Last Updated Date: [2/13/2024]

This California B2B and Job Applicant Privacy Notice (“Notice”) supplements, for California residents with which we interact in the business-to-business context (“B2B Context”) as well as our California job applicants (“Job Applicants”) (collectively referred to throughout this Notice as “you” or “your”), the general privacy policies of China Unicom Americas (Operations Limited) (“CUA,” “our,” “us,” or “we”), including, without limitation, our Website Privacy Policy and any other privacy policies, notices, or statements provided on a website, mobile app, or any other digital assets that we own and operate. CUA does not offer products or services to, or collect information (including PI) from, business-to-consumer individuals acting in an individual or household context. CUA only offers products and services in the B2B Context.

In the event of a conflict between any other CUA policy, notice, or statement and this Notice, this Notice will prevail as to California residents unless stated otherwise. You have certain privacy rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, including the regulations promulgated thereunder (together, the “CCPA”). This Notice is designed to meet our obligations under the CCPA and provides information regarding our data practices, including our collection, use, disclosure, and Sale of your personal information (“PI”). Capitalized terms used but not defined in this Notice shall have the meanings given to them under the CCPA. 

Applicability:

• Section 1 of this Notice provides notice of our data practices, including our collection, use, disclosure, and Sale/Sharing of your PI.
• Sections 2-5 of this Notice provide information regarding your rights and how you may exercise them.

Non-Applicability, Customer Information:  This Notice also does not apply to our other California personnel, such as current and former employees and independent contractors of CUA, which can learn about our data practices as relates to them in our California Personnel Privacy Notice available here.

TABLE OF CONTENTS

1. Notice of Data Practices

(a)         PI Sources and Use

(b)         PI Collection, Disclosure, and Retention – By Category of PI

2. Your Rights and How to Exercise Them

(a)         Right to Limit Sensitive PI Processing

(b)         Right to Know/Access

(1)         Categories

(2)         Specific Pieces

(c)         Do Not Sell / Share

(d)         Right to Delete

(e)         Correct Your PI

(f)     Automated Decision Making/Profiling

(g)         How to Exercise Your Privacy Rights

(1)         Your Request Must be a Verifiable Request

(2)         Agent Requests

(h)        Our Responses

3. Non-Discrimination/non-retaliation
4. Notice of Financial Incentive Programs
5. Our Rights and the Rights of Others
6. Contact Us

 

1. Notice of Data Practices

The description of our data practices in this Notice covers the twelve (12) months prior to the Last Updated Date above. Our data practices may differ between updates, however, if materially different from this Notice, we will provide supplemental pre-collection notice of the current practices, which may include references to other privacy policies, notices, or statements. Otherwise, this Notice serves as our notice at collection.

• PI Sources and Use

We may Collect your PI directly from you such as when you fill out the contact us form on our website or when you apply for a position or with us (e.g., identification/identity data, contact details, educational and employment data); your devices; our affiliates; service providers; public sources of data; credit reporting agencies; third parties (e.g., references), or other businesses or individuals. Generally, we Process your PI to provide you services and as otherwise related to the operation of our business, including for one or more of the following Business Purposes: Performing Services; Managing Interactions and Transactions; Security; Debugging; Quality Assurance; Processing Interactions and Transactions; and Research and Development.

 

For example, in the course of you interacting with us on behalf of the business for which you work, we may use PI for the following purposes:

• Performing services;
• Communicating about our services;
• Processing requests;
• Invoicing and collections activities;
• Enabling features on our website;
• Detecting security incidents that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted PI;
• Verifying or maintaining the quality or safety of our products or services; and
• Improving, upgrading, or enhancing our products and services.

 

For example, in the Job Applicant context we may use PI for the following purposes:

• Recruitment;
• Running background checks;
• Maintaining personnel records;
• Facilitating diversity and inclusion programs;
• HR IT systems and security;
• Health & safety/occupational health; and
• Security (including electronic and of premises)

 

We may also use PI for “Additional Business Purposes” in a context that is not a Sale or Share under the CCPA, such as:

• Disclosing it to our Service Providers, Contractors, or Processors that perform services for us (“Vendors”);
• Disclosing it to you or to other parties at your direction or through your actions (e.g., some software platform operators);
• For the additional purposes explained at the time of collection (such as in the applicable privacy policy or notice);
• As required or permitted by applicable law;
• To the government or private parties to comply with law or legal process or protect or enforce legal rights or obligations or prevent harm;
• Where we believe we need to in order to investigate, prevent or take action if we think someone might be using information for illegal activities, fraud, or in ways that may threaten someone’s safety or violate our policies or legal obligations; and
• To assignees as part of an acquisition, merger, asset sale, or other transaction where another party assumes control over all or part of our business (“Corporate Transaction”).

 

Subject to restrictions and obligations under the CCPA, our Vendors may also use your PI for Business Purposes and Additional Business Purposes, and may engage their own vendors to enable them to perform services for us.

 

We provide more detail on our data practices in the chart that follows.

• PI Collection, Disclosure, and Retention – By Category of PI

We collect, disclose, and retain PI as follows:

 

Category of PI	Examples of PI Collected and Retained	Categories of Recipients	Context Collected
1.      Identifiers	Real name, alias, postal address, unique personal identifiers, online identifier, Internet Protocol address, e-mail address, and account name.	Disclosures for Business Purposes: ·        Vendors (e.g., web hosting and data analytics providers, processing and storage providers, fraud prevention and security providers, and employment verification providers); ·        Governmental entities (making requests pursuant to legal or regulatory process); and/or ·        Other parties within the limits of Additional Business Purposes. Sale/Share: None	B2B Context Job Applicant Context
2.      Personal Records	Name, signature, description, address, and telephone number. Some PI included in this category may overlap with other categories.	Disclosures for Business Purposes: ·        Vendors (e.g., web hosting and data analytics providers, processing and storage providers, fraud prevention and security providers, and employment verification providers); ·        Governmental entities (making requests pursuant to legal or regulatory process); and/or ·        Other parties within the limits of Additional Business Purposes.   Sale/Share: None	B2B Context Job Applicant Context
3.      Internet Usage Information	When you browse our sites or otherwise interact with us online, we may Collect browsing history, search history, and other information regarding your interaction with our sites, applications, or advertisements.	Disclosures for Business Purposes: ·        Vendors (e.g., web hosting and data analytics providers, processing and storage providers, fraud prevention and security providers); ·        Governmental entities (making requests pursuant to legal or regulatory process); and/or ·        Other parties within the limits of Additional Business Purposes.   Sale/Share: None	B2B Context Job Applicant Context
4.      Sensory Data	We may Collect audio, electronic, or similar information when such as when you contact us through our customer service line, support services, and video security recordings.	Disclosures for Business Purposes: ·        Vendors (e.g., web hosting and data analytics providers, processing and storage providers, and fraud prevention and security providers); ·        Governmental entities (making requests pursuant to legal or regulatory process); and/or ·        Other parties within the limits of Additional Business Purposes.   Sale/Share: None	B2B Context Job Applicant Context
5.      Professional or Employment Information	Professional, educational, or employment-related information.	Disclosures for Business Purposes: ·        Vendors (e.g., employment verification providers, web hosting and data analytics providers, processing and storage providers, and fraud prevention and security providers); ·        Governmental entities (making requests pursuant to legal or regulatory process); and/or ·        Other parties within the limits of Additional Business Purposes.   Sale/Share: None	B2B Context Job Applicant Context
6.      Inferences from PI Collected	Inferences drawn from PI to create a profile reflecting preferences, abilities, and aptitudes.	Disclosures for Business Purposes: ·        Vendors (e.g., web hosting and data analytics providers, processing and storage providers, fraud prevention and security providers); ·        Governmental entities (making requests pursuant to legal or regulatory process); and/or ·        Other parties within the limits of Additional Business Purposes.   Sale/Share: Third-Party Digital Businesses	B2B Context Job Applicant Context

 

There may be additional information we Collect that meets the definition of PI under the CCPA but is not reflected by a category above, in which case we will treat it as PI as required, but will not include it when we describe our practices by PI category.

As permitted by applicable law, we do not treat Deidentified data or Aggregate Information as PI and we reserve the right to convert, or permit others to convert, your PI into Deidentified data or Aggregate Information, and may elect not to treat publicly available information as PI.  We will not attempt to reidentify data that we maintain as deidentified. 

 

Because there are numerous types of PI in each category of PI, and various uses for each PI type, our retention periods vary for each of the categories of PI described above. The length of time for which we retain each category of PI depends on the purposes for our collection and use and requirements pursuant to applicable laws. In no event do we retain your PI for any longer than reasonably necessary to achieve the purposes for which it was collected or processed, or as required by applicable law. The criteria used to determine the retention period of PI includes the nature and sensitivity of the PI, the potential risk of harm from unauthorized use or disclosure of the PI, as well as applicable laws (such as applicable statutes of limitation).

2. Your Rights and How to Exercise Them

As described more below, subject to meeting the verification requirements and limitations permitted by applicable laws, we provide you the privacy rights described in this section.  

To submit a request to exercise your privacy rights, or to submit a request as an authorized agent, use our California Resident Privacy Rights Form , or call us at 1-703-880-6888, and respond to any follow-up inquiries we make. Please be aware that we do not accept or process requests through other means (e.g., via fax, chats, social media etc.).  More details on the request and verification process is in Section 2(g) below.  The rights we accommodate are as follows:

• Right to Limit Sensitive PI Processing

CUA does not collect PI that qualifies as Sensitive PI from individuals with whom we interact in the B2B Context or our Job Applicant Context.  

• Right to Know/Access

You are entitled to access PI up to twice in a 12-month period.   

• Categories

You have a right to submit a request for any of the following for the period that is 12-months prior to the request date:

• The categories of PI we have Collected about you.
• The categories of sources from which we Collected your PI.
• The Business Purposes or Commercial Purposes for our Collecting, Selling, or Sharing your PI.
• The categories of Third Parties to whom we have disclosed your PI.
• A list of the categories of PI disclosed for a Business Purpose and, for each, the categories of recipients, or that no disclosure occurred.
• A list of the categories of PI Sold or Shared about you and, for each, the categories of recipients, or that no Sale or Share occurred.

 

• Specific Pieces

You may request to confirm if we are Processing your PI and, if we are, to obtain a transportable copy, subject to applicable request limits, of your PI that we have Collected and are maintaining.  For your specific pieces of PI, as required by the CCPA, we will apply the heightened verification standards as described below.  We have no obligation to re-identify information or to keep PI longer than we need it or are required to by applicable law to comply with access requests. 

• Do Not Sell / Share

We do not Sell or Share PI. We do not knowingly Sell or Share the PI of individuals under 16, unless we receive affirmative authorization (“opt-in”) from either the individual who is between 13 and 16 years old, or the parent or guardian of an individual who is less than 13 years old. If you think we may have unknowingly collected PI of an individual under 16 years old, please Contact Us

We may disclose your PI for the following purposes, which are not a Sale or Share:  (i) if you direct us to disclose PI; (ii) to comply with a rights request you submit to us; (iii) disclosures amongst the entities that constitute CUA as defined above, or as part of a Corporate Transaction; and (iv) as otherwise required or permitted by applicable law.

• Right to Delete

Except to the extent we have a basis for retention under applicable law, you may request that we delete your PI.

Note also that, we may not be required to delete your PI that we did not Collect directly from you. 

• Correct Your PI

You may bring inaccuracies they find in their PI that we maintain to our attention and we will act upon such a complaint as required by applicable law. You can also make changes to your online account in the account settings section of the account. That will not, however, change your information that exists in other places.

• Automated Decision Making/Profiling

We do not believe we engage in Automated Decision Making or Profiling as of the Last Updated Date of this Notice.

• How to Exercise Your Privacy Rights

To submit a request to exercise your privacy rights, or to submit a request as an authorized agent, use our California Resident Privacy Rights Form , or call us at 1-703-880-6888, and respond to any follow-up inquiries we make. Please be aware that we do not accept or process requests through other means (e.g., via fax, chats, social media etc.). 

• Your Request Must be a Verifiable Request

As permitted or required by the CCPA, any request you submit to us must be a verifiable request, meaning when you make a request, we may ask you to provide verifying information, such as your name, e-mail, phone number and/or account information. We will review the information provided and may request additional information via e-mail or other means to ensure we are interacting with the correct individual.  We will not fulfill your Right to Know (Categories), Right to Know (Specific Pieces), Right to Delete, or Right to Correction request unless you have provided sufficient information for us to reasonably verify you are the individual about whom we Collected PI. 

We verify each request as follows:

• Right to Know (Categories): We verify your Request to Know Categories of PI to a reasonable degree of certainty, which may include matching at least two data points provided by you with data points maintained by us, which we have determined to be reliable for the purpose of verifying you.  If we cannot do so, we will refer you to this Notice for a general description of our data practices.
• Right to Know (Specific Pieces): We verify your Request To Know Specific Pieces of PI to a reasonably high degree of certainty, which may include matching at least three data points provided by you with data points maintained by us, which we have determined to be reliable for the purpose of verifying you together with a signed declaration under penalty of perjury that you are the individual whose PI is the subject of the request. If you fail to provide requested information, we will be unable to verify you sufficiently to honor your request, but we will then treat it as a Right to Know Categories Request.
• Right to Delete: We verify your Request to Delete to a reasonable degree of certainty, which may include matching at least two reliable data points provided by you with data points maintained by us, or to a reasonably high degree of certainty, which may include matching at least three reliable data points provided by you with data points maintained by us, depending on the sensitivity of the PI and the risk of harm to the individual posed by unauthorized deletion. 
• Correction: We verify your Request to Correct PI to a reasonable degree of certainty, which may include matching at least two reliable data points provided by you with data points maintained by us, or to a reasonably high degree of certainty, which may include matching at least three reliable data points provided by you with data points maintained by us, depending on the sensitivity of the PI and the risk of harm to the individual posed by unauthorized correction.

If we are unable to verify you sufficiently we will be unable to honor your request. We will use PI provided in a Verifiable Request only to verify your identity or authority to make the request and to track and document request responses, unless you also gave it to us for another purpose.

• Agent Requests

You may use an authorized agent to make a request for you, subject to our verification of the agent, the agent’s authority to submit requests on your behalf, and of you.  You can learn how to do this by visiting the agent section of our California Resident Privacy Rights Form . Once your agent’s authority is confirmed, they may exercise rights on your behalf subject to the agency requirements of the CCPA.

• Our Responses

Some PI that we maintain is insufficiently specific for us to be able to associate it with a verified individual (e.g., clickstream data tied only to a pseudonymous browser ID). We do not include that PI in response to those requests.  If we deny a request, in whole or in part, we will explain the reasons in our response. 

We will make commercially reasonable efforts to identify PI that we Process to respond to your request(s).  In some cases, particularly with voluminous and/or typically irrelevant data, we may suggest you receive the most recent or a summary of your PI and give you the opportunity to elect whether you want the rest.  We reserve the right to direct you to where you may access and copy responsive PI yourself.  We will typically not charge a fee to fully respond to your requests; provided, however, that we may charge a reasonable fee, or refuse to act upon a request, if your request is excessive, repetitive, unfounded, or overly burdensome.  If we determine that the request warrants a fee, or that we may refuse it, we will give you notice explaining why we made that decision.  You will be provided a cost estimate and the opportunity to accept such fees before we will charge you for responding to your request.

Consistent with the CCPA and our interest in the security of your PI, we will not deliver to you your Social Security number, driver’s license number, or other government-issued ID number in response to a privacy rights request; however, you may be able to access some of this information yourself through your account if you have an active account with us.

3. Non-Discrimination/non-retaliation

We will not discriminate or retaliate against you in a manner prohibited by the CCPA for your exercise of your privacy rights.

4. Notice of Financial Incentive Programs

We do not currently offer discounts or rewards to for providing us PI, or set price or service differences related to the collection, retention, sale, or sharing of PI.  If we offer such programs in the future, we will update this Notice to describe such program(s), including how you may opt-in and how we value the PI required.  

 

5. Our Rights and the Rights of Others

Notwithstanding anything to the contrary, we may collect, use and disclose your PI as required or permitted by applicable law and this may override your rights under the CCPA. In addition, we are not required to honor your requests to the extent that doing so would infringe upon our or another person’s or party’s rights or conflict with applicable law.

6. Contact Us

If you have any questions, comments, or concerns about our privacy practices, please email us here [email protected]. Please note that e-mail communications will not necessarily be secure; accordingly, you should not include sensitive information in your e-mail correspondence with us.