AvalonBay Communities California Privacy Notice

Effective Date: November 10, 2021

This California Privacy Notice (“Notice”) applies to “Consumers” as defined by the California Consumer Privacy Act (together with related regulations the “CCPA”) as a supplement to AvalonBay Communities, Inc.’s, and our subsidiaries’ (“Company” “us” “we” “our”) other privacy policies or notices. In the event of a conflict between any other Company policy, statement or notice and this Notice, this Notice will prevail as to California Consumers and their rights under the CCPA. Please see also any privacy policy or notice of general applicability posted or referenced on our websites, apps, products, or services including, without limitation, avaloncommunities.com; avalonbay.com; and AvalonAccess.com.

This Notice covers our collection, use, disclosure, and sale of California Consumers’ “Personal Information” (“PI”) as defined by the CCPA, except to the extent such PI is exempt from the notice obligations of the CCPA. This Notice also explains the rights California Consumers have under the CCPA, and provides other notices to Californians required by other laws. The description of our data practices in Sections 1 and 2 of this Notice, as required by the CCPA, covers only calendar year 2020 and will be updated annually. Our practices in calendar year 2021 may change; however, if materially different such that we think a Consumer would reasonably expect notice we will provide pre-collection notice of the current practices, which may include reference to our general privacy policy or other applicable privacy policies and notices.

Consistent with the CCPA, job applicants, current and former employees and independent contractors (“Personnel”), and subjects of certain business-to-business communications acting solely in their capacity as representatives of another business, are not considered Consumers for purposes of this California Privacy Notice or the rights described herein. However, our Personnel may obtain a separate privacy notice that is applicable to them by contacting our Human Resources department. Publicly available information is also not treated as PI under the CCPA, so this notice is not intended to apply to that data and your Consumer privacy rights do not apply to that data.

To aid in readability, in some places we have abbreviated or summarized CCPA terms or language, but a full copy of the CCPA is available at Title 1.81.5 of the California Civil Code, Sections 1798.100 - .199. Terms defined in the CCPA that are used in this Notice with initial capitalizations shall have the same meaning as in the CCPA.

The CCPA is a new law and there remain differing interpretations of it and the regulations that implement it. Accordingly, we may from time-to-time update information in our notices regarding our data practices and your rights, modify our methods for you to make and for us to respond to your requests, and/or supplement our response(s) to your requests, as we continue to develop our compliance program to reflect the evolution of the law and our understanding of how it relates to our data practices.

You can click on the following links to navigate to the different sections in this Notice.

1. PI We Collect

(A) Sources of PI

(B) Purposes

2. Sharing of PI

(A) Disclosures for Business Purposes, at Your Direction and In Corporate Transactions and Intra-Company Transfers

(B) Sale

3. California Privacy Rights

(A) The Right to Know

i. Specific Pieces

ii. Categories

(B) Do Not Sell

(C) Delete

(D) Non-Discrimination and Financial Incentive Programs

(E) Authorized Agents

(F) Limitation of Rights

4. Additional California Notices

(A) Third Party Marketing and Your California Privacy Rights

(B) Online Privacy Practices

(C) Tracking and Targeting

(D) California Minors

5. Contact Us

1. PI WE COLLECT

Based on our our 2020 and 2021 to date data practices, we give you notice that we collect (and, in some instances, share) the following types of PI about California Consumers. This notice will be updated annually, and our current privacy notices at the point of collection as well as general privacy policies may reflect more current practices.

Category of PIExamples of PICategories of Recipients
Identifiers
(as defined in CCPA §1798.140(o)(1)(A))
This may include but is not limited to: a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers.Business Purposes:

(1) Service Providers such as internet listing services, delivery services, distributors, payment processors, fraud prevention and security providers, marketing providers, analytics providers, consumer service and support providers, and external auditors; and (2) selected marketing partners that offer services to our residents, such as credit card issuers, (3) public authorities / government bodies and (4) Third Parties as compelled or required by law. 

Sale: We share some of this information with selected marketing partners that offer services to our residents, such as credit card issuers, and such sharing may be deemed “sale” under the applicable law. 
Personal Records
(as defined in CCPA §1798.140(o)(1)(B))
This may include information such as: physical characteristics or description, signature, telephone number, education, employment, employment history, insurance policy number, bank account number, credit card number, debit card number, or any other financial information medical information, or health insurance information, or emergency contact details.Business Purposes:
(1) Service Providers such as internet listing services, delivery services, distributors, payment processors, fraud prevention and security providers, marketing providers, analytics providers, consumer service and support providers, and external auditors; and (2) public authorities / government bodies and (3) Third Parties as compelled or required by law

Sale: Not Sold
Consumer Characteristics
(as defined in CCPA §1798.140(o)(1)(C))
This may include, but is not limited to: age, sex, marital status, religion, veteran status, familial status, disability, gender identity, citizenship status, payment history.Business Purposes:
(1) Service Providers such as internet listing services, delivery services, distributors, payment processors, fraud prevention and security providers, marketing providers, analytics providers, consumer service and support providers, and external auditors; and (2) public authorities / government bodies and (3) Third Parties as compelled or required by law

Sale: Not Sold
Customer Account Details / Commercial Information
(as defined in CCPA §1798.140(o)(1)(D))
This may include, but is not limited to: records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.Business Purpose Disclosure:
(1) Service Providers such as internet listing services, delivery services, distributors, payment processors, fraud prevention and security providers, marketing providers, analytics providers, consumer service and support providers, and external auditors; and (2) selected marketing partners that offer services to our residents, such as credit card issuers, (3) public authorities / government bodies and (4) Third Parties as compelled or required by law. 

Sale: We share some of this information with selected marketing partners that offer services to our residents, such as credit card issuers, and such sharing may be deemed “sale” under the applicable law.
Biometric Information
(as defined in CCPA §1798.140(o)(1)(E))
This may include, but is not limited to: scans of facial geometry, or fingerprints.Business Purpose Disclosure:
Service providers such as lock or gate operators or security companies.
Internet Usage Information
(as defined in CCPA §1798.140(o)(1)(F))
This may include, but is not limited to: browsing history, search history, and information regarding your interaction with an Internet Web site, application, or advertisement.Business Purpose Disclosure:
(1) Service Providers such as internet listing services, delivery services, distributors, payment processors, fraud prevention and security providers, marketing providers, analytics providers, consumer service and support providers, and external auditors; and (2) public authorities / government bodies and (3) Third Parties as compelled or required by law

Sale: Not Sold
Geolocation Information
(as defined in CCPA §1798.140(o)(1)(G))
This includes your location in person or when engaging in internet activity.Business Purpose Disclosure:
(1) Service Providers such as internet listing services, delivery services, distributors, payment processors, fraud prevention and security providers, marketing providers, analytics providers, consumer service and support providers, and external auditors; and (2) public authorities / government bodies and (3) Third Parties as compelled or required by law

Sale: Not Sold
Sensory Data
(as defined in CCPA §1798.140(o)(1)(H))
This may include, but is not limited to: audio recordings of customer care calls.Business Purpose Disclosure:
(1) Service Providers such as internet listing services, delivery services, distributors, payment processors, fraud prevention and security providers, marketing providers, analytics providers, consumer service and support providers, and external auditors; and (2) public authorities / government bodies and (3) Third Parties as compelled or required by law

Sale: Not Sold
Professional or Employment Information
(as defined in CCPA §1798.140(o)(1)(I))
This may include, but is not limited to: professional, educational, or employment-related information.Business Purpose Disclosure:
(1) Service Providers such as fraud prevention and security providers, marketing providers, analytics providers, consumer service and support providers, and external auditors; and (2) public authorities / government bodies and (3) Third Parties as compelled or required by law

Sale: Not Sold
Non-public Education Information
(as defined in CCPA §1798.140(o)(1)(J))
This includes education information that is not publicly available.Business Purpose Disclosure:
(1) Service Providers such as payment processors, fraud prevention and security providers, marketing providers, analytics providers, consumer service and support providers, and external auditors; and (2) public authorities / government bodies and (3) Third Parties as compelled or required by law

Sale: Not Sold
Inferences Drawn from Any of the Above
(as defined in CCPA §1798.140(o)(1)(K))
This includes inferences drawn from any PI to create a profile about a consumer reflecting preferences, characteristics, trends, predispositions, behaviorsBusiness Purpose Disclosure:
Marketing; Data Analytics; Business process improvement Service providers, analytics providers, operating systems and platforms, and governmental entities; Business Partners; External Agencies; External Auditors; Public Authorities/Government Bodies.

Sale: Not Sold

The chart above reflects the categories of PI required by the CCPA. There may be additional information that we collect that meets the CCPA’s definition of PI but is not reflected by a category, in which case we will treat it as PI as required by the CCPA, but will not include it when we are required to describe our practices by category of PI.

As permitted by applicable law, we do not treat deidentified data or aggregate consumer information as PI and we reserve the right to convert, or permit others to convert, your PI into deidentified data or aggregate consumer information and may elect not to treat publicly available information as PI. We have no obligation to re-identify such information or keep it longer than we need it to respond to your requests. This helps us practice data minimization, which we consider to be a privacy best practice consistent with our mission to respect our customers.

Return to top

A. Sources of PI

We may collect your PI directly from you or from service providers, such as internet listing services, fraud prevention and security providers, marketing providers, and consumer service and support providers, credit reporting agencies, our affiliates, or other individuals and businesses, as well as public sources of data such as government databases.

Return to top

B. Purposes

Generally, we collect, retain, use, and disclose your PI to provide you services and as otherwise related to the operation of our business. For more specific detail on our disclosures of PI, see the next section Sharing of PI.

We may collect, use and disclose the PI we collect for one or more of the following Business Purposes:
  • Processing Interactions and Transactions
  • Managing Interactions and Transactions
  • Performing Services
  • Research and Development
  • Quality Assurance
  • Security
  • Debugging

Additional Business Purposes include Sharing PI with Third Parties for other than a Sale or one of the foregoing Business Purposes as required or permitted by applicable law, such as to our vendors that perform services for us, to the government or private parties to comply with law or legal process, to the consumer or other parties at the consumer’s request, for the additional purposes explained in our Privacy Policy, and to assignees as part of a merger or asset sale, for auditing, data analytics, business process improvement, resident screening, and payment processing (“Other Business Purposes”).

Subject to restrictions and obligations of the CCPA, our vendors may also use your PI for some or all of the above listed Business Purposes. Our vendors may themselves engage Service Providers or subcontractors to enable them to perform services for us, which sub-processing is, for purposes of certainty, an additional Other Business Purpose for which we are providing you notice.

In addition, we may collect, use and disclose your PI as required or permitted by applicable law.

Return to top

2. SHARING OF PI

We may share your PI with our service providers, other qualified vendors, affiliates, and/or third parties, including without limitation during the current and previous calendar year including as set forth in the chart set forth above.

We do not believe that in 2020 we “sold” PI, but going forward, some of the information we share with selected marketing partners that offer services to our residents, such as credit card issuers, may be deemed a “sale” under applicable law. For more information on your Do Not Sell rights, see the Do Not Sell subsection of the California Privacy Rights section of this Privacy Notice at Section 3.B below.

Return to top

3. CALIFORNIA PRIVACY RIGHTS.

We provide California Consumers the privacy rights described in this section. You have the right to exercise these rights via an authorized agent who meets the agency requirements of the CCPA and related regulations. As permitted by the CCPA, any Right to Know or Right to Delete request you submit to us is subject to an identity verification process (“Verifiable Consumer Request”). To protect consumer privacy we will not provide or delete PI unless you have provided sufficient information for us to verify you are the Consumer about whom we collected PI. Please follow the instructions at our Consumer Rights Request page here or call us at 1-833-605-4293 between the hours of 9 AM and 5 PM ET, Monday through Friday, and respond to any follow up inquires we may make. You may also obtain information on how to make a request by asking a manager at any of our communities.

Some PI we maintain about Consumers is not sufficiently associated with enough PI about the Consumer for us to be able to verify that it is a particular Consumer’s PI when a Consumer request that requires verification pursuant to the CCPA’s verification standards is made (e.g., clickstream data tied only to a pseudonymous browser ID). As required by the CCPA we do not include that PI in response to those requests. If we cannot comply with a request, we will explain the reasons in our response. You are not required to create an account with us to make a Verifiable Consumer Request, but if you have an account we may require you to use it to be verified. We will use PI provided in a Verifiable Consumer Request only to verify your identity or authority to make the request and to track and document request responses, unless you also gave it to us for another purpose.

We will make commercially reasonable efforts to identify Consumer PI that we collect, process, store, disclose and otherwise use and to respond to your California Consumer privacy rights requests. In some cases, particularly with voluminous and/or typically irrelevant data, we may suggest that you receive the most recent or a summary of your PI and give you the opportunity to elect whether you want the rest or not. We reserve the right to direct you to where you may access and copy responsive PI yourself. We will typically not charge a fee to fully respond to your requests; provided, however, that we may charge a reasonable fee, or refuse to act upon a request, if your request is excessive, repetitive, unfounded or overly burdensome. If we determine that the request warrants a fee, or that we may refuse it, we will give you notice explaining why we made that decision. You will be provided a cost estimate and the opportunity to accept such fees before we will charge you for responding to your request.

Consistent with the CCPA and our interest in the security of your PI, we will not deliver to you your social security number, driver’s license number or other government-issued id number, financial account number, any health or medical identification number, an account password, security questions or answers, or unique biometric data generated from measurements or technical analysis of human characteristics in response to a CCPA request; however, you may be able to access some of this information yourself through your account if you have an active account with us.

Your California Consumer privacy rights are as follows:

A. The Right to Know:

i. Specific Pieces:

You have the right to make or obtain a transportable copy, no more than twice in a twelve-month period, of your PI that we have collected in the period that is 12 months prior to the request date and are maintaining. To make a request, click here, or call us at 1-833-605-4293 between the hours of 9 AM and 5 PM ET, Monday through Friday. For any request using any of these methods, we will undertake to verify your request which will require that you provide us with additional data so that we may connect your identity to data that retain, as well as verify that the person making the request is the subject of that data. If we cannot verify you to a high degree of certainty we will not provide you your specific pieces of PI, but will automatically convert your request to a Categories request (explained below) and apply the less stringent Categories verification standard. If we cannot verify you to that standard, we will refer you to this Notice for general information on our data practices. This is required by the CCPA and designed to protect your privacy.

Please note that PI is retained by us for various time periods, so we may not be able to fully respond to what might be relevant going back 12 months prior to the request.

ii. Categories:

You have the right to send us a request, no more than twice in a twelve-month period, for the following information about your PI for the period that is twelve months prior to the request date:

  • The categories of PI we have collected about you.
  • The categories of sources from which we collected your PI.
  • The business or commercial purposes for our collecting or selling your PI.
  • The categories of third parties to whom we have shared your PI.
  • A list of the categories of PI disclosed for a business purpose in the prior 12 months, and, for each, the categories of recipients, or that no disclosure occurred.
  • A list of the categories of PI sold about you in the prior 12 months, and, for each, the categories of recipients, or that no sale occurred.

To make a request, you may click here or call us at 1-833-605-4293 between the hours of 9 AM and 5 PM ET, Monday through Friday. For any request using any of these methods, we will undertake to verify your request which will require that you provide us with additional data so that we may connect your identity to data that retain, as well as verify that the person making the request is the subject of that data. If we cannot verify you to a reasonable degree of certainty, we will refer you back to this Notice. This is required by the CCPA and designed to protect your privacy.

Please note that PI is retained by us for various time periods, so we may not be able to fully respond to what might be relevant going back 12 months prior to the request.

B. Do Not Sell:

We share information with selected marketing partners that offer services to our residents, such as credit card issuers, and some of this sharing may be deemed a “sale” under applicable law, and you can opt-out of the sale by following the instructions at our Consumer Rights Request page here.

However, you can exercise control over browser-based cookies by adjusting the settings on your browser, and mobile devices may offer ad and data limitation choices. In addition, third party tools may enable you to search for and opt-out of some of these trackers, such as the Ghostery browser plug-in available at https://www.ghostery.com/. For more information on cookies and your choices regarding them, see our Cookie Policy.

Some browsers have signals that may be characterized as do not track signals, but we do not understand them to operate in that manner or to indicate a do not sell expression by you so we currently do not recognize these as a do not sell request, nor do we look for or recognize these signals for any other purposes such as to limit tracking or other cookie activities. We understand that various parties are developing do not sell signals and we may recognize certain such signals if we conclude such a program is appropriate.

We do not knowingly sell PI of children under 16. If you are 16 years of age or older, you have the right to direct us to not sell your PI. To make a do not sell request, you may click here or call us at 1-833-605-4293 between the hours of 9 AM and 5 PM ET, Monday through Friday.

We may disclose your PI for the following purposes, which are not a sale: (i) if you direct us to share PI; (ii) to comply with your requests under the CCPA; (iii) disclosures amongst the entities that constitute Company as defined above, or as part of a merger or asset sale; and (iv) as otherwise required or permitted by applicable law.

C. Delete:

Except to the extent we have a basis for retention under CCPA, you may request that we delete your PI that we have collected directly from you and are maintaining. Our retention rights include, without limitation, to complete transactions and service you have requested or that are reasonably anticipated, for security purposes, for legitimate internal business purposes, including maintaining business records, to comply with law, to exercise or defend legal claims, and to cooperate with law enforcement. To make a request, you may click here or call us at 1-833-605-4293 between the hours of 9 AM and 5 PM ET, Monday through Friday. For any request using any of these methods, we will undertake to verify your identity as explained above before we can honor a request. This is to protect you. Also, you can always opt-out of our commercial emails without making a deletion request by following the unsubscribe instructions on the bottom of those messages.

D. Non-Discrimination and Financial Incentive Programs:

We will not discriminate against you in a manner prohibited by the CCPA because you exercise your CCPA rights.

Return to top

E. Authorized Agents:

You may designate an agent to exercise your CCPA rights on your behalf. To exercise your rights via an agent, your agent must (1) if an entity, show proof of registration to do business in California; and (2) submit a written authorization of his or her authority to act on your behalf or a valid power of attorney authorizing the agent to make the request on your behalf. Requests by authorized agents may be submitted 1-833-605-4293 between the hours of 9 AM and 5 PM ET, Monday through Friday. Once such authorization is submitted, you will receive an email at your email address asking you to verify the agent’s authority to submit a Consumer Rights Request on your behalf and to verify your identity, or in the case that a power of attorney was provided we will need to verify its authenticity. Once your agent’s authority is confirmed (s)he may exercise rights on your behalf subject to the agency requirements of the CCPA.

Return to top

F. Our and Other's Rights:

Notwithstanding anything to the contrary, we may collect, use and disclose your PI as required or permitted by applicable law and this may override your CCPA rights. In addition, we need not honor any of your requests to the extent that doing so would infringe upon our or any other person or party’s rights or conflict with applicable law.

Return to top

4. ADDITIONAL CALIFORNIA NOTICES

In addition to CCPA rights, certain Californians are entitled to certain other notices, including:

A. Third Party Marketing and Your California Privacy Rights:

California’s “Shine the Light” law permits California residents to request certain information regarding our disclosure of PI to third parties for their own direct marketing purposes.

Separate from your CCPA “Do Not Sell” rights you have the following additional rights regarding disclosure of your information to third parties for their own direct marketing purposes:

We may from time to time elect to share certain “personal information” (as defined by California’s “Shine the Light” law) about you with third parties for those third parties’ direct marketing purposes. California Civil Code § 1798.83 permits California residents who have supplied personal information, as defined in the statute, to us to, under certain circumstances, request and obtain certain information regarding our disclosure, if any, of personal information to third parties for their direct marketing purposes. If this applies, you may obtain the categories of personal information shared and the names and addresses of all third parties that received personal information for their direct marketing purposes during the immediately prior calendar year (e.g. requests made in 2021 will receive information about 2020 sharing activities). To make such a request, please provide sufficient information for us to determine if this applies to you, attest to the fact that you are a California resident and provide a current California address for our response. You may make this request by emailing us at privacy@avalonbay.com, or in writing at: 4040 Wilson Blvd., Suite 1000, Arlington, VA 22203, (Attention: Legal Counsel). Any such request must include “California Privacy Rights Request” in the first line of the description and include your name, street address, city, state, and ZIP code. Please note that we are only required to respond to one request per customer each year.

As these rights and your CCPA rights are not the same and exist under different laws, you must exercise your rights under each law separately.

B. Online Privacy Practices:

For more information on our online practices and your California rights specific to our online services see our online Privacy Policy. Without limitation, Californians that visit our online services and seek or acquire goods, services, money or credit for personal, family or household purposes are entitled to the following notices of their rights (Sections C and D):

C. Tracking and Targeting:

When you visit our online services, we and third parties may use tracking technologies to collect usage information based on your device for a variety of purposes, including serving you advertising, based on your having visited our services or your activities across time and third-party locations. Some browsers may enable you to turn on or off a so-called “Do Not Track” signal. Because there is no industry consensus on what these signals should mean and how they should operate, we do not look for or respond to “Do Not Track” signals. For more information on tracking and targeting and your choices regarding these practices, see our online Privacy Policy.

D. California Minors:

Although our online service(s) are intended for an audience over the age of 18, any California residents under the age of eighteen (18) who have registered to use our online services, and who posted content or information on the service, can request removal by contacting us at privacy@avalonbay.com detailing where the content or information is posted and attesting that you posted it. We will then make reasonably good faith efforts to remove the post from prospective public view or anonymize it, so the minor cannot be individually identified to the extent required by applicable law. This removal process cannot ensure complete or comprehensive removal. For instance, third parties may have republished or archived content by search engines and others that we do not control.

Return to top

Contact Us

For more information on your California privacy rights email us at privacy@avalonbay.com, or write to us at: 4040 Wilson Blvd., Suite 1000, Arlington VA 22203, Attn: Legal Counsel. To make a request, you may click here or call us at 1-833-605-4293 between the hours of 9 AM and 5 PM ET, Monday through Friday.

Return to top