State Privacy Notice

Effective Date: January 1, 2024

This State Privacy Notice ( “Notice”) applies to “Consumers” as defined under the California Consumer Privacy Act, including as amended by the California Privacy Rights Act (together, the “CCPA”), the Colorado Privacy Act, Chapter 603A of the Nevada Revised Statutes, and The Texas Data privacy and Security Act and all laws implementing, supplementing or amending the foregoing, including regulations promulgated thereunder (collectively, “U.S. Privacy Laws”). Capitalized terms used but not defined in this Notice shall have the meanings given to them under U.S. Privacy Laws.

This Notice is designed to meet our obligations under U.S. Privacy Laws and supplements the general privacy policies of Equity Residential and its affiliates ( “Company,” “us,” “we,” or “our”) including, without limitation, our Website Privacy Policy. In the event of a conflict between any other Company policy, notice, or statement and this Notice, this Notice will prevail as to Consumers unless stated otherwise.

Applicability:

  • Section 1 of this Notice provides notice of our data practices, including our collection, use, disclosure, and sale of Consumers’ Personal Information or Personal Data (collectively, “PI”). It does not apply to our job applicants, current employees, former employees, or independent contractors ( “Personnel”). Our California Personnel can learn about our data practices as relates to them in our California Human Resources Privacy Notice.
  • Sections 2-5 of this Notice provide information regarding Consumer rights and how you may exercise them. Section 2 also provides information regarding rights of our California Personnel.
  • Section 6 of this Notice provides additional information for California residents, other than our Personnel.

For California residents the term “Consumer” is not limited to data subjects acting as individuals regarding household goods and services and includes data subjects in a business-to-business context. This is not the case in the other states.

TABLE OF CONTENTS

1. Notice of Data Practices
   (a) PI Collection, Disclosure, and Retention - By Category of PI
   (b) PI Use and Disclosure - By Processing Purpose
2. Your Consumer Rights and How to Exercise Them
   (a) Right to Limit Sensitive PI Processing
   (b) Right to Know/Access
       (1) Categories (available for California Residents Only)
       (2) Specific Pieces
   (c) Do Not Sell / Share / Target
   (d) Right to Delete
   (e) Correct Your PI
   (f) Automated Processing
   (g) How to Exercise Your Consumer Privacy Rights
       (1) Your Request Must be a Verifiable Consumer Request
       (2) Agent Requests
       (3) Appeals
   (h) Our Responses
3. Non-Discrimination/non-retaliation
4. Notice of Financial Incentive Programs
5. Our Rights and the Rights of Others
6. Additional Notice for California Residents
   (a) California Minors
   (b) Shine the Light
7. Contact Us

1. Notice of Data Practices

The description of our data practices in this Notice covers the twelve (12) months prior to the Effective Date and will be updated at least annually. Our data practices may differ between updates, however, if materially different from this Notice, we will provide supplemental pre-collection notice of the current practices, which may include references to other privacy policies, notices, or statements. Otherwise, this Notice serves as our notice at collection.

We may collect your PI directly from you (e.g., when you register for an account or when you otherwise provide us information online); from your devices such as when you connect with a wi-fi system at one of our communities (it is not our practice to associate a device ID to a particular person); over the phone; through paper documents such as lease applications; from guest cards when you tour a community; from video security systems at our properties; from credit reporting agencies when you apply to live in one of our communities; from our websites with which you interact; in our notes and records we create about you; from our affiliates; from our service providers; from public sources of data such as government databases; or from other businesses or individuals.

Generally, we Process your PI to provide you services and as otherwise related to the operation of our business, including for one or more of the following Business Purposes:

  • Performing Services (such as qualifying you to enter into a lease at one of our communities; service calls to your apartment home; ensuring that you comply with the lease terms);
  • Managing Interactions and Transactions (such as following up with you about a request to tour one of our communities);
  • Security (such as monitoring our website for malicious or criminal activity; site security at our properties; and guest check in and identification at our properties);
  • Debugging (or troubleshooting errors that may occur on our websites or mobile applications);
  • Advertising & Marketing (such as to customize your experience on our websites or to serve you specific content customized for you);
  • Quality Assurance (such as reviewing your interactions with our leasing consultants to better our training; and confirming that services were performed in a way that met your needs);
  • Processing Interactions and Transactions (such as your payment of rent and fees); and
  • Research and Development (such as studying your use of community amenities to understand what you value; determining what pages on our website are visited and how frequently visitors to our website ultimately sign leases with us; improve the operation of our web sites and online services; and better market and advertise our services and offerings).

We may also use PI for other Business Purposes in a context that is not a Sale or Share under U.S. Privacy Laws, such as disclosing it to our Service Providers, Contractors, or Processors that perform services for us ( “Vendors”), to the Consumer or to other parties at the Consumer’s direction or through the Consumer’s action; for additional purposes explained at the time of collection (such as in the applicable privacy policy or notice); as required or permitted by applicable law; to the government or private parties to comply with law or legal process; and to assignees as part of an acquisition, merger, asset sale, or other transaction where another party assumes control over all or part of our business ( “Corporate Transaction”) ( “Additional Business Purposes”). Subject to restrictions and obligations under U.S. Privacy Laws, our Vendors may also use your PI for Business Purposes and Additional Business Purposes, and may engage their own vendors to enable them to perform services for us.

We may also use and disclose your PI under this Notice for Commercial Purposes, which may be considered a “Sale” or “Share” under applicable U.S. Privacy Laws, such as when Third-Party Digital Businesses (defined below) collect your PI via third-party cookies, and when we Process PI for certain advertising purposes. In addition, we may disclose your PI to Third-Parties for their own use (e.g., in instances where we believe you may be interested in services provided by such Third-Parties).

We provide more detail on our data practices in the two charts that follow.

    (a) PI Collection, Disclosure, and Retention - By Category of PI

We collect, disclose, and retain PI as follows:

Category of PI Examples of PI Collected and Retained Categories of Recipients Retention
1. Identifiers Real name, alias, postal address, unique personal identifiers, online identifier, Internet Protocol address, e-mail address, account name, or other similar identifiers. Disclosures for Business Purposes:
  • Vendors (e.g., Service Providers that help verify your identity for security and fraud prevention purposes; Service Providers we engage to help manage our response to resident service calls; Service Providers that assist with processing rent payments; Service Providers that assist with marketing; analytics providers);
  • Collection agencies in the event of non-payment by a resident;
  • Governmental entities (making requests pursuant to legal or regulatory process); and/or
  • Other parties within the limits of Additional Business Purposes.
Sale/Share: Third-Party Digital Businesses; Third-Party credit card and/or rewards program providers.
Anywhere between 45 days or less and up to 7 years following move out or sale of applicable property, or as otherwise stated below.
2. Personal Records Name, signature, physical characteristics or description, address, telephone number, education, employment, employment history, insurance policy number, and financial information (e.g., bank account or credit card number). Some PI included in this category may overlap with other categories. Disclosures for Business Purposes:
  • Vendors (e.g., Service Providers that help verify your identity for security purposes if you take a self-guided tour of one of our properties; Service Providers we engage to help manage our response to resident service calls; Service Providers we consult with to conduct research on our business which may involve review of this PI to better our communities and services; Service Providers that assist with processing rent payments; fraud prevention Service Providers to protect against unauthorized payments);
  • Governmental entities (making requests pursuant to legal or regulatory process); and/or
  • Other parties within the limits of Additional Business Purposes.

Sale/Share: Third-Party credit card and/or rewards program providers.

3. Personal Characteristics or Traits In some circumstances, we may collect PI that is considered protected under U.S. law, such as sex, marital status, veteran status, familial status, disability, age, gender identity, or creed, but only when that information is relevant for our Business Purposes. We abide by the legal requirements imposed under applicable law in regards to such information. Disclosures for Business Purposes:
  • Vendors (e.g., Service Providers we may engage with expertise in a particular local government sponsored program in order to help us manager our participation in that program); and/or
  • Other parties within the limits of Additional Business Purposes.

Sale/Share: None.

4. Customer Account Details/Commercial Information Records of services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. Disclosures for Business Purposes:
  • Vendors (e.g. Service Providers that assist with processing rent payments; fraud prevention Service Providers to protect against unauthorized payments); Collection agencies in the event of non-payment by a resident; and/or
  • Other parties within the limits of Additional Business Purposes.

Sale/Share: Third-Party credit card and/or rewards program providers.

5. Internet Usage Information When you browse our sites or otherwise interact with us online, we may collect browsing history, search history, and other information regarding your interaction with our sites, applications, or advertisements. Disclosures for Business Purposes:
  • Vendors (e.g., data analytics providers to measure and analyze traffic on our website); and/or
  • Other parties within the limits of Additional Business Purposes.

Sale/Share: Third-Party Digital Businesses.

6. Geolocation Data If you use our systems or interact with us online we may gain access to the approximate, and sometimes precise, location of the device or equipment you are using or the location from which you are accessing our systems or facilities using Company-issued access devices. Disclosures for Business Purposes:
  • Internet service providers (e.g. a vendor providing wi-fi access at our properties).

Sale/Share: None.

7. Sensory Data We may collect audio recordings of customer support calls, video security footage, photographs, and other electronic, visual, thermal, olfactory, or similar information. Disclosures for Business Purposes:
  • Vendors (e.g., customer support providers to provide customer service to residents and potential residents; security providers to ensure the physical safety of our communities); and/or
  • Other parties within the limits of Additional Business Purposes.

Sale/Share: None.

8. Professional or Employment Information Professional, educational, or employment-related information. Disclosures for Business Purposes:
  • Vendors (e.g., if a government sponsored local program requires that Professional or Employment Information is submitted as a part of participation in the program, we may engage a Service Provider to help us manage that program and in the course of that work may share this PI with the Service Provider); and/or
  • Other parties (within the limits of Additional Business Purposes.

Sale/Share: None.

9. Non-public Education Records Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, schedules, student identification codes, student financial information, or student disciplinary records. Disclosures for Business Purposes:
  • Vendors (e.g., if a government sponsored local program requires Non-Public Education Records to be submitted as part of participation in that program, we may engage a Service Provider to help us manage that program and in the course of that work may share this PI with the Service Provider); and/or
  • Other parties within the limits of Additional Business Purposes.

Sale/Share: None.

10. Sensitive PI Government Issued Identification Numbers (e.g., social security, driver’s license, state identification card, or passport number) Disclosures for Business Purposes:
  • Vendors (e.g., Service Providers that help verify your identity for security and fraud prevention purposes; Service Providers that assist with processing rent payments);
  • Collection agencies in the event of non-payment by a resident;
  • Governmental entities (making requests pursuant to legal or regulatory process); and/or
  • Other parties within the limits of Additional Business Purposes

Sale/Share: None.

Generally between 135 days and up to 7 years following move out or sale of applicable property, or as otherwise stated below.
Financial Data (e.g., a credit card number in combination with any required security code) Disclosures for Business Purposes:
  • Vendors (e.g., payment processors and security and fraud prevention providers)

Sale/Share: None.

Not retained beyond processing an immediate payment transaction.
Precise Geolocation (any data that is derived from a device and that is used or intended to be used to locate an individual w/in a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet), such as when you use a Company-issued access device to access our facilities. Disclosures for Business Purposes:
  • General IT, software, and other business vendors

Sale/Share: None.

Facility entry system data is generally retained between 60 days and 1 year, depending on the particular system. In use.
Health Information (PI collected and analyzed concerning a consumer’s health, medical history, mental or physical health, diagnosis/condition, and medical treatment) Disclosures for Business Purposes:
  • Vendors (e.g., Service Providers we may engage with to help us manage our compliance with Fair Housing and other applicable laws); and/or
  • Other parties within the limits of Additional Business Purposes.

Sale/Share: None.

Generally up to 7 years following move out or sale of applicable property, or as otherwise stated below.

There may be additional information we collect that meets the definition of PI under applicable U.S. Privacy Laws but is not reflected by a category above, in which case we will treat it as PI as required, but will not include it when we describe our practices by PI category.

As permitted by applicable law, we do not treat deidentified data or aggregate consumer information as PI and we reserve the right to convert, or permit others to convert, your PI into deidentified data or aggregate consumer information, and may elect not to treat publicly available information as PI. We will not attempt to reidentify data that we maintain as deidentified.

As required by California law, we note our general PI retention rules by category of PI in the chart above. However, because there are numerous types of PI in each category, and various uses for each PI type, actual retention periods vary. We retain specific PI pieces based on how long we have a legitimate purpose for the retention.

    (b) PI Use and Disclosure – By Processing Purpose

We use and disclose PI for the processing purposes described below:

Examples(s) of Processing Purpose Examples of PI Collected and Retained Categories of PI Implicated Categories of Recipients
1. Performing Services

Provide our services/communicate about our services: to provide you with info or services, to send you electronic newsletters and push notifications (if you have elected to receive such), qualify you to enter into a lease at one of our communities; service calls to your apartment home; ensure that you comply with lease terms

Enable additional features of our sites: to enable you to participate in a variety of our site’s features, such as user profiles and content postings

Contact You: to contact you about your use of our services and, in our discretion, changes to our services or our service’s policies

Account management: to process your registration with our services, verify your info is active and valid, and manage your account

Resident Service: to respond to any questions, comments, or requests you have for us or for other resident service purposes

Payment: to facilitate rent payment

Identifiers, Personal Records, Personal Characteristics or Traits, Customer Account Details/Commercial Information, Sensory Data, Professional, Educational, or Employment-Related Information, Some types of Sensitive PI such as Government Issued Identification Numbers, and Sensitive Personal Characteristics. Vendors, collection agencies, governmental entities, Third-Party Digital Businesses, Third-Party credit card and/or rewards program providers.
2. Managing Interactions and Transactions Auditing: related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with user interaction or transaction specifications and standards (e.g., ecommerce activities) Identifiers, Internet Usage Information. Vendors (e.g., analytics providers).
3. Security Security/fraud prevention: to protect the security of Company, our services, or its users and to prevent and address fraud Identifiers, Personal Records, Customer Account Details/Commercial Information, Government Issued Identification Numbers. Vendors (e.g., fraud prevention and security providers).
4. Debugging Repairs: identify and repair errors that impair existing intended functionality of our services Identifiers. Vendors (e.g., Service Providers that help identify and repair errors on our services).
5. Advertising & Marketing (excluding Cross-Context Behavioral Advertising and Targeted Advertising)

Content and offers customization: to customize your experience on our websites apps, or other services, or to serve you specific content and offers that are relevant to/customized for you

Advertising, marketing, and promotions: to assist us in determining relevant advertising and the success of our advertising campaigns; to help us determine where to place our ads, including on other websites; for promotional activities such as running sweepstakes, contests, and other promotions.

Identifiers, Personal Records, Personal Characteristics or Traits, Customer Account Details/Commercial Information, Internet Usage Information, Inferences from PI Collected. Vendors (e.g., Service Providers that assist with marketing).
6. Quality Assurance Quality and Safety of Service: undertaking activities to verify or maintain the quality or safety of our services, and to improve, upgrade, or enhance our services Identifiers, Internet Usage Information, Sensory Data. Vendors (e.g., Service Providers that help improve the quality of our services).
7. Processing Interactions and Transactions Short-term, transient use: including, but not limited to, non-personalized advertising shown as part of a Consumer’s current interaction with Company and use of our services’ features and functionality (e.g., e-commerce transactions) Identifiers, Personal Records. Vendors (e.g., Service Providers that assist with marketing).
8. Research and Development

Research and analytics: to better understand how users access and use our services, both on an aggregated and individualized basis, to improve our services and respond to user preferences, and for other research and analytical purposes

Market research and satisfaction surveys: to administer surveys and questionnaires, such as for market research or resident satisfaction purposes

Identifiers, Personal Records. Vendors (e.g., Service Providers we consult with to conduct research on our business which may involve review of PI to better our communities and services).
9. Additional Business Purposes

Compliance with legal obligations: to comply with legal obligations, as part of our general business operations, and for other business administration purposes

Prevention of illegal activities, fraud, injury to others, or violation of our terms and policies: to investigate, prevent or take action if someone may be using info for illegal activities, fraud, or in ways that may threaten someone’s safety or violate of our terms or this Notice

Purposes disclosed at PI collection: We may provide additional disclosures at the time of PI collection

Related or compatible purposes: for purposes that are related to and/or compatible with any of the foregoing purposes

Identifiers, Personal Records; Personal Characteristics or Traits, Customer Account Details/Commercial Information, Internet Usage Information, Sensory Data, Professional or Employment Information, Non-public Education Records, Inferences from PI Collected, Government Issued Identification Numbers, Financial Data, Sensitive Personal Characteristics, Health Information. Vendors, collection agencies, governmental entities.
10. Commercial Purposes

Cross-context Behavioral Advertising

Targeted Advertising

Strategic partnerships, such as credit card providers

Identifiers, Personal Records, Customer Account Details/Commercial Information, Internet Usage Information. Vendors, Third Party Digital Businesses; Third-Party credit card and/or rewards program providers.

Return to Table of Contents

2. Your Consumer Rights and How to Exercise Them

As described more below, subject to meeting the requirements for a Verifiable Consumer Request (defined below), Company provides Consumers and our California Personnel the privacy rights accorded to you under your applicable state law. For residents of states without Consumer privacy rights, we will consider requests but will apply our discretion with respect to if and how we process such requests. We will also consider applying state law rights prior to the effective date of such laws, but will do so in our discretion.

To submit a request to exercise your Consumer privacy rights, or to submit a request as an authorized agent:

If you are disabled and need special accommodation, please let us know by contacting us over the phone toll free at (866) 869-5413, via email at consumerprivacy@eqr.com, or by mail at Two North Riverside Plaza, Suite 400, Chicago IL 60606 Attention: Privacy Compliance. Please be aware that we do not accept or process requests through other means (e.g., via fax, chats, social media etc.). More details on the request and verification process is in Section 2(g). The Consumer rights we accommodate are as follows:

   (a) Right to Limit Sensitive PI Processing (California, Colorado, and Texas)

We only Process Sensitive PI for purposes that are exempt from Consumer choice under U.S. Privacy Laws, with the exception of certain diversity program purposes for California Personnel. California Personnel can limit such Processing by making a request.

   (b) Right to Know/Access (California, Colorado, and Texas)

Residents of California and Colorado are entitled to access PI up to twice in a 12-month period.

      (1) Categories (California Only)

California residents have a right to submit a request for any of the following for the period that is 12-months prior to the request date:

  • The categories of PI we have collected about you.
  • The categories of sources from which we collected your PI.
  • The Business Purposes or Commercial Purposes for our collecting or Selling your PI.
  • The categories of third parties to whom we have shared your PI.
  • A list of the categories of PI disclosed for a Business Purpose and, for each, the categories of recipients, or that no disclosure occurred.
  • A list of the categories of PI sold about you and, for each, the categories of recipients, or that no sale occurred.

      (2) Specific Pieces (California, Colorado, and Texas)

You may request to confirm if we are Processing your PI and, if we are, to obtain a transportable copy, subject to applicable request limits, of your PI that we have collected and are maintaining. For your specific pieces of PI, as required by applicable U.S. Privacy Laws, we will apply the heightened verification standards as described below. We have no obligation to re-identify information or to keep PI longer than we need it or are required to by applicable law to comply with access requests.

   (c) Do Not Sell / Share / Target (California, Colorado, Nevada, and Texas)

Under the various U.S. Privacy Laws there are broad and differing concepts of “Selling” PI for which an opt-out is required. California also has an opt-out from “Sharing” for Cross-Context Behavioral Advertising (use of PI from different businesses or services to target advertisements). Other states have an opt-out of “Targeted Advertising” (defined differently but also addressing tracking, profiling, and targeting of advertisements). We may Sell or Share your PI and/or use your PI for Targeted Advertising, as these terms apply under U.S. Privacy Laws. However, we provide residents of California, Colorado, Nevada, and Texas an opt out of Sale/Sharing/Targeting that is intended to combine all of these state opt-outs into a single opt-out available regardless of state of residency.

Third-Party digital businesses (“Third-Party Digital Businesses”) may associate cookies and other tracking technologies that collect PI about you on our services, or otherwise Collect and Process PI that we make available about you, including digital activity information. We understand that giving access to PI on our services, or otherwise, to Third-Party Digital Businesses could be deemed a Sale and/or Share under some state laws and thus we will treat such PI (e.g., cookie ID, IP address, and other online IDs and internet or other electronic activity information) collected by Third-Party Digital Businesses, where not limited to acting as our Service Provider (or Contractor or Processor), as a Sale and/or Share and subject to a Do Not Sell/Share/Target opt-out request. We will not Sell your PI, Share your PI for Cross-Context Behavioral Advertising, or Process your PI for Targeted Advertising if you make a Do Not Sell/Share/Target opt-out request.

Opt-out for non-cookie PI: If you want to limit our Processing of your non-cookie PI (e.g., your email address) for Targeted Advertising, or opt-out of the Sale/Sharing of such data, make an opt-out request here.

Opt-out for cookie PI: If you want to limit our Processing of your cookie-related PI for Targeted Advertising, or opt-out of the Sale/Sharing of such PI, you need to exercise a separate opt-out request on our cookie management tool. This is because we have to use different technologies to apply your opt-out of cookie PI and to non-cookie PI. Our cookie management tool enables you to exercise such an opt-out request and enable certain cookie preferences on your device. You must exercise your preferences on each of our websites you visit, from each browser you use, and on each device that you use. Since your browser opt-out is designated by a cookie, if you clear or block cookies, your preferences will no longer be effective and you will need to enable them again via our cookie management tool. Beware that if you use ad blocking software, our cookie banner may not appear when you visit our services and you may have to use the link above to access the tool.

Opt-out preference signals (also known as global privacy control or GPC): Some of the U.S. Privacy Laws require businesses to process GPC signals, which is referred to in California as opt-out preference signals (“OOPS”), which are signals sent by a platform, technology, or mechanism, enabled by individuals on their devices or browsers, that communicate the individual’s choice to opt-out of the Sale and Sharing of PI. To use an OOPS/GPC, you can download an internet browser or a plugin to use on your current internet browser and follow the settings to enable the OOPS/GPC. We have configured the settings of our consent management platform to receive and process GPC signals on our website, which is explained by our consent management platform here. We process OOPS/GPC with respect to Sales and Sharing that may occur in the context of Collection of cookie PI by tracking technologies online by Third-Party Digital Businesses, discussed above, and apply it to the specific browser on which you enable OOPS/GPC. We currently do not, due to technical limitations, process OOPS/GPC for opt-outs of Sales and Sharing in other contexts (e.g., non-cookie PI). We do not: (1) charge a fee for use of our service if you have enabled OOPS/GPC; (2) change your experience with any product or service if you use OOPS/GPC; or (3) display a notification, pop-up, text, graphic, animation, sound, video, or any interstitial in response to the OOPS/GPC.

We do not knowingly Sell or Share the PI of Consumers under 16, unless we receive affirmative authorization (“opt-in”) from either the Consumer who is between 13 and 16 years old, or the parent or guardian of a Consumer who is less than 13 years old. If you think we may have unknowingly collected PI of a Consumer under 16 years old, please Contact Us.

We may disclose your PI for the following purposes, which are not a Sale or Share: (i) if you direct us to disclose PI; (ii) to comply with a Consumer rights request you submit to us; (iii) disclosures amongst the entities that constitute Company as defined above, or as part of a Corporate Transaction; and (iv) as otherwise required or permitted by applicable law.

   (d) Right to Delete (California, Colorado, and Texas)

Except to the extent we have a basis for retention under applicable law, you may request that we delete your PI. Our retention rights include, without limitation:

  • to complete transactions and services you have requested;
  • for security purposes;
  • for legitimate internal Business Purposes (e.g., maintaining business records);
  • to comply with law and to cooperate with law enforcement; and
  • to exercise or defend legal claims.

Please also be aware that making a deletion request does not ensure complete or comprehensive removal or deletion of PI or content you may have posted.

Note also that, depending on where you reside (e.g., California), we may not be required to delete your PI that we did not collect directly from you.

   (e) Correct Your PI (California, Colorado, and Texas)

Consumers may bring inaccuracies they find in their PI that we maintain to our attention and we will act upon such a complaint as required by applicable law. You can also make certain changes to your online account on our Resident Portal or other account-based platform we may offer. That may not, however, change your information that exists in other places.

   (f) Automated Processing

Equity does not use automated processing or conduct profiling to make any decision that produces legal or similarly significant effects. While Equity does utilize software to evaluate and analyze aspects of its business with you, a human reviews and participates in these decisions. For example, we utilize proprietary software tools to assist us in determining an appropriate rental rate to offer you if you decide to renew your apartment lease with us.

   (g) How to Exercise Your Consumer Privacy Rights

To submit a request to exercise your Consumer privacy rights, or to submit a request as an authorized agent:

If you are disabled and need special accommodation, please let us know by contacting us over the phone toll free at (866) 869-5413, via email at consumerprivacy@eqr.com, or by mail at Two North Riverside Plaza, Suite 400, Chicago IL 60606 Attention: Privacy Compliance. Please be aware that we do not accept or process requests through other means (e.g., via fax, chats, social media etc.).

      (1) Your Request Must be a Verifiable Consumer Request

As permitted or required by applicable U.S. Privacy Laws, any request you submit to us must be a Verifiable Consumer Request, meaning when you make a request, we may ask you to provide verifying information, such as your name, e-mail, phone number and/or account information. We will review the information provided and may request additional information (e.g., transaction history) via e-mail or other means to ensure we are interacting with the correct individual. We will not fulfill your Right to Know (Categories), Right to Know (Specific Pieces), Right to Delete, or Right to Correction request unless you have provided sufficient information for us to reasonably verify you are the Consumer about whom we collected PI. We do not verify opt-outs of Sell/Share/Target or Limitation of Sensitive PI requests unless we suspect fraud.

We verify each request as follows:

  • Right to Know (Categories): We verify your Request to Know Categories of PI to a reasonable degree of certainty, which may include matching at least two data points provided by you with data points maintained by us, which we have determined to be reliable for the purpose of verifying you. If we cannot do so, we will refer you to this Notice for a general description of our data practices.
  • Right to Know (Specific Pieces): We verify your Request To Know Specific Pieces of PI to a reasonably high degree of certainty, which may include matching at least three data points provided by you with data points maintained by us, which we have determined to be reliable for the purpose of verifying you together with a signed declaration under penalty of perjury that you are the Consumer whose PI is the subject of the request. If you fail to provide requested information, we will be unable to verify you sufficiently to honor your request, but we will then treat it as a Right to Know Categories Request if you are a California resident.
  • Do Not Sell/Share/Target & Limit SPI: No specific verification required unless we suspect fraud.
  • Right to Delete: We verify your Request to Delete to a reasonable degree of certainty, which may include matching at least two data points provided by you with data points maintained by us, or to a reasonably high degree of certainty, which may include matching at least three data points provided by you with data points maintained by us, depending on the sensitivity of the PI and the risk of harm to the Consumer posed by unauthorized deletion. If we cannot verify you sufficiently to honor a deletion request, you can still make a Do Not Sell/Share/Target and/or Limit SPI request.
  • Correction: We verify your Request to Correct PI to a reasonable degree of certainty, which may include matching at least two data points provided by you with data points maintained by us, or to a reasonably high degree of certainty, which may include matching at least three data points provided by you with data points maintained by us, depending on the sensitivity of the PI and the risk of harm to the Consumer posed by unauthorized correction.

To protect Consumers, if we are unable to verify you sufficiently we will be unable to honor your request. We will use PI provided in a Verifiable Consumer Request only to verify your identity or authority to make the request and to track and document request responses, unless you also gave it to us for another purpose.

      (2) Agent Requests

You may use an authorized agent to make a request for you, subject to our verification of the agent, the agent’s authority to submit requests on your behalf, and of you. You can learn how to do this by visiting the agent section of our Consumer Rights Request Form or our Equity Residential HR and B2B Privacy Rights Request Form, as applicable. Once your agent’s authority is confirmed, they may exercise rights on your behalf subject to the agency requirements of applicable U.S. Privacy Laws.

      (3) Appeals (Colorado and Texas)

Residents of Colorado may appeal Company’s decision regarding a request by following the instructions in our response to you.

   (h) Our Responses

Some PI that we maintain is insufficiently specific for us to be able to associate it with a Consumer (e.g., clickstream data tied only to a pseudonymous browser ID). We do not include that PI in response to those requests. If we deny a request, in whole or in part, we will explain the reasons in our response.

We will make commercially reasonable efforts to identify Consumer PI that we Process to respond to your Consumer request(s). In some cases, particularly with voluminous and/or typically irrelevant data, we may suggest you receive the most recent or a summary of your PI and give you the opportunity to elect whether you want the rest. We reserve the right to direct you to where you may access and copy responsive PI yourself. We will typically not charge a fee to fully respond to your requests; provided, however, that we may charge a reasonable fee, or refuse to act upon a request, if your request is excessive, repetitive, unfounded, or overly burdensome. If we determine that the request warrants a fee, or that we may refuse it, we will give you notice explaining why we made that decision. You will be provided a cost estimate and the opportunity to accept such fees before we will charge you for responding to your request.

Consistent with applicable U.S. Privacy Laws and our interest in the security of your PI, we will not deliver to you your Social Security number, driver’s license number, or other government-issued ID number, financial account number, an account password, security questions or answers, in response to a Consumer privacy rights request; however, you may be able to access some of this information yourself through your account if you have an active account with us.

Return to Table of Contents

3. Non-Discrimination/non-retaliation

We will not discriminate or retaliate against you in a manner prohibited by applicable U.S. Privacy Laws for your exercise of your Consumer privacy rights. We may charge a different price or rate, or offer a different level or quality of good or service, to the extent that doing so is reasonably related to the value of the applicable data.

Return to Table of Contents

4. Notice of Financial Incentive Programs

We will not discriminate against you in a manner prohibited by U.S. Privacy Laws because you exercise your Consumer rights. As of the Effective Date of this Notice we did not offer programs requiring you to limit any of your Consumer rights, or otherwise require you to limit your Consumer rights in connection with charging a different price or rate, or offering a different level or quality of good or service. If we do so, U.S. Privacy Laws require certain program terms and notices and an explanation of the material aspects of any such program, and the rights of Consumers, in its program terms. We may add or change programs and/or their terms by posting notice on the program descriptions so check them regularly. California Personnel should see the Notice of Financial Incentive Programs in our California Human Resources Privacy Notice.

Return to Table of Contents

5. Our Rights and the Rights of Others

Notwithstanding anything to the contrary, we may collect, use and disclose your PI as required or permitted by applicable law and this may override your rights under U.S. Privacy Laws. In addition, we are not required to honor your requests to the extent that doing so would infringe upon our or another person’s or party’s rights or conflict with applicable law.

Return to Table of Contents

6. Additional Notice for California Residents

In addition to the CCPA, certain Californians are entitled to certain other notices, as follows:

This Notice provides information on our online practices and your California rights specific to our online services. Without limitation, Californians that visit our online services and seek to acquire goods, services, money or credit for personal, family or household purposes are entitled to the following notices of their rights:

   (a) California Minors

Although our services are intended for an audience over the age of majority, any California residents under the age of eighteen (18) who have registered to use our services, and posted content on the service, can request removal by contacting us, detailing where the content is posted and attesting you posted it. We will then make reasonably good faith efforts to remove the post from prospective public view or anonymize it, so the minor cannot be individually identified to the extent required by applicable law. This removal process cannot ensure complete or comprehensive removal. For instance, third parties may have republished or archived content by search engines we do not control.

   (b) Shine the Light

We may disclose “personal information” of California residents as defined by California’s “Shine the Light” law to our affiliates, for their own direct marketing purposes. We also may disclose Personal Information collected under this Notice to third parties for such third parties’ marketing purposes. However, we provide California residents the opportunity to opt-out of such disclosure to third parties (other than with our affiliates) by exercising a “Do Not Sell” opt-out here. California residents may also request information about our compliance with the Shine the Light law, and obtain a disclosure of third parties we have disclosed information to in accordance with the law for their direct marketing purposes absent your choice (i.e., Company affiliates) and the categories of information disclosed, by contacting us consumerprivacy@eqr.com or by sending a letter to us at Two North Riverside Plaza, Suite 400, Chicago, IL 60606, (Attention: Legal Counsel). Requests must include “California Privacy Rights Request” in the first line of the description and include your name, street address, city, state, and ZIP code. Please note that we are only required to respond to one request per customer each year, and we are not required to respond to requests made by means other than through the provided e-mail address or mail address.

As these rights and your CCPA rights are not the same and exist under different laws, you must exercise your rights under each law separately.

Return to Table of Contents

7. Contact Us

For more information on your privacy rights, or for disability access assistance, contact us at (866) 869-5413, email us at consumerprivacy@eqr.com, or write to us at Two North Riverside Plaza, Suite 400, Chicago, IL 60606 Attention: Privacy Compliance. Please note that e-mail communications will not necessarily be secure; accordingly, you should not include sensitive information in your e-mail correspondence with us.

Return to Table of Contents

6246753.1

© Equity Residential. All Rights Reserved.