With the rapid growth of technology in our lives, we are dedicated to safeguarding our customers’ personal information and prioritizing cybersecurity. This commitment is reflected in our governance structure; our data security policies and procedures; and our systems to measure, monitor, and respond to data breaches and cyberattacks. Our associates at Williams-Sonoma, Inc., as well as third parties who provide services on our behalf, are required by policy, practice, and contract, if applicable, to treat customer information with care. Our policies and standards are reinforced by training and engagement to ensure that the privacy and security of our customers is central.
Cybersecurity Governance and Strategy
Our commitment to protecting our customers’ privacy begins at the leadership level. Our Chief Technology Officer and Chief Information Security Officer are responsible for overseeing our cybersecurity strategy, including our data protection policy. Dedicated members of our legal team work directly with the Chief Information Security Officer and the rest of the information security team to assess and update our strategy, policy, and programs on an annual basis. These annual updates undergo full Board of Directors review. Once approved, updates are posted publicly as part of our Privacy Policy or published internally for associates and integrated into our training curriculum.
Data Protection
Our data protection policy governs all relevant businesses and subsidiaries, and is designed to limit the collection of personal information. To protect the information that we do collect and to maintain the integrity of our internal systems, we use a series of technologies and practices to prevent data security breaches and to detect and respond to potential data security issues. We perform internal testing and assessments monthly and undergo third-party assessments on a quarterly basis. We also utilize external independent audits, conducted at least once a year by a QSA (Qualified Security Assessor), for PCI compliance and third-party penetration tests.
Privacy Policy, Right to Access & Delete Data
Williams-Sonoma, Inc. complies with all data protection and privacy laws. Our brands support and adhere to the guidelines and practices adopted by the Direct Marketing Association’s Privacy Promise to American Consumers. We have agreed to:
- Provide customers with notice of their ability to opt out of information rental, “sale”, or exchange with other marketers
- Honor customers’ requests not to share their contact information with other marketers
- Honor customers’ requests not to receive mail, telephone, or other solicitations from Williams-Sonoma, Inc. brands.
As a further commitment to obtaining customer data lawfully and to transparency in the ever-growing security awareness culture, WSI actively monitors changes in laws and regulations and complies accordingly. WSI’s Privacy Policy, featured on our corporate website as well as each of our brand websites, details our compliance with data privacy regulations, customer rights and notifications, types of personal information collected, use and opt-out terms, and methods to secure data. We provide consent disclosures on our websites at the point of collection, including direct marketing opt-in and SMS opt-in, and all disclosures include links to the Privacy Policy. For example, we comply with the California Consumer Privacy Act (“CCPA”), which gives California consumers the right to access and delete data.
For international shipping orders, Williams-Sonoma, Inc. brands partner with Borderfree, Inc. (“Borderfree”). We have contracted with Borderfree to assure that they will carefully process customer information consistent with WSI’s Privacy Policy.
Consent & Notification
We do not sell or transfer customer information to third parties in exchange for money. However, we do transfer personal information to certain third parties in order to operate our business (for example, to optimize search preferences). We respect our customers’ choices when it comes to handling their information, which is why we are transparent about this process and provide the opportunity to opt out of this practice.
In addition, when we do collect or share personal information for legitimate business purposes, we obtain consent from our customers, and our Privacy Policy dictates our terms for the use of personal information. We regularly work to review and enhance our standard operating procedures, policies, and standards. This is an example of WSI’s commitment to implementing the leading data security safeguards, which has reduced the threat and occurrence of data privacy incidents. However, in the event of a policy change or data breach, our policy requires that we notify data subjects in a timely manner.
Training & Verification
WSI trains all management, associates, and contractors on its data protection policy, customer data handling, and use requirements at least annually in order to create a compliance-minded awareness in our workforce. We require additional annual security training for all associates who have access to information systems. The Technology Security Team regularly conducts privacy risk assessments and audits, and at a minimum, annually audits external vendors who handle any customer information. As a united front, we work diligently to protect our customers’ personal information while creating a space to educate our associates and the surrounding community alike.
With the rapid growth of technology in our lives, we are dedicated to safeguarding our customers’ personal information by using a number of data security policies and procedures as routine practice at Williams-Sonoma, Inc. Our associates, as well as third parties who provide services on our behalf, are required by policy and practice, as well as by contract, if applicable, to treat customer information with care.
To protect our customers’ personal information and maintain the integrity of our internal systems, we use a series of technologies and practices to prevent data security breaches and to detect and respond to potential data security issues. We also utilize external independent audits, conducted at least once a year, for PCI compliance and third-party penetration tests.
Reporting & Grievance
We understand the importance of associates knowing their rights and addressing violations when necessary. Associates can make an anonymous comment about concerns or potential violations related to information security/cybersecurity by using WSI’s Ethics Hotline.