Privacy Notice For California Residents
Personal Information We May Collect
Westat primarily collects personal information in conjunction with research activities in the public interest1, following informed consent, on behalf of the U.S. Government as well as businesses, foundations, and state and local governments. For Westat research activities, the information we collect depends on the parameters of the research we are conducting. Personal information may be collected as part of a potential or existing employment relationship and to meet legal and compliance obligations. Personal information may also be collected as part of the exploration or establishment of a business relationship. Based on personal information we may have collected during the past twelve (12) months, the section titled Categories of Personal Information & Examples below provides examples for each category of personal information we may collect, use, and share about you. The examples are intended to be illustrative but not exhaustive.
Under the CCPA, personal information does not include:
- Publicly available information from government records.
- De-identified or aggregated consumer information that cannot be reconstructed to identify you.
- Information excluded from the CCPA’s scope, for example:
- Any information covered under the Gramm-Leach-Bliley Act (GLBA) or the California Financial Information Privacy Act,
- Activities covered by the Fair Credit Reporting Act (FCRA), or
- Protected health information defined under the Health Insurance Portability and Accountability Act (HIPAA).
We obtain the categories of personal information listed above from the following Categories of Sources:
- Directly from you, for example, from forms that you complete on our website.
- Indirectly from you, for example, from observing your actions on our website or from information your computer or mobile device transmits when interacting with our website or mobile applications, among other things.
- Third-party service providers that provide services to us in connection with our business operations, for example, job applicant contact information from our applicant tracking system provider.
- Directly or indirectly from you in conjunction with research or business activities.
- Directly or indirectly from you as part of a potential or existing employment relationship.
How We Use Personal Information
We may use or disclose the Personal Information that we collect from you or about you to do one or more of the following:
- Fulfill or meet the purpose for which you provided the information.
- Provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses.
- Engage in employment-related activities if, for example, you provide your information for the purposes of an employment application or your employment.
- Respond to law enforcement requests and as required by applicable law or as otherwise set forth in the CCPA.
- Serve the purposes for the collection of your Personal Information as described to you or as otherwise set forth in the CCPA or subsequently agreed to by you.
We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.
Disclosures of Personal Information for a Business Purpose
We will only share information with others for a business purpose and when we are legally permitted to do so. When we share information with others, we put contractual arrangements and security mechanisms in place as appropriate to protect the information and to comply with our information protection, confidentiality, and security standards.
The following are examples of Categories of Third Parties to whom we may share your personal information:
- Service providers.
- Those with whom you direct us to share your personal information.
- Those who are as part of our employment process, such as consumer reporting agencies for employment background checks.
- Clients on whose behalf we conduct research activities and research collaborators, pursuant to contract.
In the preceding twelve (12) months, we have not sold or leased any personal information. Westat does not sell or lease personal information.
Your CCPA Rights2
You may request access to the personal information that we have collected and maintained about you (along with information regarding its use and disclosure) over the past twelve (12) months upon appropriate verification. You may only make such requests twice (2) per every twelve (12) months.
You have the right to request that we delete personal information collected and maintained about you, subject to certain exceptions. Once your request is verified and we have determined that we are required to delete that information in accordance with applicable law, we will delete your personal information accordingly. Your request to delete your personal information may be denied if it is necessary for us to retain your information under one or more of the exceptions listed in the CCPA. Please note that a record of your deletion request may be kept pursuant to our legal obligations.
We may deny your deletion request if retaining the information is necessary for us or our service providers to:
- Complete the transaction for which the personal information was collected, provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform a contract between us and you.
- Detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
- Debug to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of such research, if you have provided informed consent.
- Enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us.
- Comply with a legal obligation.
- Otherwise use the your personal information, internally, in a lawful manner that is compatible with the context in which your provided the information.
Exercising Your Rights
To exercise the access and deletion rights described above, please submit a request to us by either:
- Emailing us at firstname.lastname@example.org.
- Calling us at 1-855-962-0904.
In your request, you must specify the type of request (request to access and/or request to delete) and provide basic information, including:
- First, Middle (if available), and Last Name
- Physical California address
- Valid email address
- Valid phone number
- WINS, if known (for current or former employees)
- Study name (for research study participants)
- Any information that may be helpful in fulfilling your request such as describing your relationship to or engagement with Westat
The basic information requested is essential to our efforts to locate your personal information in our systems. If you do not provide sufficient basic information, we may not be able to process your request and no further action will be taken.
Please note that Consumers have a right to not receive discriminatory treatment for the exercise of their rights under the CCPA.
Verifying Your Request
Only you, or a person that you authorize to act on your behalf, may make a request related to your personal information. In the case of access and deletion, your request must be verifiable before we can process your request.
Verifying your request will require you, or a person authorized to act on your behalf, to provide sufficient information for us to reasonably verify that you are the person about whom we collected personal information (e.g., identifying information previously provided by you that is already maintained by us, name of the study for study participants).
If we are unable to verify your identity or authority to act on another’s behalf, we cannot respond to your request or provide you with personal information.
Please note that we may charge a reasonable fee or refuse to act on a request if such request is excessive, repetitive, or manifestly unfounded.
If you have any questions regarding our privacy practices as it relates to this CCPA Privacy Notice, please contact us via email at email@example.com with the subject line, "CCPA Privacy Notice."
Categories of Personal Information & Examples
Identifiers A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers
Protected classification characteristics under California or federal law Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information)
Commercial information Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
Biometric information Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data
Internet or other similar network activity Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement
Geolocation data Physical location or movements
Sensory data Audio, electronic, visual, thermal, olfactory, or similar information
Professional or employment-related information Current or past job history or performance evaluations
Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)) Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records
Inferences drawn from other personal information
Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes
1 The CCPA does not apply to information that is collected, used, or disclosed in research, as defined in Section 164.501 of Title 45 of the Code of Federal Regulations, including, but not limited to, a clinical trial, and that is conducted in accordance with applicable ethics, confidentiality, privacy, and security rules of Part 164 of Title 45 of the Code of Federal Regulations, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, good clinical practice guidelines issued by the International Council for Harmonisation, or human subject protection requirements of the United States Food and Drug Administration.
2 Until January 1, 2022, employee personal information is outside the scope of the CCPA requirements except for:
- The right to know, at or before the point of collection, the categories of personal information to be collected and the purposes for which the categories of personal information shall be used.
- The right of private action in the event of a data breach.
Last Updated: October 14, 2020