Craigslist Privacy Policy

This is Craigslist's privacy policy explaining how the platform collects and uses your personal data — including your name, email, phone number, IP address, location, device info, and credit card details — when you use its classifieds service. The most important thing to know is that Craigslist explicitly states it does not sell your data or share it for marketing, but if you're outside the U.S., your data will be transferred to and stored on American servers regardless of your local privacy laws. If you're a California resident, you can request to see or delete your data by visiting craigslist.org/about/ccpa or emailing ccpa@craigslist.org.

This document is Craigslist's privacy policy (last updated May 29, 2024) governing data collection, use, storage, and disclosure across its web and mobile platforms, with legal basis rooted in user consent and legitimate business interests including fraud prevention and transaction facilitation. The policy's most significant obligations include Craigslist's explicit commitments not to sell user data to third parties, not to share data for marketing purposes, and not to employ tracking devices for marketing — while disclosing twelve categories of personal data collected, with third-party disclosure limited primarily to payment processors and fraud-prevention service providers. Notable deviations from industry standard include the explicit non-response to Do Not Track signals, the requirement that international users consent to data transfer to U.S. servers as a condition of platform access, and the absence of a dedicated Data Protection Officer or EU-specific legal basis articulation despite serving international users. The policy engages California's CCPA (Cal. Civ. Code §1798.100 et seq.) by enumerating rights to know, delete, and non-discrimination, and nominally acknowledges international data transfers implicating GDPR Chapter V cross-border transfer requirements, though no Standard Contractual Clauses, adequacy decisions, or EU representative are identified. Material compliance considerations include the lack of GDPR Art. 13/14 notice specificity for EU users, absence of a consent withdrawal mechanism, and an identity verification process for CCPA requests that may impose disproportionate burden via government ID requirements.