HFS Privacy Notice - State Law Supplement
This State Law Supplement supplements our Privacy Notice with additional information for California, Colorado, Connecticut, Ohio, Utah, and Virginia residents only. It provides information required under the following laws, effective as of the effective date of each of the laws specified below (collectively, “US Privacy Laws”):
- California Consumer Privacy Act of 2018 and California Privacy Rights Act of 2020 (collectively, “CCPA”)
- Colorado Privacy Act of 2021 (“CPA”)
- Connecticut Data Privacy Act (“CTDPA”)
- Ohio Personal Privacy Act (“OPPA”)
- Utah Consumer Privacy Act of 2022 (“UCPA”)
- Virginia Consumer Data Protection Act of 2021 (“VCDPA”)
Some portions of this State Law Supplement apply only to consumers of particular states. In those instances, we have indicated that such language applies only to those consumers. This State Law Supplement should be read in conjunction with our Privacy Notice. In the event of an irreconcilable conflict between this State Law Supplement and our Privacy Notice, the terms of this State Law Supplement shall apply with respect to consumers covered under this State Law Supplement.
DEFINITIONS
“Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal Information includes “personal data” as that term is defined in the applicable US Privacy Law. Personal Information also includes “Sensitive Personal Information” except where otherwise noted.
“Sensitive Personal Information” means Personal Information that reveals a consumer’s social security, driver’s license, state identification card, or passport number; account log-in, financial account number, debit card number, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; precise geolocation; racial or ethnic origin, religious beliefs, or union membership; contents of emails or text messages; and genetic data. Sensitive Personal Information also includes processing of biometric information for the purpose of uniquely identifying a consumer and Personal Information collected and analyzed concerning a consumer’s health, sex life, or sexual orientation. Sensitive Personal Information also includes “sensitive data” as that term is defined in the applicable US Privacy Law.
“Third Party” has the meanings ascribed to it in the applicable US Privacy Law.
“Vendor” means a service provider, contractor, or processor as those terms are defined in the applicable US Privacy Law.
To the extent other terms used in this Supplemental Notice are defined under the applicable US Privacy Law, they shall have the meanings afforded to them in those statutes, whether or not capitalized herein. As there are some variations between such definitions in each of the US Privacy Laws, the definitions applicable to the consumer are those provided in the statute for the state in which you are a consumer. For example, if you are a Colorado consumer, terms used in this Supplemental Notice that are defined in the CPA shall have the meanings afforded to them in the CPA as this State Law Supplement applies to you.
As described in further detail above, we collect data directly from you and automatically collect data about you when you access our website or when you use our services.
COLLECTION, PROCESSING, AND USE OF PERSONAL INFORMATION
Categories of Information Collected and Processed:
We, and our Vendors, may have collected and processed the categories of Personal Information about you identified in the chart below in the preceding 12 months. Please also refer to the “Personal Information That We Collect” section of the Privacy Notice.
| Category | Examples | Collected | Business Purpose for Processing |
| Identifiers | A real name, alias, postal address, unique personal identifier, online identifier, email address, account name, Social Security number, or other similar identifiers. | NO | N/A |
| Contact and financial information | A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
Some personal information included in this category may overlap with other categories. |
NO | N/A |
| Protected classification characteristics under state or federal law | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).
|
NO | N/A |
| Commercial information | Records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | NO | N/A
|
| Biometric information | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | NO | N/A |
| Internet or other similar network activity | Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. | NO | N/A
|
| Geolocation data | Physical location or movements. | NO | N/A
|
| Sensory data | Audio, electronic, visual, thermal, olfactory, or similar information. | NO | N/A |
| Professional or employment-related information | Current or past job history or performance evaluations. | NO | N/A |
| Non-public education information | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.
|
NO | N/A |
| Inferences drawn from other personal information. | Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | NO | N/A |
Sources from Which We Collect Personal Information
We may collect Personal Information directly from consumers, as well as from our affiliates, business partners, joint marketing partners, public databases, providers of demographic data, publications, professional organizations, social media platforms, caregivers, third party information providers, affiliates with whom you have a business relationship, service providers with which we have a contractual relationship and to which you have provided your Personal Information, Vendors, and Third Parties when they share the information with us.
ENTITIES TO WHOM WE DISCLOSE PERSONAL INFORMATION
| Personal Information Category | Category of Third-Party Recipients | |
| Business Purpose Disclosures | Sale of Personal Information | |
| Identifiers | None | None |
| California Customer Records personal information categories | None | None |
| Protected classification characteristics under California or federal law | None | None |
| Commercial information | None | None |
| Biometric information | None | None |
| Internet or other similar network activity | None | None |
| Geolocation data | None | None |
| Sensory data | None | None |
| Professional or employment-related information | None | None |
| Non-public education information. | None | None |
| Inferences drawn from other personal information. | None | None |
DISCLOSURE FOR CALIFORNIA CONSUMERS
Unless specifically stated, we have not sold or shared Personal Information about California consumers to third parties for their own use in the past 12 months. Relatedly, we do not have actual knowledge that we sell or share Personal Information of California consumers under 16 years of age. However, we may share your Personal Information with our affiliates and trusted partners in arrangements that may meet the broad definition of “sale” or “share” under California law. In these arrangements, use of the information we share is limited by policies, contracts, or similar restrictions.
For purposes of the CPRA, a “sale” is the disclosure of Personal Information to a Third Party for monetary or other valuable consideration, and “share” means the disclosure of Personal Information to a Third Party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.
DISCLOSURE FOR COLORADO, VIRGINIA, OHIO, UTAH, AND CONNECTICUT CONSUMERS
Unless specifically stated, we do not sell or share Personal Information to Third Parties for their own use. However, we may share or process one or more of the above categories of Personal Information with our affiliates and trusted partners in arrangements for purposes of targeted advertising, as the terms “sell,” “share,” “process,” and “targeted advertising” are defined in the CPA, VCDPA, UCPA, and CTDPA, as applicable. In these arrangements, use of the information we share is limited by policies, contracts or similar restrictions.
RIGHT TO OPT OUT OF SALE OR SHARING
To the extent that our practice constitutes a “sale” of Personal Information under certain state laws and/or, in California, “sharing” (which is a term used to address the sharing of information for advertising purposes), you have the right to opt-out of the same or sharing of your Personal Information with Third Parties for purposes of targeted advertising by contacting us at 800-304-4005. Signals we receive from global privacy controls or universal opt-out mechanism used by a California or Colorado resident will be treated the same as other opt-out requests to the extent technically possible.
UNDERSTANDING YOUR RIGHTS
California, Colorado, Virginia, Ohio, Utah, and Connecticut customers have certain rights with respect to the collection and use of their Personal Information. Those rights vary by state. Subject to certain limitations and depending on your state of residence, you have the following rights with respect to Personal Information that we collect about you:
Right to Know. You may request that we provide you with the following information about how we have handled your Personal Information in the 12 months preceding your request:
- The categories of Personal Information we collect about you.
- The categories of sources for the Personal Information we collect about you.
- Our business or commercial purpose for collecting, sharing, or selling that Personal Information.
- The categories of Third Parties with whom we share that Personal Information.
- The specific pieces of Personal Information collected about you.
- If we disclosed your Personal Information for a business purpose, a list of the categories of Personal Information.
- If we sold your Personal Information for a business purpose, a list of the categories of Personal Information.
Right to Data Portability. You have to the right to receive any Personal Information that we have about you in a readily usable format that allows you to save, edit, or transfer your Personal Information.
Right to Request Deletion of Personal Information. Subject to limited exceptions, you may request that we delete any Personal Information about you that we collected from you.
Right to Correct. You can ask us to correct inaccurate Personal Information that we have about you.
Right to Opt-Out of Targeted Advertising or Sale. You can ask us to stop using your Personal Information for targeted advertising. Please see the “Right to Opt Out of Sale or Sharing” section, above.
Right Against Discrimination. We will not discriminate against you for exercising your rights.
Right to Restrict or Limit the Use of Sensitive Personal Information: You have the right to restrict the use and disclosure of Sensitive Personal Information to certain purposes related to the offering of goods or services as listed in the CPRA and as otherwise described in the CPA. To exercise this right, you or your authorized representative may submit a request by calling us at 800-304-4005.
EXERCISING YOUR RIGHTS
To exercise your rights described above, please submit a verifiable consumer request to us by calling 800-304-4005.
You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative. We will use the information you will use the information you provide in your request to verify your identity and to identify the presence of the requestor in our systems. Information required for a verifiable request to includes: your full name, email address, and phone number. Additional information may be needed to verify your identity in some circumstances and depending on the sensitivity of the Personal Information that is the subject of the request.
We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. If we are unable to verify your identity, we reserve the right to deny the request. Making a verifiable consumer request does not require you to create an account with us. We will only use Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
If you choose to use an authorized agent to submit a request to know or a request to delete your information, we may require that you: (1) provide the authorized agent written permission to do so; and (2) verify your own identity directly with us. We will not require these steps if we have received proof that you have provided the authorized agent with a power of attorney pursuant to applicable probate law. We may deny a request from an agent that does not submit proof that they have been authorized by you to act on your behalf. We may also deny a request from an agent that does not meet the requirements for authorized agents under applicable law. Once we have verified your identity (and your authorized agent, as applicable), we will respond to your request as appropriate. To the extent permitted by applicable law, we may charge a reasonable fee to comply with your request. If we are unable to complete your request in whole or in part, we will let you know why.
Residents of Colorado, Connecticut, and Virginia can appeal a refusal to take action on a request by calling us at 800-304-4005. Please specifically reference our decision on your data subject request, so that we may adequately address your appeal. We will respond to your appeal in accordance with applicable law.
Response Timing and Format
We use good faith efforts to respond to a verifiable consumer request within 45 days after its receipt. If we need more time (up to 45 additional days), we will inform you of the reason and the needed extension period in writing. We will deliver our written response by email. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. If we cannot comply with any portion of a request, the response we provide will also explain why, if applicable. For data portability requests, we will select a commercially reasonable format to provide your Personal Information that is commonly useable and should allow you to transmit the information from one entity to another entity without hindrance, but we do not guarantee that all formats are useable in all media. We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Most recently updated: [9/12/24]