The policy identifies sensitive personal information categories collected by Walgreens, including health data, financial information, precise geolocation, and account credentials, and states that California residents may request limitation of use to service-necessary purposes.
This analysis describes what Walgreens's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
Under CPRA, sensitive personal information is subject to heightened use limitations and consumers have a statutory right to limit its use beyond service delivery. This provision establishes the right but the operational scope of what constitutes service-necessary use for health and pharmacy data in an integrated retail-pharmacy context requires evaluation.
Interpretive note: The operational scope of what Walgreens defines as service-necessary use for sensitive personal information in a combined retail-pharmacy context is not fully specified in the policy text.
The policy now emphasizes California residents' right to limit sensitive personal information use to necessary and proportionate purposes, and removes the mention of racial or ethnic origin data.
View full change record →This provision establishes that Walgreens collects sensitive personal information including health data, precise geolocation, and financial information. California residents are entitled to request that use of this data be limited to purposes necessary for providing requested services under CPRA.
How other platforms handle this
We may display advertisements on our Services and those advertisements may be targeted to your interests based on your personal information. We may share your personal information with advertising partners for interest-based advertising purposes. You may opt out of interest-based advertising by visi...
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
Monitoring
Walgreens has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"We collect and use sensitive personal information, including health and financial data, precise geolocation, and account credentials. California residents may request that we limit the use of sensitive personal information to purposes reasonably necessary and proportionate to providing the services.— Excerpt from Walgreens's Walgreens Privacy Policy
1. REGULATORY LANDSCAPE: CPRA's sensitive personal information provisions, enforced by the California Privacy Protection Agency, require businesses to disclose sensitive personal information categories and offer consumers the right to limit use. Precise geolocation data may also engage separate state statutes. HIPAA governs health data within covered entity operations. 2. GOVERNANCE EXPOSURE: High. The combination of precise geolocation, health data, and financial information within a single policy framework creates multiple CPRA sensitive personal information obligations. The right to limit use must be operationally supported by a dedicated submission pathway and a technical mechanism to restrict downstream data processing. 3. JURISDICTION FLAGS: California residents have statutory rights under CPRA. Colorado, Virginia, and Connecticut privacy laws include analogous sensitive data provisions. Precise geolocation data creates additional exposure in jurisdictions with location-specific privacy statutes. 4. CONTRACT AND VENDOR IMPLICATIONS: Vendors receiving sensitive personal information must be contractually bound to use limitations consistent with CPRA service provider requirements. Advertising and analytics partners should not receive sensitive personal information categories unless the consumer has not exercised the right to limit. 5. COMPLIANCE CONSIDERATIONS: Compliance teams should verify that a functional 'Limit the Use of My Sensitive Personal Information' mechanism is available and accessible, that it covers all disclosed sensitive categories, and that downstream data processing agreements enforce corresponding limitations with third parties.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
Under CPRA, sensitive personal information is subject to heightened use limitations and consumers have a statutory right to limit its use beyond service delivery. This provision establishes the right but the operational scope of what constitutes service-necessary use for health and pharmacy data in an integrated retail-pharmacy context requires evaluation.
This provision establishes that Walgreens collects sensitive personal information including health data, precise geolocation, and financial information. California residents are entitled to request that use of this data be limited to purposes necessary for providing requested services under CPRA.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Walgreens.