California Residents: Your privacy rights under the California Consumer Privacy Act (CCPA)
Effective Date: January 1, 2020
The California Consumer Privacy Act (CCPA) gives California residents certain privacy rights with respect to some of the personal information we collect. These rights are:
- The right to notice of the personal information we collect
- The right to know the categories, sources and specific pieces of personal information we have collected about you in the past 12 months, including our purpose for collecting the information and the categories of third parties with whom we share that personal information, subject to certain exceptions
- The right to delete some or all of the personal information we collect, subject to certain exceptions
- The right to opt-out of our sale of your personal information, if we sell your personal information
This privacy notice describes the steps you must take to exercise these rights, how we will verify your identity, and how we will respond to your requests.
Your rights under the CCPA are limited. In some cases, federal law protects certain classes of personal information that we collect, such as all the information we collect in order to provide you with financial and insurance products and services. Such personal information is excluded from the CCPA. Personal Information does not include:
- Publicly available information from government records
- De-identified data (where personally identifiable information has been removed) or aggregated consumer information (information provided in a summary format)
- Information excluded from the CCPA's scope, like:
- health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 and the California Confidentiality of Medical Information Act or clinical trial data; personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act or California Financial Information Privacy Act, and the Driver's Privacy Protection Act of 1994.
Notice of Collection
We collect personal information about California residents from a variety of sources and use it for purposes related to our business. We may disclose personal information to our service providers in order to manage consumer accounts, provide goods and services to our consumers, market our products, improve our business, including our marketing services, and respond to legal and regulatory requirements. A fuller description of the purposes for which we collect the personal information of our consumers is provided below.
The personal information we collect includes not only clear personal identifiers, but also any information that directly or indirectly can be associated with, or linked to, our consumers or their households. Below are the categories of personal information we collect about our consumers, the sources of that information, the purposes for which we use personal information and the types of third parties with whom we have shared personal information in the past 12 months.
For more information on the purposes for which we use personal information, see the section below on “Purposes for which we use your data.”
Personal Information We Collect, Use and Share
Categories of Personal Information we collected | Sources of Personal Information | Purposes for which We use your data | Disclosed for a Business Purpose in the last 12 months? |
Types of third parties with whom we have shared Personal Information in the past 12 months |
---|---|---|---|---|
Personal Identifiers: your name, alias, postal address, email address, unique personal identifier, online identifier, account name, Internet Protocol address, social security number, driver’s license number, passport number, or other similar identifiers. We may collect similar information about your spouse, children and beneficiaries. |
|
We may use this data for a number of our operational functions, including underwriting and issuing insurance policies; providing services under your insurance contract; meeting our legal and compliance obligations; detecting security incidents; performing data analytics and engaging our customers; improving our technology and systems, and marketing our products to you directly and through our joint marketing partners. | Yes |
|
Additional personal identifiers: your signature, physical characteristics or description, insurance policy number, bank account, credit card and debit card number, or any other financial information, medical information, and health, life or other insurance information, including your claims history |
|
We may use this data for a number of our operational functions, including underwriting and issuing insurance policies; providing services under your insurance contract; meeting our legal and compliance obligations; detecting security incidents; performing data analytics and engaging our customers; improving our technology and systems, and marketing our products to you directly and through our joint marketing partners. | Yes |
|
Sensitive information protected by federal or state law: your age, gender, familial status, disability, sex, national origin, marital status, veteran status, medical condition, ancestry, source of income, and genetic information |
|
We may use this data for a number of our operational functions, including underwriting and issuing insurance policies; providing services under your insurance contract; meeting our legal and compliance obligations; detecting security incidents; performing data analytics and engaging our customers; improving our technology and systems, and marketing our products to you directly and through our joint marketing partners. | Yes |
|
Commercial information: records of your personal property, products or services you have purchased or considered, and other histories or tendencies to purchase or consume particular products and services |
|
We may use this data for a number of our operational functions, including underwriting and issuing insurance policies; providing services under your insurance contract; meeting our legal and compliance obligations; detecting security incidents; performing data analytics and engaging our customers; improving our technology and systems, and marketing our products to you directly and through our joint marketing partners. | Yes |
|
Biometric information: physiological, biological or behavioral characteristics that can be used to identify you, such as fingerprints, retina scans, photos used for facial recognition and genetic information |
|
We may use this data for a number of our operational functions, including underwriting and issuing insurance policies; providing services under your insurance contract; meeting our legal and compliance obligations; detecting security incidents; performing data analytics and engaging our customers; improving our technology and systems, and marketing our products to you directly and through our joint marketing partners. | No |
|
Internet or other electronic network activity information: browsing history, search history, and information about your interaction with a website, online application and advertisements |
|
We may use this data for a number of our operational functions, including underwriting and issuing insurance policies; providing services under your insurance contract; meeting our legal and compliance obligations; detecting security incidents; performing data analytics and engaging our customers; improving our technology and systems, and marketing our products to you directly and through our joint marketing partners. | Yes |
|
Geolocation data |
|
We may use this data for a number of our operational functions, including underwriting and issuing insurance policies; providing services under your insurance contract; meeting our legal and compliance obligations; detecting security incidents; performing data analytics and engaging our customers; improving our technology and systems, and marketing our products to you directly and through our joint marketing partners. | Yes |
|
Sensory information: audio, electronic, visual, thermal, olfactory or similar information, including voice signatures and recorded calls |
|
We may use this data for a number of our operational functions, including underwriting and issuing insurance policies; providing services under your insurance contract; meeting our legal and compliance obligations; detecting security incidents; performing data analytics and engaging our customers; improving our technology and systems, and marketing our products to you directly and through our joint marketing partners. | Yes |
|
Professional or employment-related information: such as your job title, job history, income |
|
We may use this data for a number of our operational functions, including underwriting and issuing insurance policies; providing services under your insurance contract; meeting our legal and compliance obligations; detecting security incidents; performing data analytics and engaging our customers; improving our technology and systems, and marketing our products to you directly and through our joint marketing partners. | Yes |
|
Educational information not publicly available: your level of education, schools attended, your degrees |
|
We may use this data for a number of our operational functions, including underwriting and issuing insurance policies; providing services under your insurance contract; meeting our legal and compliance obligations; detecting security incidents; performing data analytics and engaging our customers; improving our technology and systems, and marketing our products to you directly and through our joint marketing partners. | Yes |
|
Inferences drawn from any of the above categories of information to create a profile about you: Information about your preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. |
|
We may use this data for a number of our operational functions, including underwriting and issuing insurance policies; providing services under your insurance contract; meeting our legal and compliance obligations; detecting security incidents; performing data analytics and engaging our customers; improving our technology and systems, and marketing our products to you directly and through our joint marketing partners. | Yes |
|
Purposes for which we use your data
We may use your data for the following business purposes:
- To consider your application for insurance, assess and evaluate institutional risk and provide you with an insurance product and services, where applicable;
- To administer your insurance product and maintain your account, including processing premium payment, processing claims, administering benefits and paying out withdrawals, surrenders and claims settlements, and encouraging customer engagement;
- To provide account statements and other required documents;
- To respond to court orders and legal investigations or as otherwise required or permitted by federal and state law;
- To comply with legal requirements;
- To report to consumer reporting agencies;
- To authorize, settle and clear the collection of amounts charged, debited or otherwise used to pay premium or receive payments and the audit of such information;
- To prevent and detect security incidents, fraud, money laundering, unauthorized access, data destruction and other crimes;
- To obtain reinsurance, or stop loss or excess loss insurance on our operations;
- To improve our products and technology, carry out market research, perform data analytics, risk modeling and statistical analysis and for mergers and reorganizations;
- For marketing and analytic purposes.
Your Rights under California’s Privacy Law
Right to know
You have a right to ask us to disclose certain personal information that we have collected about you over the 12 months before we received your request. You, or your authorized agent, may ask us to disclose, subject to certain exceptions:
(i) the categories of personal information we have collected;
(ii) the categories of sources for the personal information we collected about you;
(iii) the purposes for which we collected the personal information;
(iv) the categories of third parties with whom we have shared the personal information; and
(v) the specific pieces of personal information that we have collected.
Before we respond to your request to know, we must verify the identity of the requestor. Our process for verifying the identity of the requestor is described below.
Right to delete
You have the right to ask us to delete some or all of the personal information we have collected or maintained about you, subject to certain exceptions.
Before we respond to your request to delete personal information, we must verify the identity of the requestor. Our process for verifying the identity of the requestor is described below.
Right to non-discrimination if you exercise your consumer rights
We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by law, we will not do any of the following to you if you exercise your CCPA rights:
- Deny you goods or services
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties
- Provide you a different level or quality of goods or services
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services
Ability to opt-out of third-party cookies
We do not sell personal information about current or former customers to any third parties. We may allow third-party advertising cookies to be placed on your browser or mobile device when you visit our website. You may opt-out of third-party cookies. For more information on third party cookies and for instructions on how you can opt-out of third party cookies, go to the section of our Privacy Policy that describes our Cookie Policy.
How to submit a request to exercise your rights
Authorized Agent
You may designate an authorized agent to submit a request to know or a request to delete on your behalf.
If that agent is not already authorized to access your account in your profile, please submit a notarized special power of attorney in writing that provides the authorized agent with permission to make a request to know or a request to delete on your behalf. We may also ask you to verify your identity directly with us.
We will deny a request from an authorized agent that does not submit proof that they have been authorized by you to act on your behalf
Request to know: You or your authorized agent may submit a request to know by completing this webform [provide link] or by calling this toll-free number – 1.800.888.2461 – to speak to a customer service representative.
If we deny your request in whole or in part, we will provide you with an explanation or direct you to our general business practices for collecting personal data. Under no circumstances will we provide the requestor with a consumer’s Social Security number, driver’s license number or other government-issued identification number, financial account numbers, any health insurance or medical identification numbers, any account passwords, or any security questions and answers. If you maintain a password-protected account with us, we may comply with your request to know by using a secure self-service portal for you to use to access, view and receive a portable copy of your personal information. We will use reasonable security measures when transmitting information to a consumer.
Request to delete: You or your authorized agent may submit a request to delete all or some of your personal information by completing this webform [provide link] or by calling this toll-free number – 1.800.888.2461 – to speak to a customer service representative.
Submitting a request to delete is a two-step process. After you submit a request to delete, we will ask you separately to confirm that you want all or some of your personal information deleted.
Once we receive your verified request to delete and confirm your identity, we will delete (and direct our service providers to delete) your personal information from our records, unless the information is subject to other laws or we need the information to:
- Complete the transaction for which we collected the Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities
- Debug products to identify and repair errors that impair existing intended functionality
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 seq.)
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us
- Comply with a legal obligation
- Make other internal and lawful uses of that information that are compatible with the context in which you provided
How we will verify your identity
Only you, or an authorized agent, may submit a request to know or to delete your personal information. You may also make a request on behalf of your minor child.
You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will use the personal information you provide to us when submitting a consumer request only to verify the requestor's identity or authority to make the request.
Policy/Contract owners who have a web-access account: if you have a web-based account with us that has a password, we will verify your identity using our existing authentication process. We may require you to correctly match at least two data points we have previously collected about you. We will match this information against information we have previously collected about you to verify your identity and your request. If we are unable to verify your identity as part of your request, we will not honor your request.
Policy/Contract owner who do not have a web-access account: If you do not have a web-access account with us, we will require the following information to verify your identity:
- For requests to know categories of personal information: We will require you to correctly match at least two data points we have previously collected about you.
- For requests to know specific pieces of personal information we have collected in the past 12 months: We will require you to correctly match at least three data points we have previously collected about you. We may also require you to sign a declaration under penalty of perjury that the requestor is the consumer whose personal information is being requested.
- For requests to delete: We will require you to correctly match at least two or three data points we have previously collected about you, depending on the sensitivity of the personal information you are requesting. We may also require you to sign a declaration under penalty of perjury that the requestor is the consumer whose personal information is being requested.
Data we may request to verify your identity: When we request additional information from you to verify your identity, we may request other account information, answers to security questions, your name, government identification number, date of birth, contact information, or other personal identifying information.
How we will respond to your request
We intend to confirm receipt of your request within 10 days and to respond to a verified request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. We will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding our receipt of a verified request from you. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For requests to know the specific pieces of information we have collected, we will select a format to provide your Personal Information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request
For more information, contact:
Chief Compliance Officer
Security Benefit
One Security Benefit Place
Topeka, Kansas 66636-0001