California Consumer Privacy Notice/Notice at Collection
Table of Contents
- CCPA Privacy Notice at Collection
- Collection and Use
- Sources of Personal Information
- Notice of Right to Opt Out of Sale/Sharing
- Notice of Right to Limit Use of Sensitive Personal Information
- Retention of Personal Information
- Consumer Access Requests
- “Right to Correct” Requests
- “Right to Request Deletion” Requests
- Opt Out Preference Signals
- Non-Discrimination
- Consumers Under 16 Years of Age
- Updates
- Contact Us
Maintaining the privacy and security of your personal information is McGriff’s highest priority. In doing so, we want to provide transparency regarding how and why your data is collected, how it is used, and with whom it may be shared. This document, as well as McGriff’s Privacy Notice and Online Privacy Practices, set forth how we will interact with your personal information. Specifically, it provides information on how you may exercise your rights under California law. This Notice is directed to consumers who reside in the state of California. That said, all of our clients are welcome to submit questions or requests about their data.
To help ensure transparency around our handling of consumer data, we have established a Consumer Submission template to facilitate requests related to accessing, correcting and potentially deleting your information. This template helps us meet certain legal and compliance requirements such as those under the California Consumer Privacy Act (CCPA). It also provides non-CA clients a mechanism to make similar requests.
CCPA Privacy Notice at Collection
McGriff’s Privacy Notice and Online Privacy Practices provide consumers details about our practices concerning the privacy of your data. This notice provides further information about our practices, along with details concerning how “Consumer Access” (“Right to Know”), “Right to Correct” and/or “Right to Request Deletion” requests may be submitted. This notice is designed to provide additional information not covered elsewhere on our site, and to ensure compliance with the notice provisions of the CCPA.
The following are some general notes about McGriff’s practices related to the collection, use and sharing of consumer data.
Collection and Use
As a financial institution, it is necessary for us to collect certain personal information from and/or about our clients in order to provide our products and services, fulfill consumer requests, to comply with the federal and state laws and other legal obligations. Below is a list of categories of data we may collect about our clients:
- Personal Information (“information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” as defined in the CCPA)
- Demographic/Protected class information
- Biometric information (ex: voice recordings when you contact a Call Center or leave a voicemail for a McGriff teammate)
- Commercial information
- Professional or employment-related information
- Education information
- Geolocation (ex: your IP address when visiting a McGriff website)
- Internet or other electronic network activity information
- Audio, electronic, visual, thermal or olfactory information
- Personally Identifiable Health Information
- Background/criminal record
- Marketing opt-out/preference information
- Inferences drawn from any of the above information
It is necessary for McGriff to share certain client data with affiliates and/or trusted service providers in order to provide our products and services, and to comply with legal and contractual obligations. When engaging such service providers, McGriff ensures that such partners will maintain the information in accordance with our privacy and security standards, and only use the data for the use(s) specified in the contract. While certain McGriff activities and responsibilities may be outsourced, McGriff recognizes and embraces ultimate accountability for the privacy and security of the data entrusted to us.
It is a violation of the McGriff Consumer Privacy Notice to share consumer information with non-affiliated third parties for their marketing purposes. Consumer information will not be shared with third parties (non-service providers) absent prior authorization from the client or their agents. Below are categories of third parties with whom we share personal information:
- Affiliates and other entities in the McGriff family
- Service Providers that provide various services to us
- Other parties when you authorize or direct us to share your information
- Government entities and other third parties as needed for legal or similar purposes
- Ad servers, networks, & exchanges
- Social media platforms
- Online publishers
- Data analytics providers
- Data providers and aggregators
- Advertising services platforms
- Market research companies
- Consumer survey companies
Purpose for Collection and Use
We collect information directly from you and from other sources in order to provide the products and services you have requested, to service your policy, maintain operational functions, to determine your eligibility for other products and services or to comply with federal and state laws and other legal obligations. In the past 12 months, we may have collected and used personal information for the following purposes:
- Deliver, manage, and support products and services (ex: account information, statements, notifications);
- Manage business operations;
- Assess and manage risk, manage internal financials;
- Meet legal, regulatory, or compliance requirements;
- Manage fraud and financial crimes;
- Support and optimize channels and interactions (ex: improving website performance);
- Identify and recommend new products and services;
- To manage hiring and ongoing employment, and to manage teammate / organizational performance and staffing
- Perform services on behalf of another entity or business (ex: processing data for commercial clients)
- Provide employee benefits and other services (ex: retirement, health, manage hiring, employment, performance, and staffing).
Sources of Personal Information
We may collect personal information about you from various sources in the course of providing products and services to you. Below is a list of the categories of sources from which we may obtain data:
- Directly from you or your guardians/representatives;
- Outside service providers, vendors, and third parties (such as insurance companies, intermediaries, brokers, or agents) from which we
- collect personal information or market data as part of providing products and services, completing transactions, or supporting operations;
- Outputs from analytics;
- Websites, mobile applications, and social media;
- Our affiliates or subsidiaries;
- Public records or publicly available data.
Notice of Right to Opt Out of Sale/Sharing
You may at any time direct McGriff to stop selling or sharing your personal information, which is called the “Right to Opt Out.” Once you make an opt out request, McGriff will comply within 15 business days, and will wait at least 12 months before asking you to reauthorize sales or sharing. You may exercise your right to opt out of sale/sharing by calling 866-858-5158, by clicking the link or on the McGriff home page, or by enabling a preference signal, described further in the section titled “Opt Out Preference Signals”.
Notice of Right to Limit Use of Sensitive Personal Information
CCPA provides you with a “right to limit” companies from using your sensitive personal information to infer characteristics about you for certain purposes – for example, for marketing. Since McGriff does not engage in any of those limitable activities, we do not provide a related opt out.
Retention of Personal Information
McGriff has established product and business-level criteria for retention and disposal according to business requirements, laws, regulations, and applicable industry standards.
Consumer Access Requests
Consumers may exercise their “Right to Know” under the CCPA to request that McGriff disclose categories of information we may have collected about them over the last 12 months, the categories of sources from which that information was collected, the business or commercial purpose(s) for which the information was collected, and the categories of third parties with whom we share personal information.
Consumers are welcome to submit requests for more information:
- Submit a data access request for yourself
- Submit a data access request on behalf of another individual
- Submit a data access request on behalf of a company
Consumers are also welcome to submit requests by calling 866-858-5158.
All requests must be verified prior to receiving a response, using McGriff authentication protocols. Requesters will be asked to supply certain basic Personal Information to enable us to validate the requestor is the consumer who is subject to the request, such as name, social security number and address. Information submitted for verification purposes will only be used to verify the requestor’s identity and/or authority to make a request on another’s behalf.
Requests made on another person’s behalf can only be accepted upon receipt of documentation that the requestor is an authorized agent, parent or legal guardian of the consumer whose information is being requested. This will require the submission of a valid Power of Attorney, Birth Certificate, approved Truist authorization form, Guardianship Order or other court order granting authority to receive information, as appropriate.
Upon submission of a request, CA consumers will receive an initial response confirming receipt within 10 days. A full response will be provided to CA consumers within 45 days (unless an extension of up to 45 additional days is requested, upon which the consumer will receive notice and an explanation for the extension).
Please note that McGriff is taking advantage of the exemption within the CCPA for data collected pursuant to the Gramm-Leach-Bliley Act (GLBA). This enables us to best protect the security of our clients when responding to requests. Data provided pursuant to GLBA is often highly sensitive Personal Information, including financial data, that could lead to identity theft should it land in the wrong hands. Therefore, specific pieces of data collected pursuant to GLBA will not be provided through the Consumer Rights Access Request Portal.
“Right to Correct” Requests
You have the right to request correction of inaccurate information maintained by McGriff. In many instances, such updates are best made by logging into your online account or employee portals, or by calling 866-858-5158, and some corrections may require specific documentation to be provided as required by law. If you provide us documentation, it will only be used or maintained for the purpose of correcting the information and complying with our recordkeeping requirements under the CCPA. McGriff also provides a request link and the privacy request line as described above.
“Right to Request Deletion” Requests
Consumers also have a right under the CCPA to request deletion of their Personal Information collected or maintained by McGriff.
The submission methods, authentication protocols, and time frames for response are identical to those referenced above in the “Consumer Access Requests” section. Keep in mind that the GLBA exemption and other legal exemptions may also apply to these requests. For example, McGriff cannot delete data provided by a client to service an active (or recently active) account, because such data is still needed to provide the product or service and/or meet legal retention requirements. Another example would be the inability to delete certain data that is subject to a legal hold.
McGriff will explain in its response the manner in which it has deleted the personal information. Or, if an exemption applies restricting McGriff’s ability to delete the data, McGriff will describe the basis for the denial of the request in its response. Should an exemption apply precluding the destruction of the data, McGriff will not use the consumer’s personal information for any other purpose than provided for by that exemption (for example, if certain data cannot be deleted due to a legal hold, we will ensure that such data is no longer used for McGriff marketing purposes).
Please note McGriff is also a service provider; for example, managing employee benefits solutions. If you are an employee, customer, representative, or otherwise associated with one of these clients, we encourage you to reach out to the business directly to exercise your rights specific to this information.
Opt Out Preference Signals
Your internet browser may give you more control over your privacy preferences via a Global Privacy Control (GPC) signal. This is a setting in your browser that notifies the websites you visit of your preferences to opt out of selling or sharing your personal information under California law. If you have opted out via the GPC signal, McGriff sites will recognize this signal and process your preference automatically as it pertains to tags, cookies and pixels that collect personal information when you visit McGriff.com. Please note, you will need to enable the signal on each browser that you use, as the signal is processed at the browser-level and is not applied if you visit McGriff.com from a different browser or device that does not have the GPC signal enabled.
Non-Discrimination
The submission of a Right to Know or Right to Request Deletion request will have no impact on the service and/or pricing you receive from McGriff Insurance Services. It will not result in any denial of goods or services, or different prices, rates or quality of goods or services, nor will it result in retaliation against an employee, applicant, or independent contractor.
Consumers Under 16 Years of Age
McGriff does not knowingly sell the personal information of minors under the age of 16 or share such information for cross-contextual advertising.
Updates
This California Consumer Privacy Notice may be revised from time to time, so please review this page periodically. Any changes will become effective when we post the revised notice on the site (please note the effective date listed at the bottom of this page). If we revise this or other privacy notices in a manner that materially changes our privacy practices, we will provide conspicuous notice on our website.
Contact Us
If you have any questions or comments on this notice or our privacy practices generally, please contact us at 866-858-5158.
Updated May 2024
Copyright © 2024 Marsh & McLennan Agency LLC. All rights reserved. CA license # #0H18131