State Farm can strip identifying details from your personal information and then share or sell that processed data with outside companies for business and commercial analysis purposes.
This analysis describes what State Farm's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
The standard applied to de-identification is described only as 'reasonable efforts,' which may not meet the specific technical thresholds required under some state privacy laws; data shared with unaffiliated entities under this provision falls outside the policy's stated non-sale commitment.
Interpretive note: The 'reasonable efforts' de-identification standard is not defined in the document, and whether it satisfies applicable state privacy law thresholds depends on jurisdiction-specific technical requirements and enforcement interpretation.
Your personal information may be converted into a form State Farm considers de-identified and then shared broadly with third parties for commercial purposes, with the specific de-identification standard and downstream use controls not detailed in this document.
How other platforms handle this
We may share your information with third-party advertising partners to provide you with targeted advertising. We also work with third-party analytics providers who help us understand how users interact with our Services. These third parties may use cookies, web beacons, and similar tracking technolo...
We process personal data you provide to Oura to enable third party integrations, services, features, and offerings. For example, with your permission, our Services may integrate with third-party services like Google Health Connect and Apple HealthKit, or those of our partners. Oura takes measures to...
We may share your personal data with third-party vendors, service providers, contractors, or agents who perform services for us or on our behalf and require access to such information to do that work. We may also share your personal data with advertising partners to display relevant advertising to y...
Monitoring
State Farm has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"develop either anonymized data or de-identified data by making reasonable efforts to remove personally identifiable information so the information is no longer customer information. We develop this data for certain purposes, such as analysis to understand more about our customers and our industry, or for other commercial purposes as permitted by law. We share and use this data within our State Farm family of companies, with third party service providers, or with other unaffiliated entities.— Excerpt from State Farm's State Farm Privacy Policy
REGULATORY LANDSCAPE: This provision engages the CPRA, which defines de-identified data with specificity and imposes technical and organizational requirements; the policy's 'reasonable efforts' standard may not satisfy CPRA's de-identification criteria. The FTC Act's prohibition on unfair or deceptive practices is also relevant if consumers understand the non-sale commitment to cover de-identified data. State-level privacy laws in Washington, Virginia, Colorado, and Connecticut similarly condition de-identification exemptions on defined technical standards. GOVERNANCE EXPOSURE: High. The use of 'reasonable efforts' rather than a defined technical standard (such as NIST or ISO anonymization frameworks) creates regulatory exposure across multiple jurisdictions. If de-identified data is later re-identified by a recipient, liability questions arise regarding State Farm's adequacy of the de-identification process. JURISDICTION FLAGS: California creates the highest exposure given CPRA's explicit de-identification standards. Washington's My Health Data Act may apply if any de-identified data derives from health-related insurance information. Illinois and New York state privacy frameworks may also engage depending on data types involved. CONTRACT AND VENDOR IMPLICATIONS: Contracts with unaffiliated entities receiving de-identified data should be reviewed to confirm they include re-identification prohibitions and downstream use restrictions. The policy does not assert audit rights over recipient entities, which is a gap relative to some industry practices. COMPLIANCE CONSIDERATIONS: Compliance teams should document the specific de-identification methodology applied to confirm it meets the most stringent applicable state standard. Data mapping should track which customer data flows into de-identification pipelines and which third parties receive the output. Regular review of recipient contracts is advisable.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.
Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
The standard applied to de-identification is described only as 'reasonable efforts,' which may not meet the specific technical thresholds required under some state privacy laws; data shared with unaffiliated entities under this provision falls outside the policy's stated non-sale commitment.
Your personal information may be converted into a form State Farm considers de-identified and then shared broadly with third parties for commercial purposes, with the specific de-identification standard and downstream use controls not detailed in this document.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by State Farm.