CMG Strategy Co. LLC. and its subsidiaries and affiliates (collectively, “Chipotle” the “Company” “us” “our” or “we”) provide this California Privacy Notice (“Notice”) to describe our privacy practices with respect to our collection of Personal Information as required under the California Consumer Privacy Act (“CPPA”). This Notice applies only to Independent Contractors who are residents of the State of California (“Consumers”) and from whom we collect “Personal Information” as defined in the CCPA. We provide you (“you” or “your”) this Notice because under the CCPA, California residents who are Independent Contractors qualify as Consumers. For purposes of this Notice, when we refer to Consumers, we mean you only to the extent you are an Independent Contractor of Chipotle who resides in California. TO VIEW THIS NOTICE IN SPANISH, CLICK HERE.

Personal Information” is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal Information does not include:


•       Publicly available information from government records.

•       Information that Chipotle has a reasonable basis to believe is lawfully made available to the general public by the you or from widely distributed media (e.g. information you post on social media).

•       Information made available by a person to whom you disclosed the information if you did not restrict the information to a specific audience.

•       De-identified or aggregated information


Chipotle Systems” or “Systems” are any digital environment, application, platform, infrastructure or communication system used by Chipotle.  This term is intended to include any new technology, form of communication, or use that may be developed or acquired in the future for processing of Chipotle Data.  This includes, but is not limited to, the following:

§  Chipotle-owned or leased computers, mobile, tablets, or other devices;

§  Infrastructure, owned, leased, or licensed by Chipotle, whether on premise or cloud based, such as networks, servers, routers and data storage devices and media;

§  Communication systems (including those owned, leased, or licensed by Chipotle or personal devices when the personal device is used to process Chipotle Data) that use software managed by Chipotle; and

§  Any environment, application and / or infrastructure, whether on premise or cloud based, authorized or provided by Chipotle for any purpose, including development, production, quality assurance, monitoring, or testing.


"Chipotle Data" shall mean all information and material regarding Chipotle, its customers, employees, contractors or any of the entities or persons with whom Chipotle does business, including, but not limited to: (i) Personal Information which means personal information provided by or at the direction of Chipotle, or to which access was provided in the course of you providing services to Chipotle that identifies an individual or that can be used to authenticate, identify, or make identifiable an individual; (ii) Chipotle confidential and proprietary information (including trade secrets); (iii) other information Chipotle makes available to you for you to provide the Services; and (iv) all data, communications, and information processed, collected, sent, received, or stored on Chipotle Systems.


1.     Information We May Collect From or About Independent Contractors

We may collect Personal Information from or about you in a variety of different situations and using a variety of different methods, including, but not limited to, on our website, your mobile device, through email, in physical locations, through the mail, and/or over the telephone. Generally, we may at various times in the course of you providing services to Chipotle collect, receive, maintain, and use the following categories of Personal Information for any of the purposes listed below in this Notice and to the extent permitted under applicable law:



Personal Identifiers and Account Information

Name, alias, social security number, date of birth, driver’s license or state identification card number, passport number, Chipotle ID number, username and password for Chipotle accounts and systems, and any required security or access code, password, or credentials allowing access to your Chipotle accounts.

Contact Information

Home, postal or mailing address, email address, home phone number, cell phone number.

Professional Related Information

Information contained in tax forms/1099 forms, safety records, licensing and certification records, and performance records, and information related to services provided by Independent Contractors, including information in statements of work.

Financial Information

Information contained in invoices billed to Chipotle and in records of payments made to you by Chipotle, or other financial account information.

Pre-Contract Information

Information you provided in your portfolio or proposal for services, information gathered as part of vendor evaluation and reference checks and other assessments of your qualifications to provide services to Chipotle, information in work product samples you provided, and voluntary disclosures you provided to Chipotle.

Professional History and Education Information

Information regarding prior experience, positions held, and names of prior clients to which you provided services. Information regarding educational history and records of degrees and vocational certifications obtained.

Internet, Network, and Computer Activity

Internet or other electronic network activity information related to usage of Chipotle networks, servers, intranet, shared drives, or Chipotle-owned computers and electronic devices, including system and file access logs, security clearance level, browsing history, search history, and usage history.

Mobile Device Security Information

Data identifying independent contractor devices accessing Chipotle networks and systems, including cell phone make, model, and serial number, cell phone number, and cell phone provider.

Online Portal and Mobile App Access and Usage Information

Username and password, account history, usage history, file access logs, and security clearance level.

Visual, Audio or Video Recordings in the Workplace

Your image when recorded or captured in surveillance camera footage or pictures of independent contractors taken at a Chipotle facility, function or event, or in pictures or video of independent contractors posted on social media to which Chipotle has access or that are submitted to Chipotle by a third party.

Facility & Systems Access Records

Information identifying which independent contractors accessed secure Chipotle facilities, systems, networks, computers, and equipment and at what times using their keys, badges, login credentials, or other security access method.


Based on analysis of the personal information collected, we may develop inferences regarding behavior, abilities, and aptitudes for the purpose of determining whether or not to retain your services or extend your services.[JV2]

Medical and Health Information

Information related to infection disease or pandemic symptoms, exposure, contact tracing, diagnosis, testing, or vaccination.

Contents of Personal Communications where Chipotle is not the intended recipient

If you use Chipotle Systems for personal communications where Chipotle is not the intended recipient of the communication (“Personal Communications”), Chipotle retains these communications in the ordinary course of managing its communication and computer systems. Independent Contractors should refrain from using Chipotle Systems to send personal communications or conduct personal business as information, data, and messages that are accessed, processed, shared, retrieved and stored in Chipotle Systems are subject to monitoring. Chipotle may monitor, access, review and use all such communications and data for lawful business purposes detailed below, including to manage and evaluate your performance. Communications sent, received, or stored on Chipotle Systems are not generally private communications.  Unless applicable law provides otherwise, you do not have an expectation of privacy when using Chipotle Systems.


Of the above categories of Personal Information, the following are categories of Sensitive Personal Information Chipotle may collect:


1.     Personal Identifiers and Account Information (social security number, driver’s license or state identification card number, passport number; and your Chipotle account log-in, in combination with any required security or access code, password, or credentials allowing access to the account)

2.     Medical and Health Information


We will retain each category of personal information in accordance with our established data retention schedule. In deciding how long to retain each category of personal information that we collect, we consider many criteria, including, but not limited to: the business purposes for which the Personal Information was collected; relevant federal, state and local recordkeeping laws; applicable statutes of limitations for claims to which the information may be relevant; and legal preservation of evidence obligations.

We apply our data retention procedures on an annual basis to determine if the business purposes for collecting the personal information, and legal reasons for retaining the personal information, have both expired. If so, we will purge the information in a secure manner.

2.     How We Use Personal Information and Sensitive Personal Information

The Personal Information and Sensitive Personal Information we collect, and our use of Personal Information and Sensitive Personal Information, may vary depending on the circumstances. This Notice is intended to provide an overall description of our collection and use of Personal Information and Sensitive Personal Information. Generally, we may use or disclose Personal Information and Sensitive Personal Information we collect from you or about you for one or more of the following purposes:

1.              To fulfill or meet the purpose for which you provided the information.

2.              To comply with local, state, and federal law and regulations requiring businesses to maintain certain records (such as accident or safety records, and tax records/1099 forms), as well as local, state, and federal law, regulations, ordinances, guidelines, and orders relating to infectious disease, pandemics, or other public health emergencies.

3.              To engage the services of Independent Contractors and compensate them for services.

4.              To evaluate, make, and communicate decisions regarding an Independent Contractor, including decisions to enter into, renew, and/or terminate the contract.

5.              To grant contractors, including Independent Contractors, access to secure Chipotle facilities, systems, networks, computers, and equipment, and maintain information on who accessed such facilities, systems, networks, computers, and equipment, and what they did therein or thereon.

6.              Engaging in lawful monitoring of contractor, including independent contractors, activities and communications when they are on Chipotle premises, or utilizing Chipotle Systems, internet and WiFi connections.

7.              To implement, monitor, and manage electronic security measures on Independent Contractor devices that are used to access Chipotle networks and systems.

8.              To engage in corporate transactions requiring review of independent contractor relationships, services, and contracts, such as for evaluating potential mergers and acquisitions of Chipotle.

9.              To maintain commercial insurance policies and coverages.

10.           To evaluate, assess, and manage Chipotle’s business relationship with vendors, service providers, and contractors that provide services to Chipotle.

11.           To improve user experience on Chipotle computers, networks, devices, software applications or systems, and to debug, identify, and repair errors that impair existing intended functionality of our systems.

12.           To detect security incidents involving potentially unauthorized access to and/or disclosure of Personal Information or other confidential information, including proprietary or trade secret information and third-party information that Chipotle receives under conditions of confidentiality or subject to privacy rights.

13.           To protect against malicious or illegal activity and prosecute those responsible.

14.           To prevent identity theft. As necessary to engage in an audit, exercise its legal rights, including as necessary to defend itself against claims (e.g. pre-litigation and litigation).

15.           To verify and respond to consumer requests under applicable consumer privacy laws.

16.           Public Health Emergency, including infectious diseases, pandemics, or like for specific purposes.

a.     To reduce the risk of spreading the disease in or through the workplace.

b.     To protect employees, contractors, and customers from exposure to infectious disease or a pandemic related illness.

c.      To comply with local, state, and federal law, regulations, ordinances, guidelines, and orders relating to public health emergency, including an infectious disease or a pandemic, including applicable reporting requirements.

d.     To facilitate and coordinate an infectious disease or pandemic-related initiative and activities (whether Chipotle-sponsored or through the U.S. Center for Disease Control and Prevention, other federal, state and local governmental authorities, and/or public and private entities or establishments, including vaccination initiatives).

e.     To identify potential symptoms linked to an infectious disease or pandemic (including through temperature checks, antibody testing, or questionnaires).

f.      To permit contact tracing relating to any potential exposure.

g.     To communicate with employees, contractors, and customers regarding potential exposure to an infectious disease or pandemic related illness and properly warn others who have had close contact with an infected or symptomatic individual so that they may take precautionary measures, help prevent further spread of the virus, and obtain treatment, if necessary.


3.     Sale/Sharing of Information to Third Parties

We do not “sell” or “share” the Personal Information or Sensitive Personal Information of our Independent Contractors.

4.     Access to Privacy Policy

For more information, please review the Chipotle’s US Privacy Policy at