California Consumer Privacy Policy

Last updated January 2023

Important Information for California Residents

Milliman, Inc. and its affiliates (“Milliman”) take data privacy very seriously. This California Consumer Privacy Policy sets out the principles governing Milliman’s use and protection of personal information of California residents that individuals and clients share with us (“personal information”) as well as describing the rights of California residents regarding their personal information. These disclosures are intended to supplement the disclosures contained in the Milliman Global Data Privacy Policy. This California Consumer Privacy Policy applies to Milliman’s data collection and use through this website and through its business operations in the United States.

The California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.100 et seq.), as amended by the California Privacy Rights Act of 2020 (together, “CCPA”) provides California consumers (California residents) with specific rights regarding their personal information. We have provided a detailed description of your rights under the CCPA and how to exercise them in this Privacy Policy.

Data Collection on Milliman’s Proprietary Data Collection Platforms

For some unique services, Milliman hosts and maintains its own proprietary software platforms (“Platforms”). These Platforms allow Milliman to offer enhanced services and more specialized products to our customers. In some cases, these software platforms may require submissions of personal information by customers. In cases where our data collection is materially different than we describe in this Privacy Policy we will provide additional disclosures regarding such data collection on the applicable Platforms.

Rights of California Residents

The California Consumer Privacy Act of 2018 (CCPA) provides California consumers (California residents) with specific rights regarding their personal information. This section describes those rights and explains how to exercise them.

As a California resident, you have the right under the CCPA to exercise free of charge:

  1. Disclosure of Personal Information We Collect About You

    You have the right to know:

    1. The categories of personal information we have collected about you;
    2. The categories of sources from which the personal information is collected;
    3. Our business or commercial purpose for collecting, selling, or sharing personal information;
    4. The categories of third parties to whom we disclose personal information, if any;
    5. The specific pieces of personal information we have collected about you; and

    You have the right to correct inaccurate personal information that we maintain about you;

    Please note that we are not required to:

    1. Retain any personal information about you that was collected for a single one-time transaction if, in the ordinary course of business, that information about you is not retained;
    2. Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information; or
    3. Provide the personal information to you more than twice in a 12-month period.

  2. Disclosure of Personal Information Sold or Shared

    In connection with any personal information we may sell or share to a third party for a business purpose, you have the right to know:

    1. The categories of personal information about you that we sold and shared and the categories of third parties to whom the personal information was sold and shared; and
    2. The categories of personal information that we disclosed about you for a business purpose.

  3. Right to Opt-Out of the Sale or Sharing of Personal Information

    Under the CCPA, you have the right to opt-out of the sale or sharing of your personal information. Please be aware that Milliman is not in the business of selling or sharing personal information and that Milliman has not sold nor shared personal information in the preceding twelve (12) months. Milliman therefore does not offer a mechanism to exercise the right to opt-out. Milliman uses and/or discloses sensitive personal information for the permitted purposes specified in the CCPA and therefore does not offer a mechanism to exercise the right to limit the use of sensitive personal information.

  4. Right to Deletion

    You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.

    Please note that we may not delete your personal information if it is necessary to:

    1. Complete the transaction for which the personal information was collected, provide a good or service requested by you or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform services under a contract;
    2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for that activity;
    3. Debug to identify and repair errors that impair existing intended functionality;
    4. Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law;
    5. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.);
    6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of such research, provided we have obtained your informed consent;
    7. Enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us;
    8. Comply with an existing legal or contractual obligation; or
    9. Otherwise use your personal information, internally, in a lawful manner that is compatible with the context in which you provided the information.

  5. Right to Correction

    You have the right to correct inaccurate personal information that we maintain about you.

  6. Protection Against Discrimination

    You have the right to not be discriminated against by us because you exercise any of your rights under the CCPA. This means we cannot, among other things:

    1. Deny goods or services to you;
    2. Charge different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
    3. Provide a different level or quality of goods or services to you; or
    4. Suggest that you will receive a different price or rate for goods or services or a different level or quality of goods or services.

    Please note that we may charge a different price or rate or provide a different level or quality of goods and/or services to you if that difference is reasonably related to the value provided to you by your personal information.

Submitting Requests

Requests to Know, Correct and Delete* may be submitted by either:

  • Calling us at 1-866-467-8688 + service code 740 at prompt; or
  • Writing an e-mail to Milliman’s Data Privacy Request Team at [email protected].

*Because Milliman is not in the business of selling personal information, the opt-out option is not offered.

Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative thereof; and
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify your identity or authority to make the request.

The above applies regardless of whether a request is submitted by you on your own behalf, by an authorized representative on your behalf, or by you on behalf of your minor child.

Response Timing and Format

We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Collection of Personal Information

Categories of personal information that we collect and disclose.

We collect information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Our collection, use and disclosure of personal information about a California resident will vary depending upon the circumstances and nature of our interactions or relationship with such resident. The sections below set out generally the categories of personal information about California residents that we collect from and disclose to others for a business purpose. We collect these categories of personal information from the sources described in the Sources of Information Collected section below, and for the purposes described in the Categories of Personal Information Collected and Purpose of Collection section below. We do not sell or share the personal information of individuals under 16 years of age.

Categories of Personal Information Collected and Purposes of Collection

In particular, we have collected the following categories of personal information from consumers within the last twelve (12) months:

Categories of Personal Information Collected | Purposes Personal Information, Including Sensitive Information, is Used
Identifiers and Contact Information. This category includes names, alias, postal address, gender, telephone numbers, mobile numbers, unique personal identifiers, online identifier, Internet Protocol address, email address, signature, account name, dates of birth, bank account information, citizenship status, marital status, demographic data (including age, nationality, place of birth), and other similar contact information and identifiers.
  • Collect and process employment applications, including confirming eligibility for employment, recruitment, background and related checks, onboarding, and offboarding
  • Process payroll, other forms of compensation, and employee benefit plan and program design and administration, including enrollment and claims handling, and leave of absence administration
  • Maintain personnel and exam records, including evaluations, and record retention requirements
  • Comply with applicable state and federal labor, employment, tax, benefits, workers’ compensation, disability, equal employment opportunity, workplace safety, and related laws
  • Analyze human resources trends and metrics
  • Provide career development, coaching, and training opportunities
  • Communicate with employees and/or employees’ emergency contacts and plan beneficiaries
  • Prevent unauthorized access to or use of Milliman’s property, including Milliman’s information systems, electronic devices, network, data, and information
  • Ensure adherence to Milliman’s policies
  • Investigate complaints, grievances, and suspected violations of internal policies
  • Monitor attendance, including vacation, sick leave, and other absences
  • Provide general corporate services
  • Store, process, and manage employee information using human resources information systems
  • Adhere to whistleblowing procedures
  • Provide global mobility and immigration services
  • Contract administration
  • Execute and perform client engagements in Milliman’s capacity as a Service Provider or as a Business (where it manages the administration of contracts) as these terms are defined in the CCPA
  • Maintain client accounts
  • Fulfill and respond to requests and inquiries about Milliman products or services
  • Send marketing communications, surveys, and questionnaires
  • Operate Milliman’s business
  • Manage the relationship with clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract
  • Communicate with clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract
Personal Information categories listed in California Civil Code § 1798.80(e). This category includes insurance policy number, employment history, medical information, or health insurance information (generally in pseudonymized form or de-identified)
  • Collect and process employment applications, including confirming eligibility for employment, recruitment, background and related checks, onboarding, and offboarding
  • Process payroll, other forms of compensation, and employee benefit plan and program design and administration, including enrollment and claims handling, and leave of absence administration
  • Provide various professional services to clients, in Milliman’s capacity as a Service Provider as that term is defined in the CCPA
Protected Classification Information. This category includes characteristics of protected classifications under California or federal law, such as race, color, religion or creed, national origin or ancestry, citizenship, medical condition, physical or mental disability, age (40 years or older), sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, and veteran or military status.
  • Comply with applicable state and federal equal employment opportunity, pay equity, and pay transparency laws
  • Design, implement, and promote Milliman’s diversity, equity, and inclusion programs
  • Investigate complaints, grievances, and suspected violations of Milliman policies
  • Provide various professional services to clients in Milliman’s capacity as a Service Provider as that term is defined in the CCPA
Commercial information. This category includes products or services provided, obtained, or considered.
  • Contract administration
  • Execute and perform client engagements
  • Provide various professional services to clients
  • Activate and maintain client accounts
  • Providing offers and information to you about products, services, or events offered
  • Maintain client account
  • Send marketing communications, surveys, and questionnaires
Biometric Information. This category can include identifiers or identifying information, such as fingerprints.
  • Comply with industry and legal requirements, including background check requirements

Internet or other Electronic Data. This category includes, without limitation:

  • All activity on Milliman’s information systems, such as anonymized internet browsing history, anonymized search history or intranet activity, email communications, stored documents and emails, IP addresses, login details, usernames, passwords, and
  • All activity on communications systems including phone calls, call logs, voice mails, text messages, chat logs, app use, mobile browsing and search history, mobile email communications, and other information regarding an employee’s use of company-issued devices.
  • Prevent unauthorized access to or use of Milliman’s property, including Milliman’s information systems, electronic devices, network, data, and information
  • Information Technology (IT) security purposes, including incident responses
  • IT administration, including providing backups, software installation, helpdesk services, the logging and monitoring of network activity and the administration of Milliman’s cloud platform
  • Investigate complaints, grievances, and suspected violations of Milliman policies
  • Analyze how our websites are used, accessed, and how they are performing
  • Operate Milliman’s business
  • Manage the relationship with clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract
  • Communicate with clients’ representatives, officers, agents and employees, business partners, providers, parties to a contract
Audio, electronic, and visual information. This category includes information collected from cameras, microphones, and similar devices.
  • Prevent unauthorized access to or use of Milliman’s property, including Milliman’s server rooms
  • Conduct interviews and meetings
  • Providing offers and information to you about products, services, or events offered

Professional or Employment-related Information. This category includes, without limitation:

  • Data submitted with employment applications including salary history, employment history, job titles, employment recommendations, etc.,
  • Professional and criminal background check information,
  • Work authorization,
  • Fitness for duty data and reports,
  • Performance evaluations and disciplinary records,
  • Salary, compensation, and bonus data,
  • Timesheets,
  • Practice group,
  • Professional licenses, skills, and training records,
  • Benefit plan enrollment, participation, and claims information, and
  • Leave of absence information, including religious and family obligations, physical and mental health data concerning employee and their family members.
  • Collect and process employment applications, including confirming eligibility for employment, recruitment, background and related checks, onboarding, and offboarding
  • Process payroll, other forms of compensation, and employee benefit plan and program design and administration, including enrollment and claims handling, and leave of absence administration
  • Maintain personnel and exam records, including evaluations, and comply with record retention requirements
  • Communicate with employees and/or employees’ emergency contacts and plan beneficiaries
  • Comply with applicable state and federal labor, employment, tax, benefits, workers compensation, disability, equal employment opportunity, workplace safety, and related laws
  • Business management
  • Investigate complaints, grievances, and suspected violations of Milliman policies
  • Analyze human resources trends and metrics
  • Provide learning and career development, coaching, and training opportunities
  • Store, process, and manage employee information using human resources information systems
  • Monitor attendance, including vacation, sick leave, and other absences
  • Verification of employment
  • Adhere to whistleblowing procedures, including collection of information and administration
  • Provide global mobility and immigration services
Education Data. This category includes education history, degrees, and related information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99).
  • Collect and process employment applications, including confirming eligibility for employment, recruitment, background and related checks, onboarding, and offboarding
  • Evaluate an individual’s appropriateness for hire or promotion at Milliman
  • Analyze human resources trends and metrics
  • Provide and track career development and training opportunities
  • Design, implement, and promote Milliman’s diversity, equity, and inclusion programs
  • Maintain employee records, including exam records
  • Store, process, and manage employee/applicant information using human resources information systems
  • Provide global mobility and immigration services

Medical Information. This category includes, without limitation:

  • Symptoms, test results, and other indicators of exposure to the coronavirus (COVID-19) and related vaccination status information,
  • Medical conditions, device identifiers, record number, and treatment information,
  • Dates of medical service, diagnosis, and disease/disorder information,
  • Disability information,
  • Insurance policy information,
  • Leave of absence information, including family obligations, physical and mental health data concerning employee and their family members, and
  • Travel information and information regarding close contacts.
  • Communicate with employees and/or employees’ emergency contacts
  • Maintain personnel records and documents
  • Comply with applicable state and federal laws
  • Adaptability to the workplace
  • Monitor attendance, including sick leave
Inferences. This category includes engaging in human capital analytics, including, but not limited to, identifying certain correlations about individuals and success on their jobs, analyzing data to improve retention, and analyzing employee preferences to inform HR policies, programs and procedures.
  • Employee engagement and pulse survey analysis to determine retention strategies

Sensitive Personal Information. This category includes sensitive information, such as:

  • Social Security, driver’s license, state identification card, or passport number,
  • Financial account information that allows access to an account, including log-in credentials, financial account numbers, passwords, etc.,
  • Racial or ethnic origin, or religious or philosophical beliefs,
  • Content of mail, email, and text messages, unless Milliman is the intended recipient of the communication.
  • Collect and process employment applications, including confirming eligibility for employment, recruitment, background and related checks, onboarding, and offboarding
  • Process payroll, other forms of compensation, and employee benefit plan and program design and administration, including enrollment and claims handling, and leave of absence administration
  • Design, implement, and promote Milliman’s diversity, equity, and inclusion programs
  • Comply with applicable state and federal laws
  • Maintain personnel records and documents
  • Analyze human resources metrics and trends
  • Monitor attendance, including vacation, sick leave, and other absences
  • Verification of employment
  • Provide global mobility and immigration services

This Section on the rights of California residents does not address or apply to Milliman’s handling of:

  • Publicly available information from government records;
  • De-identified or aggregated consumer information;
  • Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
  • Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994;
  • Personal information we collect about job applicants, independent contractors, or current or former full-time, part-time and temporary employees and staff, officers, directors or owners of Milliman; and
  • Personal information about individuals acting for or on behalf of another company, to the extent the information relates to our transactions with such company, products or services that we receive from or provide to such company, or associated communications or transactions (except that such individuals have the right to opt-out of any sale of their personal information and to not be subject to any discrimination for exercising such right).

Sources of Information Collected

We collect personal information directly from you, as well as automatically related to your use of our websites and other services, and from third parties. For example, we collect personal information:

  • From any form you may complete and submit through our websites, for example information collected from the “Contact Us” page of our websites;
  • From the content of surveys that you may complete;
  • From ‘cookies’ and other similar tools deployed on parts of our websites that can only be accessed by authenticated users who are logged into the website (for further information regarding cookies used on our websites, please see Cookie Policy here);
  • When you provide information as a client in connection with us providing professional services to you;
  • From other sources, such as public databases, joint marketing partners, social media platforms (including from people with whom you are friends or otherwise connected) and from other third parties; and
  • From or on behalf of clients when we provide professional services, which could include personal information about their employees, benefits recipients, insureds, etc.

Data Minimization

In order to achieve the purposes identified above, the collection, use, and retention of personal information shall be reasonably necessary and proportionate. We collect the minimum personal information that is necessary to fulfill such purposes. When we act as a Service Provider, we only request the minimum personal information that is necessary to provide the services to our clients acting as Businesses. The terms Service Provider and Business are given the meanings set forth in the CCPA.

Disclosing Personal Information to a Third Party

We may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter into a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.

  • In the preceding twelve (12) months, we have disclosed the following categories of personal information for a business purpose:
    • Categories A-K in the above table.
  • We disclosed your personal information for a business purpose to the following categories of third parties:
    • Milliman affiliates;
    • Service providers and independent contractors we use to help deliver our products and/or services;
    • Other third parties we use to help us run our business, such as marketing agencies, website hosts, technical security solutions;
    • Third parties approved by you, including social media sites you choose to link your account to or third-party payment providers;
    • Our insurers and brokers; and
    • Our banks.

We may disclose your personal information in response to subpoenas, court orders, or other lawful requests by public authorities, including to meet national security or law enforcement requirements. We may also disclose personal information in order to enforce or apply our rights and agreements, or when we believe in good faith that disclosing this information is necessary or advisable, including, for example, to protect the rights, property, or safety of our businesses, our websites, our customers, our users, or others, as permitted under the applicable laws, or as otherwise required by law or by government and regulatory entities. This includes exchanging information with other companies and organizations for fraud protection and credit risk reduction.

Changes to Our California Privacy Disclosures

We reserve the right to amend these California specific privacy disclosures at our discretion and at any time. Milliman therefore asks all concerned California residents to check these disclosures occasionally to ensure that they are aware of the most recent version.

How to Contact Us

If you reside in California and have questions or comments about this Privacy Policy, you may contact us at: [email protected]. If you have questions about the ways in which we collect and use your personal information, your choices and rights regarding such use, or wish to exercise your rights under California law, see the Rights of California Residents above.
