Welcome to the Coca‑Cola Consumer Privacy Policy

The Coca‑Cola Company and its affiliates (together, Coca‑Cola or we) take your right to privacy seriously.  We appreciate that you trust us with your personal information and respecting your privacy is at the core of our interactions with you.

Coca‑Cola’s handling of personal information is guided by these principles:

  • Transparency
  • Respect
  • Trust
  • Fairness

Effective Date:  January 10th  2024

The Coca‑Cola Consumer Privacy Policy (Privacy Policy) describes the personal information that Coca‑Cola collects from or about users of the websites, mobile applications (Apps), widgets and other online and offline services that Coca‑Cola operates (together, the Services) and how we use and protect that personal information.  This Privacy Policy also explains how users can make choices about their personal information.  

When we refer to personal information (sometimes referred to as personal data under some laws) in this Privacy Policy, we mean information that identifies or can be used to identify an individual human being.  This means that personal information includes direct identifiers (such as name) and indirect identifiers (such as computer or mobile device ID and IP address).  When we refer to you or user, we mean someone who uses any of the Services.  When we refer to controller, we mean the person or entity that determines what personal information is collected from or about you and how that personal information is used and protected.  

How we collect, use and protect your personal information is subject to the laws in the places in which we operate.  This means that we may have different practices in different places.  For more information, please see Privacy Rights and Choices, which includes additional descriptions of your rights and our obligations in certain key jurisdictions and who to contact.  

IF YOU HAVE QUESTIONS ABOUT HOW COCA-COLA PROCESSES YOUR PERSONAL INFORMATION, PLEASE CONTACT PRIVACY@COCA-COLA.COM.

WHAT’S IN THIS PRIVACY POLICY?

This Privacy Policy is divided into the following sections: 

1. WHEN DOES THIS PRIVACY POLICY APPLY? 

This Privacy Policy was posted and is effective for new users on January 10, 2024.

The prior versions of our Privacy Policies apply until January 20, 2024 and are available upon request to privacy@coca-cola.com.

2. WHERE DOES THIS PRIVACY POLICY APPLY? 

The Privacy Policy applies to the personal information collected from users of the Services in which the Privacy Policy is posted or linked, when the Privacy Policy is specifically referenced in the Services or when Coca‑Cola asks you to acknowledge it.  This Privacy Policy also covers personal information that we collect from consumers who contact us by email, telephone and offline, such as during an in-person event. 

This Privacy Policy also may apply to personal information provided to us by consumers who engage with us through social media.  Please contact us at Privacy@coca-cola.com if you have questions about whether this Privacy Policy applies to specific personal information connected with social media.

This Privacy Policy does not apply to websites and other online services operated by other organizations.  Those other websites and services follow their own privacy policies, not this Privacy Policy.  Please make sure to check those privacy policies so you know how your information is handled.

3. WHAT TYPES OF PERSONAL INFORMATION DOES COCA-COLA COLLECT AND WHY? 

a. Information you choose to give us

We collect the personal information you choose to share with us.

The personal information that you choose to give to us typically includes the following types of personal information.  Please review below to learn more about the categories of personal information that Coca‑Cola collects and why it is collected:

Contact and Account Information

Coca‑Cola requests your first and last name, email address and/or mobile telephone number and date of birth to create an account on the Services.  We also may collect username and password, age, mailing address, government-issued identifier and similar contact information.

  • To maintain your online account if you choose to create one

  • To verify identity and eligibility for certain Services

  • To customize your experience of the Services

  • To offer access to exclusive content, discounts and other opportunities

  • To administer a sweepstakes, contest or other promotion or a loyalty program

  • To complete a purchase and deliver products 

  • To send information that we think will interest you, which is sometimes personalized based on the information associated with your account

  • To request your feedback, such as through a survey about a new product

  • To respond to your questions and provide customer service

  • For research and innovation

  • When you attend an in-person event, such as events  sponsored or hosted by Coca‑Cola or product sampling

User Generated Content (UGC)

Coca‑Cola collects the posts, comments, opinions, voice recordings, photos and videos that you choose to submit through the Services

  •  To monitor online communities 
  • To record and act on your comments and opinions, such as in surveys, customer service inquiries and other free-form text boxes

  • To administer your participation in promotions that include submission of UGC

  • In connection with participation in specific promotions or other Services, such as Coca‑Cola’s smart coolers.

Photos, voice recordings and videos that you choose to share may constitute biometric data under some laws. Coca‑Cola collects biometric data only with your specific consent.

Information associated with an account on a social media platform

When you connect or log into the Services through your social media account, such as Facebook and Twitter, we collect the personal information permitted by the social media platform and your account permissions, such as your profile photo, email, like and interest and friends, followers or similar lists.

  •  To personalize your experience of the Services
  • To respond to your comments and inquiries posted on the social media platform and analyze communications (such as tweets or posts) with or about Coca‑Cola to better understand how consumers view Coca‑Cola

(If you decide later that you do not want to provide us with information from your social media account, then please adjust the privacy settings in your social media account.)

Location Data

We collect precise geolocation ( aka GPS) data when permitted through our Apps when you choose to allow it through your mobile device’s operating system and otherwise with your consent, as required.

Approximate location from an IP address or connections to WiFi, Bluetooth or a wireless network service is automatically collected when you use the Services.

We collect this location data:

  •  To customize your experience of the Services
  • To let you know when products, promotions or events are available near you or allow other users to see your location when you choose to allow it

  • To send geographically-relevant advertising

Other Personal Information shared through the Services

We collect

  •  To administer our online communities 
  • To manage promotions and other features of the Services that allow you to share your personal information

b. Information about use of our Apps

When you download and install one of our Apps, the information that we collect depends on your mobile device’s operating system and permissions.  Our Apps need to use certain features and data from your mobile device in order to function.  For example, if you want a seamless online to App experience we need to collect and link information from your web browser.

To learn more about the specific information collected by an App, please check your device settings or review the permissions information available on the particular platform (e.g., Google Play and the App Store) from which you downloaded the App.  Certain Apps also allow you to check or change your status for certain data collection in the App settings.  If you change your settings, certain App features may not function properly.  

To stop collection of all information through an App, please uninstall the App.

c. Information automatically collected during use of the Services

We automatically collect certain information from and about use of the Services from users’ computers and mobile devices.  Some automatically-collected information is personal information under certain laws.  This information is automatically collected using cookies, pixel, web beacons and similar data collection technology (collectively, data collection technology). 

The information that we automatically collect includes:

  • information about your computer or mobile device, such as device type and identification number, browser type, internet service provider, mobile network and operating system

  • IP address and broad geographic location (e.g., country or city-level location) 

  • how a computer or mobile device interacts with the Services, including the date and time the Services are accessed, search requests and results, mouse clicks and movements, specific webpages accessed, links clicked and videos watched

  • traffic and usage measurements 

  • data about the third-party sites or services accessed before interacting with the Services, which is used to make advertising more relevant for users

  • interactions with our marketing communications, such as whether and when a Coca‑Cola email is opened

d. Information collected from third parties

From time to time, we receive personal information from third parties that we use to learn more about our users, personalize user experience and more effectively promote and improve the Services.

The types of personal information that we receive from third parties are:

  • Personal information associated with purchases.  Payment card purchases are processed by third-party payment processors. Coca‑Cola does not have access to complete bank account numbers, credit card numbers or debit card numbers

  • Personal information that is commercially available from marketing services providers or collected by marketing partners through campaigns and events, which is used to help identify individuals who may be interested in learning more about Coca‑Cola and to supplement personal information we already have.  This personal information includes insights from matching our pseudonymized data sets with third parties’ pseudonymized data sets, including though data clean rooms (see also Section 4 below).

  • Personal information that we receive from the third-party advertising partners that help us provide more relevant advertising 

  • Personal information shared with Coca‑Cola by bottler partners

  • Personal information from publicly-available sources

  • Personal information from law enforcement and other government authorities (but only in rare cases)

We may combine information that Coca‑Cola has about you or combine data from third-party data sources.  We require that each third-party data provider confirm that its sharing of personal information with Coca‑Cola is transparent to consumers and otherwise lawful.

e. Other information collected with your consent

We may ask you for your consent to collect specific types of personal information so that you can participate in new activities, receive exclusive content or test new features.  Under some privacy laws, Coca‑Cola is required to obtain consent before collecting and using personal information.  Please see Section 9 for details.

4.  HOW DOES COCA-COLA USE PERSONAL INFORMATION?

Coca‑Cola uses personal information to provide and improve the Services, manage our business, protect users and enforce our legal rights.

We use personal information to provide, personalize and improve the Services (in each case as permitted by applicable law), including:

  • To create and update users’ accounts and fulfill users’ requests

  • To centralize consumers’ personal information in a database managed by a third party on our behalf and append information collected from third parties

  • To send marketing and non-marketing communications to users

  • To enable communications among users, such as an online community

  • For targeted advertisements (also sometimes referred to as personalized or interest-based advertising) based on information generated by a user’s online activity, such as visiting websites that contain our advertising partners’ ads or cookies, some of which are based on geo-location.  

  • To learn more about our users so we can recommend content that we think will interest particular users

    - In particular, we develop insights about users by participating in ‘data clean rooms.’  Through a data clean room, we run queries and extract outputs and insights from data offered by third parties that also participate.  Data used in data clean rooms is shared by other businesses and participants in a format that does not directly reveal or expose personal information; instead, before matching, an identifier is created and used to match the third-party data sets with Coca‑Cola’s pseudonymized personal information. (Using personal information for the purpose of creating pseudonymized data involves prior profiling of data sets.)   After the matching process, we receive aggregated information about our audience that does not allow for enrichment of individual data sets unless we inform you or otherwise obtain separate consent.  Data sharing in data clean rooms is for the purpose of audience discovery, audience expansion, audience targeting and look-alike audience modelling. 

  • For promotion and loyalty program administration

  • For customer service 

  • For facilitating payment

  • To analyze how users interact with the Services and activity trends so that we can develop new features and content that meet our consumers’ expectations 

  • To improve the Services and users’ experience of them

  • For data analytics, research, product development and machine learning that enable us to better understand our consumers and offer innovations for them

  • For monitoring and testing the Services, including to troubleshoot operational problems

  • To create anonymized data, which are not subject to this Privacy Policy, that are used in improving Coca‑Cola’s products and services and similar business purposes and otherwise as permitted by contract and law 

  • To detect and protect against fraud, abusive and unauthorized use of the Services

  • For risk management and similar administrative purposes, such as to monitor and enforce compliance with user agreements and otherwise comply with laws applicable to Coca‑Cola

5. DOES COCA-COLA USE COOKIES AND OTHER DATA COLLECTION TECHNOLOGY?

We use cookies and other data collection technology to recognize you and/or your device(s) when you use the Services and collect personal information about you.  

In some rare cases, there may be some websites that are part of the Services which have specific notices about cookies and other data collection technology that apply to specific websites and consumers.  If you visit a Coca‑Cola website with a notice about cookies, then that website’s cookie notice applies.

What are cookies?

Cookies are small text files that are sent to or accessed from your web browser or your computer's hard drive. A cookie typically contains the name of the domain (internet location) from which the cookie originated, the “lifetime” of the cookie (i.e., when it expires) and a randomly generated unique number or similar identifier. A cookie also may contain information about your computer or device, such as settings, browsing history and activities conducted while using the Services.

Coca‑Cola also uses “pixels” (sometimes called web beacons). Pixels are transparent images that can collect information about email opens and website usage across websites and over time.

Cookies that Coca‑Cola sets in the Services are called first-party cookies. Cookies set in the Services by any other party are called third-party cookies. Third-party cookies enable third-party features or functionality on or through the Services, such as analytics and marketing automation. The parties that set third-party cookies can recognize your device both when you use it to access the Services and also when you use it to visit certain other websites.  To learn more about cookies generally, visit www.allaboutcookies.org

Some web browsers (including Safari, Internet Explorer, Firefox and Chrome) incorporate a “Do Not Track” (DNT) or similar feature that signals to websites that a user does not want to have his or her online activity and behavior tracked.  If a website that responds to a particular DNT signal receives the DNT signal, the browser blocks that website from collecting certain information from the browser cache. Not all browsers offer a DNT option and DNT signals are not yet uniform. For this reason, many website operators, including Coca‑Cola, do not yet respond to DNT signals.

Why does Coca‑Cola use cookies and other data collection technology?

Some cookies are required for the Services to operate. Other cookies enable us to track the interests of users for targeted advertising and to enhance the experience of the Services.

The types of cookies served on through the Services and why they are used is as follows:

  • Strictly necessary cookies are required for the Services to operate.

  • Performance or Analytics cookies collect information about how the Services are used so we can analyze and improve the Services. Performance or analytics cookies typically remain on your computer after you close your browser until you delete them.

  • Advertising cookies are used to make advertising messages more relevant to you by helping us display advertisements that are based on your inferred interests, prevent the same ad from appearing too often and ensure that ads are properly displayed for advertisers.

  • Social media cookies allow users to interact more easily with social media platforms. We do not control social media cookies and they do not allow us to gain access to your social media accounts without your permission. Please refer to the relevant social media platform’s privacy policy for information about the cookies used.  

Data collection technology enables Coca‑Cola to monitor the traffic patterns from one webpage to another, to deliver or communicate with cookies, to understand whether users visit the Services after seeing our online advertisement displayed on a third-party website, to improve performance of the Services and to measure the success of our email marketing campaigns.  Coca‑Cola’s Cookie Policies (available in certain jurisdictions) describe Coca‑Cola’s use of data collection technology. 

Google Products

Where permitted by applicable law, the Services use Google Analytics for targeted advertising (which Google sometimes refers to as ‘remarketing’).  Google uses cookies that Google recognizes when consumers visit various websites.  The data collected through Google’s cookies helps Coca‑Cola analyze how the Services are used and, for some Services and in some jurisdictions, to personalize marketing communications and digital advertising.

The Services also embed videos from YouTube (a Google company) by framing.  This means that, after you click the button to play a YouTube video through the Services, a connection between the Services and  the YouTube servers is established.  Then, an HTML link provided by YouTube is inserted into the code of the Services to create a playback frame. The video stored on the YouTube servers is then played by the frame in the Services.  YouTube also receives information that informs YouTube that you are currently using the Services: your IP address, browser information, the operating system and settings of the device you are using, the URL of the current web page, previously-visited web pages if you have followed a link, and the videos you watched.  If you are logged into your YouTube account, the information may be associated with your YouTube user profile. You can prevent this association by logging out of your YouTube account before using the Services and deleting the corresponding cookies.

For more information about how Google collects, uses and shares your information, please visit Google’s Privacy Policy.

For more information about how Google uses cookies in advertising, please visit Google’s Advertising page.

To prevent Google Analytics from using your data, you can install Google’s opt-out browser add-on.

To opt out of ads on Google that are targeted to your interests, use your Google Ads settings.

If you are located in the EEA, Switzerland or UK, please note in particular that, if you allow Google’s cookies in Coca‑Cola’s Privacy Preference Center, the information generated by those cookies about use of the Services is transmitted to and stored by Google on servers in the United States. Coca‑Cola used technology tools, including Google’s IP Anonymization tool, to exclude the last part of your IP address before the data is transferred by Google to the United States, as well as Google’s tools for deactivation of data sharing and Google signals and User-ID settings in Google Analytics for certain jurisdictions.  Google will not associate an IP address with any other data held by Google.  

On behalf of Coca‑Cola, Google will use the data described above to compile reports that help Coca‑Cola operate and provide the Services.

Meta Products

Some part of the Services use products and features offered by Facebook, Instagram and Messenger and Facebook apps (Meta Products).  The Meta Products use tags, pixels (the Meta Pixel) and other unique tracking codes and technology that collect user information (including personal information) from the Services.  Facebook tracks user interactions with the Services after a user clicks on an ad placed on Facebook or other services provided by Meta (called a conversion) and enables Coca‑Cola to learn more about how users engage with ads and similar information.    The Meta Products use the collected data for Meta’s own purposes, including to improve the Meta Products.  Meta may transfer data that it collects from the Services to the USA and other countries, where you may have fewer rights to related to your personal information.  To learn more about how the Meta Products collect, use and process personal information and how you can manage or delete personal information about you, please see the Privacy Policy for the Meta Products at https://www.facebook.com/about/privacy.

Your Cookie Choices

You can set your browser to refuse all cookies or to indicate when a cookie is set. (Most browsers accept cookies automatically but allow you to disable them but note that some features of the Services may not work properly without cookies.) 

As noted above, Google has developed an opt-out browser add-on if you want to opt out of the cookies used for Google Analytics.  You can download and install the add-on for your web browser here.  You may refuse the use of these cookies by selecting the appropriate settings on your browser.  To learn more about how to view and manage your information on the Meta Products, please see here.

Certain jurisdictions in which the Services are available also have cookie policies which are separate from and supplement this Privacy Policy and tools to manage cookies.  Please refer to Section 9 for details.

6. HOW DOES COCA-COLA SHARE PERSONAL INFORMATION?

Coca‑Cola shares personal information with people and businesses that help operate the Services and carry out our business and when we are legally permitted or required to do so.  We also share personal information when a user requests that we share it.  We require that recipients of personal information from us comply with this Privacy Policy unless and until users are made aware that a different privacy policy or notice will apply.

Coca‑Cola shares personal information with the following categories of recipients:

  • Professional advisors, such as lawyers, accountants, insurers and information security and forensics experts.

  • Marketing vendors that help promote the Services (such as by email marketing) and from time to time supplement personal information that we already have.  For example, Meta receives and uses certain data related to the use of the Services to help us deliver personalized advertising on its platform and assess the effectiveness of this advertising.  

  • Service providers to enable them to perform services on our behalf, including data analytics, data security, ecommerce operations, surveys, research, administration of promotions, offers and loyalty programs and otherwise to help us carry out our business.  Some of these service providers have global responsibilities.

  • For strategic partnerships, such as with sports leagues and manufacturers and other providers of complementary offerings.

  • Through data clean rooms as described in Section 4.  Data sharing in a data clean room is for the purpose of audience discovery, audience expansion, audience targeting and look-alike audience modelling. 

  • Cloud storage providers.

  • Potential or actual acquirers or investors and their professional advisers in connection with any actual or proposed merger, acquisition or investment in or of all or any part of our business. We will use our best efforts to ensure that the terms of this Privacy Policy apply to personal information after the transaction or that users receive advance notice of changes to personal information processing.

  • Coca‑Cola affiliates and bottler partners.

  • Competent law enforcement, government regulators and courts when we believe disclosure is necessary (i) to comply with the law, (ii) to exercise, establish or defend legal rights, or (iii) to protect the vital interests of users, business partners, service providers or another third party.

  • Other third parties with your permission.

If we share personal information, we require that the recipients handle personal information in compliance with this Privacy Policy and our confidentiality and security requirements.

7. HOW DOES COCA-COLA PROTECT PERSONAL INFORMATION?

Coca‑Cola takes care to secure and safeguard the personal information entrusted to us.  We use a variety of measures to help us protect personal information from unauthorized access and use.

Coca‑Cola uses technical, physical, and administrative safeguards intended to protect the personal information that we process. Our safeguards are designed to provide a level of security appropriate to the risk of processing your personal information and include (as applicable) measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and a procedure for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of personal information.  Coca‑Cola cannot, however, fully eliminate security risks associated with the processing of personal information.  

You are responsible for maintaining the security of your account credentials. Coca‑Cola will treat access to the Services through your account credentials as authorized by you. 

Coca‑Cola may suspend your use of all or part of the Services without notice if we suspect or detect any breach of security.  If you believe that information you provided to Coca‑Cola or your account is no longer secure, please notify us immediately at Privacy@coca-cola.com.

If we become aware of a breach that affects the security of your personal information, we will provide you with notice as required by applicable law. When permitted by applicable law, Coca‑Cola will provide this notice to you using the email address associated with your account or another permitted method associated with your account.

UNAUTHORIZED ACCESS TO PERSONAL INFORMATION THROUGH THE SERVICES – INCLUDING SCRAPING – IS PROHIBITED AND MAY LEAD TO CRIMINAL PROSECUTION.

8. HOW LONG DOES COCA-COLA RETAIN PERSONAL INFORMATION?

We retain personal information about a user for as long as user’s account is active and otherwise as long as necessary for the purposes described above.  We also retain personal information as long as necessary to comply with legal obligations, resolve disputes, and enforce our agreements.

We intend to keep your personal information accurate and up-to-date.  We retain the personal information that we handle subject to this Privacy Policy in accordance with our data retention policy.   When determining the retention period, we take into account various criteria, such as the type of products and services requested by or provided to you, the nature and length of our relationship with you and mandatory retention periods under applicable law.  At the end of relevant retention period, we either delete or anonymize personal information or, if we cannot delete or anonymize personal information, then we segregate and securely store personal information until deletion or anonymization is possible.  

Once we anonymize personal information, it is no longer personal information. We use anonymized data subject to applicable law and contracts.

9. WHAT CHOICES ARE AVAILABLE FOR PERSONAL INFORMATION?

You can make choices about Coca‑Cola’s handling of your personal information.  You can exercise your privacy rights by contacting Coca‑Cola as described in this Section 9 or using various tools available through your browser or that Coca‑Cola makes available. In some cases, your ability to access or control your personal information is limited by applicable law.

Mobile Device Preferences

Mobile operating systems and app platforms (e.g., Google Play, App Store) have permission settings for specific types of mobile device data and notifications, such as for access to contacts, geo-location services and push notifications.  You can use the settings on your mobile device to consent to or deny certain information collection and/or push notifications.  Certain Apps also may have settings that allow you to change permissions and push notifications.  For some Apps, changing settings may cause certain aspects of the App to not functional properly.

You can stop all information collection from an App by uninstalling the App.  If you uninstall the App, please also consider checking your operating system’s settings to confirm that the unique identifier and other activity associated with your use of the App is deleted from your mobile device. 

Opting out of Coca‑Cola’s Emails and Text Messages

To stop receiving promotional emails from Coca‑Cola, please click the “Unsubscribe” link at the bottom of the email.  After you opt out, we may still send you non-promotional communications, such as receipts for purchases or administrative information about your account.  

Your account settings also may allow you to change your notification preferences, such as push notifications from an App.  

To stop receiving promotional text messages (SMS or MMS), please send a reply text message indicating that you wish to stop receiving promotional text messages from us – such as by testing the word “Stop”.  You also may let us know as directed below in the “Contacting Us” section.  Please specify which types of communications you no longer wish to receive together with the relevant telephone number, address, and/or e-mail address.  If you do opt-out of receiving marketing-related messages from us, we may still send you important administrative messages, such as emails about your accounts or purchases

INFORMATION ABOUT PRIVACY RIGHTS AND CHOICES FOR SPECIFIC JURISDICTIONS IS PROVIDED IN SECTION 13 AT THE END OF THIS PRIVACY POLICY.  WE ENCOURAGE YOU TO REVIEW THE RELEVANT SECTIONS.  

IF YOU ARE LOCATED IN A JURISDICTION WITH PRIVACY LAWS THAT OFFER YOU PRIVACY RIGHTS NOT DESCRIBED IN THIS PRIVACY POLICY, PLEASE CONTACT US AT PRIVACY@COCA-COLA.COM. We respect your privacy rights and will do our best to accommodate your requests.

10. HOW DOES COCA-COLA PROTECT CHILDREN'S PRIVACY?

Some of the Services have age restrictions which means that we may ask questions to verify your age before we allow you to use those Services.  

In accordance with our Responsible Marketing Policy, Coca‑Cola does not direct marketing for our products to children under age 13.  If you become aware that a child under age 13 or the age set under local law has provided us with personal information without parental consent or other than as allowed by applicable law, please contact our Privacy Office at privacy@coca-cola.com. Once we become aware, we will take steps to remove the child’s personal information as required by applicable law.

11. DOES COCA-COLA TRANSFER PERSONAL INFORMATION TO OTHER COUNTRIES?

Coca‑Cola may transfer personal information across borders to any of the places where we and our suppliers and business partners operate. These other places may have data protection laws that are different from (and, in some cases, less protective) than the laws where you reside. 

If your personal information is transferred across borders by us or on our behalf, we use appropriate safeguards to protect your personal information in accordance with this Privacy Policy and applicable law.  These safeguards include agreeing to standard contractual clauses or model contracts for transfers of personal information among the Coca‑Cola affiliates and among our suppliers and partners.  When in place, these contracts require our affiliates, suppliers and partners to protect personal information in accordance with applicable privacy laws.  

Please also see our Data Privacy Framework Privacy Policy, which describes how Coca‑Cola handles personal data that Coca‑Cola receives in the U.S. from the EU, UK and Switzerland in reliance on the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework, as set forth by the U.S. Department of Commerce (collectively, the DPF Framework).  If the terms in this Privacy Policy and the DPF Privacy Policy conflict, then the DPF Privacy Policy governs with respect to personal information that Coca‑Cola receives in the U.S. under the DPF Framework.  To learn more about the Data Privacy Framework program and to view our certification, please visit https://www.dataprivacyframework.gov/.

To request information about our standard contractual clauses or other safeguards for cross-border personal information transfers, please contact privacy@coca-cola.com.

12. WHEN IS THIS PRIVACY POLICY CHANGED? 

We may update this Privacy Policy from time to time in response to changing legal, technical or business developments.  The most current version always is available through the Services.

When we update this Privacy Policy, we will post the updated version and change the Effective Date above.  We also will take appropriate measures to inform you in advance of significant changes that we believe affect your privacy rights so that you have an opportunity to review the revised Privacy Policy before it is effective.  If your consent is required by applicable privacy laws, we will obtain your consent to changes before the revised Privacy Policy applies to you.  Please regularly check this Privacy Policy to ensure you are aware of the updated version.

13. PRIVACY RIGHTS AND CHOICES FOR SPECIFIC JURISDICTIONS 

Residents of Canada

Coca‑Cola collects, uses, and discloses Personal Information for the purposes identified in our Privacy Policy and for any additional purposes, as permitted by law, with notice to you and your express or, where permitted, implied consent.

You have certain rights in respect of your information. To access or correct your Personal Information, please complete the form at the following link. Please note we may verify your identity before we can act on your request. 

For residents of Quebec: The person in charge of the protection of personal information about individuals residing in Quebec is Larissa Barbara Lourenco, who can be contacted by email at privacy@coca-cola.com.

The controller of your personal information is Coca‑Cola Ltd. (CCL). CCL is the indirect, wholly owned subsidiary of TCCC (incorporated under federal Canadian law). 

14. The DPF

THE EU-US DATA PRIVACY FRAMEWORK POLICY
The Coca‑Cola Company (“Coca‑Cola” or “we”) complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. 

Coca‑Cola has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the Processing of Personal Information received from the European Union (EU) in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Coca‑Cola has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) about the Processing of Personal Information received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Privacy Statement and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework program and to view our certification, please visit https://www.dataprivacyframework.gov.

(Note: the Swiss-U.S. DPF is awaiting finalization as of the date of this DPF Policy. Please visit here for more information.)

DEFINITIONS

In this Coca‑Cola Company Data Privacy Framework Privacy Policy (DPF Policy), the following terms have the following meanings:

  • Agent means any third party that collects or uses Personal Information under the instructions of, and solely for, Coca‑Cola or to which Coca‑Cola discloses Personal Information for use on Coca‑Cola's behalf.

  • Data Subject  (or you) means a natural person whose Personal Information is covered by this DPF Policy.

  • Controller means a person or organization which, alone or jointly with others, determines the purposes and means of the Processing of Personal Information.

  • DPF Principles means the EU-U.S. DPF Principles (defined above) and Swiss-U.S. DPF Principles (defined above), as set forth by the U.S. Department of Commerce here.

  • DPF Program means, collectively, EU-U.S. DPF, UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

  • Personal Information means any information, including Sensitive Personal Information, relating to an identified or identifiable natural person that is received by Coca‑Cola in the U.S. from the EEA, Switzerland or UK/Gibraltar, and recorded in any form.

- An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

  • Processing means any operation or set of operations performed on Personal Information, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.

  • Sensitive Personal Information means Personal Information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, information specifying an individual’s sex life, and any Personal Information received by Coca‑Cola from a third party that the third party identifies and treats as sensitive.

WHEN THIS DPF POLICY APPLIES

This DPF Policy applies to Personal Information transferred from member countries of the European Economic Area (EEA, which is the member states of the EU plus Iceland, Liechtenstein and Norway), the United Kingdom (UK), and Switzerland to Coca‑Cola in the U.S. in reliance on the EU-U.S. DPF, UK Extension to the EU-U.S. DPF or the Swiss-U.S. DPF.  

Personal Information that Coca‑Cola Processes in compliance with the DPF Program is covered by Coca‑Cola’s other privacy-related requirements and policies (collectively, the Coca‑Cola Privacy Policies), such as:

  • Personal Information Processed about users of Coca‑Cola’s websites, mobile applications, widgets and other online and offline services (together, the Services) is subject to the Coca‑Cola Privacy Policy (available at https://www.coca-cola.com/gb/en/legal/privacy-policy for the UK, and, for the EEA and Switzerland, by selecting the relevant country here) or, for some Services, the privacy policy, notice or statement linked or posted in those Services. 

  • Personal Information regarding external job applicants is described in The Coca‑Cola Applicant Privacy Notice applies to Personal Information collected from or about applicants.

  • Personal Information regarding Coca‑Cola’s current or past employees, interns, contractors and contingent workers is subject to Coca‑Cola’s Employee Privacy Notices and to Coca‑Cola’s DPF Policy for HR Data, which are available on KO Connect (Coca‑Cola’s intranet). 

This DPF Policy does not apply to Personal Information transferred under Standard Contractual Clauses or any approved derogation from the EU General Data Protection Regulation, the UK General Data Protection Regulation or the Swiss Federal Data Protection Act.   While the DPF Program is an authorized international transfer mechanism to enable Coca‑Cola to receive Data Subjects’ Personal Information in the U.S., Coca‑Cola’s obligations and Data Subject rights under the DPF Program are separate from those under EU General Data Protection Regulation, the UK General Data Protection Regulation and the Swiss Federal Data Protection Act. 

COCA-COLA’S COMMITMENT TO THE DPF PRINCIPLES

Coca‑Cola commits to applying the DPF Principles to all Personal Information that Coca‑Cola in the U.S. receives from the EEA, UK and Switzerland in reliance on the DPF Program.  Coca‑Cola’s adherence to this DPF Policy may be limited to the extent required to meet Coca‑Cola’s legal, regulatory, governmental or national security obligations.

The DPF Principles
The DPF Principles are: 1. Notice; 2. Choice; 3. Accountability for Onward Transfer; 4. Security; 5. Data Integrity and Purpose Limitation; 6. Access; and 7. Recourse, Enforcement and Liability.

1. Notice Principle
Coca‑Cola provides notice to Data Subjects about its Processing Practices for Personal Information received by Coca‑Cola in the U.S. from the EEA, UK and Switzerland in reliance on the DPF Program through the Coca‑Cola Privacy Policies and this DPF Policy, including: 

  • the types of Personal Information it collects about them

  • the purposes for which it Processes the Personal Information (see also 5. below)

  • the types of Agents and other third parties to which Coca‑Cola discloses Personal Information and the purposes for doing so (see also 3. below)

  • the rights of Data Subjects to access their Personal Information (see 6 below)

  • the choices that Coca‑Cola offers Data Subjects for limiting use and disclosure of their Personal Information (see also 2. below)

  • how Coca‑Cola’s obligations under the DPF Program are enforced, including Coca‑Cola’s designated independent dispute resolution mechanism to address complaints and provide appropriate recourse free of charge, the possibility, under certain conditions, to invoke binding arbitration (see also 7. below)

  • Coca‑Cola’s liability in cases of onward transfers to third parties (see also 3. below)

  • how Data Subjects can contact Coca‑Cola with questions or complaints.

Coca‑Cola is not required to apply the Notice Principle or the Choice or Accountability for Onward Transfer Principles (see 2. and 3. below)  to public record information  (i.e., records kept by government agencies or entities at any level that are open to consultation by the public in general) or information that is already publicly available to the public at large as long as this information  is not combined with non-public record information and, for public record information, any conditions for consultation established by the relevant jurisdiction are respected.  

2. Choice Principle

Coca‑Cola provides Data Subjects with choices about their Personal Information before Coca‑Cola uses Personal Information covered by this DPF Policy for a new purpose that is materially different from the purpose for which the Personal Information was originally collected or subsequently authorized or before disclosure to a non-Agent third party that was not already authorized. 

Coca‑Cola will obtain affirmative consent (i.e., opt-in) from Data Subjects before Sensitive Personal Information is disclosed to a third party.  

Coca‑Cola will obtain the Data Subject’s affirmative express consent (i.e., opt in) before Sensitive Personal Information covered by this DPF Policy is (i) disclosed to a third party or (ii) used for a new purpose that is different from that for which the Personal Information was originally collected or subsequently authorized by the Data Subject. Under the DPF Principles, Coca‑Cola is not required to provide choice when disclosure is made to a third party that is acting as an Agent if Coca‑Cola enters into a written contract with the Agent (see 3. below). 

To opt out of these uses or disclosures of Personal Information or Sensitive Personal Information, please contact Coca‑Cola as follows:

  • Send an email to privacy@coca-cola.com 

  • Complete the form available here

  • Send mail to Consumer Interaction Centre, PO Box 73229, London E14 1RP

Coca‑Cola may engage with a Data Subject to request sufficient information to allow Coca‑Cola to confirm the identity of the Data Subject making an opt-out request.   Coca‑Cola may use information for certain direct marketing purposes when it is impracticable for Coca‑Cola to provide a Data Subject with an opportunity to opt out before using the Personal Information but only when Coca‑Cola promptly offers the Data Subject the opportunity at the same time (and upon request at any time) to decline (at no cost) to receive any further direct marketing communications and Coca‑Cola complies with the individual’s wishes.

3. Accountability for Onward Transfer Principle

Coca‑Cola offers Data Subjects the opportunity to choose (i.e., opt out) whether their Personal Information is (i) disclosed to a third party or (ii) used for a purpose that is materially different from the purpose(s) for which the Persona Information was originally collected or subsequently authorized.  

Transfers to Controllers: Coca‑Cola will transfer Personal Information covered by this DPF Policy to a third party acting as a Controller consistent with the relevant Coca‑Cola Privacy Policies provided to each affected Data Subject and the Data Subject’s consent given to Coca‑Cola.  

Coca‑Cola also will make these transfers only if the Controller has agreed in a written contract that it will (i) Process the Personal Information for limited and specified purposes consistent with the consent provided by the Data Subjects, (ii) provide at least the same level of protection as is required by the DPF Principles and notify us if it makes a determination that it cannot do so; and (iii) cease Processing of the Personal Information or take other reasonable and appropriate steps to remediate the Processing if it makes such a determination. 

Coca‑Cola will take reasonable and appropriate steps to prevent, stop or remediate the Processing if Coca‑Cola becomes aware that a Controller is Processing Personal Information covered by this DPF Policy contrary to the DPF Principles. 

Transfers to Agents: Coca‑Cola will transfer to each Agent only the Personal Information needed for the Agent to provide the services or products as Coca‑Cola has instructed.  

Coca‑Cola will require that each Agent:

  • Process the Personal Information only for limited and specified purposes as instructed by Coca‑Cola; 

  • Provide at least the same level of privacy protection as is required by the DPF Principles; 

  • Take reasonable and appropriate steps to ensure that the Agent effectively Processes the Personal Information transferred in a manner compliant with Coca‑Cola’s obligations under the DPF Principles; and 

  • Notify Coca‑Cola if the Agent determines that it can no longer meet its obligation to provide the same level of protection as is required by the DPF Principles. 

Upon receiving notification from an Agent that the Agent can no longer meet its obligation to provide the same level of protection as is required by the DPF Principles, Coca‑Cola will take reasonable and appropriate steps to stop and remediate the unauthorized Processing.  Coca‑Cola also provides summaries of the relevant privacy provisions of its contracts with Agents to the Department of Commerce upon request.

In certain situations, we may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. 

Coca‑Cola remains liable under the DPF Principles if an Agent Processes Personal Information covered by this DPF Policy in a manner inconsistent with the DPF Principles unless Coca‑Cola proves that Coca‑Cola is not responsible for the event giving rise to the damages.

4. Security Principle

Coca‑Cola takes reasonable and appropriate measures to protect Personal Information covered by this DPF Policy from loss, misuse and unauthorized access, disclosure, alteration, and destruction, considering the risks involved in the Processing and the nature of the Personal Information.

5. Data Integrity and Purpose Limitation Principle

Coca‑Cola limits its collection of Personal Information to information that is relevant for the purposes of Processing. Coca‑Cola does not Process Personal Information in a way that is incompatible with the purposes for which it was collected or subsequently authorized by the Data Subject.

Coca‑Cola takes reasonable steps to ensure that such Personal Information is reliable for its intended use, accurate, complete, and current. Coca‑Cola takes reasonable and appropriate measures to comply with the requirement under the DPF Program to retain Personal Information in identifiable form only for as long as it serves a purpose of Processing. Specifically, Coca‑Cola will retain Personal Information in accordance with Coca‑Cola’s legitimate business purposes and legal obligations, unless a longer retention period is required or permitted by law.

Coca‑Cola will adhere to the DPF Principles for as long as it retains Personal Information covered by this DPF Policy.

6. Access Principle

Data Subjects whose Personal Information is covered by this DPF Policy have the right (i) to obtain from Coca‑Cola confirmation of whether or not Coca‑Cola is Processing Personal Information relating to them and to access that Personal Information and (ii) to correct, amend, or delete their Personal Information if it is inaccurate or if Coca‑Cola Processes it in violation of the DPF Principles - except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the Data Subject’s privacy, when the rights of persons other than the Data Subject would be violated or disclosure is likely to interfere with the safeguarding of important countervailing public interests, such as national security, defense or public security.  

Coca‑Cola will make good-faith, reasonable and practical efforts to comply with requests, so long as our doing so would be consistent with applicable law, Coca‑Cola’s contractual requirements, and/or the laws applicable to Coca‑Cola.   

Coca‑Cola may engage with a Data Subject to request sufficient information to allow Coca‑Cola to confirm the Data Subject’s identity or if an access request is vague or broad in scope or to better understand the motivation for the request and to locate responsive information.  Coca‑Cola also may inquire about how the Data Subject interacted with Coca‑Cola or about the nature of the Personal Information or its use that is the subject of the request. Coca‑Cola may deny or limit access to the extent that granting full access would reveal Coca‑Cola’s own confidential commercial information, such as the confidential commercial information of another that is subject to a contractual obligation of confidentiality.  Coca‑Cola may set reasonable limits on the number of times within a given period that access requests from a particular Data Subject will be met.  

To make a data access request, Data Subjects may contact Coca‑Cola by:

  • Sending an email to privacy@coca-cola.com 

  • Completing the form available here

  • Sending mail to Consumer Interaction Centre, PO Box 73229, London E14 1RP

Coca‑Cola will respond to access requests within a reasonable time period.

7. Recourse, Enforcement, and Liability

The Federal Trade Commission (FTC) has jurisdiction over Coca‑Cola’s compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF. 

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Coca‑Cola commits to resolve complaints about our collection or use of Personal Information transferred to the U.S. pursuant to the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.   

EU, UK and Swiss individuals with inquiries or complaints should first contact Coca‑Cola by email to privacy@coca-cola.com or Coca‑Cola’s EU Data Protection Officer is available at dpo-europe@coca-cola.com.

Coca‑Cola has further committed to refer unresolved DPF Principles-related complaints to a U.S.-based independent dispute resolution mechanism, BBB NATIONAL PROGRAMS.  If you do not receive timely acknowledgment of your complaint or if your complaint is not satisfactorily addressed, please visit www.bbbprograms.org/dpf-complaints for more information and to file a complaint. The service of BBB NATIONAL PROGRAMS is provided free or charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may be able to invoke binding arbitration for some residual claims not resolved by other redress mechanisms. 

* * * * *

Coca‑Cola agrees to periodically review and verify its compliance with the DPF Principles and to remedy any issues arising out of Coca‑Cola’s failure to comply with the DPF Principles. Coca‑Cola acknowledges that its failure to provide an annual self-certification to the U.S. Department of Commerce will remove it from the Department’s list of DPF participants.

All Coca‑Cola personnel who have access in the U.S. to Personal Information covered by this DPF Policy are responsible for ensuring that Personal Information Processing complies with this DPF Policy.  Coca‑Cola personnel also are responsible for ensuring that Agents or other unaffiliated third parties that Process Personal Information subject to this DPF Policy comply with this DPF Policy and Process Personal Information in accordance with the DPF Principles, including contracts required by the DPF Program.

CHANGES TO THIS DATA PRIVACY FRAMEWORK POLICY

This DPF Policy may be amended from time to time consistent with the requirements of the DPF. When we make changes to this DPF Policy, we will revise the “Last Updated” date at the beginning of this DPF Policy.   We also will take appropriate measures to inform you in advance of changes we feel are significant so that you have an opportunity to review the revised DPF Policy before it is effective.  If your consent is required by the DPF Principles, we will obtain your consent.  We encourage you to regularly check this DPF Policy to ensure you are aware of the updated version. 

QUESTIONS?

Coca‑Cola is committed to protecting the privacy of your Personal Information. If you have any questions or comments about this DPF Policy, please contact privacy@coca-cola.com.