Data privacy compliance (Storefront)
Instacart must comply with all applicable data privacy laws and regulations. This includes U.S. state privacy laws (“State Privacy Laws”) such as California’s CCPA and CPRA, Virginia’s VCDPA, Colorado’s CPA, Connecticut’s CTDPA, Utah’s UCPA, and a number of other state laws coming into effect in the near future.
Instacart has implemented the following compliance processes:
Data access requests
Under State Privacy Laws, customers in applicable states have the right to request a copy of the personal information (PI) that an organization has about them. Instacart will respond to access requests in a timely manner.
The workflow has the following steps:
- Customer requests data access. The instructions are in the Instacart Privacy Policy.
- Instacart receives the data privacy request and initiates a workflow to discover the relevant customer data in Instacart-owned systems.
- Instacart shares the data with the customer.
Data deletion requests
Under State Privacy Laws, customers in applicable states have the right to request that their personal information (PI) be deleted from an organization’s systems. Instacart will accept and respond to deletion requests in a timely manner by deleting or de-identifying the customer’s personal information from Instacart-owned systems (subject to the available regulatory exceptions).
The workflow has the following steps:
- Customer requests data deletion. Instacart Privacy Policy. On an iOS app, a customer can delete their account from the Account Settings menu in accordance with the App Store Review Guideline 5.1.1(v).
- Instacart receives the data privacy request and initiates a data deletion workflow to delete or de-identify data from Instacart-owned systems (subject to the available regulatory exceptions).
- Instacart informs the customer that their request is complete.
Opt-outs
Under State Privacy Laws, customers in applicable states must be given the right to opt out of the sale of their personal information (PI) or of the sharing of their PI for the purposes of cross-context behavioral advertising. Cross-context behavioral advertising are ads that are targeted to an individual based on personal information that is obtained from their activity across nonaffiliated and distinctly branded websites or apps.
In jurisdictions with data privacy laws and regulations, customers can set their opt-out preference when signing up for an account. In jurisdictions where State Privacy Laws are inapplicable, the opt-out option is turned off and doesn't appear on the sign-up page. On the privacy page, a message tells the customer that the opt-out option is not available in their jurisdiction.
Customers change their opt-out preference by following the instructions in the Instacart Privacy Policy. A privacy page opens where the customer can click a button to opt in or opt out.