California CCPA/CPRA and Virginia VCDPA Privacy Notice

  • For EU and UK residents, click here for GDPR privacy notice.
  • For US residents, click here for US privacy notice.

Privacy Statement – For California and Virginia Consumers and California Employees

To comply with the California Consumer Privacy Act of 2018 (“CCPA”), updated to the California Privacy Rights Act (“CPRA”), the Virginia Consumer Data Protection Act (“VCDPA”) and other applicable privacy laws, this privacy notice supplements the information contained in the Privacy Notice www.psbinsights.com of PSB Insights LLC and WPP Brands U.K. Ltd. and PSB UK (collectively, “PSB,” “we,” “us,” or “our”). This notice applies to visitors and users who are residents of the states of California and Virginia (collectively “consumers”). Additionally, this notice applies to residents of the State of California who are current, former, or prospective employees of PSB (collectively “employees”). The categories, sources, purposes, sharing, and retention of personal information are displayed separately below for both consumers and employees. Any terms defined in the CCPA/CPRA have the same meaning when used in this notice.

Categories of Personal Information We Collect about Consumers

We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household (“personal information”). Within the last 12 months, when operating as a Business (controller), we have collected the following categories of personal information from consumers:

Category of Personal InformationExamplesCollected
IdentifiersUnique personal identifier, online identifier, Internet Protocol address, mobile device IDYes
Personal informationName, email address, phone numberYes
Internet or other similar network activityBrowsing history, search history, information on a consumer’s interaction with a website, application, or advertisementYes

Personal information does not include publicly available information from government records, de- identified or aggregated consumer information.

Sources, purposes, sharing, and retention of personal information

The table below outlines how we collect or receive the categories of personal information, the business purpose for this and, if we sell or share the personal information, the categories of third parties with whom we sell or share the personal information, and for how long we may retain each category of personal information.

We may disclose your personal information to other group companies, affiliates and third parties to help us process your personal information for the purposes set out in this notice. When we disclose personal information for a business purpose, we enter a contract that describes the purpose of the processing and prevents the recipient from retaining, using or disclosing the personal information for any purpose other than performing the contract.

Category of Personal Information Category of Source of Personal Information Business Purpose for which the Personal Information is Collected Categories of Third Parties with whom the Personal Information is Sold or Shared How Long the Personal Information may be Retained
Identifiers Direct from consumers Certain short-term uses Not sold or shared Only as long as necessary
Personal information categories listed in the California Customer Records statute Direct from consumers Certain short-term uses Not sold or shared Only as long as necessary
Internet or other similar network activity Direct from consumers Certain short-term uses, performing services Not sold or shared Only as long as necessary
Sale of Personal Information

For the purposes of the CCPA/CPRA and VCDPA, in the preceding twelve (12) months, we have not sold or shared any personal information about consumers.

Categories of Personal Information We Collect about Employees

We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household (“personal information”). Within the last 12 months, when operating as a Business (controller) we have collected the following categories of personal information from employees:

Category of Personal InformationExamplesCollected
IdentifiersUnique personal identifier, online identifier, Internet Protocol address, mobile device IDYes
Personal informationName, email address, phone numberYes
Protected classificationsRace, nationality, medical condition, marital status, ageYes
Internet or other similar network activityBrowsing history, search history, information on a consumer’s interaction with a website, application, or advertisementYes
Professional or employment-related informationCurrent or past job history or performance evaluationsYes
Sensitive personal informationSocial security number, driver’s license numberYes

Personal information does not include publicly available information from government records, de- identified or aggregated consumer information.

Sources, purposes, sharing, and retention of personal information

The table below outlines how we collect or receive the categories of personal information, the business purpose for this and, if we sell or share the personal information, the categories of third parties with whom we sell or share the personal information, and for how long we may retain each category of personal information.

We may disclose your personal information to other group companies, affiliates and third parties to help us process your personal information for the purposes set out in this notice. When we disclose personal information for a business purpose, we enter a contract that describes the purpose of the processing and prevents the recipient from retaining, using or disclosing the personal information for any purpose other than performing the contract.

Category of Personal Information Category of Source of Personal Information Business Purpose for which the Personal Information is Collected Categories of Third Parties with whom the Personal Information is Sold or Shared How Long the Personal Information may be Retained
Identifiers Direct from employees Auditing interactions with employees, Certain short-term uses, Security Not sold or shared Only as long as necessary
Personal information categories listed in the California Customer Records statute Direct from employees Certain short-term uses Not sold or shared Indefinitely, or only as long as legally required
Protected classification characteristics under California or federal law Direct from employees Certain short-term uses Not sold or shared Indefinitely, or only as long as legally required
Internet or other similar network activity Direct from employees Certain short-term uses Not sold or shared Only as long as necessary
Professional or employment-related information Direct from employees Certain short-term uses Not sold or shared Indefinitely, or only as long as legally required
Sensitive personal information Direct from employees Certain short-term uses Not sold or shared Indefinitely, or only as long as legally required

Sale of Personal Information

For the purposes of the CCPA/CPRA and VCDPA, in the preceding twelve (12) months, we have not sold or shared any personal information about employees.

Your Rights

The CCPA/CPRA and VCDPA provides California and Virginia residents with specific rights regarding their personal information, these are explained below.

Request to Access to your Personal Information and Data Portability

You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and verify your request, you may ask that we disclose to you:

  • The categories of personal information we collected about you.
  • For each category of personal information we collected about you:
    • The categories of sources from which this was collected.
    • Our business or commercial purpose for collecting that personal information.
    • Our business or commercial purpose for selling or disclosing that personal information.
    • The categories of third parties with whom we disclose or sell your personal information.
  • The specific pieces of personal information we collected about you.

For data portability requests, we will provide your personal information in a format that is readily useable and should allow you to transmit the information from us to another entity.

Request for Deletion

You have the right to request that we delete any of your personal information that we collected from you and retained. We may deny your deletion request if it is necessary for us or our service providers to retain your personal information, based upon allowed exceptions.

Once we receive and verify your request, and no exception applies, we will delete and direct our service providers to delete your personal information as requested. We will contact you to confirm the deletion and the manner in which it was deleted.

Request to Limit the Use of My Sensitive Personal Information

Under the CPRA, you have the right to request that we limit the use and disclosure of your sensitive personal information. We may deny your request if it is legally necessary for us, or our service providers, to use and or disclose your sensitive personal information, based upon allowed exceptions.

Once we receive and verify your request, and if no exception applies, we will limit the use and disclosure of your sensitive.

Non-Discrimination

We will not discriminate against you for exercising any of your rights under the CCPA/CPRA.

Exercising Access, Data Portability, Deletion, and Limitation Rights

To exercise the rights described above please submit your request to us by either:

Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information.

For the purpose of verification, we may request further information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative. We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request.

There is no charge for exercising your request, however, if it is excessive, repetitive, or manifestly unfounded we may charge a reasonable fee based upon the administrative costs of providing the information to you or taking the action requested. We may also refuse to act on the request and will notify you of the reason for refusing the request.

Response Timing

Upon receiving a verifiable consumer request, we aim to deliver the required information within 45 days. Where we require more time (up to a further 45 days), we will inform you of the reason and extension period.

How to Contact Us

If you have any queries about any information contained in this privacy notice, or how we use your personal information, please let us know by contacting us at the following address:

Privacy Officer, PSB Insights, 1801 K Street, 9th Floor, NW Washington, DC 20006.

Or via email at [email protected]

Changes to this Privacy Notice

We review this privacy notice on a regular basis to ensure that it is up-to-date with our use of your personal information, and compliant with applicable data protection laws.

We reserve the right, at our discretion, to revise this privacy notice at any time. The updated privacy notice will be posted on our website. You are encouraged to review this privacy notice from time to time.

Responsible Disclosures

PSB appreciates and values the identification and reporting of security vulnerabilities carried out by well-intentioned, ethical security researchers. Please read our Responsible Disclosures Policy in full.

Effective Date

This privacy notice was last updated to V1.6 May 2023.