U.S. State Privacy Notice
Last Updated: February 24, 2025
This U.S. State Privacy Notice (the “Notice”) applies to “Consumers” as defined under the California Consumer Privacy Act (the “CCPA”), the Colorado Privacy Act (the “CPA”), Connecticut’s Act Concerning Personal Data Privacy, and Online Monitoring, the Delaware Personal Data Privacy Act, the Indiana Consumer Data Protection Act, the Iowa Consumer Data Protection Act, the Kentucky Consumer Data Privacy Act, the Nebraska Data Privacy Act, the New Hampshire Privacy Act, the New Jersey Data Protection Act (the “NJDPA”), the Maryland Online Data Privacy Act, the Minnesota Consumer Data Privacy Act, the Montana Consumer Data Privacy Act, Chapter 603A of the Nevada Revised Statutes, the Oregon Consumer Privacy Act (“OCPA”), the Texas Data Privacy and Security Act (“TDPSA”), the Utah Consumer Privacy Act, the Virginia Consumer Data Protection Act, and all laws implementing, supplementing or amending the foregoing, including regulations promulgated thereunder (collectively, “U.S. Privacy Laws”), and forms part of Vimeo’s Privacy Policy. In the event of a conflict between any other Vimeo policy, statement, or notice and this Notice, this Notice will prevail as to Consumers and their rights under the applicable state privacy law. Capitalized terms used but not defined herein will have the meanings given to them in Vimeo’s Privacy Policy.
Section 1 of this Notice provides notice of our data practices, including our collection, use, and disclosure of Consumer personal information (which shall include reference to similar terms such as personal data, which we refer to herein as “PI”).
Section 2 of this Notice provides information regarding Consumer rights and how you may exercise them.
Section 3 of this Notice provides additional information for California residents.
Section 4 of this Notice provides additional information for Nevada residents.
Section 5 of this Notice provides our contact information.
This Notice does not apply to data that is not treated as personal information or personal data under U.S. Privacy Laws or to the extent the data is subject to an exemption under U.S. Privacy Laws. This Notice also does not apply to information collected by third-party content, websites, applications, platform, code (e.g., plug-ins, application programming interfaces, and software development kits), and certain cookies and other tracking technologies.
1. Description of Data Practices
The description of our data practices in this Notice covers the twelve (12) months prior to the “Last Updated” date and will be updated at least annually. This Notice also applies to our current data practices such that it is also meant to provide you with “notice at collection.” For any new or substantially different processing activities not described in this Notice, we will notify you as required by U.S. Privacy Laws, including by either providing additional information at the point of collection, or by updating this Notice.
A. PI Collection, Use, & Disclosures
In general, we collect, retain, use, and disclose your PI (including the categories of PI shown in the table below) in order to provide our services and operate our business, which include both the business purposes and commercial purposes described in Vimeo’s Privacy Policy, including in the “How We Use Your Data” section (collectively, “Processing Purposes”). This may include disclosing or otherwise making PI available to our vendors that perform services for us, such as those authorized vendors described in “With Whom We Share Your Data” (including “Service Providers” and “Processors” defined under U.S. Privacy Laws) (“Vendors”).
Our business purposes also include the disclosure of PI to certain recipients, such as:
Vendors in furtherance of the Processing Purposes.
You, or other parties at your direction or through your intentional action.
Assignees as part of a Business Transaction (defined below) where another party assumes control over all or part of our business.
The government or private parties to comply with law or legal process.
In addition, our Vendors and the other recipients listed in the below table may, subject to contractual restrictions imposed by us and/or legal obligations, also use and disclose your PI for business purposes. For example, our Vendors and the other categories of recipients listed in the table below may engage subcontractors to enable them to perform services for us or process for our business purposes.
Some of the Processing Purposes, as we discuss below the table, implicate “Sale,” “Sharing,” and or “Targeted advertising.” For more details on the meaning of Sale, Sharing, and Targeted Advertising, and how to opt out of them, please visit the Do Not Sell/Share/Target section below.
The table below outlines the categories of PI (including examples) and categories of recipients also corresponding to each category of PI. The right column states the categories of recipients that receive those specific categories of PI and Sensitive PI as part of disclosures for business purposes, as well as disclosures which may be considered a Sale or Sharing under certain U.S. Privacy Laws:
Category of PI
Categories of Recipients
Identifiers (such as account name, email address, IP address, cookie ID)
Disclosures for business purposes:
Software and other business Vendors (“Business Vendors”)
Marketing Vendors
Subsidiaries and affiliates (“Affiliates and Related Entities”)
Sale/Sharing: Third-Party Digital Businesses
Personal Records (such as address, contact information, payment card information)
Disclosures for business purposes:
Business Vendors
Marketing Vendors
Fraud prevention partners
Affiliates and related entities
Sale/Sharing: Third-Party Digital Businesses
Personal Characteristics or Traits (such as pronouns)
Disclosures for business purposes:
Business Vendors
Marketing Vendors
Fraud prevention partners
Affiliates and related entities
Sale/Sharing: N/A
Transaction / Commercial Information (such as products or services used, purchased, or considered; and other purchasing or consuming histories or tendencies)
Disclosures for business purposes:
Business Vendors
Marketing Vendors
Affiliates and Related Entities
Sale/Sharing: Third-Party Digital Businesses
Internet Usage Information (such as search, browsing history, and other interactions with the Service)
Disclosures for business purposes:
Business Vendors
Marketing Vendors
Affiliates and Related Entities
Sale/Sharing: Third-Party Digital Businesses
Location Data (such as where you enable location-based features on your device, or where we may infer your rough location (such as zip code) based on IP address as part of the Service)
Disclosures for business purposes:
Business Vendors
Marketing Vendors
Affiliates and Related Entities
Sale/Sharing: Third-Party Digital Businesses
Audiovisual and Similar Information (such as customer service and sales call recordings)
Disclosures for business purposes:
Business Vendors
Marketing Vendors
Affiliates and Related Entities
Sale/Sharing: N/A
Professional or Employment Information (such as your title and affiliated organization)
Disclosures for business purposes:
Business Vendors
Marketing Vendors
Affiliates and Related Entities
Sale/Sharing: N/A
Inferences from PI Collected (Inferences we make about you or your interests using PI we have collected)
Disclosures for business purposes:
Business Vendors
Marketing Vendors
Affiliates and Related Entities
Sale/Sharing: Third-Party Digital Businesses
Account Information and Password* (we store your account log-in in combination with a password in our systems)
Disclosures for business purposes:
Business Vendors
Affiliates and Related Entities
Sale/Sharing: N/A
Communication Content* (such as when you send a message to another Vimeo user on the platform)
Disclosures for business purposes:
Business Vendors
Affiliates and Related Entities
Sale/Sharing: N/A
*considered Sensitive PI or Sensitive Data under certain of the U.S. Privacy Laws, which we refer to in this Notice as “Sensitive PI”
We also reserve the right to disclose and transfer all such information in connection with a merger, consolidation, restructuring, the sale of substantially all of our interests and/or assets or other corporate change, and during the course of any due diligence process (collectively, “Business Transactions”).
As permitted by applicable law, we do not treat deidentified data or aggregate consumer information as PI, and we may elect not to treat publicly available information as PI.
Processing Purposes Implicating Sale, Sharing, Targeted Advertising, and Profiling
When you provide us PI for the following Processing Purposes, we may use and disclose certain PI that you provide for such purposes in a way that may constitute Selling and/or Sharing, as well as Processing of your PI for purposes of Targeted Advertising.
Operating our services
Research, development, and analytics
For purposes disclosed at the time you provide your PI
For our legitimate business purposes that are compatible with the purpose of collecting your PI and that are not prohibited by law
Processing Purposes that may implicate Selling and/or Sharing, as well as Processing of your PI for Targeted Advertising include the following:
Customizing your experience
Marketing and advertising
For purposes disclosed at the time you provide your PI
For our legitimate business purposes that are compatible with the purpose of collecting your PI and that are not prohibited by law
B. Sources
We collect PI directly from you or your device, Vendors, Third-Party Digital Businesses, our Affiliates and Related Entities, other users (e.g. users who upload content you appear in), and other third parties.
C. Retention
Because there are so many different types of PI in each category, and various use cases for different types of data, we are unable to provide data retention ranges based on categories of PI in a way that would be meaningful and transparent to you. Actual retention periods depend upon how long we have a legitimate purpose for the retention consistent with the collection purposes and applicable law. For instance, we may maintain business records for so long as relevant to our business, and may have a legal obligation to hold PI for so long as potentially relevant to prospective or actual litigation or government investigation (see Vimeo’s Privacy Policy for additional information). We apply the same criteria for determining if we have a legitimate purpose for retaining your PI that you ask us to delete. If you make a deletion request, we will conduct a review of your PI to confirm if legitimate ongoing retention purposes exist, will limit the retention to such purposes for so long as the purpose continues, and will respond to you with information on any retention purposes on which we rely for not deleting your PI. For more information on deletion requests see the Right to Delete section.
2. Consumer Rights
We provide Consumers (users who are residents of certain states, as defined above) the privacy rights described in this section. For residents of states without Consumer privacy rights, we will consider requests but reserve the right to apply discretion in how we process such requests.
A. Making a Request and Scope of Requests
Any request you submit to us is subject to an identity verification process (“Verifiable Consumer Request”) as described in the Verifying Your Request section below.
To make a request, other than a Do Not Sell/Share/Target request, please submit your request to us by one of the methods below.
Email us at [email protected]
Visit our web form
For instructions on how to submit a Do Not Sell/Share/Target request, please go to the Do Not Sell/Share/Target section below.
Some information we maintain about Consumers that is technically considered PI may nonetheless not be sufficiently associated with information that you provide when making your request. For example, if you provide your name and email address when making a request, we may be unable to associate that information with certain data collection on the Service such as clickstream data tied only to a pseudonymous browser ID. Where we are unable to associate such information with the information you provide, we are therefore unable to associate such information with you and cannot include such information in response to those requests. If we cannot comply with a request, we will explain the reasons in our response.
We will make commercially reasonable efforts to identify PI that we collect, process, store, disclose, and otherwise use and to respond to your privacy requests. We will typically not charge a fee to fully respond to your requests; in some circumstances, the U.S. Privacy Laws permit us to, and we may, charge a reasonable fee, or refuse to act upon a request, if your request is excessive, repetitive, unfounded, or overly burdensome. If we determine that the request warrants a fee, or if we decide to refuse it, we will give you notice explaining why we made that decision in our response to you. You will be provided a cost estimate and the opportunity to accept such fees before we will charge you for responding to your request.
B. Verifying Your Request
When you make a request, we will verify that you are the person you say you are, or, if you are seeking information on behalf of another person, that you are authorized to make the request on their behalf (see our “Authorizing an Agent” section immediately below). In addition, we will compare the information you have provided to ensure that we maintain PI about you in our systems. As an initial matter, we ask that you provide us with, at a minimum, full name and email address. Depending on the nature of the request and whether we have the email address you have provided in our systems, we may request further information from you in order to verify that you are the Consumer making the request. We will review the information provided as part of your request, and may ask you to provide additional information via e-mail or other means to complete the verification process. We will not fulfill your Right to Know (Categories), Right to Know (Specific Pieces), Right to Delete, or Right to Correction request unless you have provided sufficient information for us to reasonably verify you are the Consumer that is the subject of the request. The same verification process does not apply to opt-outs of Sale or Sharing, or limitation of Sensitive PI requests, but we may apply authentication measures if we suspect fraud (such as verifying access to the email provided when making the request).
The verification standards we are required to apply for each type of request vary. We verify your categories requests and certain deletion and correction requests (e.g., those that are less sensitive in nature) to a reasonable degree of certainty, which may include matching at least two data points provided by you with data points maintained by us, which we have determined to be reliable for the purpose of verifying you. For certain deletion and correction requests (such as those that relate to PI that is more sensitive in nature) and for specific pieces requests, we apply a verification standard of reasonably high degree of certainty. This standard includes matching at least three data points provided by you with data points maintained by us, which we have determined to be reliable for the purpose of verifying you, and may include obtaining a signed declaration from you, under penalty of perjury, that you are the individual whose PI is the subject of the request.
If we cannot verify you in respect of certain requests, such as if you do not provide the requested information, we will still take certain action as required by certain U.S. Privacy Laws. For example, if you are a California Consumer:
If we cannot verify your deletion request, we will refer you to this Notice for a general description of our data practices.
If we cannot verify your specific pieces request, we will treat it as a categories request.
C. Authorizing an Agent
You may designate an authorized agent to submit your Consumer request on your behalf. An authorized agent submitting a request on your behalf must have sufficient evidence that you have authorized that person to submit the request on your behalf, which may include, at a minimum, evidence of signed permission to submit the request and, as permitted under the U.S. Privacy Laws, we also may require the Consumer to either verify their own identity or directly confirm with us that they provided the agent permission to submit the request.
D. Your Consumer Privacy Rights
Under the applicable U.S. Privacy Laws, Consumers have the following rights, which can be exercised directly or, in certain cases, through an authorized agent:
i. Right to Limit Sensitive PI Processing
You may, depending on your state of residency, have the right to direct businesses to limit their use and disclosure of Sensitive PI if we use or disclose it beyond certain internal business purposes. Where applicable, we will treat such a request as a revocation of any consent that you may have provided to your processing of Sensitive PI.
ii. Right to Know
Categories: If you are a California resident, you have the right to request that we provide certain information to you about our collection, use, and disclosure of your PI over the 12-month period prior to the request date related to categories of PI. You can request that we confirm whether we are processing your personal information, and disclose to you: (1) the categories of PI we collected about you; (2) the categories of sources for the PI; (3) our business or commercial purpose for collecting or selling that PI; (4) a list of the categories of PI disclosed for a business purpose in the prior 12 months and, for each category of PI, the categories of recipients; and (5) a list of the categories of PI sold or shared about you in the prior 12 months and, for each, the categories of recipients
Specific Pieces: You have the right to request a transportable copy of the specific pieces of PI we collected about you. In some states, such as California, this includes the right to PI collected in the 12-month period preceding your request. Please note that PI is retained by us for various time periods, so there may be certain information that we have collected about you that we do not retain for 12 months (and thus, it would not be able to be included in our response to you). Based on your state of residence, we may apply a limit on the number of “right to know” requests you make over a particular time period, as permitted under U.S. Privacy Laws.
iii. Right to Confirm
You have the right to confirm if we are processing your PI and to access your PI, as just stated in the two immediately prior paragraphs.
iv. Right to Delete
You have the right to request that we delete some or all of the PI that we have about you. Deleting all data will typically require the deletion of your account, along with all content, including your videos. After we confirm that your deletion request is a Verifiable Consumer Request, subject to permitted retention exceptions, we will carry out one or more of the following: (i) permanently erase your PI on our existing systems with the exception of archived or back-up systems, (ii) de-identify your PI, or (iii) aggregate your PI with other information. Where legal exceptions will apply to your request for deletion, we will tell you which one(s) and will limit retention to the permitted purpose(s) under U.S. Privacy Laws.
v. Right to Correct
You have the right to request that we correct inaccuracies that you find in your PI maintained by Vimeo.
vi. Do Not Sell/Share/Target
Under the various U.S. Privacy Laws, Consumers have the right to opt out of certain processing activities. California and certain other states have opt-outs specific to Targeted Advertising activities - which California’s law refers to as “cross-context behavioral advertising,” and others simply as Targeted Advertising - which involve the use of PI from different businesses or services to target advertisements to you. California provides Consumers the right to opt out of Sharing, which includes providing or making available PI to third parties for such Targeted Advertising activities, while other states provide Consumers the right to opt out from processing PI for Targeted Advertising more broadly. There are broad and differing concepts of the Sale of PI under the various U.S. State Privacy Laws, all of which, at a minimum, require providing or otherwise making available PI to a third party.
“Third-Party Digital Businesses” are third-party business partners, including social media platforms and other tech companies that offer digital advertising services, which may operate tracking technologies that collect PI about you on our Services (“cookie PI”), or otherwise collect and process PI that we make available about you, including digital activity information and traditional PI such as email address (“non-cookie PI”). We will treat PI collected by Third-Party Digital Businesses as implicating Sale, Sharing, and/or processing for Targeted Advertising where required, and accordingly apply opt-out requests that you make to such activities, as we describe in further detail below.
When you opt out pursuant to the instructions below, it will have the effect of opting you out of Sale, Sharing, and processing of your PI for Targeted Advertising, such that our opt-out process is intended to combine all of these state opt-outs into a single opt-out. Instructions for opting out are below. Please note that there are distinct instructions for opting out of cookie PI and non-cookie PI, which we explain further, below.
Opt-out for non-cookie PI: If you would like to submit a request to opt out of our processing of your non-cookie PI (e.g., your email address) for Targeted Advertising, or opt out of the Sale or Sharing of such data, make an opt-out request here.
Opt-out for cookie PI: If you would like to submit a request to opt out of our processing of your cookie-related PI for Targeted Advertising, or opt out of the sale/sharing of such PI, you can exercise an opt-out request. A tool is available on our website, which you can access via the “Your Privacy Choices” link in the footer to exercise your opt-out rights. You must exercise your preferences on each of our websites and apps you visit, from each browser you use, and on each device that you use. Since your browser opt-out is designated by a cookie, if you clear or block cookies, your preferences will no longer be effective and you will need to enable them again.
Some U.S. Privacy Laws require us to state that we do not knowingly Sell or Share the PI of Consumers under the age of 16.
Global Privacy Control or “GPC”
Some U.S. Privacy Laws require businesses to process GPC signals, which are referred to in some states as opt-out preference signals. GPC signals are signals sent by a platform, technology, or mechanism, enabled by individuals on their devices or browsers, that communicate the individual’s choice to opt out of Sale, Sharing, and/or Targeted Advertising or limit the use and disclosure of their Sensitive PI, such that the GPC signal effectively automatically communicates such requests. To use GPC, you can download an internet browser or a plugin to use on your current internet browser and follow the settings to enable the OOPS/GPC. To our knowledge, we have configured the settings of our consent management platform to receive and process GPC signals as required by the U.S. Privacy Laws on our websites. We will apply GPC signals as Do Not Sell/Share requests as to cookie PI. Due to technical limitations, we are unable to apply GPC signals to non-cookie PI; however, you can make a DNS/Share request as to non-cookie PI at our webform as described above. Notably, when you are visiting our website on a particular device and browser, we will apply the GPC signal and corresponding Do Not Sell/Share/Target as to cookie-PI only to that specific device and browser. You must re-enable GPC if you visit our website on a different device and/or browser.
We are required by certain U.S. Privacy Laws to state that we do not: (1) charge any additional fees for use of our websites if you have enabled GPC; (2) change your experience with our websites if you use GPC; or (3) display a notification, pop-up, text, graphic, animation, sound, video, or any interstitial in response to GPC (except that we may from time-to-time display on our website or consent management platform that you have enabled GPC).
Automated Decision Making and Profiling
You have the right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects.
We do not believe we carry out profiling or automated decision-making activities in a manner that requires us to provide opt-out rights. If we change our practices, we will change this policy and provide you with the right to opt out of such activities as required by the applicable U.S. Privacy Laws, subject to any applicable exceptions.
vii. Right to Non-Discrimination
You have the right not to receive discriminatory treatment, in a manner prohibited by U.S. Privacy Laws, for the exercise of your privacy rights.
viii. Right to Appeal
Residents of certain states have the right to appeal a decision regarding a privacy request. You can exercise this right by responding to the email we send containing our response to your request, and following the instructions in such email. As of the Last Updated date, residents of Colorado, Connecticut, and Virginia have this right.
3. Additional Notices for California Residents
A. Shine the Light Law
Under California’s “Shine the Light” law, California residents have the right to opt out of disclosing information to third parties for the purpose of allowing such third parties to directly market their products and services. At this time, we do not engage in this type of disclosure.
B. California Minors
Any California residents under the age of eighteen (18) who have registered to use our online services, and who posted content or information on the service, can request removal by contacting us at [email protected], detailing where the content or information is posted and attesting that you posted it. We will then make reasonably good faith efforts to remove the post from prospective public view or anonymize it, so the minor cannot be individually identified to the extent required by applicable law. This removal process cannot ensure complete or comprehensive removal. For instance, third parties may have republished or archived content by search engines and others that we do not control.
4. Additional Notices for Nevada Residents
Nevada residents have the right to opt out of the sale of certain "covered information" collected by operators of websites or online services. We currently do not sell covered information, as "sale" is defined by such law, and we don't have plans to sell this information. However, if you would like to opt out of the future sale of personal information covered by the Act, you can provide us with your name and email address here. You are responsible for updating any change in your email address by the same method and we are not obligated to cross-reference other emails you may have otherwise provided us for other purposes. We will maintain this information and contact you if our plans change. At that time, we will create a process for verifying your identity and providing an opportunity to verified consumers to complete their opt-out.
5. Contact Us
If you have any questions about Vimeo’s Privacy Policy, this Notice or practices described in it, you may contact us at:
Vimeo.com, Inc. Attention: Data Protection Officer 330 West 34th Street, 10th Floor New York, New York 10001 [email protected]