THE COCA-COLA COMPANY
CONSUMER HEALTH DATA PRIVACY POLICY
Effective Date: March 31, 2024
This Consumer Health Data Privacy Policy (Health Data Privacy Policy or Policy) explains how the Coca‑Cola Company and our affiliates (Coca‑Cola, we, us, or our) collect consumer health data from or about consumers, which may occur in the context of receiving, assessing and responding to product concerns. This Policy describes our practices with respect to the collection and use of consumer health data and describes rights you may have with respect to your consumer health data.
In addition to this Consumer Health Data Privacy Policy, please see our Consumer Privacy Policy for more information about our broader data practices.
When we refer to consumer health data in this Policy, we mean personal information that is linked or reasonably linkable to an individual and that identifies the individual's past, present, or future physical or mental health status.
We may also deidentify or collect deidentified data for these purposes. When collecting deidentified data, we will only process such data in a deidentified fashion and will not make any attempts to reidentify such data.
1. WHAT CATEGORIES OF CONSUMER HEALTH DATA DOES COCA-COLA COLLECT?
We collect the following categories of consumer health data:
a. Commercial information: information about the products you have ordered and/or consumed, whether you noticed anything unusual about the product, whether you have previously purchased or consumed the product
b. Medical information: whether you have any allergies or food sensitivities, medications you may be taking
c. Event information: symptoms you experienced, how long it took for the reaction to occur, how long the reaction persisted, whether you consumed anything (other than the product) in the 6 hours prior to the reaction
d. Inferences drawn from any personal information we collect, which inferences constitute consumer health data
2. FOR WHAT PURPOSES DOES COCA-COLA COLLECT CONSUMER HEALTH DATA?
We collect the categories of consumer health data identified for the following purposes:
Categories of Consumer Health Data | Purposes for Collection |
Commercial information: information about the products you have ordered and/or consumed, whether you noticed anything unusual about the product, whether you have previously had the product Medical information: whether you have any allergies or food sensitivities, medications you may be taking Event information: symptoms you experienced, how long it took for the reaction to occur, how long the reaction persisted, whether you consumed anything (other than the product) in the 6 hours prior to the reaction Inferences drawn from any personal information we collect, which inferences constitute consumer health data | To contact you to request additional information or provide information about your concern(s); to offer customer support from our customer services team; to track and document your concern(s); to report to regulatory entities or respond to valid legal process |
Commercial information: information about the products you have ordered and/or consumed, whether you noticed anything unusual about the product, whether you have previously had the product | To prevent fraud, activities that violate our Terms of Service, Consumer Privacy Policy, this Policy, or that are illegal; to protect our rights and the rights and safety of our users or others; to report to regulatory entities or respond to valid legal process |
3. FROM WHICH CATEGORIES OF SOURCES DOES COCA-COLA COLLECT CONSUMER HEALTH DATA?
We collect consumer health data directly from our consumers or their representatives reporting adverse reaction to a product when they submit a concern to us.
4. HOW DOES COCA-COLA SHARE CONSUMER HEALTH DATA WITH THIRD PARTIES?
Service providers may process data on our behalf to provide goods or services in a manner consistent with the purpose for which consumer health data was collected and disclosed. This includes our affiliates that provide processor services to us from time to time. In addition, the following chart describes the categories of consumer health we share with third parties, when we have obtained your consent to share such consumer health data:
Categories of Consumer Health Data | Categories of Third Parties to Which We Shared Consumer Health Data |
Commercial information: information about the products you have ordered and/or consumed, whether you noticed anything unusual about the product, whether you have previously had the product | Service providers such as professional services firms, companies that provide us with bottling services or support our IT-related functions. These services providers or “processors” are contractually restricted from using the data except as instructed by us to provide the services to us. |
Medical information: whether you have any allergies or food sensitivities, medications you may be taking | Service providers such as professional services firms, companies that provide us with bottling services or support our IT-related functions. These services providers or “processors” are contractually restricted from using the data except as instructed by us to provide the services to us. |
Event information: symptoms you experienced, how long it took for the reaction to occur, how long the reaction persisted, whether you consumed anything (other than the product) in the 6 hours prior to the reaction | Service providers such as professional services firms, companies that provide us with bottling services or support our IT-related functions. These services providers or “processors” are contractually restricted from using the data except as instructed by us to provide the services to us. |
Inferences drawn from any personal information we collect, which inferences constitute consumer health data | Service providers such as professional services firms, companies that provide us with bottling services or support our IT-related functions. These services providers or “processors” are contractually restricted from using the data except as instructed by us to provide the services to us. |
BUSINESS PURPOSES FOR SUCH SHARING
We disclosed the aforementioned categories of consumer health data to the categories of third parties identified above for the following purposes: to obtain information from you and provide information to you about your concern; assess and process your concern; document and identify your concern; operate our IT systems and secure our systems; prevent fraud and other illegal activities; and to obtain professional services such as advice about legal and accounting matters.
ADDITIONAL INFORMATION ABOUT HOW WE MAY SHARE CONSUMER HEALTH DATA AND PURPOSES FOR SHARING
We may also disclose your consumer health data as required or permitted by law to comply with a subpoena or similar legal process or government request, or when we believe in good faith that disclosure is legally required or otherwise necessary to protect our rights and property or the rights, property, or safety of others, including to law enforcement agencies, and judicial and regulatory authorities such as the Food and Drug Administration. We may also disclose your consumer health data to third parties to help detect and protect against fraud or data security vulnerabilities. And we may disclose or transfer your consumer health data to a third party in the event of an actual or potential sale, merger, reorganization of our entity or other restructuring.
CATEGORIES OF CONSUMER HEALTH DATA WE SELL
We do not sell consumer health data.
5. HOW CAN I EXERCISE MY PRIVACY RIGHTS REGARDING CONSUMER HEALTH DATA?
Under certain state laws, you may have the following rights with respect to your consumer health data we collect:
a. Right to Know: The right to confirm whether we are collecting, sharing, or selling your consumer health data and to access such consumer health data.
b. Right to Access: The right to a portable and technically feasible copy of the consumer health data we have collected from you.
c. Right to Know Third Parties: The right to obtain a list of all third parties and/or affiliates with whom we have shared or sold your consumer health data and an online mechanism to contact these third parties.
d. Right to Opt-Out: The right to require that we stop collecting, sharing, or selling your consumer health data.
e. Right to Delete: The right to request deletion of the consumer health data that we have collected about you.
f. Right to Correct: The right to ask that we correct inaccuracies in the consumer health data we have collected about you.
You also have the right to withdraw your consent to our collection or sharing of your consumer health data.
Please note that for purpose of this section of this Policy, we consider consumer health data to mean:
For Connecticut residents: consumer health data as defined under the Connecticut Data Privacy Act, as amended.
For Nevada residents or individuals that have their consumer health data collected by us in Nevada: consumer health data as defined under the Nevada Consumer Health Data Privacy Law.
For Washington residents or individuals that have their consumer health data collected by us in Washington: consumer health data as defined under the Washington My Health My Data Act.
EXERCISING YOUR RIGHTS AND HOW WE WILL RESPOND
Click here, call toll-free to 1-800-438-2653, or email us here to exercise the rights described above. To submit your request, please be prepared with your name, email address and place of residence.
We will respond to such requests within 45 days from when we receive your request, although we may be allowed to take longer to process your request under certain circumstances. If we expect your request is going to take us longer than normal to fulfill, we will let you know. We usually act on requests and provide information free of charge, but we may charge a reasonable fee to cover our administrative costs of providing the information in certain situations.
VERIFICATION OF IDENTITY – REQUEST TO KNOW, REQUEST TO KNOW THIRD PARTIES, REQUEST A COPY, DELETE, CORRECT
We will ask you for two pieces of personal information and attempt to match those to information that we maintain about you. If we are unable to verify your identity with the degree of certainty required, we will not be able to respond to the request. We will notify you to explain the basis of the denial.
WHEN WE DO NOT ACT ON A REQUEST – APPEAL PROCESS
In some cases, we may not act on your requests (e.g., if we cannot do so under other laws that apply). When this is the case, we will explain our reasons for not providing you with the information or taking the action (e.g., correcting data) you requested. Additionally, you have the right to appeal our decision by calling toll-free to 1-800-438-2653 or emailing us here within 30 days after your receipt of our decision. We will respond to your appeal within 45 days of our receipt of the request. If your appeal is unsuccessful, Washington residents can raise a concern or lodge a complaint with the Washington State Attorney General at https://www.atg.wa.gov/file-complaint.
THIRD PARTY COLLECTION OF CONSUMER HEALTH DATA
When you use our website or other online services to submit a concern, third parties will not be allowed to collect your consumer health data over time across different websites and other online services we offer.
6. HOW DOES COCA-COLA PROTECT CONSUMER HEALTH DATA?
We take care to secure and safeguard the consumer health data entrusted to us. Coca‑Cola uses technical, physical, and administrative safeguards intended to protect the consumer health data that we process. Coca‑Cola cannot, however, fully eliminate security risks associated with the processing of personal information. If we become aware of a breach that affects the security of your consumer health data, we will provide you with notice as required by applicable law. When permitted by applicable law, Coca‑Cola will provide this notice to you using the email address associated with your account or another permitted method associated with your account.
7. WHEN IS THIS POLICY CHANGED?
When we update this Policy, we will post the updated version and change the Effective Date above. We also will take appropriate measures to inform you in advance of significant changes that we believe affect your privacy rights so that you have an opportunity to review the revised Policy before it is effective. If your consent is required by applicable privacy laws, we will obtain your consent to changes before the revised Policy applies to you. Please regularly check this Policy to ensure you are aware of the updated version.
8. QUESTIONS?
Coca‑Cola is committed to protecting the privacy of your consumer health data. If you have any questions or comments about this Policy, please contact privacy@coca-cola.com.