II. Notice of Colorado, Connecticut, Virginia and Utah Privacy Rights
The section (Notice of Colorado, Connecticut, Virginia and Utah Privacy Rights) relates solely to residents of the States of Colorado, Connecticut, Virginia and Utah, and provides you with information about your privacy rights under the Colorado Privacy Act, the Connecticut Data Privacy Act, the Virginia Consumer Data Protection Act and the Utah Consumer Privacy Act.
This section shall be effective for the residents of those States on the dates set forth below:
Effective January 1, 2023, for residents of the State of Virginia
Effective July 1, 2023, for residents of the States of Colorado and Connecticut
Effective December 31, 2023, for residents of the State of Utah
For purposes of this section, "residents", "consumers" or "you" means individuals of those states who are acting in their individual or household context. This section does not apply to individuals acting in their commercial or employment context.
1. Personal Information we collect
You have a right to know the categories and types of personal information we collect about you. We make this information available to you in the Personal Data We Collect section of our Global Privacy Notice.
2. Categories of sources from which we collect personal information
You have a right to know the categories of sources from which we collect your personal information. We make this information available to you in the How we Collect Your Personal Data section of our Global Privacy Notice.
3. Our processing of your personal information
You have the right to know how we process and use your personal information. We make this information available to you in the How We Use Your Personal Data section of our Global Privacy Notice.
For residents of the State of Virginia, to the extent that we maintain de-identified data, we take reasonable measures to ensure that de-identified data cannot be associated with a natural person, we publicly commit to maintaining and using de-identified data without attempting to re-identify the data, and we contractually obligate any recipient of the data to comply with the same obligations.
4. Disclosure of Personal Information
You have the right to know if we share your personal information with any third parties. We make this information available to you in the Who we Share Your Personal Data With section of our Privacy Notice.
5. No Sale of Data or Use of Data for Targeted Advertising
We do not sell your personal information and we do not use your data for targeted advertising (as that term is defined by your applicable state law). We may send you advertising in response to your request for information or feedback or based on your activities with our Sites, including your search queries and visits to our Sites. However, we will not send you targeted advertising based on your activities across non-affiliated Sites to predict your preferences or interests.
6. Your Rights
Where we act as the Controller of your personal information (as opposed to a Processor as those terms are defined in your applicable State law), you have the right to submit a request to us for the following:
Your right to access
You have the right to know if we process your personal information and have access to such information and certain details of how we use it.
Your right to correct
We take reasonable steps to ensure that information we hold about you is accurate and complete. However, you have the right to request that we correct any inaccurate personal information that we have about you.
Your right to delete
You may have the right to request that we delete your personal information where we act as a controller. This right is subject to several exceptions and we may deny your deletion request if retaining the information is necessary for us or our processors to:
- Complete the transaction for which we collected the personal information and take actions reasonably anticipated within the context of our ongoing business relationship with you or our client;
- Detect bugs or errors in our Sites, detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us;
- Comply with a legal obligation; or
- Make other internal and lawful uses of that information as permitted by law or that are compatible with the context in which we collected it.
Your right to restriction of processing (opt-out)
You have the right to opt-out of processing your personal information for purposes of profiling in furtherance of any automated processing of your data that produce legal or similarly significant effects concerning you. (This right only applies to residents of the States of Colorado, Connecticut and Virginia.)
Your right to data portability
You have the right to obtain a copy of your data in a portable, and to the extent technically feasible, readily usable format that allows you to transmit the data to a third party.
Your right to non-discrimination and no retaliation
We will not discriminate or retaliate against you for exercising any of your rights, including but not limited to, by denying you goods or services, charging you different prices for goods or services, or providing you a different level or quality of goods or services.
Your right to restrict the processing of sensitive information
Unless we are processing your sensitive information pursuant to any of the legal exemptions listed in Section 7 below or as otherwise allowed by law:
- For residents of the States of Connecticut, Virginia and Colorado, we will not process your sensitive information without first obtaining your consent; and
- For residents of the State of Utah, we will not process your sensitive personal information without providing you with notice and an opportunity to opt out.
a. Exercising Your Rights
You may exercise your rights described above by submitting a request to us by either:
b. Authentication Process
We will only fulfill request when we can verify your identify and confirm that you are authority to make such a request.
Only you, you as the parent or legal guardian on behalf of your minor child, or your authorized agent, guardian or conservator may make a request related to personal information. If an authorized agent, legal guardian or conservator submits the request, we may require your written permission to do so and may require additional information to authenticate your identity. We may deny a request by an authorized agent, legal guardian or conservator who does not submit proof of authorization to act on your behalf.
We will only use the personal information you provide in a request to verify your identity or authority to make the request.
c. Response Timing and Format
We will respond to an authenticated request within forty- five (45) days of its receipt, and will notify you within those forty-five (45) days if we require more time to respond and the reasons for the additional time.
If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.
If we cannot comply with a request or a portion of the request, we will include the reasons in our response.
For residents of the States of Colorado, Connecticut and Utah, you may make one request within a twelve-month period at no charge. For residents of the State of Virginia, you may make a request up to two (2) times within a twelve (12) month period at no charge. We reserve the right to charge a fee to process or respond to any request that we consider excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Right to Appeal
You have the right to appeal our decision within a reasonable period of time after receipt of our response. You may appeal our decision by sending us an email at GlobalPrivacyOffice@ajg.com. We will respond to your appeal within 60 days of receipt (45 days of receipt for residents of Colorado) and will inform you of any decisions and the reasons for such decisions.
* Please note that in certain cases we may collect your personal information as a processor (as opposed to a controller, as those terms are defined in your applicable state privacy law) pursuant to a contract we have with a commercial client (the controller) to provide a service. In such a case, we are required to collect and process your information only based on the instructions received from the controller. Should you direct your requests to exercise your rights to us, we may be required to share your request with the controller, who is the party responsible under your applicable state privacy law for receiving, authenticating and responding to your requests.
This section (Notice of Colorado, Connecticut, Virginia and Utah Privacy Rights) does not apply to certain entities and data that are exempt from your applicable state privacy law, including but not limited to the following: covered entities, business associates and protected health information governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH); financial institutions and personal information subject to the Gramm-Leach-Bliley Act (GLBA); and personal information collected, processed, sold, or disclosed pursuant to certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Family Educational Rights and Privacy Act, the Farm Credit Act and the Driver's Privacy Protection Act of 1994 (DPPA).