Privacy Notice

San Francisco State University respects your privacy and is committed to protecting it to the extent possible, subject to applicable state and federal law, through our compliance with our privacy policies and this Privacy Notice. 

This Notice applies to the information that we collect when you visit the San Francisco State University main website www.sfsu.edu and other websites that we own or control, and on which we have linked or referred to this Notice (together, the “Sites”). This Notice describes how this information is collected, processed, maintained, protected, and disclosed. Unless otherwise indicated on a specific Site, the California State University is the data controller for all information collected under this Notice. Contact information for the CSU is listed at the end of this Notice. 

This Notice does not apply to information collected from or about current or former employees, contractors, volunteers, and other workers at San Francisco State University as part of their employment or working relationship with San Francisco State University.

Except as specifically described, our Sites are operated in accordance with the laws of the United States. Please read this Notice carefully to understand our policies and practices regarding your information and how we will treat it. This Notice reflects the University’s current practices and may change from time to time, so please check the Notice periodically for updates. This Notice was last updated on September 22, 2022.

In this Notice, “personal information” means any information that identifies or describes an individual user of the Sites, including, but not limited to, the user’s name, social security number, physical description, address, telephone number, education, financial matters, medical or employment history, password, email address, and information that reveals any network location or identity. If you are located in the European Economic Area (EEA), “personal information” includes all personal data as defined under EEA laws (including “sensitive personal information” which is provided enhanced protections under those laws).

We collect personal information about users only as allowed by law and limit the collection of personal information to what is relevant and necessary to accomplish a lawful purpose of the University. We collect personal information (and sensitive personal information) that you send to the CSU, or permit us to obtain from third parties, for purposes relevant to CSU operations in pursuit of our academic mission. Examples include information needed for student admission (including financial aid information), employment, housing and dining services, online educational programs, research, health services, donor relations, visa application processing, event registration, parking services, IT usage and support services, library usage, bookstore operations, and website account registrations. Our legal basis for processing most of this information is to perform a task in the public interest or in fulfillment of CSU official functions, including those set out in the California Education Code and/or Title V of the California Code of Regulations, or under applicable federal law. Other legal bases for processing information include processing necessary for contract (e.g., to process parking permit payments), for legitimate interests (e.g., to send requested information) or consent (e.g., to process certain sensitive personal information).

User-Provided Information: You may be required to provide personal information to access or use certain parts of our Sites, or features of our Sites or services, including without limitation, when you apply for or enroll at one of our campuses or programs, subscribe to a newsletter or email list, make a purchase or donation, fill out a form, participate in any of our programs, special events or promotions, contact us with a comment, question or complaint, etc. If you do not provide the requested personal information, you may not be able to access or use the features of our Sites or service where such information is requested.

Depending upon the nature of the transaction, the personal information that you may provide may include: contact information (name, home or mailing address, telephone number, social media username/handle, mobile phone and/or email address, etc.); academic area or interest; financial information (financial aid application history, payment history, social security number, passport number, credit card number, donation attribution and amount, etc.); health record information (medical record number), allergies, past medical history, family history, current medications, current medical conditions) demographic information (age, birthdate, marital status, income, etc.); and profile information (admissions date, graduation date, alumni status, student identification number, username, password, relationship to the University, etc.)

Emails and Social Media Sites: If you correspond with us by email, mail or via social media, we may retain the content of your communication or social media posting, the email or social media account address from which it is sent, and our response. We collect information automatically using technology when you visit our Sites or social media pages or when you open one of our emails as described in this Notice.

The specific personal information (and sensitive personal information) we collect, why we collect it, and our legal basis for processing it, is periodically reassessed in applicable data process flow assessments or Data Protection Impact Assessments, as relevant. 

It is the policy of the California State University to limit the collection and safeguard the privacy of personal information collected or maintained by the University. The University’s information management practices conform to the requirements of the Information Practices Act of 1977 (Civil Code Section 1798, et seq.), the Public Records Act (California Government Code Section 6250, et seq.), California Government Code Section 11015.5, the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99), and other applicable laws pertaining to information privacy. In the event of a conflict between this Notice and the Public Records Act, the Information Practices Act, FERPA, or other law governing the disclosure of University records, the applicable law will control.

Any information acquired by the University through the Sites is subject to the limitations set forth in the Information Practices Act. The University will not distribute or share electronically collected personal information (as defined in subdivision (d) of California Government Code Section 11015.5) about users to any third party without the permission of the user, except in narrow circumstances set forth in this Notice. The University will not sell any electronically collected personal information to any third party. Such electronically-collected personal information is exempt from requests made pursuant to the California Public Records Act (Chapter 3.5 (commencing with Section 6250) of Division 7 of Title 1). 

We use information that we collect about you or that you provide to us, including any personal information:

  • To provide you with information that you request from us.
  • To process application, registration and enrollment requests when you apply, register or enroll for our campuses, events, programs or services, or otherwise administer your participation in our events, programs or services, including (without limitation) study abroad and distance learning, financial aid, housing and dining.
  • To collect and process donations, gifts and donor information.
  • To process service requests from students, staff, faculty, and other members of the campus community, including the facilitation of parking permit and identification card requests.
  • To process registration for sports, cultural, educational, and other university events.
  • To respond to your questions, requests, comments or complaints and determine your satisfaction with our events, programs and services.
  • To operate, maintain, and provide to you the features, services, and functionality of the Sites and its contents, and to monitor and improve our site and the user experience.
  • To provide information about our University and send you related information including brochures and other University materials, campus and CSU news, academic notices, updates, security alerts, special offers, confirmations, and support and administrative messages.
  • To notify you about changes to our Sites or any services we offer or provide through it.
  • To compare and review your personal information for errors, omissions and accuracy.
  • To prevent, detect or investigate any fraudulent, abusive or illegal act.
  • To allow you to participate in interactive features on our Sites.
  • In any other way we may describe when you provide the information.
  • For any other purpose with your consent.

We may also use your personal information for operational and other lawful purposes such as security, analytics, operations, fraud detection and prevention, reporting, making back-ups and legal compliance.

We use cookies, clear gifs, and log file information to: (a) remember information so that you will not have to re-enter it during your visit or the next time you visit the Sites; (b) monitor the effectiveness of our Sites and services; (c) monitor aggregate metrics such as the total number of visitors and traffic; (d) diagnose or fix technology problems reported by our users or engineers that are associated with the IP addresses controlled by a specific web company or ISP; and (e) help you efficiently access information.

At the time we collect personal information, we strive to tell users about the purpose for which the information is collected as well as the general or specific uses that we will make of that information.

International transfer of personal information: Personal information provided to us by users outside of the United States may be transferred to other countries such as the United States, where data protection laws may differ from those of your home country. By providing us with your information, you acknowledge that your personal information may be transferred to the United States and processed on servers within the United States. However, all reasonable steps will be taken to protect your privacy in accordance with applicable data protection laws.

User Content: Any personal information or content you voluntarily disclose for posting to the Sites (for instance, any content you post) (“User Content”) becomes available to the public via the Sites. User Content includes, but is not limited to, comments, photos, videos, etc. If you remove User Content, copies may remain viewable in cached and archived pages or if other users have copied or stored your User Content.

We reserve the right to monitor the User Content you post on the Sites and to remove any User Content for any reason or no reason including, without limitation, if in our sole opinion, such material violates, or may violate, any applicable law, or to protect or defend our rights or those of any third party. We also reserve the right to remove User Content upon the request of any third party.

Cookies Information: When you visit the Sites, we may send one or more cookies – a small text file containing a string of alphanumeric characters – to your computer that uniquely identifies your browser and lets us help you log in faster and enhance your navigation through the Sites. A cookie does not collect personal information about you. We use both session cookies and persistent cookies. A persistent cookie remains on your hard drive after you close your browser. Persistent cookies may be used by your browser on subsequent visits to the Sites. Persistent cookies can be removed by following your web browser’s directions. A session cookie is temporary and disappears after you close your browser. You can reset your web browser to refuse all cookies or to indicate when a cookie is being sent. However, some features of the Sites or services may not function properly if the ability to accept cookies is disabled.

Google Analytics: We use a tool called “Google Analytics,” a web analytics service provided by Google, Inc. to collect information about use of the Sites. Google Analytics collects information such as how often users visit our Sites, what pages are visited, and what other sites were visited prior to coming to our Sites. We use the information we get from Google Analytics only to improve the Sites. Google Analytics collects only the IP address assigned to you on the date you visit the Sites, rather than your name or other identifying information. Google Analytics will also collect contextual information, such as type of web browser, type of operating system, browser resolution, and network location, however we do not combine the information collected through the use of Google Analytics with personally identifiable information. Although Google Analytics plants a permanent cookie on your web browser to identify you as a unique user the next time you visit the Sites, the cookie cannot be used by anyone but Google. Google’ s ability to use and share information collected by Google Analytics about your visits to the Sites is restricted by the Google Analytics Terms of Use and the Google Privacy Policy. You can prevent Google Analytics from recognizing you on return visits to the Sites by disabling cookies on your browser, however, please note that if you do this you may not be able to use the full functionality of the Sites.

Log File Information: Log file information is automatically reported by your browser each time you access a web page. When you register with or view our Sites, our servers automatically record certain information that your web browser sends whenever you visit any website. These server logs may include information such as your web request, Internet Protocol addresses or other device identifiers, browser information, Internet Service Provider, operating system, location, date/time stamp, clickstream data, referring/exit pages and URLs, domain names, landing pages, pages viewed, and other such information.

Clear Gifs Information: When you use the Sites, we may employ clear gifs (also known as web beacons) which are used to track the online usage patterns of our users anonymously. No personal information is collected using these clear gifs. In addition, we may also use clear gifs in HTML-based emails sent to our users to track which emails are opened by recipients.

California Do Not Track Disclosures: California Business & Professions Code Section 22575(b) (as amended effective January 1, 2014) provides that California residents are entitled to know how a website operator responds to “Do Not Track” (DNT) browser settings. DNT is a feature offered by some browsers which, when enabled, sends a signal to websites to request that your browsing is not tracked, such as by third party ad networks, social networks and analytic companies. We do not engage in the collection of personally identifiable information about users’ online activities over time and across third party websites when an individual uses our Sites and therefore do not respond to DNT signals.

We share your information internally at the CSU to facilitate and manage the purposes listed above, including with third parties whom the University engages to process your personal information on our behalf for the purposes stated above (such as vendors who help the University with our marketing, application processing, financial aid or payment processing, education management, and web hosting). The University may also share your personal data with government and law enforcement agencies or regulators (1) to comply with a legal process, subpoena, order or other legal or regulatory requirement applicable to us; (2) to enforce our terms of use or other policies; or (3) to pursue available legal remedies or defend against legal claims. We may also share your personal information with a third party as requested by you if permitted by this and other University policies and applicable laws and regulations. We will not distribute or share any electronically collected personal information (as defined in subdivision (d) of California Government Code section 11015.5) about users to any third party without prior written permission from the user except in narrow circumstances involving possible violations of Section 502 of the Penal Code or as authorized under law (including but not limited to the Information Practices Act), or to assist another state agency or public law enforcement organization in any case where the security of a network operated by a state agency has been, or is suspected of having been, breached.

We fully cooperate with law enforcement agencies in identifying those who use our Sites or services for illegal activities. We may report to law enforcement agencies any activities that we in good faith believe to be unlawful. Release of your personal information for security purposes, as described in this Notice to any person or entity, including, without limitation, in connection with any government investigation or litigation, shall be based on a determination made solely by us, as permitted by law or, for those not in the EEA, exercising our discretion for which you expressly grant permission to us in accordance with this Notice.

We take reasonable physical, managerial, and technical safeguards to preserve the integrity and security of your personal information against loss, unauthorized access, and illegal use or disclosure. Such personal information is stored by the University in secure locations and University staff is trained on procedures for the management of personal information, including limitations on the release of information. Access to personal information is limited to those members of the University’s staff whose work requires such access. Confidential information is destroyed according to the University’s records retention schedule. The University conducts periodic reviews to ensure that proper information management policies and procedures are understood and followed. The security of your personal information is important to us, but please remember that no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially reasonable means to protect your personal information, we cannot ensure or warrant the absolute security of any information you transmit to the Sites, and you do so at your own risk. Once we receive your transmission of information, we make commercially reasonable efforts to ensure the security of our systems. However, please note that this is not a guarantee that such information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. While we strive to protect your personal information and privacy, we cannot guarantee the security of any information you disclose online.

We encourage all individuals to use appropriate safeguards to secure their computers and the information on those computers. For additional information on online privacy and security, please see the University’s policies and procedures related to Information Security; you may also consult with the California Attorney General’s Privacy Enforcement and Protection website.

In the event that personal information is compromised as a result of a breach of security, we will promptly investigate and notify those persons whose personal information has been compromised in accordance with the notification procedures set forth in the CSU Information Security Policy, or as otherwise required by applicable law.

Links to Other Websites

We are not responsible for the practices employed by websites linked to or from our Sites nor the information or content contained in them, and we make no warranty, either express or implied, concerning the content of any such site, including the accuracy, completeness, reliability, or suitability of them for any particular purpose, nor do we warrant that any such site or content is free from any claims of copyright, trademark, or other infringement of the rights of third parties, or that any such site or content is devoid of viruses or other contamination. We may provide links to other websites to you solely as a convenience, and the inclusion of linked sites does not imply endorsement by the University or CSU of any of the linked sites. Please remember that when you use a link to go from our Sites to another website, our Notice is no longer in effect. Your browsing and interaction on any other website, including those that have a link on our Sites, is subject to that website’s own rules and policies. Please read over those rules and policies before proceeding. We do not ensure the security of your personal information if you visit websites not belonging to CSU, nor are we the data controller for any information collected on those sites unless we specifically state so. We further reserve the right to terminate a link to a third party site at any time.

We comply with all applicable regulations regarding data retention and deletion of personal data and retain personal information only for as long as necessary to fulfill the purpose for which it was collected (including for college operations), for strategic planning, and to comply with applicable laws and retention requirements. You can ask to review, update or make changes to the personal information we maintain about you, or exercise your option of having your personal information discarded without reuse or distribution, by sending a written request to the postal or email address set out below. We may take a reasonable period of time to respond. If you request the deactivation or change of information on our system, such information may be retained in our backup systems for a period of time subject to technology restrictions, or as a precaution against systems failures. Some information may be retained for longer periods as required by law, contract or auditing requirements or as otherwise described in this Notice.

You have the option to decline providing information about yourself online and may use other methods, such as U.S. mail, to respond to requests for information or to communicate with us. You may use the contact information listed below to ask about additional alternatives to providing or obtaining information through use of our Sites.

By providing us your email address, you consent to our use of your email address to send you Site and service-related notices, including any notices required by law, in lieu of communication by postal mail. We may also use your email address to send you other messages, including, but not limited to, newsletters, information on campus activities, programs and events, legal updates, changes to features of our Sites or services, or other account information. Where required by law, we will obtain your consent before sending you specific types of email or other communications.

You can choose not to receive such emails from us by “unsubscribing” using the instructions in any email you receive from us, or by sending a written request to the postal or email address set out below. It may take up to thirty (30) business days for us to process your request. This will not stop us from sending emails about your account or your transactions with us, or any other service-related email. Opting out does not affect our communications with you via telephone or mail nor does it affect our use of your non-personally identifiable information as described in this Notice.

EEA Data Subject Rights

If you are an individual located in the EEA only, you have certain rights with regard to your personal data collected while you are in the EEA. These rights may include right of access, right of correction, right to be forgotten, right to restrict processing of your identifiable personal information, right to notice related to changes/deletion/processing limits, right to data portability, right to objection, right not to be subject to decisions based solely on automated processing, and right to withdraw consent. Some of these rights are restricted by law to information that was collected on the basis of explicit consent, or are restricted by other conditions (such as necessity for contract or to comply with the law). You have the right to contact us in connection with the exercise of your rights under applicable EEA law, which you can do through the contact information below, or by sending an email to privacy@calstate.edu.     We will respond to your written request without unreasonable delay and in accordance with any deadlines imposed by law. Unless we notify you at the time of your request, we will not charge you any fee in connection with the exercise of your rights. If you are not satisfied with our response, you have the right to complain to or seek advice from a supervisory authority and/or bring a claim against us in any court of competent jurisdiction. 

Changes to Our Privacy Notice

We reserve the right to modify this Notice at any time. It is our policy to provide notifications, whether such notifications are required by law or are for other operational purposes, to you via email notice, written or hard copy notice, or through conspicuous posting of such notice on our Sites page, as determined by the University in its sole discretion. We reserve the right to determine the form and means of providing notifications to you, provided that you may opt out of certain means of notification as described in this Notice. You are responsible for ensuring we have an up-to-date active and deliverable email address for you, and for periodically visiting our Sites and this Notice to check for any changes.

For changes to our Privacy Notice, it is our policy to post any changes we make on this page. The date the Notice was last revised is identified at the top of the page. We will provide notice on the Sites prior to the effective date of any material change. Your continued use of the Sites after any change in this Notice will constitute your acceptance of such change.

Contact Us

If you have any questions about this Notice or the practices of our Sites, you may contact us using one of the following methods: