California Supplemental Privacy Statement

Your California Privacy Choices

If you are a California resident, you have rights under the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Acts of 2020 (CPRA), from hereon referred to as CCPA. This supplement to the IBM Privacy Statement is an overview of the information that is required by the CCPA, and provides instructions for how to exercise the rights granted by the CCPA.

For more information on the purposes or categories of personal information that we collect and disclose, see Personal Information We Collect and Use on the IBM Privacy Statement.

For more information about your rights when it comes to the handling of your personal information, see Your Rights on the IBM Privacy Statement.

We may provide additional data privacy information by using a supplementary privacy notice with activity-specific or offering-specific information.

To support your relationship with IBM, or your use of our products and services, we may have collected and disclosed information within the past 12 months for the following types of business and commercial purposes.

Personal Information:

• To provide you with access to, and use of, our websites, products, and services.
• To respond to your request for information, orders, or support.
• As business contact information of clients, prospects, partners, and suppliers for commercial relationships.
• To provide information about visitors to our sites and their locations.
• For marketing and business intelligence, including targeted advertising.

Sensitive Personal Information:

• To run secure and safe events.
• To respond to data rights requests.

We may have collected and disclosed the following types of information for business and commercial purposes.

Personal Information:

• Identifiers such as IP address, mobile device ID and cookies.
• Personal information under the Customer Records provision of the California Civil Code such as your name, postal address, email address or payment information you provide to purchase an IBM product or service.
• Commercial information that is related to purchases of IBM products or services.
• Internet or network activity information relating to your interactions with IBM websites, applications, or emails.
• General geolocation data, such as information about the approximate location of your device when you use an IBM mobile application or visit an IBM website.
• Audio, electronic, and visual information such as visitors’ presence on security systems at IBM offices or recordings of your conversations with us.
  
• Professional information such as your employer’s name and job title.
• Inferences about your consumer preferences.

Sensitive Personal Information:

• State or Government issued identification such as a consumer’s social security, driver’s license, state identification card, or passport number.
• Financial Information such as a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account.

Retention:

For each category of personal information, IBM retains your personal information only for as long as necessary, based retention criteria including:

1. the time required to fulfill the business or commercial purposes for which personal information is processed,
2. the time required to comply with legal and regulatory retention requirements, and
3. the time required to maintain contractual and customer relationships.

For more information, see Information Security and Retention on the IBM Privacy Statement.

We may collect Personal Information directly from you, automatically from your interactions with IBM, from selected partners, or from your employer.

We may disclose information about you with our subsidiaries, suppliers and, where appropriate, with selected partners to help us provide you, or the company you work for, with products or services, or to fulfill your requests.

For more information, see the IBM Privacy Statement.

Sale:

We do not sell personal data as the term sell is commonly understood. In CCPA, a sale is defined to include disclosures of personal data to a third party for monetary or valuable consideration. Select third parties, such as advertising technology partners, data analytics providers, and social networks, may collect or receive information so that IBM can provide you with targeted advertising. These third parties may benefit from the use of this data for their own purposes, such as improving their own services, which may qualify as a sale under the CCPA. Within the last 12 months, we may have sold information within each of the following categories, with these third parties:

Personal Information:

• Identifiers such as email address, IP address, cookies, and other user tracking information.
• Internet or other network activity information relating to your interactions with IBM websites, applications, or emails.
  
• General geolocation data, such as information about the approximate location of your device when you use an IBM mobile application or visit an IBM website.
• Professional or employment-related information such as your job title and employer’s name.
  
• Inferences about your preferences.

Sensitive Personal Information:

• None.
  

You can make choices to allow or prevent such uses.

Share:

IBM may have shared certain personal information with third parties, such as advertising technology partners, data analytics providers, and social networks for the purpose of targeted advertising, which may qualify as sharing under the CCPA. Within the last 12 months, we may have shared each of the following categories of information, with these third parties:

Personal Information:

• Identifiers such as email address, IP address, cookies, and other user tracking information.
• Internet or other network activity information relating to your interactions with IBM websites, applications, or emails.
• General geolocation data, such as information about the approximate location of your device when you use an IBM mobile application or visit an IBM website.
• Professional or employment-related information such as your job title and employer’s name.
• Inferences about your preferences.

Sensitive Personal Information:

• None.

You can make choices to allow or prevent such uses.

As a California resident, you have the right to:

• Know your Personal Information: You can request specific pieces of Personal Information, or information about the categories of Personal Information that IBM holds about you by submitting a request through our webform here or by calling (toll free) 1-800-IBM-4YOU (1-800-426-4968).
• Request Deletion or Rectify your Personal Information: You can request the deletion of or seek to rectify (correct, update or modify) the Personal Information that IBM holds about you by submitting a request through our webform here or by calling (toll free) 1-800-IBM-4YOU (1-800-426-4968)
• Opt out of Sale or Sharing of your Personal Information.
  • To opt out of the use of cookie data for the purposes of targeted advertising, select Cookie Preferences and Do Not Sell or Share My Personal Information in the footer and set your cookie preferences to Required. If you are accessing our websites while located outside of California, you can opt-out by selecting Cookie preferences in the footer and setting your cookie preferences to Required.
  • To opt out of the use of email address for the purpose of marketing communications and targeted advertising, click here.
  • We also honor your opt-out preference by recognizing user-enabled Global Privacy Control (GPC) as a valid opt-out requests (on the browsers or browser extensions that support such a signal).
• Limit the Use or Disclosure of Sensitive Personal Information:
  • We generally do not collect sensitive personal information outside of the situations described in 1. Purpose and 2. Categories. We only use and disclose your SPI in ways that are necessary to perform our services, in ways that are reasonable and proportionate to the expectation of an average consumer.
  • In CCPA, you have the right to limit the use and disclosure of your SPI if we are using your SPI beyond what is reasonable and proportionate to provide the requested goods or services. To limit the use or disclosure of Sensitive Personal Information, click here, select Other as the Type of request, and insert the request details as needed.

If you choose to exercise any of these rights, we will not deny goods or services to you or provide different quality of services.

You may use an authorized agent to submit a request about your personal information by using our webform here or by calling (toll free) 1-800-IBM-4YOU (1-800-426-4968). To use an authorized agent, you must provide the agent with written authorization. In addition, you may be required to verify your own identity with IBM.

For the period between 01 January 2024 and 31 December 2024:

Number of CCPA requests to know:

• Received: 11
• Complied with in whole or in part: 10
• Denied due to lack of verification: 1
• Denied because the request involved job applicant data which is an exception: 0
• Mean number of days within which we substantively responded: 32

Number of CCPA requests to delete:

• Received: 27
• Complied with in whole or in part: 27
• Denied due to lack of verification: 0
• Mean number of days within which we substantively responded: 40

Number of US requests to opt out of sale or sharing:
(for IBM's purposes, opt-out of sale is functionally consenting to only required cookies)

• Received: 1,162,812
• Complied with in whole or in part: 1,162,812
• Declined: 0
  
• Mean number of days within which we substantively responded: < 1

As permitted under Health Insurance Portability and Accountability Act (HIPAA), IBM may Sell, Share, or disclose Deidentified Patient Information (as those terms are defined in CCPA) that has been deidentified pursuant to the deidentification methods described in HIPAA.

IBM possesses de-identified data. De-identified data cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable consumer, or a device linked to such person. IBM commits to maintain and use any de-identified data without attempting to reidentify de-identified data.

IBM does not knowingly sell or share the personal data of children under the age of 16.

Questions about this Policy or about IBM's handling of your Personal Information may be submitted through our webform here or by calling (toll free) 1-800-IBM-4YOU (1-800-426-4968).

For more information on IBM's privacy practices that apply to the Personal Information we collect, use and share, see the IBM Privacy Statement.