We’re here to help you break through complex challenges and achieve next-level success.
Last Updated August 2025
Milliman, Inc. and its affiliates (“Milliman” or “we”) take data privacy very seriously. This U.S. Data Privacy Policy (“Data Privacy Policy”) sets out the principles governing Milliman’s use and protection of personal information of individuals (consumers or residents) in the U.S. (“you”) that individuals and clients share with us. These disclosures are intended to supplement the disclosures contained in the Milliman Global Data Privacy Policy. This Data Privacy Policy applies to Milliman’s data collection and use through this website and through its business operations in the United States.
This Data Privacy Policy relates to U.S. state privacy laws, including state consumer health privacy laws, hereafter “U.S. State Privacy Laws”, including but not limited to the California Consumer Privacy Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Montana Consumer Data Privacy Act, the Oregon Consumer Privacy Act, the Texas Data Privacy and Security Act, the Utah Consumer Privacy Act, the Virginia Consumer Data Protection Act, the Nevada My Health My Data and the My Washington My Data Act.
Please also refer to Milliman’s B2B Business Contact Notice at Collection for disclosures related to the California Consumer Privacy Act.
This Data Privacy Policy does not address or apply to Milliman’s handling of:
Milliman does not maintain a distinct Washington Health Data Privacy Policy due to its role as a Data Processor in handling personal information pertaining to Washington resident that identifies their past, present, or future physical or mental health status (“Health Data”).
For some unique services, Milliman hosts and maintains its own proprietary software platforms (“Platforms”). These Platforms allow Milliman to offer enhanced services and more specialized products to our customers. In some cases, these software platforms may require submissions of personal information by customers. In cases where our data collection is materially different than what we describe in this Privacy Policy, we will provide additional disclosures regarding such data collection on the applicable Platforms.
Depending on your state of residence and subject to certain exceptions, you may have certain data privacy rights. Privacy rights pertaining to personal information collected in a commercial or employment context are subject only to the California Consumer Privacy Act of 2018 (CCPA) and are processed by Milliman in its capacity as a Business (as defined in the California Consumer Privacy Act). Privacy rights associated to personal information processed by Milliman as a Service Provider or Data Processor (as these terms are defined under U.S. State Privacy Laws) are contingent upon our clients’ privacy policies. In such instances, Milliman would forward your request to its clients as per Milliman’s contractual obligations.
Under the California Consumer Privacy Act of 2018 ("CCPA") as amended by the California Privacy Rights Act ("CPRA"), 2023:
Right to Access. You have the right to confirm whether we are processing your personal information and to access that data. You have the right to know:
In connection with any personal information, we may sell or share to a third party for a business purpose, you have the right to know:
Right to Opt-Out of the Sale or Sharing of Personal Information. You have the right to opt-out of the sale or sharing of your personal information. Please be aware that Milliman as a Business (as defined in the California Consumer Privacy Act) is not in the business of selling or sharing personal information and that Milliman has not sold nor shared personal information in the precedent twelve (12) months. Milliman does therefore not offer a mechanism to exercise the right to opt-out. If such requests are addressed to Milliman in its capacity as a Service Provider (as defined in the California Consumer Privacy Act), Milliman would forward your request to its clients in their capacity as Businesses as per Milliman’s contractual obligations.
Right to Limit the Use and Disclosure. We use and/or disclose sensitive personal information for the permitted purposes specified in the CCPA and therefore do not offer a mechanism to exercise the right to limit the use of sensitive personal information.
Right to Deletion. You have the right to request that Milliman delete the Personal Information it has collected or maintains about you. Once a verified request is received, Milliman will let you know what, if any, Personal Information can be deleted from its records, and Milliman will direct any service providers and contractors to whom it disclosed your Personal Information to also delete your Personal Information from their records.
There may be circumstances where Milliman cannot delete your Personal Information or direct service providers or contractors to delete your Personal Information from their records. Such instances include, but are not limited to, enabling solely internal uses that are reasonably aligned with your expectations based on your relationship with Milliman and compatible with the context in which you provided the information or to comply with a legal obligation.
Right of Correction. You have the right to correct inaccurate personal information that we maintain about you, taking into account the nature of that information and purpose for processing it.
Protection Against Discrimination. You have the right to not be discriminated against by us because you exercise any of your rights.
Right of Portability. You have the right to obtain your personal information in a portable and readily usable format that allows you to transmit the data to another entity without hindrance.
Requests for the application of your rights may be submitted by either:
The verifiable request must:
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable request does not require you to create an account with us. We will only use personal information provided in a verifiable request to verify your identity or authority to make the request.
The above applies regardless of whether a request is submitted by you on your own behalf, by an authorized representative on your behalf, or by you on behalf of your minor child.
We endeavor to respond to a verifiable request within 45 days of its receipt. If we require more time (up to 90 days depending on applicable U.S. State Privacy Law), we will inform you of the reason and extension period in writing. For requests subject to California Consumer Privacy Act of 2018 (CCPA), any disclosures we provide will only cover the 12-month period preceding the verifiable request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
Depending on applicable U.S. State Privacy Law, we will not charge a fee to process or respond to your verifiable request unless it is excessive, repetitive, or manifestly unfounded. In addition, we may charge an additional amount for a second or subsequent request within a 12-month period. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
We collect information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household.
Our collection, use and disclosure of personal information about individuals in the U.S. will vary depending upon the circumstances and nature of our interactions or relationship with such individuals. The sections below set out generally the categories of personal information about U.S. individuals that we collect from and disclose to others for a business purpose. We collect these categories of personal information from the sources described in the Sources of Information Collected section below, and for the purposes described in the Categories of Personal Information Collected and Purpose of Collection section below.
We have collected the following categories of personal information from U.S. individuals within the last twelve (12) months. Personal information related to individuals acting in a commercial or employment context are subject only to the California Consumer Privacy Act of 2018 (CCPA). This information pertains solely to California residents. We act as a Business (as defined in California Consumer Privacy Act) when processing such personal information. Additionally, we may process personal information as a Service Provider or Data Processor (as these terms are defined under U.S. State Privacy Laws) to our clients. That information is subject to our clients’ privacy policies.
|
Categories of Personal Information Collected |
Purposes Personal Information, Including Sensitive Information, is Used |
|---|---|
|
Identifiers and Contact Information. This category includes names, alias, postal address, gender, telephone numbers, mobile numbers, unique personal identifiers, online identifier, Internet Protocol address, email address, signature, account name, dates of birth, bank account information, citizenship status, marital status, demographic data (including age, nationality, place of birth), and other similar contact information and identifiers. |
· Collect and process employment applications, including confirming eligibility for employment, recruitment, background and related checks, onboarding, and offboarding. · Process payroll, other forms of compensation, and employee benefit plan and program design and administration, including enrollment and claims handling, and leave of absence administration. · Maintain personnel and exam records, including evaluations, and record retention requirements. · Comply with applicable state and federal labor, employment, tax, benefits, workers’ compensation, disability, equal employment opportunity, workplace safety, and related laws. · Analyze human resources trends and metrics. · Provide career development, coaching, and training opportunities. · Communicate with employees and/or employees’ emergency contacts and plan beneficiaries. · Prevent unauthorized access to or use of Milliman’s property, including Milliman’s information systems, electronic devices, network, data, and information. · Ensure adherence to Milliman’s policies. · Investigate complaints, grievances, and suspected violations of internal policies. · Monitor attendance, including vacation, sick leave, and other absences. · Provide general corporate services. · Store, process, and manage employee information using human resources information systems. · Adhere to whistleblowing procedures. · Collect and process scholarship applications. · Provide global mobility and immigration services. · Contract administration. · Provide various professional services to clients in its capacity as a Service Provider or Data Processor. · Execute and perform client engagements (where it manages the administration of contracts). · Maintain client accounts. · Fulfill and respond to requests and inquiries about Milliman products or services. · Send marketing communications, surveys, and questionnaires. · Operate Milliman’s business. · Manage the relationship with clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract. · Communicate with clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract. |
|
Personal Information categories listed in California Civil Code § 1798.80(e). This category includes insurance policy number, employment history, medical information, or health insurance information (generally in pseudonymized form or de-identified). |
· Collect and process employment applications, including confirming eligibility for employment, recruitment, background and related checks, onboarding, and offboarding. · Process payroll, other forms of compensation, and employee benefit plan and program design and administration, including enrollment and claims handling, and leave of absence administration. · Provide various professional services to clients in its capacity as a Service Provider or Data Processor (the personal information is typically in pseudonymized form or de-identified). |
|
Protected Classification Information. This category includes characteristics of protected classifications under California or federal law, such as race, color, religion or creed, national origin or ancestry, citizenship, medical condition, physical or mental disability, age (40 years or older), sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, and veteran or military status. |
· Comply with applicable state and federal equal employment opportunity, pay equity, and pay transparency laws. · Design, implement, and promote Milliman’s diversity, equity, and inclusion programs. · Investigate complaints, grievances, and suspected violations of Milliman policies. · Provide various professional services to clients in its capacity as a Service Provider or Data Processor (the personal information is typically in pseudonymized form or de-identified). |
|
Commercial information. This category includes products or services provided, obtained, or considered. |
· Contract administration. · Execute and perform client engagements. · Provide various professional services to clients. · Activate and maintain client accounts. · Providing offers and information to you about products, services, or events offered. · Maintain client account. · Send marketing communications, surveys, and questionnaires. |
|
Biometric Information. This category can include identifiers or identifying information, such as fingerprints. |
· Comply with industry and legal requirements, including background check requirements. |
|
Internet or other Electronic Data. This category includes, without limitation:
|
· Prevent unauthorized access to or use of Milliman’s property, including Milliman’s information systems, electronic devices, network, data, and information. · Information Technology (IT) security purposes, including incident responses. · IT administration, including providing backups, software installation, helpdesk services, the logging and monitoring of network activity and the administration of Milliman’s cloud platform. · Investigate complaints, grievances, and suspected violations of Milliman policies. · Analyze how our websites are used, accessed, and how they are performing. · Operate Milliman’s business. · Manage the relationship with clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract. · Communicate with clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract. |
|
Audio, electronic, and visual information. This category includes information collected from cameras, microphones, and similar devices. |
· Prevent unauthorized access to or use of Milliman’s property, including Milliman’s server rooms. · Conduct interviews and meetings. · Providing offers and information to you about products, services, or events offered. |
|
Professional or Employment-related Information. This category includes, without limitation:
|
· Collect and process employment applications, including confirming eligibility for employment, recruitment, background and related checks, onboarding, and offboarding. · Process payroll, other forms of compensation, and employee benefit plan and program design and administration, including enrollment and claims handling, and leave of absence administration. · Maintain personnel and exam records, including evaluations, and comply with record retention requirements. · Communicate with employees and/or employees’ emergency contacts and plan beneficiaries. · Provide various professional services to clients in its capacity as a Service Provider or Data Processor. · Comply with applicable state and federal labor, employment, tax, benefits, workers compensation, disability, equal employment opportunity, workplace safety, and related laws. · Business management. · Investigate complaints, grievances, and suspected violations of Milliman policies. · Analyze human resources trends and metrics. · Provide learning and career development, coaching, and training opportunities. · Store, process, and manage employee information using human resources information systems. · Monitor attendance, including vacation, sick leave, and other absences. · Verification of employment. · Adhere to whistleblowing procedures, including collection of information and administration. · Provide global mobility and immigration services. · Provide various professional services to clients in its capacity as a Service Provider or Data Processor (the personal information is typically, but not always, in pseudonymized form or de-identified). |
|
Education Data. This category includes education history, degrees, and related information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99). |
· Collect and process employment applications, including confirming eligibility for employment, recruitment, background and related checks, onboarding, and offboarding. · Collect and process scholarship applications, including confirming eligibility for scholarships for which Milliman acts as a sponsor. · Evaluate an individual’s appropriateness for hire or promotion at Milliman. · Analyze human resources trends and metrics. · Provide and track career development and training opportunities. · Design, implement, and promote Milliman’s diversity, equity, and inclusion programs. · Maintain employee records, including exam records. · Store, process, and manage employee/applicant information using human resources information systems. · Provide global mobility and immigration services. · Provide various professional services to clients in its capacity as a Service Provider or Data Processor (the personal information is typically in pseudonymized form or de-identified). |
|
Medical Information. This category includes, without limitation:
|
· Communicate with employees and/or employees’ emergency contacts. · Maintain personnel records and documents. · Comply with applicable state and federal laws. · Adaptability to the workplace. · Monitor attendance, including sick leave. · Provide various professional services to clients in its capacity as a Service Provider or Data Processor (the personal information is typically in pseudonymized form or de-identified). |
|
Inferences. This category includes engaging in human capital analytics, including, but not limited to, identifying certain correlations about individuals and success on their jobs, analyzing data to improve retention, and analyzing employee preferences to inform HR policies, programs and procedures. |
· Employee engagement and pulse survey analysis to determine retention strategies. · Provide various professional services to clients in its capacity as a Service Provider or Data Processor (the personal information is typically in pseudonymized form or de-identified). |
|
Sensitive Personal Information. This category includes sensitive information, such as:
|
· Collect and process employment applications, including confirming eligibility for employment, recruitment, background and related checks, onboarding, and offboarding. · Comply with applicable state and federal labor, employment, tax, benefits, workers compensation, disability, equal employment opportunity, workplace safety, and related laws. · Process payroll, other forms of compensation, and employee benefit plan and program design and administration, including enrollment and claims handling, and leave of absence administration. · Monitor attendance, including vacation, sick leave, and other absences. · Design, implement, and promote Milliman’s diversity, equity, and inclusion programs. · Comply with applicable state and federal laws. · Maintain personnel records and documents. · Analyze human resources metrics and trends. · Monitor attendance, including vacation, sick leave, and other absences. · Provide global mobility and immigration services. · Verification of employment. · Provide various professional services to clients in its capacity as a Service Provider or Data Processor (the personal information is typically in pseudonymized form or de-identified). |
| Health data (personal information that is linked or capable of being linked to the individuals’ past, present, or future physical or mental health status) | Provide various professional services to clients in its capacity as Data Processor (the personal information is typically in pseudonymized form or de-identified). |
We collect personal information directly from you, as well as automatically related to your use of our websites and other services, and from third parties. For example, we collect personal information:
In order to achieve the purposes identified above, the collection, use, and retention of personal information shall be reasonably necessary and proportionate. We collect the minimum personal information that is necessary to fulfill such purposes. When we act as a Service Provider, we only request the minimum personal information that is necessary to provide the services to our clients acting as Business or Data Controller. The terms Business, Data Controller and Service Provider are given the meanings set forth in U.S. State Privacy Laws.
We may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter into a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.
In the preceding twelve (12) months, we have your personal information for a business purpose to the following categories of third parties:
We may disclose your personal information in response to subpoenas, court orders, or other lawful requests by public authorities, including to meet national security or law enforcement requirements. We may also disclose personal information in order to enforce or apply our rights and agreements, or when we believe in good faith that disclosing this information is necessary or advisable, including, for example, to protect the rights, property, or safety of our businesses, our websites, our customers, our users, or others, as permitted under the applicable laws, or as otherwise required by law or by government and regulatory entities. This includes exchanging information with other companies and organizations for fraud protection and credit risk reduction.
Milliman will take reasonable measures to ensure that deidentified information (as defined by the applicable U.S. State Privacy Laws) it receives or creates will not be associated with an individual or household and will maintain and use the information in deidentified form and not attempt reidentification.
Our services and website are not directed to minors under 13, and we do not knowingly sell or share for behavioral advertising the personal information of minors, including minors under 16 years of age.
We may update our privacy policy occasionally for changes in our business practice or the law. Updates will be posted to this webpage.
To make accessibility-related requests or report barriers, please contact us at [email protected].
If you have questions or comments about this Data Privacy Policy, you may contact us at: [email protected]. If you have questions about the ways in which we collect and use your personal information, your choices and rights regarding such use, or wish to exercise your rights under law, see the section ‘Right of Individuals in the U.S.’ above.