Skip to main content

USA Data Privacy Policy

Last Updated January 2025

Important Information for Individuals in the U.S (United States)

Milliman, Inc. and its affiliates (“Milliman” or “we”) take data privacy very seriously. This U.S. Data Privacy Policy (“Data Privacy Policy”) sets out the principles governing Milliman’s use and protection of personal information of individuals (consumers or residents) in the U.S. (“you”) that individuals and clients share with us. These disclosures are intended to supplement the disclosures contained in the Milliman Global Data Privacy Policy. This Data Privacy Policy applies to Milliman’s data collection and use through this website and through its business operations in the United States.

Overview

This Data Privacy Policy relates to U.S. state privacy laws, including state consumer health privacy laws, hereafter “U.S. State Privacy Laws”, including but not limited to the California Consumer Privacy Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Montana Consumer Data Privacy Act, the Oregon Consumer Privacy Act, the Texas Data Privacy and Security Act, the Utah Consumer Privacy Act, the Virginia Consumer Data Protection Act, the Nevada My Health My Data and the My Washington My Data Act.

Please also refer to Milliman’s B2B Business Contact Notice at Collection for disclosures related to the California Consumer Privacy Act.

This Data Privacy Policy does not address or apply to Milliman’s handling of:

  • Publicly available information from government records.
  • Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
  • Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLBA).

Milliman does not maintain a distinct Washington Health Data Privacy Policy due to its role as a Data Processor in handling personal information pertaining to Washington resident that identifies their past, present, or future physical or mental health status (“Health Data”).

Data Collection on Milliman’s Proprietary Data Collection Platforms

For some unique services, Milliman hosts and maintains its own proprietary software platforms (“Platforms”). These Platforms allow Milliman to offer enhanced services and more specialized products to our customers. In some cases, these software platforms may require submissions of personal information by customers. In cases where our data collection is materially different than what we describe in this Privacy Policy, we will provide additional disclosures regarding such data collection on the applicable Platforms.

Rights of Individuals in the U.S.

Depending on your state of residence and subject to certain exceptions, you may have certain data privacy rights. Privacy rights pertaining to personal information collected in a commercial or employment context are subject only to the California Consumer Privacy Act of 2018 (CCPA) and are processed by Milliman in its capacity as a Business (as defined in the California Consumer Privacy Act). Privacy rights associated to personal information processed by Milliman as a Service Provider or Data Processor (as these terms are defined under U.S. State Privacy Laws) are contingent upon our clients’ privacy policies. In such instances, Milliman would forward your request to its clients as per Milliman’s contractual obligations.

California (for California residents)

California (for California residents)

Under the California Consumer Privacy Act of 2018 ("CCPA") as amended by the California Privacy Rights Act ("CPRA"), 2023:

Right to Access.  You have the right to confirm whether we are processing your personal information and to access that data. You have the right to know:

  • The categories of personal information we have collected about you.
  • The categories of sources from which personal information is collected.
  • Our business or commercial purpose for collecting, selling, or sharing personal information.
  • The categories of third parties to whom we disclose personal information, if any.
  • The specific pieces of personal information we have collected about you.

In connection with any personal information, we may sell or share to a third party for a business purpose, you have the right to know:

  • The categories of personal information about you that we sold and shared and the categories of third parties to whom the personal information was sold and shared; and
  • The categories of personal information that we disclosed about you for a business purpose.

Right to Opt-Out of the Sale or Sharing of Personal Information. You have the right to opt-out of the sale or sharing of your personal information. Please be aware that Milliman as a Business (as defined in the California Consumer Privacy Act) is not in the business of selling or sharing personal information and that Milliman has not sold nor shared personal information in the precedent twelve (12) months. Milliman does therefore not offer a mechanism to exercise the right to opt-out. If such requests are addressed to Milliman in its capacity as a Service Provider (as defined in the California Consumer Privacy Act), Milliman would forward your request to its clients in their capacity as Businesses as per Milliman’s contractual obligations.

Right to Limit the Use and Disclosure. We use and/or disclose sensitive personal information for the permitted purposes specified in the CCPA and therefore do not offer a mechanism to exercise the right to limit the use of sensitive personal information.

Right to Deletion. You have the right to request that Milliman delete the Personal Information it has collected or maintains about you. Once a verified request is received, Milliman will let you know what, if any, Personal Information can be deleted from its records, and Milliman will direct any service providers and contractors to whom it disclosed your Personal Information to also delete your Personal Information from their records.

There may be circumstances where Milliman cannot delete your Personal Information or direct service providers or contractors to delete your Personal Information from their records. Such instances include, but are not limited to, enabling solely internal uses that are reasonably aligned with your expectations based on your relationship with Milliman and compatible with the context in which you provided the information or to comply with a legal obligation.

Right of Correction. You have the right to correct inaccurate personal information that we maintain about you, taking into account the nature of that information and purpose for processing it.

Protection Against Discrimination. You have the right to not be discriminated against by us because you exercise any of your rights.

Right of Portability. You have the right to obtain your personal information in a portable and readily usable format that allows you to transmit the data to another entity without hindrance.

Submitting Requests

Requests for the application of your rights may be submitted by either:

  • Calling us at 1-866-467-8688 + service code 740 at prompt; or
  • By accessing our webform Privacy Web Form (onetrust.com). You will be asked to provide certain personal information when submitting your request including your first and last name, email address for us to determine if your information is in our systems.

The verifiable request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative thereof; and
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable request does not require you to create an account with us. We will only use personal information provided in a verifiable request to verify your identity or authority to make the request.

The above applies regardless of whether a request is submitted by you on your own behalf, by an authorized representative on your behalf, or by you on behalf of your minor child.

Response Timing and Format

We endeavor to respond to a verifiable request within 45 days of its receipt. If we require more time (up to 90 days depending on applicable U.S. State Privacy Law), we will inform you of the reason and extension period in writing. For requests subject to California Consumer Privacy Act of 2018 (CCPA), any disclosures we provide will only cover the 12-month period preceding the verifiable request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

Depending on applicable U.S. State Privacy Law, we will not charge a fee to process or respond to your verifiable request unless it is excessive, repetitive, or manifestly unfounded. In addition, we may charge an additional amount for a second or subsequent request within a 12-month period. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Collection of Personal Information

We collect information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household.

Our collection, use and disclosure of personal information about individuals in the U.S. will vary depending upon the circumstances and nature of our interactions or relationship with such individuals. The sections below set out generally the categories of personal information about U.S. individuals that we collect from and disclose to others for a business purpose. We collect these categories of personal information from the sources described in the Sources of Information Collected section below, and for the purposes described in the Categories of Personal Information Collected and Purpose of Collection section below.

Categories of Personal Information Collected and Purposes of Collection

We have collected the following categories of personal information from U.S. individuals within the last twelve (12) months. Personal information related to individuals acting in a commercial or employment context are subject only to the California Consumer Privacy Act of 2018 (CCPA). This information pertains solely to California residents. We act as a Business (as defined in California Consumer Privacy Act) when processing such personal information. Additionally, we may process personal information as a Service Provider or Data Processor (as these terms are defined under U.S. State Privacy Laws) to our clients. That information is subject to our clients’ privacy policies.

Categories of Personal Information Collected

 Purposes Personal Information, Including Sensitive Information, is Used

Identifiers and Contact Information. This category includes names, alias, postal address, gender, telephone numbers, mobile numbers, unique personal identifiers, online identifier, Internet Protocol address, email address, signature, account name, dates of birth, bank account information, citizenship status, marital status, demographic data (including age, nationality, place of birth), and other similar contact information and identifiers.

·  Collect and process employment applications, including confirming eligibility for employment, recruitment, background and related checks, onboarding, and offboarding.

·  Process payroll, other forms of compensation, and employee benefit plan and program design and administration, including enrollment and claims handling, and leave of absence administration.

·  Maintain personnel and exam records, including evaluations, and record retention requirements.

·  Comply with applicable state and federal labor, employment, tax, benefits, workers’ compensation, disability, equal employment opportunity, workplace safety, and related laws.

·  Analyze human resources trends and metrics.

·  Provide career development, coaching, and training opportunities.

·  Communicate with employees and/or employees’ emergency contacts and plan beneficiaries.

·  Prevent unauthorized access to or use of Milliman’s property, including Milliman’s information systems, electronic devices, network, data, and information.

·  Ensure adherence to Milliman’s policies.

·  Investigate complaints, grievances, and suspected violations of internal policies.

·  Monitor attendance, including vacation, sick leave, and other absences.

·  Provide general corporate services.

·  Store, process, and manage employee information using human resources information systems.

·  Adhere to whistleblowing procedures.

·  Collect and process scholarship applications.

·  Provide global mobility and immigration services.

·  Contract administration.

·  Execute and perform client engagements (where it manages the administration of contracts).

·  Maintain client accounts.

·  Fulfill and respond to requests and inquiries about Milliman products or services.

·  Send marketing communications, surveys, and questionnaires.

·  Operate Milliman’s business.

·  Manage the relationship with clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract.

·  Communicate with clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract.

Personal Information categories listed in California Civil Code § 1798.80(e). This category includes insurance policy number, employment history, medical information, or health insurance information (generally in pseudonymized form or de-identified).

·  Collect and process employment applications, including confirming eligibility for employment, recruitment, background and related checks, onboarding, and offboarding.

·  Process payroll, other forms of compensation, and employee benefit plan and program design and administration, including enrollment and claims handling, and leave of absence administration.

· Provide various professional services to clients in its capacity as a Service Provider or Data Processor (the personal information is typically in pseudonymized form or de-identified).

Protected Classification Information. This category includes characteristics of protected classifications under California or federal law, such as race, color, religion or creed, national origin or ancestry, citizenship, medical condition, physical or mental disability, age (40 years or older), sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, and veteran or military status.

·  Comply with applicable state and federal equal employment opportunity, pay equity, and pay transparency laws.

·  Design, implement, and promote Milliman’s diversity, equity, and inclusion programs.

·  Investigate complaints, grievances, and suspected violations of Milliman policies.

· Provide various professional services to clients in its capacity as a Service Provider or Data Processor (the personal information is typically in pseudonymized form or de-identified).

Commercial information. This category includes products or services provided, obtained, or considered.

·  Contract administration.

·  Execute and perform client engagements.

·  Provide various professional services to clients.

·  Activate and maintain client accounts.

·  Providing offers and information to you about products, services, or events offered.

·  Maintain client account.

·  Send marketing communications, surveys, and questionnaires.

Biometric Information. This category can include identifiers or identifying information, such as fingerprints.

·  Comply with industry and legal requirements, including background check requirements.

Internet or other Electronic Data. This category includes, without limitation:

  • All activity on Milliman’s information systems, such as anonymized internet browsing history, anonymized search history or intranet activity, email communications, stored documents and emails, IP addresses, login details, usernames, passwords, and
  • All activity on communications systems including phone calls, call logs, voice mails, text messages, chat logs, app use, mobile browsing and search history, mobile email communications, and other information regarding an employee’s use of company-issued devices.

·  Prevent unauthorized access to or use of Milliman’s property, including Milliman’s information systems, electronic devices, network, data, and information.

·  Information Technology (IT) security purposes, including incident responses.

·  IT administration, including providing backups, software installation, helpdesk services, the logging and monitoring of network activity and the administration of Milliman’s cloud platform.

·  Investigate complaints, grievances, and suspected violations of Milliman policies.

·  Analyze how our websites are used, accessed, and how they are performing.

·  Operate Milliman’s business.

·  Manage the relationship with clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract.

·  Communicate with clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract.

Audio, electronic, and visual information. This category includes information collected from cameras, microphones, and similar devices.

·  Prevent unauthorized access to or use of Milliman’s property, including Milliman’s server rooms.

·  Conduct interviews and meetings.

·  Providing offers and information to you about products, services, or events offered.

Professional or Employment-related Information. This category includes, without limitation:

  • Data submitted with employment applications including salary history, employment history, job titles, employment recommendations, etc.
  • Professional and criminal background check information,
  • Work authorization,
  • Fitness for duty data and reports,
  • Performance evaluations and disciplinary records,
  • Salary, compensation, and bonus data,
  • Timesheets,
  • Practice group,
  • Professional licenses, skills, and training records,
  • Benefit plan enrollment, participation, and claims information, and
  • Leave of absence information, including religious and family obligations, physical and mental health data concerning employee and their family members.

·  Collect and process employment applications, including confirming eligibility for employment, recruitment, background and related checks, onboarding, and offboarding.

·  Process payroll, other forms of compensation, and employee benefit plan and program design and administration, including enrollment and claims handling, and leave of absence administration.

·  Maintain personnel and exam records, including evaluations, and comply with record retention requirements.

·  Communicate with employees and/or employees’ emergency contacts and plan beneficiaries.

·  Comply with applicable state and federal labor, employment, tax, benefits, workers compensation, disability, equal employment opportunity, workplace safety, and related laws.

·  Business management.

·  Investigate complaints, grievances, and suspected violations of Milliman policies.

·  Analyze human resources trends and metrics.

·  Provide learning and career development, coaching, and training opportunities.

·  Store, process, and manage employee information using human resources information systems.

·  Monitor attendance, including vacation, sick leave, and other absences.

·  Verification of employment.

·  Adhere to whistleblowing procedures, including collection of information and administration.

·  Provide global mobility and immigration services.

·  Provide various professional services to clients in its capacity as a Service Provider or Data Processor (the personal information is typically in pseudonymized form or de-identified).

Education Data. This category includes education history, degrees, and related information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).

·  Collect and process employment applications, including confirming eligibility for employment, recruitment, background and related checks, onboarding, and offboarding.

·  Collect and process scholarship applications, including confirming eligibility for scholarships for which Milliman acts as a sponsor.

·  Evaluate an individual’s appropriateness for hire or promotion at Milliman.

·  Analyze human resources trends and metrics.

·  Provide and track career development and training opportunities.

·  Design, implement, and promote Milliman’s diversity, equity, and inclusion programs.

·  Maintain employee records, including exam records.

·  Store, process, and manage employee/applicant information using human resources information systems.

·  Provide global mobility and immigration services.

·  Provide various professional services to clients in its capacity as a Service Provider or Data Processor (the personal information is typically in pseudonymized form or de-identified).

Medical Information. This category includes, without limitation:

  • Symptoms, test results, and other indicators of exposure to the coronavirus (COVID-19) and related vaccination status information,
  • Medical conditions, device identifiers, record number, and treatment information,
  • Dates of medical service, diagnosis, and disease/disorder information,
  • Disability information,
  • Insurance policy information,
  • Leave of absence information, including family obligations, physical and mental health data concerning employee and their family members, and
  • Travel information and information regarding close contacts.

·  Communicate with employees and/or employees’ emergency contacts.

·   Maintain personnel records and documents.

·   Comply with applicable state and federal laws.

·   Adaptability to the workplace.

·   Monitor attendance, including sick leave.

·   Provide various professional services to clients in its capacity as a Service Provider or Data Processor (the personal information is typically in pseudonymized form or de-identified).

Inferences. This category includes engaging in human capital analytics, including, but not limited to, identifying certain correlations about individuals and success on their jobs, analyzing data to improve retention, and analyzing employee preferences to inform HR policies, programs and procedures.

·  Employee engagement and pulse survey analysis to determine retention strategies.

·  Provide various professional services to clients in its capacity as a Service Provider or Data Processor (the personal information is typically in pseudonymized form or de-identified).

Sensitive Personal Information. This category includes sensitive information, such as:

  • Social Security, driver’s license, state identification card, or passport number,
  • Financial account information that allows access to an account, including log-in credentials, financial account numbers, passwords, etc.,
  • Racial or ethnic origin, or religious or philosophical beliefs,
  • Religious beliefs.
  • Sexual Orientation.
  • Citizenship or immigration status.
  • Personal information from a known child.
  • Mental of physical health condition.
  • Content of mail, email, and text messages, unless Milliman is the intended recipient of the communication.

·  Collect and process employment applications, including confirming eligibility for employment, recruitment, background and related checks, onboarding, and offboarding.

·  Comply with applicable state and federal labor, employment, tax, benefits, workers compensation, disability, equal employment opportunity, workplace safety, and related laws.

·  Process payroll, other forms of compensation, and employee benefit plan and program design and administration, including enrollment and claims handling, and leave of absence administration.

·  Monitor attendance, including vacation, sick leave, and other absences.

·  Design, implement, and promote Milliman’s diversity, equity, and inclusion programs.

·  Comply with applicable state and federal laws.

·  Maintain personnel records and documents.

·  Analyze human resources metrics and trends.

·  Monitor attendance, including vacation, sick leave, and other absences.

·  Provide global mobility and immigration services.

·  Verification of employment.

·  Provide various professional services to clients in its capacity as a Service Provider or Data Processor (the personal information is typically in pseudonymized form or de-identified).
Health data (personal information that is linked or capable of being linked to the individuals’ past, present, or future physical or mental health status) Provide various professional services to clients in its capacity as Data Processor (the personal information is typically in pseudonymized form or de-identified).

Sources of Information Collected

We collect personal information directly from you, as well as automatically related to your use of our websites and other services, and from third parties. For example, we collect personal information:

  • From any form you may complete and submit through our websites, for example information collected from the ‘Contact Us’ page of our websites.
  • From the content of surveys that you may complete.
  • From ‘cookies’ and other similar tools deployed on parts of our websites that can only be accessed by authenticated users who are logged into the website (for further information regarding cookies used on our websites, please see Cookie Policy.
  • When you provide information as a client in connection with us providing professional services to you.
  • From other sources, such as public databases, joint marketing partners, social media platforms (including from people with whom you are friends or otherwise connected) and from other third parties; and
  • From or on behalf of clients when we provide professional services, which could include personal information about you in your capacity as their employees, benefits recipients, insureds, etc.

Data Minimization

In order to achieve the purposes identified above, the collection, use, and retention of personal information shall be reasonably necessary and proportionate. We collect the minimum personal information that is necessary to fulfill such purposes. When we act as a Service Provider, we only request the minimum personal information that is necessary to provide the services to our clients acting as Business or Data Controller. The terms Business, Data Controller and Service Provider are given the meanings set forth in U.S. State Privacy Laws.

Disclosing Personal Information to a Third Party

We may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter into a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.

In the preceding twelve (12) months, we have your personal information for a business purpose to the following categories of third parties:

  • Milliman affiliates.
  • Service providers and independent contractors we use to help deliver our products and/or services as well as human resources functions (for personal information collected in an employment context).
  • Other third parties we use to help us run our business, such as marketing agencies, website hosts, technical security solutions.
  • Designers and manufacturers of scholarships and other educational support programs for corporations, where Milliman acts as a sponsor for such scholarships.
  • Third parties approved by you, including social media sites you choose to link your account to or third-party payment providers.
  • Our insurers and brokers; and
  • Our banks.

We may disclose your personal information in response to subpoenas, court orders, or other lawful requests by public authorities, including to meet national security or law enforcement requirements. We may also disclose personal information in order to enforce or apply our rights and agreements, or when we believe in good faith that disclosing this information is necessary or advisable, including, for example, to protect the rights, property, or safety of our businesses, our websites, our customers, our users, or others, as permitted under the applicable laws, or as otherwise required by law or by government and regulatory entities. This includes exchanging information with other companies and organizations for fraud protection and credit risk reduction.

Use of Deidentified Information

Milliman will take reasonable measures to ensure that deidentified information (as defined by the applicable U.S. State Privacy Laws) it receives or creates will not be associated with an individual or household and will maintain and use the information in deidentified form and not attempt reidentification.

Personal Information of Minors

Our services and website are not directed to minors under 13, and we do not knowingly sell or share for behavioral advertising the personal information of minors, including minors under 16 years of age.

Changes to Our Privacy Disclosures

We may update our privacy policy occasionally for changes in our business practice or the law.  Updates will be posted to this webpage.

Accessibility

To make accessibility-related requests or report barriers, please contact us at [email protected].

How to Contact Us

If you have questions or comments about this Data Privacy Policy, you may contact us at: [email protected]. If you have questions about the ways in which we collect and use your personal information, your choices and rights regarding such use, or wish to exercise your rights under law, see the section ‘Right of Individuals in the U.S.’ above.

We’re here to help

Ask the tough questions. We’re ready for them.