Opt-Out Easy: Privacy Notice

Effective Date: August 28, 2020

Carnegie Mellon University (“CMU,” “we,” “us,” or “our”) is committed to privacy and data protection. This Privacy Notice applies to all personal data CMU collects from you through the Services described in the Opt-Out Easy Terms of Use as well as how we use and protect your personal data. You may download a copy of this Privacy Notice here.

This Privacy Notice does not apply to any third-party applications or software that integrate with the Services, or any other third-party products, services or businesses (collectively, “Third Party Services”). Third Party Services are governed by their own privacy policies. We recommend you review the Privacy Notice governing any Third Party Services before using them.

This Privacy Notice is incorporated into and made a part of the Opt-Out Easy Terms of Use. If you have not done so already, please also review the Opt-Out Easy Terms of Use.

CMU is the controller of the personal data collected through the Services. Any questions or concerns regarding CMU’s privacy and data protection practices can be directed to our Data Protection Officer, Melanie Lucht, Associate Vice President and Chief Risk Officer at GDPR-info@andrew.cmu.edu.

Overview

The Opt-Out Easy browser extension (“the Services”) is a system designed to help users identify privacy opt-out choices made available to them by websites in the text of their privacy policies. Opt-Out Easy has been developed as part of the Usable Privacy Policy Project, an NSF-funded research project led by Prof. Norman Sadeh at Carnegie Mellon University and involving other researchers from Carnegie Mellon University, Fordham University, the University of Michigan and Penn State University.

Opt-Out Easy consists of a browser extension that runs locally in the browser of the user’s device and communicates with a back-end infrastructure maintained by personnel at Carnegie Mellon University. The back-end infrastructure regularly analyzes the text of privacy policies of several thousand of the most popular websites as well as additional websites for which analysis has been requested by users – with these requests being submitted anonymously. Results of this analysis, which consist of collections of opt-out links automatically identified in the text of privacy policies, are regularly sent to the browser extensions, where they are cached for faster processing.

Personal Data We Collect

CMU collects data to provide the Services you request, to address security issues and potential abuse, and to improve your experience using the Services. Some of the information is collected through your interactions with the Services and some from usage data collected when you interact with the Services running on your device.

The data we collect depends on the features of the Services that you use, and includes the following:

We may also collect the following information in an anonymized or de-identified form:

How We Use Personal Data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data for the following lawful purposes:

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where it is required or permitted by law.

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the above legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

| Purpose/Activity | Type of data | Lawful basis for processing |
| --- | --- | --- |
| To remind you of websites you already visited while using the Services | Previously visited websites | Performance of an applicable contract |
| To remind you of opt-out links you already visited while using the Services | Previously visited opt-out links | Performance of an applicable contract |
| To keep track of your specific opt-out privacy decisions as reported by you, whether these opt-out actions were communicated directly to individual websites or to third party privacy options management functionality responsible for capturing and implementing your personal privacy decisions for individual websites | Self-reported opt-out Actions | Performance of an applicable contract |
| To enable our servers to communicate with the Services running in your browser | Internet Protocol addresses | Performance of an applicable contract |
| Conduct research surveys or studies | Data collected as part of research surveys or studies we may conduct | Data collected subject to your consent |

How We Share Personal Data

It is the practice of CMU to protect users’ information. Access to our users’ information is restricted to only those employees or agents, contractors or subcontractors of CMU who have valid reasons to access this information to perform any service you have requested or authorized, or for any other purpose described in this Privacy Notice. The information you provide will not be sold or rented to third parties.

We may provide your personal data to:

Please note that, if you share your browser with other users, they will be able to see the websites you have visited, the opt-out links you have visited, and opt-out decisions you reported taking.

In order for the Services to function, we rely on the following third party service providers:

We will access, disclose and preserve personal data, when we have a good faith belief that doing so is necessary to:

Please note that some of the Services may direct you to services of third parties whose privacy practices differ from CMU’s. If you provide personal data to any of those services, your data is governed by their privacy statements or policies. Carnegie Mellon University is not responsible for the privacy practices of these other websites. Please review the privacy policies for these websites to understand how they process your information.

How You May Share Personal Data

Certain features of the Services may allow you to share information with others. Please do not share your personal data or the personal data of others through the sharing features. You are the controller of personal information you share through the sharing features of the Services. These features include the Service’s “feedback” feature.

In particular, please note that, if you share your browser with other users, they will be able to see the websites you have visited, the opt-out links you have visited, and opt-out decisions you reported taking.

Handling of Personal Data

Security of Personal Data

CMU is committed to protecting the security of your personal data. Depending on the circumstances, we may hold your information in hard copy and/or electronic form. For each medium, we use technologies and procedures to protect personal data. We review our strategies and update as necessary to meet our business needs, changes in technology, and regulatory requirements.

These measures include, but are not limited to, technical and organizational security policies and procedures, security controls and employee training.

We may suspend your use of all or part of the Services without notice if we suspect or detect any breach of security, abuse, or illegal or questionable activity. If you believe that information you provided to us is no longer secure, please notify us immediately using the contact information provided below.

If we become aware of a breach that affects the security of your personal data, where possible we will provide you with notice as required by applicable law. To the extent permitted by applicable law, CMU will provide any such notice that CMU must provide to you at your account’s email address. By using the Services, you agree to accept notice electronically.

Storage and Transfer of Personal Data

Personal data processed by CMU may be processed in your region, in the United States or in any other country where CMU, its affiliates or contractors maintain facilities, including outside the EU. We take steps to ensure that the data we collect under this Privacy Notice is processed pursuant to the terms thereof and the requirements of applicable law wherever the data is located.

If you would like to know more about our data transfer practices, please contact our Data Protection Officer at GDPR-info@andrew.cmu.edu.

Retention of Personal Data

All personal data is retained within your browser. CMU does not retain your personal data.

Your Rights Regarding Your Personal Data

CMU respects your right to access and control your personal data. You have choices about the data we collect. When you are asked to provide personal data that is not necessary for the purposes of providing you with the Services, you may decline. However, if you choose not to provide data that is necessary to provide the Services, you may not have access to certain features of the Services.

Access to personal data. In some jurisdictions, you have the right to request access to your personal data. In these cases, we will comply, subject to any relevant legal requirements and exemptions, including identity verification procedures. Before providing data to you, we will ask for proof of identity and sufficient information about your interaction with us so that we can locate any relevant data. We may also charge you a fee for providing you with a copy of your data (except where this is not permissible under local law).

Correction and deletion. In some jurisdictions, you have the right to correct or amend your personal data if it is inaccurate or requires updating. You may also have the right to request deletion of your personal data. Please note that such a request could be refused because your personal data is required to provide you with the Services you requested, e.g., to send an invoice to your email address, or that it is required by the applicable law.

Children's Privacy

IF YOU ARE UNDER THE AGE OF 18, DO NOT USE THE SERVICES.

The Services are intended to be used by individuals who are at least 18 years old. Consistent with the requirements of the U.S. Children’s Online Privacy Protection Act, if we learn that we received any information directly from a child under age 13 without his or her parent’s verified consent, we will use that information only to inform the child (or his or her parent or legal guardian) that he or she cannot use the Services.

California Minors: If you are a California resident who is under age 18 and you are unable to remove publicly-available content that you have submitted to us, you may request removal by contacting us at: GDPR-info@andrew.cmu.edu. When requesting removal, you must be specific about the information you want removed and provide us with specific information, such as the URL for each page where the information was entered, so that we can find it. We are not required to remove any content or information that: (1) federal or state law requires us or a third party to maintain; (2) was not posted by you; (3) is anonymized so that you cannot be identified; (4) you don’t follow our instructions for removing or requesting removal; or (5) you received compensation or other consideration for providing the content or information. Removal of your content or information from the Services does not ensure complete or comprehensive removal of that content or information from our systems or the systems of our service providers. We are not required to delete the content or information posted by you; our obligations under California law are satisfied so long as we anonymize the content or information or render it invisible to other users and the public.

The General Data Protection Regulation ("GDPR")

If you reside within the EU you may be entitled to other rights under the GDPR. These rights include the right to request access, rectify, erase, restrict the processing of, object to processing of, and port your personal data. If you are entitled to these rights, you may exercise these rights with respect to your personal data that we collect and store. Our ability to respond to your request to exercise your rights is limited to the extent we store your personal information on our systems or otherwise process your personal information.

You may exercise these rights free of charge. These rights will be exercisable subject to limitations as provided for by the GDPR. Any requests to exercise the above-listed rights may be made to: GDPR-info@andrew.cmu.edu.

If you reside within the EU, you have the right to lodge a complaint with a Data Protection Authority about how we process your personal data at the following website: https://edpb.europa.eu/about-edpb/board/members_en.

Processing EU Personal Data

In the event that your personal data is subject to the GDPR, we will only use your personal data for the original purpose for which we collected it, unless we reasonably consider that we need to use it for another purpose and that purpose is compatible with the original purpose. If we need to use your EU personal data for an unrelated purpose, we will notify you and we will explain the legal basis, which allows us to do so. We require third parties to only use your EU personal data for the specific purpose for which it was given to us and to protect the privacy of your personal data. If your personal data is no longer necessary for the legal or business purposes for which it is processed, we will generally destroy or anonymize that data.

International Transfers of Personal Data

Whenever we transfer your personal data out of the EU, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

For additional information on the mechanisms used to protect your personal data, please contact our Data Protection Officer at GDPR-info@andrew.cmu.edu.

Changes To This Privacy Notice

We may update this Privacy Notice based upon evolving laws, regulations and industry standards, or as we may make changes to our business including the Services. We will post changes to our Privacy Notice on this page and encourage you to review our Privacy Notice when you use the Services to stay informed. If we make changes that materially alter your privacy rights, CMU will provide additional notice through the Services. If you disagree with the changes to this Privacy Notice, you should discontinue your use of the Services. You may also request access and control of your personal data as outlined in the Your Rights Regarding Personal Data section of this Privacy Notice.

Questions or Complaints Handling

We understand that you may have questions or concerns about this Privacy Notice or our privacy practices or may wish to file a complaint. In such case, please contact us in one of the following ways:

Email:
GDPR-info@andrew.cmu.edu

Mail:
Carnegie Mellon University
Attention: Data Protection Officer
5000 Forbes Avenue
Pittsburgh, PA 15213

If you are not satisfied with our answer or how CMU manages your personal data, you may also have the right to make a complaint to a data protection regulator. If you reside within the EU, a list of National Data Protection Authorities can be found here.