Consumer Health Privacy Policy

Effective Date: March 26, 2024

This Consumer Health Privacy Policy supplements our CVS Retail Privacy Policy and applies solely to (i) residents of the State of Washington and/or (ii) individuals whose consumer health data is collected in the State of Washington (collectively, “you” or “consumers”), and describes how CVS Pharmacy, Inc. and its subsidiaries and affiliates (“CVS,” “we,” “us,” or “our”) collect consumer health data from or about these consumers from any source, including its online services (e.g., CVS.com^®, CVS^® mobile applications) and in store.

Under the Washington My Health My Data Act (“MHMDA”), consumers have the right to receive certain disclosures regarding a business’ processing of “consumer health data,” as defined under the MHMDA, as well as certain rights with respect to processing of such consumer health data. The terms used in this Privacy Policy have the same meaning given to them in the MHMDA.

This Privacy Policy also does not apply to (i) CVS Health^® health care services, such as pharmacy, medical and health plan services; and (ii) CVS customers that are not residents of the State of Washington or individuals whose consumer health data is not collected in the State of Washington. If you are looking for information about how CVS Health collects and uses information for any health care services, you should review the privacy policy provided for those services. If you are a CVS customer, but not a resident of the State of Washington nor had your consumer health data collected in the State of Washington, you should review our CVS Retail Privacy Policy. Please visit our Privacy Center at: https://www.cvshealth.com/privacy-center.html to view our other CVS Health privacy policies.

We may change this Privacy Policy. The "Effective Date” at the top of this page shows when it was last revised. Any changes take effect when we post the revised Privacy Policy.

TABLE OF CONTENTS

1. Consumer health data we collect
2. Sources we collect consumer health data from
3. Purposes for collection and how we use consumer health data
4. Consumer health data we share
5. Third parties with whom we share consumer health data
6. Your privacy rights

1. Consumer health data we collect

We want you to know how we collect and use your consumer health data. Some examples of the consumer health data we may collect about you include:

• Information about your health conditions, treatment, medication, diseases, diagnosis, diagnostic testing, sexual health, reproduction, bodily functions, vital signs, symptoms, and health-related measurements. For example, your shopping and purchase history of health-related products, including but not limited to, at-home diagnostic tests, contraceptives, and diabetic testing supplies
• Use or purchase of prescribed medication. For example, if you choose to participate in our Rewards at the Pharmacy program
• Precise location information that could reasonably indicate your attempt to acquire or receive health services or supplies. For example, GPS coordinates and Wi-Fi location may reveal health-related information if you consent to the use of location services or choose to use in-store Wi-Fi services  
• Data that identifies a consumer seeking health care services. For example, if you search for health-related products or topics on CVS.com or in the CVS mobile application
• Biometric data. For example, facial images captured via cameras when you enter our stores and voice recordings if you call our Customer Care team
• Inferences or derived information based on the information we collect about you. For example, if you choose to participate in our ExtraCare^® program we may infer products or services you may be interested in

2. Sources we collect consumer health data from

We may collect the consumer health data described above from the following sources.

• Directly from you. We collect consumer health data directly from you when you interact with us through our services and automatically when you visit our websites and mobile applications.
• From subsidiaries and affiliates. We collect consumer health data from our subsidiaries and affiliates you interact with as permitted by applicable law.
• Publicly available information and other sources. We may collect information about you from both publicly available and other third-party sources to enhance and improve the accuracy of our information about you. We may combine the information we collect from you through the services with information we get from and about you from other online and offline sources. We may use the combined information in accordance with this Privacy Policy.

3. Purposes for collection and how we use consumer health data

We use your consumer health data to provide you with the services you request, for any other purpose for which you provide consent or as otherwise permitted under applicable law. For example, we may collect and use your consumer health data for the following purposes, including:

• To communicate with you. We use your consumer health data to respond to your requests and otherwise communicate with you about your orders or accounts. For instance, we may use your consumer health data to fulfill your order, contact you with information about your order, send you email alerts, send you newsletters and provide you with related customer service. We may use your consumer health data to send marketing communications and administrative information. This may include push notifications in our mobile applications.
• To manage your accounts, orders and subscriptions. We use consumer health data to manage your orders and payments/billing if you make a purchase as well as your accounts and subscription services, if you choose to enroll in these services.
• To administer our customer loyalty program. If you enroll, we use consumer health data to administer our loyalty and membership programs, including ExtraCare and ExtraCare Plus™.
• Business transfers. We may use consumer health data to consider and implement mergers, acquisitions, reorganizations and other business transactions.
• Business operations. Where necessary, we may use consumer health data to perform essential business functions in support of providing you with requested products and services, including accounting, recordkeeping and legal functions.
• To protect our legal rights and preventing misuse. To meet our legal obligations; to protect the services and our business operations; to prevent and detect fraud, unauthorized activities and access, and other misuse; where we believe necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety or legal rights of any person or third party, or violations of our terms and conditions or this Privacy Policy.
• Other purposes. We may also use consumer health data for other purposes with your consent.

4. Consumer health data that we share

We may share your consumer health data to provide you with the services you request, for any other purpose for which you provide consent, or as necessary to comply with applicable law or authorities. We may share the following categories of consumer health data depending on the services you use.

• Information about your health conditions, treatment, medication, diseases, diagnosis, diagnostic testing, sexual health, reproduction, bodily functions, vital signs, symptoms and health-related measurements. For example, your shopping and purchase history of health-related products, including but not limited to, at-home diagnostic tests, contraceptives and diabetic testing supplies
• Use or purchase of prescribed medication. For example, if you choose to participate in our rewards at the pharmacy program
• Precise location information that could reasonably indicate your attempt to acquire or receive health services or supplies. For example, GPS coordinates and Wi-Fi location may reveal health-related information if you consent to the use of location services or choose to use in-store Wi-Fi services  
• Data that identifies a consumer seeking health care services. For example, if you search for health-related products or topics on CVS.com or in the CVS mobile application
• Biometric data. For example, facial images captured via cameras when you enter our stores and voice recordings if you call our Customer Care team
• Inferences or derived information based on the information we collect about you. For example, if you choose to participate in our ExtraCare program, we may infer products or services you may be interested in

5. Third parties with whom we share consumer health data

We may share your consumer health data with the following third parties to provide you with the services you request, when you provide consent for such sharing, or as necessary to comply with applicable law or authorities. For clarity, third parties do not include vendors whom we contract with to help us provide you with products and services you request.

• Government or public authorities, parties to litigation and others. We may share consumer health data to a third party if (a) we believe that disclosure is reasonably necessary to comply with any applicable law, regulation, legal process or governmental request; (b) to enforce our agreements, policies and terms of service; (c) to protect the security or integrity of our services, (d) to protect the property, rights and safety of CVS, our users or the public from harm or illegal activities; (e) to respond to an emergency which we believe in good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person; or (f) to investigate and defend ourselves against any third-party claims or allegations.

6. Your privacy rights

If you are a consumer and we collect, use or share consumer health data subject to MHMDA, you may have the following rights under the MHMDA with respect to your consumer health data, subject to applicable exceptions.

• Right to access. You have the right to confirm whether or not we are processing your consumer health data and to access such consumer health data.
• Right to delete. You have the right to ask us to delete certain consumer health data we have collected about you.
• Right to withdraw consent. If you consent to any collection or sharing of consumer health data, you have the right to withdraw your consent at any time.
  
  

A.  How to submit a request

If you are a consumer and wish to exercise these rights, you can reach us in one of the ways shown below.

Right to access or delete

• ExtraCare account only via our  interactive webform
• CVS.com account password-protected web portal (includes ExtraCare, if linked): Sign in here
• 1-800-746-7287 (TTY: 711)

Right to withdraw consent

If you are a consumer and you provided consent for collection or sharing of your consumer health data, you can withdraw your consent using the methods below.

• To manage cookie consents, select the cookie settings icon in the bottom left of any CVS.com page.
  
  

B. Verifying requests

Before we fulfill a request to access or delete, we will verify your identity and ability to exercise these rights. There are also some exclusions and exceptions that may apply. So that we can verify your identity, if you have a CVS.com account, you will need to first sign into your account. If you do not have a CVS.com account, you will be asked to give us certain information via webform or on the phone, as described above. If we are unable to verify your identity, we may request additional information reasonably necessary to authenticate your identity and the request.