California Consumer Privacy Act (CCPA)

California Privacy Notice

Effective Date:  January 1, 2023

In accordance with the California Consumer Privacy Act (“CCPA”), this California Privacy Notice (“Notice”) supplements, for California residents, the general privacy policies of CoreLogic, Inc. (together with its relevant  subsidiaries, associates, and affiliated companies, “CoreLogic,” “us,” “we,” or the “Company”) including, without limitation, our Privacy Policy, and any other privacy policies, notices or statements on a “Service” (e.g., website, mobile app, or any other digital asset) that is owned and operated by the Company.  This Notice provides information regarding our data practices, including our collection, use, disclosure, and sale of information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household (collectively, “Personal Information”).

PLEASE NOTE:

If you are not a California resident, the rights described in this Notice do not apply to you. Even if you are a California resident, the rights described in this Notice may not apply to you as a result of certain exemptions in the CCPA, including those for publicly available data and data subject to certain other privacy laws, such as the Gramm-Leach-Bliley Act and Fair Credit Reporting Act (as described in more detail below).

The rights described in this Notice will apply to you only if you are currently a California resident and you are:

  • As of January 1, 2022, a current or former job applicant, employee, or contractor of CoreLogic (“HR Data Subject”). If you are an HR Data Subject, you may make a make an HR Data Subject CCPA request by visiting our online HR Data Subject Request Form or by calling our toll-free telephone number

OR

  • As of January 1, 2022, a current or former employee, owner director, officer, or independent contractor of a company, partnership sole proprietorship, non-profit, or government agency in connection with business-to-business (“B2B”) communications with CoreLogic, including if you have visited our website (“B2B Data Subject”).  If you are a B2B Data Subject, you may make a make a B2B Data Subject CCPA request by visiting our online B2B Data Subject Request Form, or by calling our toll-free telephone number.

Please note that although you will get a timely response using the toll-free telephone number, you will likely get a faster response using our online form.

1. CCPA Exemptions

We are a leading global property information, analytics and data-enabled software platforms and services provider. We provide B2B products and services and do not offer products or services directly to consumers. Except for HR Data Subjects and B2B Data Subjects, when we do collect and process Personal Information from or about consumers, we have determined it is in one of the following contexts that are exemptions under the CCPA:

Data That Is Processed in Our Capacity as a Service Provider. When we process consumer Personal Information as a service provider for another business, that business, not us, is the owner and controller of the Personal Information and responsible for any CCPA requests related to that data. If you want to inquire about Personal Information we process for our clients as their service provider, you should contact those entities directly. Due to confidentiality considerations, we do not disclose or confirm the identity of our clients or what data we process for them.

Data That Is Regulated and Protected by Other Laws. The CCPA recognizes that other privacy laws already exist to protect certain types of Personal Information under certain circumstances. We are subject to and comply with several of these laws, including the federal Fair Credit Reporting Act (FCRA), the federal Gramm-Leach-Bliley Act (GLBA), the Driver’s Privacy Protection Act of 1994 (DPPA), and the California Financial Information Privacy Act. The CCPA exempts Personal Information that is already regulated and protected by those laws, and we apply our obligations under those laws to that data.

Data That Is Publicly Available. The CCPA exempts Personal Information that is “publicly available,” which means information that is lawfully made available from federal, state, or local government records, or information that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media, or by the consumer; or information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience.

Data That Is Deidentified or Aggregated. The CCPA does not consider deidentified or aggregated data to be Personal Information.  “Aggregated” data is information that relates to a group or category of consumers, from which individual consumer identities have been removed, that is not linked or reasonably linkable to any consumer or household, including via a device. “Deidentified” data is information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer.  We commit to maintain and use the information in deidentified form and not to attempt to reidentify the information, except that we may attempt to reidentify the information solely for the purpose of determining whether our deidentification processes are effective.

2. Notice of Data Practices

The description of our data practices in this Notice covers only the twelve (12) months prior to the Effective Date and will be updated at least annually. Our data practices may differ between updates; however, if materially different from this Notice, we will provide pre-collection notice of the current practices, which may include references to other privacy policies, notices or statements posted or referenced on the Service that reflect current practices.

(a)   Personal Information Collection and Retention

In the last 12 months, we collected and retained Personal Information about Consumers as follows:

Category of Personal Information Examples of Personal Information Collected and Retained Maximum Retention Period
1.     Identifiers Real name, alias, postal address, unique personal identifiers, online identifier, Internet Protocol address, email address, and account name. Period of engagement / relationship with CoreLogic (if applicable) plus 7 years.
2.     Personal Records Name, signature, description, address, telephone number, and financial information (e.g., payment card information). Some Personal Information included in this category may overlap with other categories. Period of engagement / relationship with CoreLogic (if applicable) plus 7 years.
3.     Personal Characteristics or Traits In some circumstances, we may collect Personal Information that is considered protected under U.S. law, such as age, gender, nationality, race or information related to medical conditions. Period of engagement / relationship with CoreLogic (if applicable) plus 7 years.
4.     Customer Account Details/Commercial Information Records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. Period of engagement / relationship with CoreLogic (if applicable) plus 7 years.
5.     Biometric Information Physiological and biological characteristics, which can be used to establish individual identity, including but not limited to fingerprints. Only for HR benefits purposes. Period of engagement / relationship with CoreLogic (if applicable) plus 7 years.
6.     Internet Usage Information When you browse our Services or otherwise interact with us online, we may collect browsing history, search history, and other information regarding your interaction with our Services or other sites, applications, or advertisements. Period of engagement / relationship with CoreLogic (if applicable) plus 7 years.
7.     Geolocation Data If you interact with us online we may gain access to the approximate location of the device or equipment you are using. Period of engagement / relationship with CoreLogic (if applicable) plus 7 years.
8.     Sensory Data We may collect audio, electronic, or similar information when you contact us through our customer service line. Period of engagement / relationship with CoreLogic (if applicable) plus 7 years.
9.     Professional or Employment Information Professional, educational, or employment-related information. Period of engagement / relationship with CoreLogic (if applicable) plus 7 years.
10.  Non-public Education Records Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. Period of engagement / relationship with CoreLogic (if applicable) plus 7 years.
11.  Inferences from Personal Information Collected We may draw inferences from other information we collect about you. Period of engagement / relationship with CoreLogic (if applicable) plus 7 years.
12.  Sensitive Personal Information This may include Personal Information that reveals:
  • Social security, driver’s license, state identification card, or passport number
  • Account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account
  • Racial or ethnic origin
  • The contents of email and text messages
  • Health information
  • Sex life or sexual orientation information
 Period of engagement / relationship with CoreLogic (if applicable) plus 7 years.

(b)   Sources of Personal Information

We collect Personal Information from visitors of our website as set forth in Section 2 of our Privacy Policy.  Additionally, we may purchase customer lists containing business contact information, which is considered Personal Information under the CCPA.

We collect Personal Information from HR Data Subjects in connection with their application for employment/engagement and actual employment/engagement with CoreLogic.

We collect Personal Information from B2B Data Subjects in connection with their business and/or website interaction with CoreLogic.

 

(c)   Use of Personal Information

Information regarding how we use Personal Information obtained from our website can be found in Section 2 of our Privacy Policy.  Personal Information obtained from customer lists is used for marketing purposes.

Personal Information from HR Data Subjects is used solely in connection with HR purposes.

Personal Information obtained from B2B Data Subjects is used for the purposes of the business transaction(s) with CoreLogic and may be further used for marketing purposes.

 

(d)   Personal Information Disclosure Practices

During the past 12 months, we did not “sell” or “share”, as those terms are defined by the CCPA, any of the categories of Personal Information described above.  To our knowledge, we have not collected, sold or shared Personal Information from children under the age of 16.

During the last 12 months, for the purposes explained in our Privacy Policy, we disclosed such Personal Information to our vendors, other members of our corporate group, government entities (when we are under a duty to disclose or as required to protect our rights or the rights of others), and other parties as more fully set forth below:

Category of Personal InformationCategories of Recipients
1.     Identifiers
  • Vendors (e.g., data analytics providers, payment processors, and marketing services providers; HR service providers)
  • Other members of our corporate group
  • Governmental entities (making requests pursuant to legal or regulatory process)
2.     Personal Records
  • Vendors (e.g., data analytics providers, payment processors, and marketing services providers; HR service providers)
  • Other members of our corporate group
  • Governmental entities (making requests pursuant to legal or regulatory process)
3.     Personal Characteristics or Traits
  • Vendors (e.g., data analytics providers, payment processors, and marketing services providers; HR service providers)
  • Other members of our corporate group
  • Governmental entities (making requests pursuant to legal or regulatory process)
4.     Customer Account Details / Commercial Information
  • Vendors (e.g., data analytics providers, payment processors, and marketing services providers; HR service providers)
  • Other members of our corporate group
  • Governmental entities (making requests pursuant to legal or regulatory process)
5.     Biometric Information
  • Vendors (HR service providers)
  • Other members of our corporate group
  • Governmental entities (making requests pursuant to legal or regulatory process)
6.     Internet Usage Information
  • Vendors (e.g., data analytics providers, payment processors, and marketing services providers; HR service providers)
  • Other members of our corporate group
  • Governmental entities (making requests pursuant to legal or regulatory process)
7.     Geolocation Data
  • Vendors (e.g., data analytics providers, payment processors, and marketing services providers; HR service providers)
  • Other members of our corporate group
  • Governmental entities (making requests pursuant to legal or regulatory process)
8.     Sensory Data
  • Vendors (e.g., data analytics providers, payment processors, and marketing services providers; HR service providers)
  • Other members of our corporate group
  • Governmental entities (making requests pursuant to legal or regulatory process)
9.     Professional or Employment Information
  • Vendors (e.g., data analytics providers, payment processors, and marketing services providers; HR service providers)
  • Other members of our corporate group
  • Governmental entities (making requests pursuant to legal or regulatory process)
10.  Non-public Education Records
  • Vendors (e.g., data analytics providers, payment processors, and marketing services providers; HR service providers)
  • Other members of our corporate group
  • Governmental entities (making requests pursuant to legal or regulatory process)
11.  Inferences from Personal Information Collected
  • Vendors (e.g., data analytics providers, payment processors, and marketing services providers; HR service providers)
  • Other members of our corporate group
  • Governmental entities (making requests pursuant to legal or regulatory process)
12.  Sensitive Personal Information
  • Vendors (e.g., records processors and data storage; HR service providers);
  • Other members of our corporate group
  • Governmental entities (making requests pursuant to legal or regulatory process)

3. Your Consumer Privacy Rights and How to Exercise Them

As discussed above, the data included in our products and services are not subject to the CCPA as a result of certain exemptions found in the CCPA. Therefore, consumers (other than HR Data Subjects and B2B Data Subjects) will not be able to exercise rights granted under the CCPA.

As described more below, subject to our being able to verify your identity (discussed below), you may exercise the privacy rights described in this section.   

(a)   Right to Know/Access

You are entitled to access the Personal Information that we maintain about you up to twice in a 12-month period.      

(1)   Categories

You have a right to submit a request for any of the following for the 12-month period preceding the request date:

  • The categories of Personal Information we have collected about you;
  • The categories of sources from which we collected your Personal Information;
  • The purposes for our collecting your Personal Information;
  • A list of the categories of Personal Information disclosed to third parties and, for each, the categories of recipients.

(2)   Specific Personal Information

You may request to confirm if we are processing your Personal Information and, if we are, to obtain a transportable copy, subject to applicable request limits, of your Personal Information that we have collected and are maintaining.  Before providing you with the specific Personal Information that we maintain about you, we will apply the heightened verification standards described in the How to Exercise Your Consumer Privacy Rights section below.  

(b)   Right to Delete

Subject to certain exceptions, you may request that we delete your Personal Information.  

(c)   Correct Your Personal Information

You may request that we correct any inaccuracies you find in the Personal Information that we maintain about you.

(d)   Right to Limit Use and Disclosure of Sensitive Personal Information

With regard to Personal Information that qualifies as “Sensitive Personal Information” under the CCPA, as of January 1, 2023, if you elect to provide us with Sensitive Personal Information you may limit the purposes for which we may process it to the following:

  • To perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services.
  • To detect security incidents that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal information.
  • To resist malicious, deceptive, fraudulent, or illegal actions directed at us and to prosecute those responsible for those actions.
  • To ensure the physical safety of natural persons.
  • For short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of a consumer’s current interaction with us.
  • To perform services on behalf of our business, such as maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of our business.
  • To verify or maintain the quality or safety of a service or device that we own, manufacture or control, and to improve, upgrade, or enhance a service or device we own, manufactured or control.

(e)   How to Exercise Your Consumer Privacy Rights

To submit a request to exercise your privacy rights as an HR Data Subject or B2B Data Subject, or to submit a request as an authorized agent, please follow the instructions at our HR Data Subject Request or B2B Data Subject Request, or call us at 1-800-634-4149 and respond to any follow-up inquiries we make. Please be aware that we do not accept or process requests through other means (for example, via fax, chats, social media, etc.).

(1)   We Must Verify Your Identity

When you submit a request, we may ask you to provide verifying information, such as your name, email, phone number and/or mailing address. We will review the information provided and may request additional information via email or other means to ensure we are interacting with the correct individual. We will not fulfill your request unless you have provided sufficient information for us to reasonably verify you are the Consumer about whom we collected Personal Information.  We do not verify requests to limit the processing of sensitive Personal Information unless we suspect fraud.

We will use Personal Information provided in your request only to verify your identity or authority to make the request and to track and document request responses, unless you also gave it to us for another purpose.

We verify each request as follows:

  • Right to Know (Categories of Personal Information):  We will verify your request by matching at least two data points you provide with data points we maintain, which we have determined to be reliable for the purpose of verifying you. 
  • Right to Know (Specific Personal Information):  We will verify your request by matching at least three data points you provide with data points we maintain, which we have determined to be reliable for the purpose of verifying you, together with a signed declaration under penalty of perjury that you are the Consumer whose Personal Information is the subject of the request. If you fail to provide the data points we will be unable to verify you sufficiently to honor your request, but we will then treat it as a request for disclosure of the categories of Personal Information we maintain about you.
  • Request to Limit the Processing of Sensitive Personal Information:  No specific verification required unless we suspect fraud.
  • Right to Delete:  We will verify your request by matching at least two or three data points you provide with data points we maintain, depending on the sensitivity of the Personal Information and the risk of harm posed by unauthorized deletion.
  • Right to Correction:  We will verify your request by matching at least two or three data points you provide with data points we maintain, depending on the sensitivity of the Personal Information and the risk of harm posed by unauthorized correction.

If you fail to provide the data points specified above, we will be unable to verify you sufficiently to honor your request.

(2)   Agent Requests

You may use an authorized agent to exercise your rights on your behalf.  Authorized agents may demonstrate that the agent has authority to exercise rights on the behalf of the requesting HR Data Subject or B2B Data Subject by any of the methods specified in Section 3(e) of this Notice.  Thereafter, we will require evidence of the agent’s identity (via submission of a driver’s license or other government-issued identification), and at least one of the following evidencing proof of your legal authority to act on the behalf of the individual who is the subject of this request:

  • Written authorization signed by the individual; or
  • Certified copy of a Power of Attorney granted under the California Probate Code.

Whenever you interact with us on behalf of another individual or entity, such as by providing or accessing Personal Information about another individual, you represent that your interactions and exchanges comply with applicable data privacy laws. You shall have sole responsibility for any violation of applicable laws as a result of a failure to obtain any necessary consent from such individual.

(f) Our Responses

Some Personal Information that we maintain is insufficiently specific for us to be able to associate it with a Consumer (e.g., clickstream data tied only to a pseudonymous browser ID).  We do not include such Personal Information in response to requests.  If we cannot comply with a request, we will explain the reasons in our response. 

We will not charge a fee to respond to your requests; provided, however, that we may charge a reasonable fee, or refuse to act upon a request, if your request is excessive, repetitive, unfounded, or overly burdensome.  If we determine that the request warrants a fee, or that we may refuse it, we will give you notice explaining why we made that decision. 

Consistent with our interest in the security of your Personal Information, we will not deliver to you your Social Security number, driver’s license number, or other government-issued ID number, financial account number, any health or medical identification number, an account password, security questions or answers, or unique biometric information generated from measurements or technical analysis of human characteristics in response to a privacy rights request.

4. Non-discrimination

We will not discriminate against you in a manner prohibited by the CCPA for your exercise of your privacy rights.

5. Our Rights and the Rights of Others

Notwithstanding anything to the contrary, we may collect, use and disclose your Personal Information as required or permitted by applicable law and this may override your rights under U.S. Privacy Laws. In addition, we are not required to honor your requests to the extent that doing so would infringe upon our or another person’s or party’s rights or conflict with applicable law.

6. Contact Us

If you have any questions, comments, concerns, or complaints about our privacy practices, please contact us by email at [email protected].