services in our stores, your use of our websites and mobile applications, and your communications with us, including by telephone, text message, postal mail, social media, forums, message boards, chatbots, or other means
       • Our subsidiaries and affiliates
       • Our service providers, including but not limited to, marketing/customer relationship management providers, technology/website hosting providers, analytics providers, and systems administrators/security and fraud investigations providers
       • Advertising networks and social media networks
       • Government entities, regulators and law enforcement
       • Third parties, including companies that collect and sell publicly available information, or business partners that collect information and provide it to us according to their privacy policies and terms of service
       
       

    5. What personal information we share and who we share personal information with

       
       
       

       Category of Personal Information	Category of third parties to whom we disclosed personal information	Category of third parties to whom we “Sold” or “Shared” personal information
       Identifiers	Subsidiaries and affiliates Government entities, regulators and law enforcement	Advertising networks
       Commercial information	Government entities, regulators and law enforcement	Advertising networks
       Information relating to Internet activity or other electronic network activity	Subsidiaries and affiliates Regulators, government entities, and law enforcement	Advertising networks
       Geolocation data	Subsidiaries and affiliates Government entities, regulators and law enforcement	Advertising networks
       Audio, electronic, or visual information	Government entities, regulators and law enforcement	N/A
       Professional or employment-related information	Government entities, regulators and law enforcement	N/A
       Inferences about you	N/A	N/A
       Other personal information not listed above and described in California Civil Code § 1798.80(e)	Subsidiaries and affiliates Government entities, regulators and law enforcement	N/A
       Sensitive personal information	Government entities, regulators and law enforcement	N/A
       Information not listed above and related to characteristics protected under California or federal law	Subsidiaries and affiliates Government entities, regulators and law enforcement	N/A

       
       

       We do not sell your personal information to third parties in exchange for monetary consideration.

       
       

       As with other companies that conduct digital marketing, we do share a limited set of personal information identified in the table above with certain third parties (such as online advertising services and social media networks). We may allow these third parties to collect your personal information, such as online activity, via automated technologies (such as cookies and pixels) on our websites and mobile applications in exchange for non-monetary consideration. We and these third parties may gather this data when you visit or use our websites, mobile applications and other web-based services. We may make this personal information, including inference information, available to third parties for online advertising purposes (e.g., to tailor digital ads about our products and services) and to provide third-party social network features and functionality on our website and mobile applications. We may also share this personal information to enhance our ability to communicate with you and provide you with promotional information. To the extent these activities are considered “sharing” or a “sale” under the CCPA's broad definitions of those terms, you have the right to opt out of this disclosure of your information. You can read more about opting out in Section 12(G), below.

       
       

       We do not knowingly sell the personal information of minors under 16 years of age.

       
       

    6. Your privacy rights

       If you are a California resident and we collect, use, or disclose personal information subject to CCPA, you may have the following rights under the CCPA with respect to your personal information.

       
       
       • Right to know/access. With respect to the personal information we have collected about you, you have the right to request from us (up to twice per year and subject to certain exemptions): (i) categories of personal information about you we have collected; (ii) the sources from which we have collected that personal information; (iii) our business or commercial purposes for collecting, selling, or disclosing that personal information; (iv) the categories of third parties to whom we have disclosed that personal information; and (v) a copy of the specific pieces of your personal information we have collected.
       • Right to delete. Subject to certain conditions and exceptions, you may have the right to ask us to delete certain personal information we have collected from you.
       • Right to correction. You may have the right to ask us to correct inaccuracies in the personal information we have collected.
       • Right to opt out of sale/sharing. You have the right to opt out of the sale and sharing of your personal information by us. You will find our Notice of Right to Opt-Out here.
       • Limit certain uses and disclosures of sensitive personal information. We do not engage in uses or disclosures of “sensitive personal information” that would trigger the right to limit use or disclosure of sensitive personal information under applicable law.
       • Right to non-discrimination. We will not discriminate against you if you exercise any of these privacy rights.
       
       

    7. How to submit a request

       If you are a California consumer and wish to exercise these rights, you can reach us in one of the ways shown below.

       
       

       Right to Know / Delete / Correct:

       
       
       • ExtraCare account only interactive webform; or
       • CVS.com account password-protected web portal (includes ExtraCare, if linked): Sign in here
       • 1-800-SHOP-CVS (1-800-746-7287)
       
       

       See Section 12(J), below, for instructions on how to opt-out of sale or sharing.

       
       

       You may also give someone else permission to exercise these rights for you. To submit a request as an authorized agent on behalf of a consumer, write us at ConsumerPrivacy@CVSHealth.com or call us at 1-800-SHOP-CVS (1-800-746-7287). We will need proof showing you have asked someone else to make a request on your behalf, which may include a Power of Attorney form or other signed document. If we have information on your minor child, you may exercise these rights for them.

       
       

    8. Verifying requests

       Before we fulfill a request, we must verify your identity and ability to exercise these rights. There are also some exclusions and exceptions that may apply. So that we can verify your identity, if you have a CVS.com account, you will need to first sign into your account. If you do not have a CVS.com account, you will be asked to give us certain personal information via webform or on the phone, as described above. If you do not have a CVS.com account and request access to, correction or deletion of your personal information, we may require you to provide any of the following information: ExtraCare number, full legal name, email address, and/or phone number. In addition, if you do not have a CVS.com account and you ask us to provide you with specific pieces of personal information, we may require you to sign a declaration under penalty of perjury that you are the consumer whose personal information is the subject of the request.

       
       

       To learn more about this Privacy Policy, or if you have any questions or concerns, Contact Us.

       
       

    9. Notice of Financial incentives

       As further described below, in exchange for your enrollment in our ExtraCare program, we may offer you special pricing or service differences, including those you become eligible for when you opt in to earn rewards at the pharmacy or enroll in ExtraCare Plus, which may be considered “financial incentive” programs under the CCPA.

       
       

       ExtraCare Member special pricing and promotions

       
       

       We offer ExtraBucks and other exclusive rewards, including special pricing on certain products and brands, for individuals who are ExtraCare members. To offer these discounts to our ExtraCare members, we collect the following categories of personal information:

       
       
       • Identifiers. We collect identifiers such as your contact information.
       • Commercial information. We collect information such as your purchasing history.
       • Information concerning your health. We collect information such as your searches and purchases of healthcare products (e.g., diabetic supplies, pain relievers).
       
       

       Manufacturer funding

       
       

       We may receive funding from manufacturers to offer special pricing on their products or to cover the administrative costs of sending marketing communications (e.g., direct mail, email messages) to ExtraCare members. These funding sources and amounts depend on our ability to communicate with a certain number or population of customers who are ExtraCare members. To offer these special prices, we may collect the following categories of personal information:

       
       
       • Identifiers. We collect identifiers such as your contact information.
       • Commercial information. We collect information such as your purchasing history.
       • Inferences. We collect information such as household income and marital status.
       • Information relating to Internet activity or other electronic network activity. We collect information such as your interactions with our websites or mobile sites, mobile apps, Wi-Fi, emails, communications, content and ads.
       
       

       ExtraCare rewards at the pharmacy

       
       

       Participants in the ExtraCare program are given the opportunity to earn rewards at the pharmacy for pharmacy activities, such as filling a prescription or receiving an immunization. As part of this program, we may collect the following personal information:

       
       
       • Identifiers. We collect identifiers such as your contact information.
       • Information concerning your health. We collect information such as your interactions with our Pharmacy.
       
       

       ExtraCare Plus

       
       

       If you join our ExtraCare Plus membership, we may offer additional ExtraBucks and members-only rewards by tracking additional data elements. As an ExtraCare Plus member, you may have the opportunity to join a third-party partners’ program at a discount. If you choose to join a third-party partners’ program through your ExtraCare Plus membership, you may receive additional ExtraBucks and members-only rewards in exchange for access and use of your information you provide to our partners as part of these third-party partners’ programs. As part of the ExtraCare Plus program, including any third-party partners’ programs you link to your ExtraCare Plus membership, we may collect the following personal information:

       
       
       • Identifiers. We collect identifiers such as your contact information.
       • Commercial information. We collect information such as your purchasing history.
       • Information concerning your health. We may collect information such as your activity or weight made available via connected health devices (e.g., smart watches, health apps) that you link to your ExtraCare Plus membership.
       
       

       For participants in the aforementioned financial incentive programs, the value of the personal information you provide is reasonably related to the value of the financial rewards provided to you. The value of personal information will vary slightly for each member depending on several factors, including but not limited to your interactions and purchases with CVS, the administrative and technical expenses associated with maintaining the ExtraCare program (e.g., IT infrastructure, customer service, marketing strategy & planning), and the extent to which you take advantage of the program’s offerings and discounts (e.g., 2% ExtraBucks rewards for purchases).

       
       

       You have the right to withdraw from the ExtraCare program at any time. To withdraw from the program, you must submit a request to delete your personal information from ExtraCare, as set forth in Section 12(G) above.

       
       

    10. Notice of right to opt-out of sharing or sale

        California residents have the right to opt out of sales and sharing of personal information. If you wish to opt out of our sharing of the limited data that is gathered when you visit our websites and other web-based services for purposes of targeted digital advertising as described in Section 12(E), above, you may do so in one of the ways described below.

        
        
        • Fill out this interactive webform
        • Call us at 1-800-SHOP-CVS (1-800-746-7287)
        
        

        The effectiveness of your opt-out request may be limited by our ability to associate the cookies and/or pixels that we may collect with your identity, browser, device and/or browsing session. As a result, your opt-out request will be more effective for future visits if you:

        
        
        • Use the same device that was used to exercise the opt-out request
        • Have not cleared cookies from your web browser
        • Are not using a private mode in your web browser
        • Provide the same personal information that you provided previously
        
        

        We encourage you to re-submit opt-out requests from any other devices that you may be using to visit our websites, mobile applications and other web-based services. If you sign up and log in to your CVS.com account, we will be able to associate you more easily with your visits to our websites, mobile applications and other web-based services. This will also allow us to apply a more persistent opt-out request across devices, browsers and browsing sessions, subject to the above limitations.

        
        

        You also have the right to opt-out of “sales” and “sharing” of your personal information, including through the use of an opt-out preference signal. If our website detects that your browser is transmitting an opt-out preference signal, such as the “global privacy control”—or GPC— signal, we will opt that browser out of cookies on our website that result in a “sale” or “sharing” of your personal information. Please note, if you come to our website from a different device or a different browser on the same device, you will need to opt out, or use an opt-out preference signal, for that browser and/or device as well.

        
        

    11. CCPA reporting metrics

        To learn more about the consumer requests that CVS has processed in the past calendar year, click here.

        
        

    12. California Shine the Light Law

        If you are our customer and a California resident and wish to exercise your rights under the California Shine the Light Law, please submit a right to opt-out of sale and sharing of personal information request as described in Section 12(J) above.

        
        

13. Your Colorado privacy rights

    Under the Colorado Privacy Act (“CPA”), Colorado residents have the right to receive certain disclosures regarding a business’ processing of “personal data,” as defined under the CPA, as well as certain rights with respect to our processing of such personal data. To the extent you are a resident of Colorado and we collect, use or disclose personal data subject to the CPA, the following applies. For more information about the personal data we collect, use, and disclose, please see Sections 2-5 above.

    
    

    1. What sensitive data we collect

       We may collect the following categories of sensitive data (as enumerated in the CPA) about you. For more information about the personal data we collect, please see Section 2 above.

       
       
       • Physical health condition or diagnosis, which may include your interactions with our Pharmacy or information made available via connected health devices (e.g., smart watches, health apps).
       • Personal data revealing your sex life, such as your purchases of sexual health products using the Commercial Services.
       • Biometric information, which may include voice recognition information, facial scans, and/or other similar biometric identifiers.
       • Racial or ethnic origin, citizenship or immigration status, such as information that reveals your race or nationality.
       
       

    2. What personal data we share and who we share personal data with

       
       
       

       Category of personal data	Category of third parties to whom we disclosed personal data	Category of third parties to whom we disclosed personal data for “targeted advertising”
       Contact and demographic information	Subsidiaries and affiliates Government entities, regulators and law enforcement	Advertising networks
       Transactions and services information	Government entities, regulators and law enforcement	Advertising networks
       Online services interactions and device information	Subsidiaries and affiliates Regulators, government entities, and law enforcement	Advertising networks
       Geolocation information	Subsidiaries and affiliates Government entities, regulators and law enforcement	Advertising networks
       Photographic and video information	Government entities, regulators and law enforcement	N/A
       Professional or employment-related information	Government entities, regulators and law enforcement	N/A
       Inferences about you	N/A	N/A
       Sensitive data	Government entities, regulators and law enforcement	N/A

       
       

       We do not sell your personal data to third parties in exchange for monetary consideration. We also do not use or disclose personal information for purposes of profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.

       
       

    3. Your privacy rights

       If you are a Colorado resident and we collect, use, or disclose personal data subject to CPA, you may have the following rights under the CPA with respect to your personal data.

       
       
       • Right to access. You have the right to confirm whether or not we are processing your personal data and to access such personal data.
       • Right of portability. You may have the right to obtain a copy of the personal data that you previously provided to us in a portable and, to the extent technically feasible, readily usable format that allows you to transmit your personal data to another controller or business where the processing is carried out by automated means.
       • Right to delete. You have the right to ask us to delete certain personal data we have collected about you.
       • Right to correction. You have the right to ask us to correct inaccuracies in the personal data we have collected.
       • Right to opt out of sale and profiling. Under the CPA, a “sale” includes exchanging personal data with a third party for monetary or other compensation. Please see our Notice of Right to Opt-Out here. Colorado residents have the right to opt out of the processing of your personal data for decisions that produce legal or similarly significant effects concerning you. We do not process personal data for such profiling.
       • Right to opt out of targeted advertising. You have the right to opt out of targeted advertising based on your personal data. To opt out of targeted marketing, please see our Notice of Right to Opt-Out here.
       
       

    4. How to submit a request

       If you are a Colorado consumer and wish to exercise these rights, you can reach us in one of the ways shown below.

       
       

       Right to Access / Portability / Delete / Correct:

       
       
       • ExtraCare account only interactive webform
       • CVS.com account password-protected web portal (includes ExtraCare, if linked): Sign in here
       • 1-800-SHOP-CVS (1-800-746-7287)
       
       

       See Section 13(G) for instructions on how to opt-out of targeted advertising.

       
       

    5. Verifying requests

       Before we fulfill a request, we must verify your identity and ability to exercise these rights. There are also some exclusions and exceptions that may apply. So that we can verify your identity, if you have a CVS.com account, you will need to first sign into your account. If you do not have a CVS.com account, you will be asked to give us certain personal data via webform or on the phone, as described above. If you do not have a CVS.com account and request access to, correction or deletion of your personal data, we may require you to provide any of the following information: ExtraCare number, full legal name, email address, and/or phone number. In addition, if you do not have a CVS.com account and you ask us to provide you with specific pieces of personal data, we may require you to sign a declaration under penalty of perjury that you are the consumer whose personal data is the subject of the request.

       
       

       To learn more about this Privacy Policy, or if you have any questions or concerns, Contact Us.

       
       

    6. Notice of Bona Fide Loyalty Program

       As further described below, we may offer you special pricing or service differences in exchange for your enrollment in our ExtraCare program, including when you opt in to earn rewards at the pharmacy or enroll in ExtraCare Plus, which may be considered bona fide loyalty programs under the CPA. We may provide your personal data to advertising networks as part of the Bona Fide Loyalty Programs.

       
       

       Please note that we need your personal data for you to participate in these bona fide loyalty programs. If you choose to exercise your right of deletion, your ExtraCare card, ExtraCare Plus membership, and/or your CVS.com account will be deleted as part of this process. This means that we will no longer have the personal data we need to offer you the bona fide loyalty program benefits (e.g., personalized offers) as we will be unable to tie you to your interactions with us (e.g., store purchases) or contact you to provide the benefits to you as part of these programs. Be advised that the personal data we maintain, such as your store purchases, may reveal certain sensitive physical health condition or diagnosis information.

       
       

       ExtraCare Member special pricing and promotions

       
       

       We offer ExtraBucks and other exclusive rewards, including special pricing on certain products and brands, for individuals who are ExtraCare members. To offer these discounts to our ExtraCare members, we collect the following categories of personal data. Contact and demographic information. We collect identifiers such as your contact information.

       
       
       • Transactions and services information. We collect information such as your purchasing history.
       • Physical health condition or diagnosis. We collect information such as your searches and purchases of healthcare products (e.g., diabetic supplies, pain relievers).
       
       

       Manufacturer funding

       
       

       We may receive funding from manufacturers to offer special pricing on their products or to cover the administrative costs of sending marketing communications (e.g., direct mail, email messages) to ExtraCare members. These funding sources and amounts depend on our ability to communicate with a certain number or population of customers who are ExtraCare members. To offer these special prices, we may collect the following categories of personal data.

       
       
       • Contact and demographic information. We collect identifiers such as your contact information.
       • Transactions and services information. We collect information such as your purchasing history.
       • Inferences about you. We collect information such as head of household and caregiver status.
       • Online services interactions and device information. We collect information such as your interactions with our websites or mobile sites, mobile apps, Wi-Fi, emails, communications, content and ads.
       • Physical health condition or diagnosis. We collect information such as your searches and purchases of healthcare products (e.g., diabetic supplies, pain relievers).
       
       

       ExtraCare rewards at the pharmacy

       
       

       Participants in the ExtraCare program are given the opportunity to earn rewards at the pharmacy for pharmacy activities, such as filling a prescription or receiving an immunization. As part of this program, we may collect the following personal data.

       
       
       • Contact and demographic information. We collect identifiers such as your contact information.
       • Physical health condition or diagnosis. We collect information such as your interactions with our Pharmacy.
       
       

       ExtraCare Plus

       
       

       If you join our ExtraCare Plus membership, we may offer additional ExtraBucks and members-only rewards by tracking additional data elements. As a ExtraCare Plus member, you may have the opportunity to join a third-party partners’ program at a discount. If you choose to join a third-party partners’ program through your ExtraCare Plus membership, you may receive additional ExtraBucks and members-only rewards in exchange for access and use of your information you provide to our partners as part of these third-party partners’ programs. As part of the ExtraCare Plus program, including any third-party partners’ programs you link to your ExtraCare Plus membership, we may collect the following personal data.

       
       
       • Contact and demographic information. We collect identifiers such as your contact information.
       • Transactions and services information. We collect information such as your purchasing history.
       • Physical health condition or diagnosis. We may collect information such as your activity or weight made available via connected health devices (e.g., smart watches, health apps) that you link to your ExtraCare Plus membership.
       
       

       You have the right to withdraw from the ExtraCare program at any time. To withdraw from the program, you must submit a request to delete your personal data from ExtraCare, as set forth in Section 13(D) above.

       
       

    7. Notice of right to opt-out

       If you wish to opt out of processing of personal data that is gathered when you visit our websites and other web-based services for purposes of targeted digital advertising, you may do so in one of the ways described below.

       
       
       • Fill out this interactive webform
       • Call us at 1-800-SHOP-CVS (1-800-746-7287)
       
       

       The effectiveness of your opt-out request may be limited by our ability to associate the cookies and/or pixels that we may collect with your identity, browser, device and/or browsing session. As a result, your opt-out request will be more effective for future visits if you:

       
       
       • Use the same device that was used to exercise the opt-out request
       • Have not cleared cookies from your web browser
       • Are not using a private mode in your web browser
       • Provide the same personal data that you provided previously
       
       

       We encourage you to re-submit opt-out requests from any other devices that you may be using to visit our websites, mobile applications and other web-based services. If you sign up and log in to your CVS.com account, we will be able to associate you more easily with your visits to our websites, mobile applications and other web-based services. This will also allow us to apply a more persistent opt-out request across devices, browsers and browsing sessions, subject to the above limitations.

       
       

       You also have the right to opt-out of targeted advertising using your personal data, including through the use of a universal opt-out mechanism. If our website detects that your browser is transmitting a universal opt-out mechanism, such as the “global privacy control” —or GPC— signal, we will opt that browser out of cookies on our website that result in a disclosure for targeted advertising of your personal data. Please note, if you come to our website from a different device or a different browser on the same device, you will need to opt out, or use an opt-out preference signal, for that browser and/or device as well.

       
       

       You may also give someone else permission to exercise the right to opt out sale or targeted advertising for you. To submit a request as an authorized agent on behalf of a consumer, write us at ConsumerPrivacy@CVSHealth.com or call us at 1-800-SHOP-CVS (1-800-746-7287). If we have information on your minor child, you may exercise these rights for them.

       
       

    8. Process to appeal a decision related to your rights

       If we refused to fulfill your request to exercise your privacy rights in Section 13(C), above, you may appeal this decision by contacting us at ConsumerPrivacy@CVSHealth.com. We will respond to your request within 45 days of receipt of your appeal with an explanation about our decision to fulfill or refuse your request.

       
       

       You may contact the Colorado Attorney General to file a complaint related to the denial of your request by phone at 1-720-508-6000.

       
       

14. Your Connecticut privacy rights

    Under the Connecticut Data Privacy Act (“CTDPA”), Connecticut residents have the right to receive certain disclosures regarding a business’ processing of “personal data,” as defined under the CTDPA, as well as certain rights with respect to our processing of such personal data. To the extent you are a resident of Connecticut and we collect, use or disclose personal data subject to the CTDPA, the following applies. For more information about the personal data we collect, use and disclose, please see Sections 2-5 above.

    
    

    1. Your privacy rights

       If you are a Connecticut resident, you have the following rights under the CTDPA with respect to your personal data.

       
       
       • Right to access. You have the right to confirm whether or not we are processing your personal data and to access such personal data.
       • Right of portability. You may have the right to obtain a copy of the personal data that you previously provided to us in a portable and, to the extent technically feasible, readily usable format that allows you to transmit your personal data to another controller or business where the processing is carried out by automated means.
       • Right to delete. You have the right to ask us to delete certain personal data we have collected about you.
       • Right to correction. You have the right to ask us to correct inaccuracies in the personal data we have collected.
       • Right to opt out of sale and profiling. Under the CTDPA, a “sale” includes exchanging personal data with a third party for monetary or other compensation. Please see our Notice of Right to Opt-Out here. CTDPA provides the right to opt out of the processing of personal data for decisions that produce legal or similarly significant effects concerning you. We do not process personal data for such profiling.
       • Right to opt out of targeted advertising. You have the right to opt out of targeted advertising based on your personal data. To opt out of targeted marketing, please see our Notice of Right to Opt-Out here.
       
       

    2. How to submit a request

       If you are a Connecticut resident and wish to exercise these rights, you can reach us in one of the ways shown below.

       
       

       Right to Access / Portability / Delete / Correct:

       
       
       • ExtraCare account only interactive webform; or
       • CVS.com account password-protected web portal (includes ExtraCare, if linked): Sign in here
       • 1-800-SHOP-CVS (1-800-746-7287)
       
       

       See Section 14(D), below, for instructions on how to opt-out of targeted advertising.

       
       

    3. Process to appeal a decision related to your rights

       If we refused to fulfill your request to exercise your privacy rights in Section 14(A), above, you may appeal this decision by contacting us at ConsumerPrivacy@CVSHealth.com. We will respond to your request within 45 days of receipt of your appeal with an explanation about our decision to fulfill or refuse your request.

       
       

       You may contact the Connecticut Attorney General to file a complaint related to the denial of your request by phone at 1-860-808-5318.

       
       

    4. Notice of right to opt-out

       If you wish to opt out of processing of personal data that is gathered when you visit our websites and other web-based services for purposes of targeted digital advertising, you may do so in one of the ways described below.

       
       
       • Fill out this interactive webform
       • Call us at 1-800-SHOP-CVS (1-800-746-7287)
       
       

       The effectiveness of your opt-out request may be limited by our ability to associate the cookies and/or pixels that we may collect with your identity, browser, device and/or browsing session. As a result, your opt-out request will be more effective for future visits if you:

       
       
       • Use the same device that was used to exercise the opt-out request
       • Have not cleared cookies from your web browser
       • Are not using a private mode in your web browser
       • Provide the same personal information that you provided previously
       
       

       We encourage you to re-submit opt-out requests from any other devices that you may be using to visit our websites, mobile applications and other web-based services. If you sign up and log in to your CVS.com account, we will be able to associate you more easily with your visits to our websites, mobile applications and other web-based services. This will also allow us to apply a more persistent opt-out request across devices, browsers and browsing sessions, subject to the above limitations.

       
       

       You also have the right to opt-out of targeted advertising using your personal data, including through the use of an opt-out preference signal. If our website detects that your browser is transmitting an opt-out preference signal, such as the “global privacy control” —or GPC— signal, we will opt that browser out of cookies on our website that result in a disclosure for targeted advertising of your personal data. Please note, if you come to our website from a different device or a different browser on the same device, you will need to opt out, or use an opt-out preference signal, for that browser and/or device as well.

       
       

       You may also give someone else permission to exercise the right to opt out sale or targeted advertising for you. To submit a request as an authorized agent on behalf of a consumer, write us at ConsumerPrivacy@CVSHealth.com or call us at 1-800-SHOP-CVS (1-800-746-7287). If we have information on your minor child, you may exercise these rights for them.

       
       

15. Your Utah privacy rights

    Under the Utah Consumer Privacy Act (“UCPA”), Utah residents have the right to receive certain disclosures regarding a business’ processing of “personal data,” as defined under the UCPA, as well as certain rights with respect to our processing of such personal data. To the extent you are a resident of Utah and we collect, use or disclose personal data subject to the UCPA, the following applies. For more information about the personal data we collect, use and disclose, please see Sections 2-5 above.

    
    

    1. Your privacy rights

       If you are a Utah resident, you have the following rights under the UCPA with respect to your personal data.

       
       
       • Right to access. You have the right to confirm whether or not we are processing your personal data and to access such personal data.
       • Right of portability. You may have the right to obtain a copy of the personal data that you previously provided to us in a portable and, to the extent technically feasible, readily usable format that allows you to transmit your personal data to another controller or business where the processing is carried out by automated means.
       • Right to delete. You have the right to ask us to delete certain personal data that you have provided to us.
       • Right to opt out of sale. Under the UCPA, a “sale” includes exchanging personal data with a third party for monetary consideration. We do not “sell” personal data as defined by UCPA.
       • Right to opt out of targeted advertising. You have the right to opt out of targeted advertising based on your personal data. To opt out of targeted marketing, please see our Notice of Right to Opt-Out here.
       
       

    2. How to submit a request

       If you are a Utah resident and wish to exercise these rights, you can reach us in one of the ways shown below.

       
       

       Right to Access / Portability / Delete:

       
       
       • ExtraCare account only interactive webform; or
       • CVS.com account password-protected web portal (includes ExtraCare, if linked): Sign in here
       • 1-800-SHOP-CVS (1-800-746-7287)
       
       

       See Section 15(C), below, for instructions on how to opt-out of targeted advertising.

       
       

    3. Notice of right to opt-out of targeted advertising

       If you wish to opt out of processing of personal data that is gathered when you visit our websites and other web-based services for purposes of targeted digital advertising, you may do so in one of the ways described below.

       
       
       • Fill out this interactive webform
       • Call us at 1-800-SHOP-CVS (1-800-746-7287)
       
       

       The effectiveness of your opt-out request may be limited by our ability to associate the cookies and/or pixels that we may collect with your identity, browser, device and/or browsing session. As a result, your opt-out request will be more effective for future visits if you:

       
       
       • Use the same device that was used to exercise the opt-out request
       • Have not cleared cookies from your web browser
       • Are not using a private mode in your web browser
       • Provide the same personal information that you provided previously
       
       

       We encourage you to re-submit opt-out requests from any other devices that you may be using to visit our websites, mobile applications and other web-based services. If you sign up and log in to your CVS.com account, we will be able to associate you more easily with your visits to our websites, mobile applications and other web-based services. This will also allow us to apply a more persistent opt-out request across devices, browsers and browsing sessions, subject to the above limitations.

       
       
    
    

16. Your Virginia privacy rights

    Under the Virginia Consumer Data Protection Act (“VCDPA”), Virginia residents have the right to receive certain disclosures regarding a business’ processing of “personal data,” as defined under the VCDPA, as well as certain rights with respect to our processing of such personal data. To the extent you are a resident of Virginia and we collect, use or disclose personal data subject to the VCDPA, the following applies. For more information about the personal data we collect, use and disclose, please see Sections 2-5 above.

    
    

    1. Your privacy rights

       If you are a Virginia resident, you have the following rights under the VCDPA with respect to your personal data.

       
       
       • Right to access. You have the right to confirm whether or not we are processing your personal data and to access such personal data.
       • Right of portability. You may have the right to obtain a copy of the personal data that you previously provided to us in a portable and, to the extent technically feasible, readily usable format that allows you to transmit your personal data to another controller or business where the processing is carried out by automated means.
       • Right to delete. You have the right to ask us to delete certain personal data we have collected about you.
       • Right to correction. You have the right to ask us to correct inaccuracies in the personal data we have collected.
       • Right to opt out of sale and profiling. Under the VCDPA, a “sale” includes exchanging personal data with a third party in exchange for monetary consideration. Please see our Notice of Right to Opt-Out here. VCDPA provides the right to opt out of the processing of personal data for decisions that produce legal or similarly significant effects concerning you. We do not process personal data for such profiling.
       • Right to opt out of targeted advertising. You have the right to opt out of targeted advertising based on your personal data. To opt out of targeted marketing, please see our Notice of Right to Opt-Out here.
       
       

    2. How to submit a request

       If you are a Virginia resident and wish to exercise these rights, you can reach us in one of the ways shown below.

       
       

       Right to Access / Portability / Delete / Correct:

       
       
       • ExtraCare account only interactive webform; or
       • CVS.com account password-protected web portal (includes ExtraCare, if linked): Sign in here
       • 1-800-SHOP-CVS (1-800-746-7287)
       
       

       See Section 16(D), below, for instructions on how to opt-out of targeted advertising.

       
       

    3. Process to appeal a decision related to your rights

       If we refused to fulfill your request to exercise your privacy rights in Section 16(A), above, you may appeal this decision by contacting us at ConsumerPrivacy@CVSHealth.com.

       
       

       We will respond to your request within 60 days of receipt of your appeal with an explanation about our decision to fulfill or refuse your request.

       
       

       You may contact the Virginia Attorney General to file a complaint related to the denial of your request by contacting mailoag@oag.state.va.us.

       
       

    4. Notice of right to opt-out

       If you wish to opt out of processing of personal data that is gathered when you visit our websites and other web-based services for purposes of targeted digital advertising, you may do so in one of the ways described below.

       
       
       • Fill out this interactive webform
       • Call us at 1-800-SHOP-CVS (1-800-746-7287)
       
       

       The effectiveness of your opt-out request may be limited by our ability to associate the cookies and/or pixels that we may collect with your identity, browser, device and/or browsing session. As a result, your opt-out request will be more effective for future visits if you:

       
       
       • Use the same device that was used to exercise the opt-out request
       • Have not cleared cookies from your web browser
       • Are not using a private mode in your web browser
       • Provide the same personal information that you provided previously
       
       

       We encourage you to re-submit opt-out requests from any other devices that you may be using to visit our websites, mobile applications and other web-based services. If you sign up and log in to your CVS.com account, we will be able to associate you more easily with your visits to our websites, mobile applications and other web-based services. This will also allow us to apply a more persistent opt-out request across devices, browsers and browsing sessions, subject to the above limitations.

       
       
    
    

17. Your Washington privacy rights

    To the extent that we collect consumer health data subject to the Washington My Health My Data Act and you are a resident of the State of Washington or an individual whose consumer health data is collected in the State of Washington, the collection and use of your consumer health data is governed by our Consumer Health Privacy Policy.