California Consumer Privacy Policy

Last updated July 2021

Important Information for California Residents

Milliman, Inc. and its affiliates (“Milliman”) take data privacy very seriously. This CaliforniaConsumer Privacy Policy sets out the principles governing Milliman’s use and protection of personal information California of California residents that individuals and clients share with us (“personal information”) as well as describing the rights of California residents regarding their personal information.These disclosures are intended to supplement the disclosures contained in the Milliman Global Data Privacy Policy. This California Consumer Privacy Policy applies to Milliman’s data collection and use through this website and through its business operations in the United States.

The California Consumer Privacy Act of 2018 (CCPA) provides California consumers (California residents) with specific rights regarding their personal information. We have provided a detailed description of your rights under the CCPA and how to exercise them in this Privacy Policy.

Data Collection on Milliman’s Proprietary Data Collection Platforms

For some unique services, Milliman hosts and maintains its own proprietary software platforms (“Platforms”). These Platforms allow Milliman to offer enhanced services and more specialized products to our customers. In some cases these software platforms may require submissions of personal information by customers. In cases where our data collection is materially different than we describe in thisPrivacy Policy we will provide additional disclosures regarding such data collection on the applicable Platforms.

Rights of California Residents

The California Consumer Privacy Act of 2018 (CCPA) provides California consumers (California residents) with specific rights regarding their personal information. This section describes those rights and explains how to exercise them.

As a California resident, you have the right under the CCPA to exercise free of charge:

  1. Disclosure of Personal Information We Collect About You
  2. You have the right to know:

    1. The categories of personal information we have collected about you;
    2. The categories of sources from which the personal information is collected;
    3. Our business or commercial purpose for collecting or selling personal information;
    4. The categories of third parties with whom we share personal information, if any;
    5. The specific pieces of personal information we have collected about you; and

    Please note that we are not required to:

    1. Retain any personal information about you that was collected for a single one-time transaction if, in the ordinary course of business, that information about you is not retained;
    2. Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information; or
    3. Provide the personal information to you more than twice in a 12-month period.

  3. Disclosure of Personal Information Sold or Used for a Business Purpose
  4. In connection with any personal information we may sell or disclose to a third party for a business purpose, you have the right to know:

    1. The categories of personal information about you that we sold and the categories of third parties to whom the personal information was sold; and
    2. The categories of personal information that we disclosed about you for a business purpose.

  5. Right to Opt-Out of the Sale of Personal Information
  6. Under the CCPA, you have the right to opt-out of the sale of your personal information. Please be aware that Milliman is not in the business of selling personal information and therefore does not offer a mechanism to exercise the right to opt out.

  7. Right to Deletion
  8. You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.

    Please note that we may not delete your personal information if it is necessary to:

    1. Complete the transaction for which the personal information was collected, provide a good or service requested by you or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform services under a contract;
    2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for that activity;
    3. Debug to identify and repair errors that impair existing intended functionality;
    4. Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law;
    5. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.);
    6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of such research, provided we have obtained your informed consent;
    7. Enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us;
    8. Comply with an existing legal or contractual obligation; or
    9. Otherwise use your personal information, internally, in a lawful manner that is compatible with the context in which you provided the information.

  9. Protection Against Discrimination
  10. You have the right to not be discriminated against by us because you exercise any of your rights under the CCPA. This means we cannot, among other things:

    1. Complete the transaction for which the personal information was collected, provide a good or service requested by you or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform services under a contract;
    2. Deny goods or services to you;
    3. Charge different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
    4. Provide a different level or quality of goods or services to you; or
    5. Suggest that you will receive a different price or rate for goods or services or a different level or quality of goods or services.

    Please note that we may charge a different price or rate or provide a different level or quality of goods and/or services to you if that difference is reasonably related to the value provided to you by your personal information.

Submitting Requests

Requests to Know and Delete* may be submitted by either:

*Because Milliman is not in the business of selling personal information, the opt out option is not offered.

Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative thereof; and
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify your identity or authority to make the request.

The above applies regardless of whether a request is submitted by you on your own behalf, by an authorized representative on your behalf, or by you on behalf of your minor child.

Response Timing and Format

We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request's receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Collection of Personal Information

We collect information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household (“personal information”).

Categories of Personal Information Collected

In particular, we have collected the following categories of personal information from consumers within the last twelve (12) months:

Category Examples Collected (Yes or  No)
A. Identifiers. A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers. Y
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories. Y
C. Protected classification characteristics under California or federal law. Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). Y
D. Commercial information. Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. Y
E. Biometric information. Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. Y
F. Internet or other similar network activity. Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement. Y
G. Geolocation data. Physical location or movements. Y
H. Sensory data. Audio, electronic, visual, thermal, olfactory, or similar information. Y
I. Professional or employment-related information. Current or past job history or performance evaluations. Y
J. Non-public education information (per the Family Educational Rights and PrivacyAct (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. Y
K. Inferences drawn from other personal information. Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. Y

This Section on the rights of California residents does not address or apply to Milliman’s handling of:

  • Publicly available information from government records;
  • De-identified or aggregated consumer information;
  • Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
  • Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver's Privacy Protection Act of 1994;
  • Personal information we collect about job applicants, independent contractors, or current or former full-time, part-time and temporary employees and staff, officers, directors or owners of Milliman; and
  • Personal information about individuals acting for or on behalf of another company, to the extent the information relates to our transactions with such company, products or services that we receive from or provide to such company, or associated communications or transactions (accept that such individuals have the right to opt-out of any sale of their personal information and to not be subject to any discrimination for exercising such right).

Sources of Information Collected

We collect personal information directly from you, as well as automatically related to your use of our websites and other services, and from third parties. For example, we collect personal information:

  • From any form you may complete and submit through our websites, for example information collected from the "Contact Us" page of our websites;
  • From the content of surveys that you may complete;
  • From 'cookies' and other similar tools deployed on parts of our websites that can only be accessed by authenticated users who are logged into the website (for further information regarding cookies used on our websites, please see Cookie Policy here);
  • When you provide information as a client in connection with us providing professional services to you;
  • From other sources, such as public databases, joint marketing partners, social media platforms (including from people with whom you are friends or otherwise connected) and from other third parties; and
  • From or on behalf of clients when we provide professional services, which could include personal information about their employees, benefits recipients, insureds, etc.

Purposes of Collecting Information

Our collection, use and disclosure of personal information about a California resident will vary depending upon the circumstances and nature of our interactions or relationship with such resident. The table above sets out generally the categories of personal information (as defined by the CCPA) about California residents that we collect and disclose to others for a business purpose. We collect these categories of personal information from the sources described in the Sources of Information Collected section above, and for the following purposes:

  • Contract administration;
  • Executing and performing our client engagements;
  • Providing various professional services to our clients;
  • Activating and maintaining client accounts;
  • Fulfilling requests for or responding to inquiries about our products or services;
  • Analyzing how our websites are used and how they are performing;
  • Performing business development analysis;
  • Providing offers and information to you (as permitted by law) about products, services, or events offered by us or that we think may be of interest to you; and
  • Facilitating the recruitment process.
  • We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

Sharing Personal Information

We may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter into a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.

  • In the preceding twelve (12) months, we have disclosed the following categories of personal information for a business purpose:
    • Categories A-K in the above table.
  • We disclosed your personal information for a business purpose to the following categories of third parties:
    • Milliman affiliates;
    • Service providers and independent contractors we use to help deliver our products and/or services;
    • Other third parties we use to help us run our business, such as marketing agencies, website hosts, technical security solutions;
    • Third parties approved by you, including social media sites you choose to link your account to or third-party payment providers;
    • Our insurers and brokers; and
    • Our banks.

We may disclose your personal information in response to subpoenas, court orders, or other lawful requests by public authorities, including to meet national security or law enforcement requirements. We may also disclose personal information in order to enforce or apply our rights and agreements, or when we believe in good faith that disclosing this information is necessary or advisable, including, for example, to protect the rights, property, or safety of our businesses, our websites, our customers, our users, or others, as permitted under the applicable laws, or as otherwise required by law or by government and regulatory entities. This includes exchanging information with other companies and organizations for fraud protection and credit risk reduction.

Changes to Our California Privacy Disclosures

We reserve the right to amend these California specific privacy disclosures at our discretion and at any time. Milliman therefore asks all concerned California residents to check it occasionally to ensure that you are aware of the most recent version.

How to Contact Us

If you reside in California and have questions or comments about this Privacy Policy, you may contact us at: [email protected]. If you have questions about the ways in which we collect and use your personal information, your choices and rights regarding such use, or wish to exercise your rights under California law, see the Rights of California Residents above.