Privacy Notice for California Residents

Effective Date: October 14, 2024

This Privacy Notice for California Residents (“Privacy Notice”) supplements the information contained in Citadel’s Privacy Policy and provides eligible California residents with specific rights with respect to our collection, retention, and use of Personal Information. Any terms not defined in this section have the same meaning as defined in the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”).
A PDF copy of this Privacy Policy is available for printing here.

A. Information we collect:

In the course of our business we collect information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household (“Personal Information”). Depending on how you interacted with us, we may have collected the following categories of Personal Information from you in the last twelve (12) months, which we may also share with third parties for the purposes outlined in this Privacy Notice. The categories below are those identified in the CCPA, as amended by the CPRA.

Please note that we do not collect every type of Personal Information identified in the Examples below from every consumer. The types of Personal Information we have collected on any consumer depends on how the consumer has interacted with us. For example, the Personal Information collected on a consumer who visits the website may differ from the information collected on an applicant for employment.

Category Examples Collected?
Identifiers This category may include name, postal address, unique personal identifiers, online identifiers, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers. Under the CCPA, “unique identifier” or “unique personal identifier” means a persistent identifier that can be used to recognize a consumer or a device that is linked to a consumer, over time and across different services, such as an IP address or customer number. YES
Sensitive Personal Information The category may include Personal Information that identifies a consumer’s Social Security, driver’s license, state ID card, or passport number; a consumer’s account log-in, financial account number, password, or credentials allowing access to an account; a consumer’s precise geolocation; a consumer’s racial or ethnic origin, religious or philosophical beliefs, sexual orientation, or union membership; or the contents of a consumer’s mail, email, and other electronic messages where business is not the intended recipient of the communication. YES
Personal Information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) and protected classification characteristics under California or federal law PThis category may include name, signature, Social Security number, physical characteristics, address, phone number, passport number, driver’s license or state ID card number, insurance policy number, education or employment information, financial account numbers, medical information, health insurance information, age, race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex and gender information, veteran or military status, or genetic information. YES
Commercial information This category may include records of services obtained, considered, or provided. YES
Biometric information This category may include imagery of the face, from which an identifier template, like a face print, can be extracted. YES
Internet or other electronic network activity information This category may include browsing history, search history, and information regarding interactions with a website, application, or advertisement. Citadel makes reasonable efforts to respect Do Not Track settings in browsers. YES
Geolocation data This category may include physical location, such as if you share the information with us at an event. YES
Sensory data This category may include audio, electronic, visual, or similar information, such as from the use of security cameras. YES
Professional or employment-related information This category may include current or past job history or performance. YES
Non-public education information This category may include education records directly related to a student maintained by an educational institution or party acting on its behalf (e.g., grades, transcripts, and student ID numbers). YES
Inferences drawn from other Personal Information This category may include inferences drawn from the above information that may reflect your preferences, characteristics, predispositions, behavior, interests, attitudes, or similar behavioral information. YES

 

Please note that some categories of Personal Information described in the CCPA, as amended by the CPRA, overlap with each other.  For instance, your name is both an Identifier and a type of data described in Cal. Civil Code 1798.80(e).

Personal Information does not include publicly available information from government records or any deidentified or aggregated consumer information.  In addition, the CCPA, as amended by the CPRA, excludes from its scope health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA), clinical trial data, and Personal Information covered by sector-specific privacy laws that include the Fair Credit Reporting Act (FRCA), Gramm-Leach-Bliley Act (GLBA), California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

B. Use, Sharing, and Sale of Personal Information:
We may use or disclose the Personal Information we collect for the purposes described in the “Purpose for Personal Data Collection, Use, and Disclosure” Section in Citadel’s Privacy Policy.

Over the last twelve (12) months, Citadel disclosed the following categories of Personal Information for a business purpose: identifiers; Sensitive Personal Information; California Customer Records Personal Information categories; protected classification characteristics under California or federal law; commercial information; internet or other similar network activity; geolocation data; professional or employment-related information (for prospective employees, contractors, or consultants); non-public education information (for prospective employees, contractors, or consultants); and inferences drawn from other Personal Information.
Over the last twelve (12) months, Citadel did not sell Personal Information. However, we may have shared your Personal Information in the following ways:

  • With our affiliated companies;
  • With our third party service providers that provide business, professional, or technical support functions for us;
  • As necessary if we believe that there has been a violation of our Terms of Use or of our rights or the rights of any third party;
  • To respond to judicial process or provide information to law enforcement or regulatory agencies or in connection with an investigation on matters related to public safety, as permitted by law, or otherwise as required by law; and
  • As otherwise described to you at the point of collection.

C. California Privacy Rights & Choices:
“Shine the Light” and “Eraser” Laws: California Civil Code Section 1798.83 permits California residents to request information regarding our disclosure, if any, of their Personal Information to third parties for their direct marketing purposes. To make a request, please email or write to us using our information provided in the “Contact Us” section below.
Non-affiliated third parties are independent from Citadel. If you wish to receive information about your disclosure choices or stop communications from such third parties, you will need to contact those non-affiliated third parties directly.

CCPA/CPRA: The CCPA, as amended by the CPRA, provides eligible California residents with specific rights regarding our collection, retention, and use of Personal Information.

(a) Right to Know About Personal Information Collected, Disclosed, or Sold
You have the right to request that we provide certain information to you about our collection and use of your Personal Information over the past twelve (12) months. Specifically, you have the right to request disclosure of the categories of Personal Information and specific pieces of Personal Information we collected about you over the last 12 months. Upon submission of a verifiable consumer request (see Exercising Your California Privacy Rights below), we will disclose to you:

  • the categories of Personal Information we collected about you;
  • the categories of sources from which Personal Information was collected;
  • the business or commercial purpose for collecting Personal Information;
  • the business or commercial purpose for disclosing or selling Personal Information; and
  • the categories of third parties with whom we sold or shared Personal Information for a business purpose.

Upon your request, we will also provide the specific pieces of Personal Information we collected about you, subject to certain exceptions under applicable law.

(b) Right to Request Deletion of Personal Information
You have the right to request that we delete Personal Information that we have collected and maintain about you, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will conduct a reasonable search of our records to locate any Personal Information we collected about you that is eligible for deletion and delete such Personal Information. To the extent we shared any Personal Information collected about you that is eligible for deletion with service providers, we will direct those service providers to delete that Personal Information. Citadel may not be able to comply entirely with your request under the CCPA to delete all your Personal Information. Specifically, we are not required to delete any Personal Information we collected about you that is necessary for us or our service provider(s) to:

  • Complete the transaction for which the Personal Information was collected, provide a good or service requested by you or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform a contract with you.
  • Detect security incidents or protect against or prosecute malicious, deceptive, fraudulent, or illegal activity.
  • Debug to identify and repair errors that impair existing intended functionality.
  • Exercise a right provided for by law.
  • Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 of Title 12 of Part 2 of the Penal Code.
  • Enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us.
  • Comply with a legal obligation, such as complying with local, state, or federal data retention requirements.
  • Otherwise use your Personal Information internally in a lawful manner that is compatible with the context in which you provided your information.

Following a deletion request, any Personal Information about you that was not deleted from our systems due to one of the above exceptions will only be used for the purposes provided for by the applicable exception.  Personal Information about you that is not subject to a deletion exception will be (1) permanently deleted on our existing systems (with the exception of archived or back-up systems maintained for emergency disaster recovery and business continuity purposes); (2) de-identified; or (3) aggregated to not be personal to you.

Following a deletion request, any Personal Information about you that was not deleted from our systems due to one of the above exceptions will only be used for the purposes provided for by the applicable exception. Personal Information about you that is not subject to a deletion exception will be (1) permanently deleted on our existing systems (with the exception of archived or back-up systems maintained for emergency disaster recovery and business continuity purposes); (2) de-identified; or (3) aggregated to not be personal to you.

(c) Right to Opt-Out of Sale or Sharing of Personal Information
California residents have the right to opt-out of the sale of their Personal Information by submitting a request when accessing our website or by contacting us using the information in the “Contact Us” section below.

Please note that we do not knowingly sell the Personal Information of any individuals under the age of 16.

Where we are sharing your Personal Information with third parties for the purposes of cross-context behavioral advertising or profiling, you may opt-out of such sharing at any time by submitting a request when accessing our website or by contacting us using the information in the “Contact Us” section below.

(d) Right to Limit Use of Sensitive Personal Information
California residents have the right to request that we limit our use of any sensitive Personal Information to those uses that are necessary to perform the services or for other specifically-enumerated business purposes under the CCPA, as amended by the CPRA.

(e) Right to Correct
Under the CCPA, as amended by the CPRA, California residents have the right to request that we correct any inaccurate Personal Information we maintain about you, considering the nature of the Personal Information and the purposes for which we are processing such Personal Information. We will use commercially reasonable efforts to correct such inaccurate Personal Information about you.

(f) Right to Non-Discrimination for the Exercise of a Consumer’s Privacy Rights
We will not discriminate against you for exercising your privacy rights. Unless permitted by applicable law, we will not:

  • Deny you services.
  •  Charge you different prices or rates for services, including through granting discounts or other benefits, or imposing penalties.
  • Provide you a different level or quality of services.
  • Suggest that you may receive a different price or rate for services or a different level or quality of services.

(g) Exercising Your California Privacy Rights
To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either:

Requests to exercise your rights under the CCPA, as amended by the CPRA, require verification of your identity and may be made only by you, your parent or guardian (if you are under 18 years of age), a person to whom you have given power of attorney pursuant to California Probate Code sections 4000 to 4465, or an authorized agent that is registered with the California Secretary of State. If a parent or guardian submits a request on behalf of a minor, the parent or guardian must submit proof that they are the parent or guardian of the consumer and must verify the consumer’s identity (such as by providing a notarized letter). If someone with power of attorney makes a request on behalf of a consumer, they must verify the individual consumer’s identity and submit documentation establishing the power of attorney. If an authorized agent submits a request on behalf of a consumer, they must verify the individual consumer’s identity, provide written permission from the consumer to submit the request on the consumer’s behalf, and submit documentation establishing registration with the Secretary of State. If Citadel cannot verify that the requestor is authorized by the consumer to act on the consumer’s behalf, Citadel is not obligated to provide information or respond to the request. If you have any questions about making a request on behalf of another consumer, please email us at [email protected].

Your verifiable consumer request must provide sufficient information that allows us to reasonably verify that you are the person about whom we collected Personal Information or that you are an authorized representative of such person. We will not respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request or confirm the Personal Information relates to you. While we may ask for Personal Information to verify the requestor or consumer’s identity, we will only use that Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority. Making a verifiable consumer request does not require you to create an account with us. You may only make a verifiable consumer request for access twice within a 12-month period.

(h) Response Timing and Format
We endeavor to respond to a verifiable consumer request within forty-five (45) calendar days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. Within ten (10) business days of receiving the request, we will confirm receipt and provide information about our verification and processing of the request. Citadel will maintain consumer requests made pursuant to the CCPA and our response to said requests for at least twenty-four (24) months.

Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. If you have an account with us, we may require you to take delivery of our written response through that account. If you do not have an account with us, we will deliver our written response electronically, though you may alternatively choose to receive delivery by mail. The response will also explain the reasons we cannot comply with a request, if applicable. Requests for the specific pieces of information that we have collected about you will be sent in a portable, readily useable format that you may transmit to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

D. Contact Us
We hope this Privacy Policy answers your questions about our collection, use, and disclosure of your personal data. If you have additional questions about this Privacy Policy or the practices described here, you may contact us at [email protected] or write to us at the following address:

Privacy Officer
Citadel Enterprise Americas LLC
Southeast Financial Center
200 S. Biscayne Blvd
Suite 3300
Miami, FL 33131