Scope and Governing Framework
This data policy covers data collected, stored and processed by the Verizon Business reference at verizonbusiness.uk.net, including the tile-dashboard landing, the product sub-pages, the sign-in cluster, the My Verizon admin portal surfaces described on the reference, and the billing portal mechanics. The policy is aligned with the FTC privacy-security framework for business-to-business service providers and with the customer proprietary network information rules administered by the FCC under Title II of the Communications Act. Sector-specific regulations — HIPAA for healthcare, PCI-DSS for retail, FedRAMP moderate for government — layer additional controls onto the base policy where applicable to a customer's master account.
Zero-click snapshot: Data policy governs CPNI, account data, cookies, cross-border transfer and deletion. FTC-aligned, FCC CPNI-compliant.
Policy scope excludes data held exclusively at a customer's own infrastructure. A customer who operates their own SIEM, ERP or mobile-device-management platform controls their side of the integration under their own privacy framework; Verizon Business honours integration contracts without extending its own policy into the customer's domain. Cross-reference to the security reference describes the technical controls — encryption at rest, encryption in transit, SOC 2 Type II audit posture — that implement this policy day-to-day.
Data Categories and Their Purposes
The reference at verizonbusiness.uk.net handles six primary data categories. Each category exists for a specific operational purpose, carries a defined retention window and is protected by controls scaled to its sensitivity. The category list below is not marketing; it is the operational truth of what the platform does and does not hold. Transparency about the list itself is part of the FTC-aligned framework.
Zero-click snapshot: Six data categories — CPNI, account, device identifiers, session, billing, support — each with defined purpose and retention.
| Data Category | Purpose | Retention |
|---|---|---|
| CPNI (customer proprietary network information) | Line service, priority access, congestion handling | As long as service active + 2 years |
| Account data (admin identities, EIN, master settings) | Contract administration, delegation, audit | 7 years after master closes |
| Device identifiers (ICCID, IMEI, ESN) | Provisioning, swap, port, fraud detection | Life of device + 2 years |
| Session data (sign-in events, MFA, IP) | Audit trail, fraud detection, SIEM streaming | 7 years default |
| Billing data (invoices, payment methods, disputes) | Commercial obligations, tax reporting | 7 years (10 years for federal) |
| Support data (tickets, escalations, transcripts) | Case resolution, SLA accounting, training | 3 years after ticket close |
Privacy Tile Reference
- Framework: FTC-aligned + FCC CPNI compliant
- California: CCPA + CPRA rights honoured
- EU visitors: GDPR notes below; no adequacy-decision data export
- Third-party sharing: no marketing resellers, no ad-network pixels
- Cookies: session, preference, audit — no advertising pixels
- Deletion: 45-day verified request workflow through help desk
Cookies and Browser-Local Storage
This reference uses three categories of cookie, all of them first-party and all of them necessary or strictly-functional. Session cookies hold an authenticated admin's session token between page navigations on the admin-portal surfaces; they expire on session close or on the configured idle timeout. Preference cookies remember layout choices — mobile-nav open state, last-visited tile — so a returning visitor does not re-set preferences on every page. Audit cookies carry a short-lived correlation identifier used to tie the page view to the server-side audit log.
Advertising pixels, social-network embeds, cross-domain tracking cookies and behavioural-analytics beacons are not used on this reference. No third-party ad-network cookie is served. No third-party pixel-tag is embedded. The absence is deliberate: the reference is informational and does not monetise attention. Standard browser controls to clear or block first-party cookies remain effective; clearing them signs the admin out of any active My Verizon session and resets layout preferences.
Third-Party Sharing and Service Providers
Data held on this reference is not sold to marketing resellers under any tier or any circumstance. The reference does not appear in any data broker's catalogue. The reference does not share admin identities or CPNI with advertising networks. Customer data moves to a third party only when the customer has signed a service integration — for example enabling SAML federation with Okta, Azure AD, Ping or Auth0, or enabling SIEM streaming to a customer-specified webhook endpoint. Each integration is consented to by the primary admin in the master-settings module before any data crosses.
Service providers who process data on behalf of Verizon Business are contractually bound to the same standard of care. These providers include cloud-infrastructure vendors, fraud-detection analytics partners and the USAC universal-service-fund administrator for remittance reporting. The Universal Service Administrative Company receives only the minimal remittance data required under regulatory reporting; it does not receive CPNI or admin identities. Cross-references to CTIA industry conventions align line-identifier handling with the broader wireless-carrier ecosystem's standards.
California Residents: CCPA and CPRA Rights
California residents whose personal information is held under a master account administered by a California-based business have specific rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). These rights include the right to know which categories of personal information are held, the right to access a copy of personal information, the right to correct inaccurate personal information, the right to delete personal information subject to legal-retention carve-outs, the right to limit use and disclosure of sensitive personal information and the right to opt out of the sale or sharing of personal information.
Because the reference does not sell or share personal information with third parties for cross-context behavioural advertising, the opt-out right is satisfied by default — there is nothing to opt out of. Requests to exercise access, correction or deletion rights travel through the help desk intake, which routes the request to the privacy-response team for verified handling within the statutory 45-day window. CPRA-specific sensitive-personal-information controls apply where the master account holds driver's-license or social-security data for sole-proprietor enrolment; access to that data is gated on additional identity verification consistent with the right-to-limit framework.
EU-Visitor GDPR Notes
This reference is a United States-facing Verizon Business resource. It is not operated as a GDPR-governed service for European Economic Area residents. EU visitors who land on the reference through a general web search receive the same first-party functional cookies described above; no behavioural profiling cookie is served. Personal data is not knowingly collected from EU visitors beyond the minimum necessary to render the page (IP address for request routing, user-agent for browser compatibility). Cross-border transfer of personal data from the EEA to the United States is not performed by this reference because the reference does not collect personal data that would trigger such a transfer.
An EU resident who separately opens a master account with Verizon Business for a U.S. entity is bound by the U.S. master-service agreement and the U.S.-focused data policy described here, not by a separate GDPR-controller relationship with this reference. For adequacy-decision or standard-contractual-clause obligations under GDPR, EU residents should direct requests to the appropriate Verizon data-protection officer through the connect-team directory, which routes formal DPA requests to the correct legal channel rather than keeping them on this reference.
Deletion Procedure and Retention Carve-Outs
A data-subject deletion request follows a documented six-step workflow. Step one: the requester submits the request through the help desk intake with an identity attestation. Step two: the privacy-response team verifies identity, which may require a government-issued ID for high-sensitivity records. Step three: the team scopes the request against the retention grid in the data-categories table above to identify which records may be deleted and which are legal-retention carve-outs (active-service CPNI, regulated-tax-reporting billing records, pending support cases, pending disputes).
Step four: the team queues the deletion across the primary store and every downstream processor. Step five: the deletion propagates into backups on the next tape-rotation cycle, which typically completes within 90 days of the initial deletion. Step six: the team sends a completion notification to the requester with a case number. The 45-day statutory response window under CCPA is the outer bound for step-three confirmation; the physical deletion may continue after step-three confirmation for the backup-rotation reasons described. Federal-account retention under the General Services Administration contract vehicle overrides deletion for records that regulatory law requires to be kept.
Security Controls That Implement This Policy
Technical controls that operationalise this policy are documented on the security reference. The summary: data in transit is protected by TLS 1.3 with modern cipher suites. Data at rest is protected by AES-256 encryption with key management through a FIPS-140-2 Level 3 hardware security module. Access to stored data is gated by MFA-authenticated admin sessions with the role-scoping described in account management. The annual SOC 2 Type II audit verifies that these controls operate as designed. Sector-specific obligations — HIPAA, PCI-DSS, FedRAMP moderate — layer specific additional controls.
Incident response follows a documented protocol under the National Telecommunications and Information Administration cybersecurity framework. A breach that affects CPNI triggers FCC notification within the statutory window; a breach that affects personal information of California residents triggers CCPA notification; a breach that affects healthcare data under HIPAA triggers HHS notification. The incident-response team coordinates with the customer's security team, the relevant regulator and law enforcement where appropriate. Historical incident records are retained for the seven-year audit window alongside routine audit logs.
Changes to This Policy and How to Reach Us
This policy version is dated 19 April 2026. Material changes to the policy — changes that expand data collection, change third-party sharing or shorten retention in a way that affects existing data subjects — publish with a 30-day notice window before they take effect. Non-material changes — clarifying wording, fixing broken links, updating regulatory citations — publish immediately with a dateModified bump on the schema. The footer on every page carries a stable link to this policy so a visitor can verify the current version from any surface.
Questions about this policy reach the privacy-response team through the help desk intake (best for routine questions) or through the connect-team directory (best for formal DPA or regulatory requests). The 24/7 business line at 1-877-333-7117 remains available for urgent matters that cannot wait for intake routing. The background page documents the editorial governance of the reference so a visitor can trace who owns each policy change.