G3. Data privacy, cybersecurity, intellectual property Data privacy and cybersecurity We continue to carry out our belief that every global citizen is entitled to strong privacy protection. This belief is carried out in our data privacy and cybersecurity programs. Our data privacy program is a single framework governing all processing of personal information, derived from the world’s strictest standards, including the EU’s General Data Protection Regulation (GDPR), California’s Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), and the most stringent of requirements from various other state and federal privacy laws. Every processing activity follows this uniform framework, which ensures that we treat our employees, customers, partners, and general consumers in the proper way. As a few notable examples: “We train our workforce about • We never sell or provide personal information our privacy policy and other • We give individuals notice and choice – notice of how we process their personal data processing activities, information, including who we share it with, and a choice of such processing where and frequently refer to it in possible. This includes built-in consent in many instances where it is not legally required developing and maintaining our • We comply with data subject requests regardless of where the data subject is located, products and services.” including requests to access, delete, know, rectify, and not sell or share • Our privacy team routinely engages with consumers on data issues, even where there is no legally recognized privacy request • We demand best-in-class privacy clauses with our service providers/processors Our public privacy policy re昀氀ects our privacy practices globally, including every data processing activity in each of our various businesses. Going beyond simply legal compliance, our privacy policy was created and continues to evolve based on what is “right” rather than merely what is “required.” Our policy is routinely reviewed and updated in accordance with leading data privacy laws, internal policies, and to re昀氀ect improvements in internal practices consistent with the principles above. We train our workforce about our privacy policy and other data processing activities, and frequently refer to it in developing and maintaining our products and services. All partner engagements involving personal information are done with guidance from our privacy team, which seeks to ensure that our partners abide by our privacy expectations above. With our service providers/processors, this includes privacy clauses that including de昀椀nition of parties’ respective processing roles, restrictions on use and further transfer of personal information, de昀椀nition of data retention periods, and other forms of data minimization. We also deeply integrate our privacy and cybersecurity e昀昀orts, with the understanding that the con昀椀dentiality, integrity, and availability of personal information inherently impacts our delivery on privacy principles. In 2023, we obtained SOC2 Type 2 certi昀椀cation for 80
ESG Report Page 79 Page 81