Consumer Health Data Privacy Notice

Last Updated: Mar 31, 2024

We are a member of the L’Oreal USA family of brands. When we say “Us”, “Our”, “We”, or “L’Oréal”, We are referring to L’Oréal USA S/D, Inc.  Our Privacy Notice for consumers is available HERE. Our Privacy Notice describes the types of information We collect from You directly, from Your interactions with Us (on Our websites, mobile apps, digital tools (collectively, “Sites”) and advertising), how We use it, how We protect it, and rights available to You depending on Your relationship with Us. This notice supplements Our Privacy Notice and applies to personal information defined as “consumer health data” subject to the Washington State My Health My Data Act (MHMDA).

Consumer Health Data We Collect & Use

Consumer Health Data Collected: As described in the “What Personal Information We Collect and Use” section of the Privacy Notice, the personal information We collect depends on the context of Your interactions with Us and the choices You make (including Your privacy settings), the products and features You use, Your location, and applicable law. Because the definition of consumer health data is broad, many of the categories of data We collect could be considered consumer health data.

Examples of consumer health data include:

  • Information about Your health-related conditions, diseases, symptoms, status, diagnoses, testing, or treatments (including surgeries, procedures, medications, or other interventions). For example, We may collect information such as skin conditions or medical conditions that may impact Your skin (acne, rosacea, psoriasis, diabetes, etc.) directly from You in connection with research studies, quizzes, 1:1 consultations, use of Our services, or product finders where You directly provide Us with this data.   
  • Measurements of bodily functions, vital signs, symptoms, measurements, or characteristics, including photographs (which may also be considered biometric information).  For example, when You use Our digital services available in select retail stores or on Our website We collect and analyze an image You upload to provide You with this service.  These services will detect facial landmarks to localize the region around key facial features (e.g., outline of eyes, lower part of nose, outline of lips, etc.);   the service will then assess and measure signs of skin aging using multiple dimensions (e.g., location of wrinkles, redness, cheek pores, etc.) to calculate and provide You with a list of skin concerns (e.g., blotchiness, lack of radiance, size of pores, pigmentation, fine lines, firmness, depth of wrinkles, UV damage), results, and product recommendations.  Quizzes and product finders may ask information about your skin and skin concerns to provide you with recommendations (routines or recommended products). 
  • Information that could identify Your attempt to seek health care services or information, including services that allow You to assess, measure, improve, or learn about Your or another person’s health. For example, while browsing Our website You may read an article to learn how certain health conditions impact Your skin, use a service to analyze Your skin, participate in 1:1 teleconsultations, use a quiz or product finder to obtain information to assess or improve Your skin, precise geolocation information, or You may buy a product designed to address and improve specific skin conditions.  
  • Health and safety data, such as information about accidents or health emergencies that occur in Our physical premises, information collected if you have an adverse reaction to our products, or other data collected in connection with a request for a reasonable accommodation. 
  • Other information that may be used to infer or derive data related to the above or other health information.

How Consumer Health Data is Used:

We collect and use consumer health data for the purposes described in the ”What Personal Information We Collect and Use” section of the Privacy Notice. Primarily, We collect and use consumer health data as reasonably necessary to provide You with the products and services You have requested or authorized. This may include:

  • fulfilling and delivering requested products and services and their features, 
  • personalizing certain features of the products or services; 
  • completing requested transactions; 
  • ensuring the secure and reliable operation of the services and the systems that support them, 
  • communicating with You; 
  • fulfilling product purchases and processing payments; 
  • purposes of de-identification of personal information; 
  • collecting, evaluating, and monitoring reports of undesirable events during or after use of Our products and services; 
  • understanding how Our products and services are used, troubleshooting, and improving the products and services, and 
  • other essential business operations that support the provision of the services (such as analyzing Our performance, complying with laws and regulations and meeting Our legal obligations, corporate governance (including mergers, acquisitions, divestitures, and other corporate restructurings), enforcing Our Terms of Use and other service or program-specific terms, developing Our workforce, and conducting research and development).

We use consumer health data for other purposes for which We give You choices and/or obtain Your consent as required by law – for example, advertising and marketing purposes.

Please see the “Privacy Rights Available Under State Law” section of the Privacy Notice and the How to Exercise Your Rights section below, for more details on the controls and choices You may have.

Sources of Consumer Health Data

As described further in the ”How We Collect Personal Information”  section of the Privacy Notice, We collect personal information (which may include consumer health data) directly from You (i.e., information You provide when You interact with Us, such as creating an account, subscribing to Our emails or other marketing subscriptions, making purchases, user generated content (e.g., leaving ratings or reviews), provide the information in connection with surveys or research, or otherwise during Your use of Our websites and Services); information We observe or collect automatically from Your interactions with Our products and services (e,g, such as via cookies (and other similar technologies)); and personal information from third parties, including publicly available sources.

Our Sharing of Consumer Health Data

In connection with the purposes described above, We disclose all the categories of consumer health data We collect with third parties as summarized in this section.  For more information please see “How We Share Personal Information” in Our Privacy Notice. For example, some of the features and functionality on Our site are provided by Our third party service provider(s)/data processor(s).  For example, when You take a product quiz or engage with Our chat tools, Our service provider/data processor will have access to consumer health data. If You make a purchase, We will share information about the transaction as necessary to process the payment, including to protect against fraud, and to ship the product to the selected address. We may also disclose data when We believe that doing so is necessary to comply with applicable law or respond to valid legal process. In some cases, consumer health data is shared with third parties for that third parties’ own use (see Other Third Parties, such as Ad Networks and Advertising Companies, below).

We share consumer health data with the following categories of third parties:

  • Service providers. Vendors or agents (“processors”) working on Our behalf may access consumer health data for the purposes described above. For example, companies we’ve hired to provide customer service support, to provide digital and e-commerce services, to provide marketing technologies that help Us deliver Our campaigns and analyze effectiveness, and to provide other technical services such as assisting in protecting and securing Our systems and services.
  • Business partners. We may share consumer health data with other companies, for example, where You use a service that is cobranded and jointly operated with another company, or where You use Our services to interact with another company.  
  • Financial institutions & payment processors. When You make a purchase or enter into a financial transaction, We will disclose payment and transactional data to banks and other entities as necessary for payment processing, fraud prevention, credit risk reduction, analytics, or other related financial services.  If You use a third-party service to checkout – such as Apple Pay, PayPal, or Afterpay – information is shared with those third parties to complete Your requested transaction.
  • Parties to a corporate transaction. We may disclose consumer health data as part of a corporate transaction or proceeding such as a merger, financing, acquisition, reorganization, bankruptcy, dissolution, or a transfer, divestiture, or sale of all or a portion of Our business or assets.
  • Affiliates.  Other members of the L’Oreal group may access consumer health data about You when they perform services on Our behalf.  For example, We receive services from the following affiliates of L’Oreal:
    • L’Oreal S.A.: L’Oreal S.A. is our parent company.  They provide services to L’Oreal USA S/D, Inc. and other L’Oreal entities worldwide.   
    • L’Oreal USA AFP, Inc.: L’Oreal USA AFP, Inc. is an affiliate of L’Oreal USA S/D and is the owner of certain brands headquartered in the U.S.  It provides services to L’Oreal USA S/D, Inc., which is the marketing entity for the U.S. 
  • Government agencies. We transfer and disclose information to third parties to comply with Our legal and compliance obligations, when We believe that the law requires it, or at the request of governmental authorities conducting an investigation.  
  • Other third parties. In certain circumstances, it may be necessary to provide data to other third parties, for example, to (i) comply with the law or to protect Our rights or those of Our customers; (ii) prevent, detect investigate, and respond to fraud, unauthorized activities and access, illegal activities, and misuse of the services; (iii) respond to situations involving potential threats to the health, safety, or legal rights of any person or third party; or (iv) enforce, and detect, investigate, and take action in response to, violations of Our Terms of Use or other applicable terms.  We also disclose information related to litigation and other legal claims or proceedings in which We are involved, as well as for Our internal accounting, auditing, compliance, recordkeeping, and legal function.  
  • Other users and individuals. If You use Our services to interact with other users of the service or other recipients of communications, such as during a 1:1 consultation, We will share data, including consumer health data, as directed by You and Your interactions.
  • Other Third Parties, such as Ad Networks and Advertising Companies.  We share or make available consumer health data (e.g., identifiers, internet and network browsing activities, commercial information, inferences) with third party marketing and advertising networks and social media platforms to service tailored and personalized advertisements on other websites and services and across other devices You may own.  When You use Our sites and services, We use cookies (or other similar technologies) provided by third parties.        Information collected by these third parties is used to build a profile of Your interest to show You relevant advertising on other websites or to other devices connected to You (cross-device advertising) by Us or other companies.  These companies use personal information they receive to improve their own products and optimize their own ad targeting systems. 
  • The public. You may select options available through Our services to publicly display and disclose certain information, such as Your profile, ratings & reviews, demographic data, content and files, or geolocation data, which may include consumer health data.

Updates to this Notice

Please note, We may change information in this Privacy Notice at any time and any changes will be effective immediately upon the publication of revisions.

How to Exercise Rights Available to You

MHMDA provides certain rights with respect to consumer health data, including rights to:

  • request confirmation whether We are collecting, sharing, or selling Your consumer health data; 
  • access Your consumer health data;
  • access a list of the third parties and affiliates with whom Your consumer health data has been shared or sold and an email address or other online mechanism You may use to contact such third parties;
  • request We delete Your consumer health data; and
  • withdraw consent to collection, sharing, or selling of Your consumer health data (including to withdraw an authorization for the ‘sale’ of consumer health data to third parties), subject to certain exceptions. 

If Your request to exercise a right under the MHMDA is denied, You may appeal that decision by contacting Our privacy team at [email protected]. If Your appeal is unsuccessful, You can raise a concern or lodge a complaint with the Washington State Attorney General at www.atg.wa.gov/file-complaint.

You must provide sufficient information that allows Us to reasonable verify You are the person about whom We collected consumer health data.   We may not be able to respond to Your request or provide You with consumer health data if We cannot verify Your identity or authority to make the request and confirm the consumer health data relates to You or if We are unable to locate You in Our system.  

We will ask You for the email information that You used to interact with Us or sign up for a loyalty or email or other marketing subscription.   We will use information You submit along with other information in Our systems to help verify Your entity or authority to make the request and confirm that You information is in Our system.   Information provided to make a request will only be used in connection with the request.  We may ask You to provide additional information so that We can properly identify You.  If You choose not to provide this information, We may only be able to process Your request to the extent We are able to identify You in Our systems.  We will endeavor to respond to a verified request within 45 days.  If We require more time, We will inform You of the reason and extension in writing (including by email).  We do not charge a fee to process or respond to a verified consumer request unless it is excessive, repetitive, or manifestly unfounded.  If We determine the request warrants a fee, We will provide an explanation and a cost estimate prior to completion of the request.  You may only make a request twice within a 12-month period.

 

Each right may be subject to certain exceptions. You can request to exercise such rights using the various tools and mechanisms described in the “Privacy Rights Under State Law” section of the Privacy Notice, using our web form, or cotact us. To exercise the right to revoke consent or withdraw an authorization, you may also use one of the following:

  • Visiting Your Privacy Choices link on the footer of our site and submit a request regarding offline (non-browsing consumer health data). You may also refer the web form referenced above or using the methods in our contact us page.
  • Click on “cookie settings” or “online preferences” on the footer of a brand site and change the setting regarding online (browsing) personal information.