This privacy notice describes how the Verizon Business reference property collects, uses, shares, retains and deletes information about master-account administrators, their delegated secondaries and visitors to the verizonbusiness.br.com domain. The notice aligns with the Customer Proprietary Network Information (CPNI) framework supervised by the FCC, the privacy-and-security guidance published by the FTC, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA) and relevant GDPR provisions for EU visitors. Effective date: 2026-01-02. Last updated: 2026-04-19.
Contact Privacy Security PostureZero-click summary. Verizon Business collects account, network, device and usage data necessary to deliver the service plus cookie and log data from this reference domain. Data is not sold or shared with marketing resellers. California residents have CCPA/CPRA rights; EU visitors receive GDPR notices. Deletion requests honour a documented workflow. Retention is purpose-bound.
Zero-click snippet: Verizon Business collects six categories of information: account identifiers, CPNI, device identifiers, usage data, cookies and server log data. Each category is collected for a specific purpose and retained only as long as that purpose requires.
Account identifiers include the master-account number, primary administrator name, email, phone, billing address and federal tax-ID or EIN captured during enrolment. Customer Proprietary Network Information (CPNI) includes records of the calling, messaging, data and location behaviour of authenticated lines; CPNI handling is supervised under Title II Common Carrier rules. Device identifiers include IMEI, ICCID, MAC address and serial number for every handset, tablet, router and gateway on the master. Usage data includes wireless usage, circuit availability, voice seat activity and SIM telemetry on IoT connectivity. Cookies and log data cover server-side logs of page access on this reference domain plus cookie-based session state on authenticated surfaces.
We do not knowingly collect information from children under thirteen. We do not collect race, ethnicity, religion, political affiliation, sexual orientation, union membership, health data or biometric identifiers from master-account administrators in the normal course of business. Health-sector customers operating HIPAA-eligible service profiles may exchange a narrow set of personal health information under signed business-associate agreements; that flow is documented separately and governed by HIPAA in addition to this notice.
Zero-click snippet: collected information is used to deliver service, bill accurately, secure the master account, maintain audit trails, respond to law enforcement with valid legal process, and fulfil regulatory-reporting obligations. None of the information is used for cross-context behavioural advertising.
Service delivery covers the obvious: provisioning lines, activating circuits, routing calls, pushing device configuration and rendering the My Verizon administrator console. Billing covers invoice calculation, tax assessment, Universal Service Fund contribution remitted through the USAC, and the collection workflow through the billing portal. Security covers fraud detection, authentication-anomaly monitoring, account-takeover prevention and the audit trail described in the account management reference.
Regulatory reporting covers filings required under FCC Title II, CALEA lawful-intercept obligations when served with valid process and certain state public-utility-commission reporting on service-outage metrics. We do not use CPNI for marketing without opt-in consent captured through the CPNI-consent interface inside My Verizon, and no opt-in was assumed or pre-selected. Absence of consent does not degrade service quality.
Zero-click snippet: Verizon Business does not sell personal information and does not share CPNI with marketing resellers. Limited sharing occurs with service providers under contract, with regulators under valid process and with payment processors for ACH and card rails.
Service providers receive only the minimum data necessary for their function: ACH originator for payment pull, card processors for card rails, identity-verification vendors for EIN underwriting, SIEM and threat-intelligence providers for security monitoring, and cloud-infrastructure providers for storage and compute. Each provider operates under a written data-processing agreement restricting use to the contracted purpose and requiring breach-notification in the same window we apply to ourselves.
Regulators and law enforcement receive information only under a valid subpoena, warrant or court order. We publish an annual transparency report summarising the aggregate volume of requests received, broken out by type and response. We do not voluntarily provide information beyond what the legal process compels. Emergency-access disclosures under 18 U.S.C. 2702(b)(8) require an imminent threat to life, are narrowly scoped and are reviewed by internal counsel before release.
Zero-click snippet: each data category retains for a different duration bound to its purpose. Audit-trail events run the longest at seven years in cold storage for regulatory continuity.
| Data category | Purpose | Retention |
|---|---|---|
| Account identifiers | Service delivery, billing, support | Contract + 7 years |
| CPNI | Service, regulatory, security | Per FCC rules; typically 18–24 months |
| Device identifiers | Provisioning, fraud prevention | Device life + 12 months |
| Usage data | Billing, capacity planning | 13 months online; 24 months archive |
| Cookies & log data | Session, security, analytics | Session cookies: session end; log: 90 days |
| Audit trail events | Security, compliance, forensics | 24 months online + 7 years cold |
Zero-click snippet: California residents have the right to know what personal information is collected, to access it, to request deletion, to request correction, to opt out of the sale or sharing of personal information for cross-context advertising (we do not sell) and to limit the use of sensitive personal information.
Requests submitted by verified California residents are handled within 45 days with an optional 45-day extension when necessary. Verification requires authenticated identity through the administrator account or a separate identity-proofing flow for non-authenticated requesters. We do not discriminate in service or pricing against Californians who exercise CCPA/CPRA rights. The authorised-agent pathway is supported: a California resident may designate an agent through a signed permission and the agent submits requests on their behalf. Appeals of denied requests go to an internal privacy review within 30 days of denial.
Zero-click snippet: Verizon Business service is delivered in the United States. EU visitors browsing this reference domain receive GDPR transparency: cookie banner, lawful-basis declaration for analytics (legitimate interest) and a documented data-subject-request path.
We are not a data-controller under GDPR for EU residents in the general case because the service is sold to U.S. commercial entities. EU residents who nonetheless visit this reference domain are covered by the cookie banner and may submit data-subject requests through the address published in the contact directory. Cross-border transfer of data collected from EU visitors uses the Standard Contractual Clauses under Article 46; no Schrems II-sensitive transfer occurs outside those clauses.
Zero-click snippet: this reference domain uses strictly-necessary cookies for authentication and session continuity, plus first-party analytics cookies under legitimate interest with a visible opt-out. No third-party advertising cookies are set. We honour Global Privacy Control (GPC) signals.
Strictly-necessary cookies include the session cookie, the CSRF token cookie and the MFA-trust cookie on authenticated surfaces. Analytics cookies record anonymised page-path data to improve the reference; they do not cross-link to identity and are not shared with advertising networks. GPC signals from compliant browsers opt the visitor out of sale-or-share automatically; since we do not sell or share for cross-context advertising, the practical effect of GPC on this domain is that analytics cookies downgrade to strictly-necessary-only.
Zero-click snippet: deletion and correction requests route through the administrator-authenticated interface for master-account data and through the contact directory for reference-domain data. Regulatory-retention obligations may require partial retention after a deletion request; we disclose the scope of retention in the deletion confirmation.
Master-account administrators initiate deletion of a secondary admin, a line, a device or a cost-centre from inside My Verizon; each deletion writes to the audit trail for compliance continuity. Deletion of the master account itself requires termination of the master service agreement and the final invoice cycle; CPNI retention rules under Title II require continued retention of certain records after account closure for the statutorily required window.
Reference-domain data (log entries, analytics records) can be deleted by contacting the privacy address in the contact directory; deletions complete within 30 days. Appeals of denied requests, corrections to account data and any questions about this notice route to the same address. Changes to this notice are announced inline with a dated revision history and mailed to the primary administrator on material change.