California Casualty California Consumer Privacy Notice

Effective Date: September 1, 2021

This California Consumer Privacy Notice (“Notice”) applies to “Consumers” as defined by the California Consumer Privacy Act (“CCPA”) as a supplement to the California Casualty Group insurance companies’, including California Casualty Management Company, California Casualty Indemnity Exchange, California Casualty Insurance Company, California Casualty & Fire Insurance Company, California Casualty General Insurance Company of Oregon, and California Casualty Compensation Insurance Company (“California Casualty” “us” “we” “our”), other privacy policies or notices.

In the event of a conflict between this Notice and other Company privacy notices or policies, this Notice will prevail as to California Consumers’ rights under the CCPA. Please see also any general privacy policy or notice posted or referenced on our websites, apps, products, or services including, without limitation, www.calcas.com/privacy.

This Notice covers our collection, use, disclosure, and sale of California Consumers’ “Personal Information” (“PI”) as defined by the CCPA, except to the extent such PI is exempt from the notice obligations of the CCPA (e.g., personal information collected processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act or the CA Financial Information Privacy Act). For more information on our practices governed by privacy laws regulating financial institutions, including state insurance regulations, see our Notice of Insurance Practices here. The description of our data practices in this Notice is based on our practices during calendar year 2020 and through the Effective Date and will be updated annually. Our practices following the Effective Date may differ, however, if materially different from this Notice, then to the extent required by the CCPA, we will provide pre-collection notice of the current practices, which may include reference to our general privacy policy or other applicable privacy notices, which will reflect current practices.

Consistent with the CCPA, job applicants, current and former employees and independent contractors (“Personnel”), and subjects of certain business-to-business communications acting solely in their capacity as representatives of another business, are not considered “Consumers” for purposes of this California Privacy Notice or the rights described herein. However, our Personnel may obtain a separate privacy notice that is applicable to them by contacting our Human Resources department or by seeing our Applicant and Employment Privacy Policy here. Publicly available information is also not treated as PI under the CCPA, so this notice is not intended to apply to that data and your Consumer privacy rights do not apply to that data.

We Respect Your Privacy. Your privacy is important to us. We work hard to protect the personal information you entrust to us. We have procedures in place to prevent misuse of this information.

Information Gathering. Based on our 2020 practices through the Effective Date, we give you notice that we collect the following types of PI about California Consumers and use and share it as set forth below:

  • Identifiers. This may include, but is not limited to: a name, address, unique personal identifier, online identifier, Internet Protocol address, email address, or other similar identifiers;
  • Personal Records. This may include, but is not limited to: physical characteristics or description, signature, telephone number, education, employment, employment history, insurance policy, claims history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information;
  • Personal Characteristics or Traits. This may include, but is not limited to: sex, marital status, or familial status;
  • Commercial Information. This may include, but is not limited to: records of personal property, products or services purchased, obtained, or other purchasing;
  • Biometric Information. This may include, but is not limited to: fingerprints;
  • Internet Usage. This may include, but is not limited to: browsing history, search history, and information regarding your interaction with an Internet Web site or application;
  • Geolocation Data. This may include, but is not limited to: device location data collected with your use of our website;
  • Audio Recordings. This may include, but is not limited to: audio recordings of customer care calls;
  • Professional or Employment Information. This may include, but is not limited to: professional, educational, or employment-related information;
  • Education Records. This may include, but is not limited to: education level and school;
  • Inferences. This may include, but is not limited to: creating a profile about a Consumer reflecting the Consumer’s preferences, characteristics, or attitudes.

The above reflects that categories of PI required by the CCPA. There may be additional information that we collect that meets the CCPA’s definition of PI but is not reflected by a category, in which case we will treat it as PI as required by the CCPA, but will not include it when we are required to describe our practices by category of PI.

As permitted by applicable law, we do not treat deidentified data or aggregate consumer information as PI and we reserve the right to convert, or permit others to convert, your PI into deidentified data or aggregate consumer information, and may elect not to treat publicly available information as PI. We have no obligation to re-identify information or keep it longer than we need it to respond to your requests.

Sources of PI. We gather this information from multiple sources including: you, other individuals, service providers or other vendors, publicly available sources, consumer reporting agencies, government agencies, and other businesses.

What We Do With Your Information. Generally, we collect, retain, use, and share your PI to provide you services and as otherwise related to the operation of our business. We may collect, use, and share the PI we collect for one or more of the following business purposes: processing transactions, managing transactions, performing services, research and development, quality assurance, and to protect the safety and security of the Company.

Additional business purposes include sharing PI with third parties for other than a sale or one of the foregoing business purposes as required or permitted by applicable law, such as to our vendors that perform services for us, to the government or private parties to comply with law or legal process, the consumer or other parties at the consumer’s request, or the additional purposes explained in our Online Privacy Policy, and to assignees as part of a merger or asset sale (“Other Business Purposes”).

Subject to restrictions and obligations of the CCPA, our vendors may also use your PI for some or all of the above listed business purposes. Our vendors may themselves engage service providers or subcontractors to enable them to perform services for us, which sub-processing is, for purposes of certainty, an Other Business Purpose for which we are providing you notice.

Sharing of PI. We only share your personal information with others when we are permitted or required by law to do so. To better serve you, we reserve the right to share all of the information about you that we collect, but only as described in this Notice. We do not believe that we “sell” your PI as such is defined under the CCPA. In particular, we may share information, including without limitation, during calendar year 2020 through the Effective Date, as follows:

  • Identifiers. This may include, but is not limited to: a name, address, unique personal identifier, online identifier, Internet Protocol address, email address, or other similar identifiers;
  • Personal Records. This may include, but is not limited to: physical characteristics or description, signature, telephone number, education, employment, employment history, insurance policy, claims history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information;
  • Personal Characteristics or Traits. This may include, but is not limited to: sex, marital status, or familial status;
  • Commercial Information. This may include, but is not limited to: records of personal property, products or services purchased, obtained, or other purchasing;
  • Biometric Information. This may include, but is not limited to: fingerprints;
  • Internet Usage. This may include, but is not limited to: browsing history, search history, and information regarding your interaction with an Internet Web site or application;
  • Geolocation Data. This may include, but is not limited to: device location data collected with your use of our website;
  • Audio Recordings. This may include, but is not limited to: audio recordings of customer care calls;
  • Professional or Employment Information. This may include, but is not limited to: professional, educational, or employment-related information;
  • Education Records. This may include, but is not limited to: education level and school;
  • Inferences. This may include, but is not limited to: creating a profile about a Consumer reflecting the Consumer’s preferences, characteristics, or attitudes.

How We Protect Your Information. We take reasonable efforts to limit access to your PI to employees and Service Providers who need to know this information. Also, we take reasonable security measures to protect your PI. We update and test our systems from time to time to enhance the level of protection we provide.

Protecting Your Privacy on Our Web Site. We know that protecting your privacy when you use our Web site involves additional concerns not discussed in this Notice. Please see our Online Privacy Policy here for additional privacy information.

California Privacy Rights
The CCPA is a recent law and there remain differing interpretations of it and the regulations that implement it. Accordingly, we may from time-to-time update information in our notices regarding our data practices and your rights, modify our methods for you to make and for us to respond to your requests, and/or supplement our response(s) to your requests, as we continue to develop our compliance program to reflect the evolution of the law and our understanding of how it relates to our data practices.

We provide California Consumers the privacy rights described in this section. You have the right to exercise these rights via an authorized agent who meets the agency requirements of the CCPA and related regulations. As permitted by the CCPA, any request you submit to us is subject to an identification process (“Verifiable Consumer Request”). We will not fulfill your CCPA request unless you have provided sufficient information for us to reasonably verify you are the Consumer about whom we collected PI.

Some PI we maintain about Consumers is not sufficiently associated with enough PI about the Consumer for us to be able to verify that it is a particular Consumer’s PI when a Consumer request that requires verification pursuant to the CCPA’s verification standards is made (e.g., clickstream data tied only to a pseudonymous browser ID). As required by the CCPA, we do not include that PI in response to those requests. If we cannot comply with a request, we will explain the reasons in our response. We will use PI provided in a Verifiable Consumer Request only to verify your identity or authority to make the request and to track and document request responses, unless you also gave it to us for another purpose.

We will make commercially reasonable efforts to identify Consumer PI that we collect, process, store, disclose and otherwise use, and to respond to your California Consumer privacy rights requests. We will typically not charge a fee to fully respond to your requests; provided, however, that we may charge a reasonable fee, or refuse to act upon a request, if your request is excessive, repetitive, unfounded, or overly burdensome. If we determine that the request warrants a fee, or that we may refuse it, we will give you notice explaining why we made that decision. You will be provided a cost estimate and the opportunity to accept such fees before we will charge you for responding to your request.

Consistent with the CCPA and our interest in the security of your PI, we will not deliver to you your social security number, driver’s license number or other government-issued id number, financial account number, any health or medical identification number, an account password, or security questions or answers in response to a CCPA request. Further, as an insurance company, much of the personal information that we collect and maintain about Consumers is specifically exempt from the Consumer request rights under the CCPA and, although we may elect to include exempt data in response to a Consumer request, we have no obligation to do so and do not commit to do so. However, you may be able to access some of this information yourself through your account if you have an active account with us.

Your California Consumer privacy rights are as follows:

  1. The Right to Know:
    1. Categories:

      You have the right to send us a request, no more than twice in a twelve-month period, for any of the following for the period that is twelve months prior to the request date:

      • The categories of PI we have collected about you.
      • The categories of sources from which we collected your PI.
      • The business or commercial purposes for our collecting your PI.
      • The categories of third parties to whom we have shared your PI.
      • A list of the categories of PI disclosed for a business purpose in the prior 12 months and, for each, the categories of recipients, or that no disclosure occurred.
      • A list of the categories of PI sold about you in the prior 12 months and, for each, the categories of recipients, or that no sale occurred.

      To make a request, fill out this online form here, or call us at 1.877.795.3555. In order for us to look into your request, we first need to verify your identity, meaning that we need to make sure that you are the consumer we may have collected personal information about or a person who has been duly authorized to make the request on behalf of the consumer. We are required to verify a consumer’s request to know categories of PI to a reasonable degree of certainty, which may include matching at least two data points provided by the consumer with data points maintained by us, which we have determined to be reliable for the purpose of verifying the consumer. If you fail to do so we will be unable to verify you sufficiently to honor your request. The information you send for us to verify your identity will be used for this purpose only.

      For your specific pieces of information, as required by the CCPA, we will apply the heightened verification standards set forth in subsection (ii) below. Please note that PI is retained by us for various time periods, so we may not be able to fully respond to what might be relevant going back 12 months prior to the request.

    2. Specific Pieces:

      You have the right to make or obtain a transportable copy, no more than twice in a twelve-month period, of your PI that we have collected in the period that is 12 months prior to the request date and are maintaining. To make a request, fill out this online form here, or call us at 1.877.795.3555. In order for us to look into your request, we first need to verify your identity, meaning that we need to make sure that you are the consumer we may have collected personal information about or a person who has been duly authorized to make the request on behalf of the consumer. We are required to verify a consumer’s request to know specific pieces of PI to a reasonably high degree of certainty, which may include matching at least three data points provided by the consumer with data points maintained by us, which we have determined to be reliable for the purpose of verifying the consumer together with a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request. If you fail to provide the data points, we will be unable to verify you sufficiently to honor your request. The information you send for us to verify your identity will be used for this purpose only.

      Please note that PI is retained by us for various time periods, so we may not be able to fully respond to what might be relevant going back 12 months prior to the request.

  2. Do Not Sell:

    We do not believe that we “sell” your PI as such is defined under the CCPA and accordingly we do not offer a “do not sell” opt-out. We will not sell PI that we collected without having given you an opportunity to opt-out unless we first give you notice of our intent to sell and an express opportunity to opt-out of that sale. We do not knowingly sell the PI of Consumers under 16.

    We may disclose your PI for the following purposes, which are not a sale: (i) if you direct us to share PI; (ii) to comply with your requests under the CCPA; (iii) disclosures amongst the entities that constitute Company as defined above, or as part of a merger or asset sale; and (iv) as otherwise required or permitted by applicable law.

  3. Delete:

    Except to the extent we have a basis for retention under CCPA, you may request that we delete your PI that we have collected directly from you and are maintaining. Our retention rights include, without limitation, to complete transactions and service you have requested or that are reasonably anticipated, for security purposes, for legitimate internal business purposes, including maintaining business records, to comply with law, to exercise or defend legal claims, and to cooperate with law enforcement. Note also that we are not required to delete your PI that we did not collect directly from you or that is exempt from coverage under the CCPA (e.g., insurance customer data).

    To make a request, fill out this online form here, or call us at 1.877.795.3555. In order for us to look into your request, we first need to verify your identity, meaning that we need to make sure that you are the consumer we may have collected personal information about or a person who has been duly authorized to make the request on behalf of the consumer. We are required to verify a consumer’s request to delete to a reasonable degree of certainty, which may include matching at least two data points provided by the consumer with data points maintained by us, or to a reasonably high degree of certainty, which may include matching at least three data points provided by the consumer with data points maintained by us, depending on the sensitivity of the PI and the risk of harm to the consumer posted by unauthorized deletion. If you fail to provide the data points, we will be unable to verify you sufficiently to honor your request. The information you send for us to verify your identity will be used for this purpose only.

  4. Non-Discrimination and Financial Incentive Programs:

    We will not discriminate against you in a manner prohibited by the CCPA because you exercise your CCPA rights.

  5. Authorized Agents: If a Consumer chooses to submit a request through an authorized agent, we require the Consumer to:
    • Provide the authorized agent signed permission by the Consumer to submit a request, a copy of which must be provided to us;
    • Verify their own identity directly with us;
    • Directly confirm with us that they provided the authorized agent permission to submit the request.

    If the authorized agent has a power of attorney issued under California Probate Code sections 4000 to 4465, then the written agreement is not necessary. Pursuant to Probate Code Sections 4121 and 4122, a power of attorney is only valid if it is notarized or witnessed by two adults other than the attorney-in-fact. Where witnesses are used rather than a notary, we require verification of the witnesses’ identities, and verification that they in fact witnessed the appointment. The power of attorney must be sufficiently broad, or specific, to establish agency to make a CCPA request. We are entitled to reject any request submitted through a power of attorney if the attorney-in-fact cannot reasonably verify the validity of the power of attorney.

    If the authorized agent is not authorized by a power of attorney, we require an agent that is an entity be registered with the Secretary of State to conduct business in California. We are entitled to verify the legitimacy of an agency appointment, such as through a representation under the penalty of perjury with two verified witnesses. We are entitled to require a natural person acting on behalf of an entity agent to attest under penalty of perjury with two verified witnesses that (1) they are authorized to act on behalf of the entity and the consumer; (2) they are who they claim to be; and (3) everything they have submitted is valid and accurate. We are entitled to require the same of an individual acting as an agent, except for the qualification that they be registered with the Secretary of State to do business in California.

    In the absence of any of the general conditions detailed above, we are entitled to reject any request submitted through an agent. In addition, the agent is subject to the verification standards applicable to the type of request(s) made.

  6. Limitation of Rights:

    Notwithstanding anything to the contrary, we may collect, use and disclose your PI as required or permitted by applicable law and this may override your CCPA rights. Specifically, your California Privacy Rights are subject to a number of exemptions, including the Gramm-Leach Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), and the Health Information Portability and Insurance Act (HIPAA). If we decline your request based on a CCPA exemption, we will advise you of the basis for that determination. In addition, we need not honor any of your requests to the extent that doing so would infringe upon our or any other person or party’s rights or conflict with applicable law.

  7. Additional California Notice:

    We will not share your personal information with companies outside of the California Casualty family of companies, except for our everyday business purposes, for marketing our products and services to you, or with your consent. In addition, you have the right to access and correct all personal information that is collected pursuant to our Notice of Insurance Practices. For more information on our practices governed by privacy laws regulating financial institutions, including state insurance regulations, see our Notice of Insurance Practices here.