California and Other U.S. States Privacy Addendum
Last Updated: July 25, 2023
This California and Other U.S. States Privacy Addendum (“U.S. Privacy Addendum”) provides the information that U.S. states require us to tell you in addition to (not in place of) our online Global Privacy Notice. Please keep in mind that we are a vendor to many companies and those companies have their own privacy notices. We process claims under contract with them, so their privacy notices will apply to your information. This U.S. Privacy Addendum only applies where we are the business collecting and using your information and not doing so on behalf of other companies and not as an employer or future employer.
Each state’s laws apply to its residents only and are available when that state’s law is effective. The states use different terms, such as “personal data” or “personally identifiable information” or “personal information.” We will use “personal data” for all of them.
We reserve the right to amend this U.S. Privacy Addendum at our discretion and at any time. When we make changes to this notice, we will post the updated version on our website and include that date. Should you have any questions, once you’ve read this and the Notice, please contact us at email@example.com.
Notice to U.S. Residents of California and Other States
If you are a resident of certain states, such as California, Virginia, and others, your state may provide you with certain rights and require us to provide you with information on the data we collect, use, and share and other details.
Personal Data Collected
The U.S. states with privacy laws define personal information very broadly. Section 2 (Information We May Collect) of our Notice describes what we collect, but the table below describes the categories of personal data that we may collect. For California, this includes what we have collected within the past 12 months. California requires certain categories to be listed. If your state requires additional categories, that will be specified. Please also see Section 1 (Your Personal Data) of our Online Global Privacy Notice for more information.
|Name, mailing address, insurance policy number, IP address, email address, Social Security number, driver’s license number, passport number, or other similar identifiers.
|Characteristics of protected classifications under state or federal law (i.e., age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status).
|Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
|Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. We do not collect this data on a routine basis and would only do so in relation to a claim.
|Internet or other similar activity
|Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement, which may include your username, password and other identifiers set to access your network or any password-protected sites, applications, and other services, IP addresses, log files, login information, and software and hardware inventories.
|Physical location or movements.
|Audio, electronic, visual, thermal, olfactory, or similar information
|Professional or employment-related information
|Occupation, current or past employment history or performance evaluations.
|Non-public education information
|Education records directly related to a student maintained by an educational agency/institution, such as, grades, transcripts, class lists, student identification codes, student financial information, or student disciplinary records. It is possible for us to have an educational entity as a client or an insurance company who has an educational entity as a client. We may, therefore, obtain information of this nature if it is pertinent to the claim.
|Inferences drawn from other PI
|Inferences drawn from any of the information identified in this list to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. This information is not common for us to create, but it is possible that we do so.
|Sensitive Personal Information**
** We only collect Sensitive Personal Information if we need it to provide services to you and the law allows it.
California also has exceptions to what is considered personal data, such as information that is publicly available, aggregated, or not identifiable to a specific person, or that may be regulated under certain laws.
Where We Get Your Personal Data
We collect personal data directly from you, your devices, and activities, but also indirectly from the following sources:
- Our clients and business partners, such as corporate policyholders, insurers, brokers, network partners, employers, benefit plan sponsors, benefit plan administrators, health care providers, and their vendors/service providers.
- Other third parties, such as social media sites, advertising networks, analytics partners, and other third parties that we interface with.
- Publicly available information.
- Background checks and screening tools, such as industry fraud prevention and detection databases and credit agencies.
Please see Section 2 (How we get your Personal Data) of our Online Global Privacy Notice for more information.
Why We Have Your Personal Data (Purposes)
We use the types of personal data listed above to provide our Services to you, to operate, manage, and maintain our business as described in Section 3 (How and Why we Use your Personal Data) of our online Global Privacy Notice, and for other business and related purposes, such as:
- Counting ad impressions to unique visitors, checking how we position ads and their quality, and making sure we are doing what we say we do (our own compliance);
- Making sure we only use your Personal Information where it’s necessary and proportionate;
- Debugging to identify and repair errors;
- Short-term use such as showing you regular ads;
- Providing advertising and marketing services to you, except for cross-context behavioral advertising;
- Developing new products and services;
- Improving or changing the products and services we provide; and
- Other purposes allowed under state privacy laws.
Sharing Your Personal Data
In the preceding 12 months, we have disclosed all categories of Personal Data listed in the chart above for a business purpose. See Section 4 (Sharing your Personal Data) of our online Global Privacy Notice. Additionally, within the past 12 months, we may have disclosed personal data to our social media, advertising, and analytics partners/vendors, including certain identifiers (like your IP address or device identifier) and information about the use of our websites, applications, account logins, and/or Services collected automatically when you are on our website or using our services.
What is Sold or Shared to Third Parties
California Privacy Laws, along with a few other states, define “sale” as disclosing or making available personal data to a third party in exchange for monetary or other valuable consideration. The term “sharing” includes doing so for purposes of cross-context behavioral advertising and is considered a form of “sale.” While we do not “sell” personal data for money, the disclosures of certain identifiers, information about the use of our Sites, and other Internet or Similar Activity information may be considered “sharing” personal data because of how some state Privacy Laws define it. Please check below on how to opt out.
How Long We Keep Your Data
We keep your personal data as long as necessary to do what we collected it for, but also for any legal, regulatory, accounting, or reporting requirements. For additional details, please refer to Section 5 (Keeping Your Personal Data) of our online Global Privacy Notice. Where your data has been aggregated or de-identified so that we cannot tell who it relates to, we may keep the data indefinitely.
Your Privacy Rights
California Privacy Laws and other U.S. states provide their residents with specific rights regarding their personal data. Subject to certain exceptions, you have the right to make the following requests:
Right to Know/Access. You have the right to know if we process your information as a “controller” under most states (or a “business” under California law) and to access such information. You generally have the right to know the following.
- The categories of personal data we have collected about you;
- The categories of sources from which the personal data was collected;
- The business or commercial purpose for which the personal data was collected or sold;
- The categories of third parties to whom we disclose that personal data for a business purpose;
- The specific pieces of personal data we collected about you in a format easily understandable to the average consumer (also called a data portability request or a right to obtain data); and
For California - In addition, where we “sell” or “share” personal data, you have the right to request that we identify, during the past 12 months:
- The categories of personal data that we sold or shared, and the categories of third-party recipients; and
- The categories of personal data disclosed for a business purpose and the categories of recipients.
Right to Correct/Rectification. Subject to certain restrictions, you have the right to request that we correct inaccurate personal data that we have about you.
Right to Deletion/Erasure. Subject to several exceptions, you have the right to request that we delete any of your personal data that we collected from you and kept.
Right to Limit Use and Disclosure of Sensitive Personal Information. We only use your Sensitive Personal Data where reasonably necessary to perform services or where you might reasonably expect us to use it, and not for other unrelated purposes. The right to limit use and disclosure only applies where we would use or disclose your Sensitive Personal Data otherwise.
Right to Non-Discrimination. We will not discriminate against you for exercising any of your rights under any Privacy Laws.
Right to Opt-out of Certain Practices.
- Targeted advertising and profiling: Most states provide the right to opt out of targeted advertising and profiling.
- Selling for money: Most states provide the right to opt out of selling personal data for money. We do not sell personal data for money.
- Sharing or selling for valuable consideration: As discussed above, California has a concept of “sharing” personal data for purposes of analytics, ads, etc. In addition, other states may broaden the concept of selling personal data to selling it for valuable consideration (something in exchange). We do at times share personal data with third parties for analytics or for our own marketing purposes.
How to opt out: to the extent applicable, you may opt out using these methods:
- Using the “How to Exercise Your Privacy Rights” as described below; or,
Other California Privacy Rights. California’s “Shine the Light” law (Civil Code § 1798.83) permits California residents who are users of our websites to request certain information regarding our disclosure of personal data to third parties for their direct marketing purposes. We do not disclose your Personal Information to third parties for their direct marketing purposes.
How to Exercise Your Privacy Rights
How to Submit Your Requests
If you are a resident of a U.S. state that has Privacy Laws and would like to exercise your rights as described above, you may do so via any of the methods described below:
- Calling us at (877) 495-2198; or
- Sending an email to firstname.lastname@example.org
You may designate an authorized agent to make a request on your behalf. Authorized agents will be required to provide proof of their authorization. By law, we require a written authorization document, signed by you, containing the applicable state’s resident’s name, address, telephone number, and valid email address, and expressly authorizing the individual to act on your behalf. We may also require that you directly verify your identity and the authority of your authorized agent. We reserve the right to reject authorized agents who have not fulfilled the above requirements or automated requests under Privacy Laws where we have reason to believe your privacy or security is at risk.
We are required to verify the identity of individuals who submit a consumer request.
Upon receiving a request, we will confirm receipt of the request promptly and respond to the request typically within 45 calendar days from the date the request is received. If necessary, we may take an additional 45 calendar days to respond and if so, we will notify you of the extension and explain the reason(s) for the extension. States have limits on how often we are required to respond, which may be only once in a 12-month period.
You have the right to appeal our denial to act on your consumer rights under both the Connecticut and the Virginia Privacy Laws within a reasonable time. No other states have a right to appeal.
Call us at (877) 495-2198 or send an email to email@example.com.
You may also write to us at the Global Privacy Office at the following address:
Crawford and Company
5335 Triangle Parkway NW
Peachtree Corners, GA 30092