California resident privacy notice
California Consumer Privacy Act and California Privacy Rights Act
The California Comprehensive Privacy Laws and Unum
Thank you for your inquiry regarding California’s comprehensive privacy laws. The California Consumer Privacy Act, adopted in 2018, was substantially amended by the California Privacy Rights Act of 2020 (“CPRA”). We have updated our guidance below in light of the changes brought by the California Privacy Rights Act. In the guidance below we use the abbreviation “CCPA” to refer to the statute in its current state, inclusive of the amendments from the CPRA.
We value our customer relationships and external partnerships and understand the importance of protecting personal information, both as a matter of law and principle. We are committed to protecting personal information in compliance with the numerous state, federal, and international privacy laws and regulations that apply to our business.
Unum has assessed the CCPA’s applicability to its products and services based on the current version of the law, as amended by the CPRA, and implementing regulations. Unum has implemented a CCPA compliance program for the limited instances in which Unum’s operations are subject to the CCPA.
Unum’s Insurance Products
The CCPA does not apply to any of Unum’s insurance products due to the exemptions under Cal. Civ. Code § 1798.145 (excluding Cal. Civ. Code § 1798.150). These exemptions apply to personal information that is collected, used, or disclosed subject to the federal Gramm-Leach-Bliley Act (GLBA) and its implementing regulations. All personal information collected by Unum in connection with any of its insurance products is subject to the GLBA and is therefore not subject to the CCPA. Additionally, Unum’s dental, vision, and long-term care products are also exempted from the CCPA as they are subject to the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Even if any of Unum’s insurance products were subject to the CCPA, Unum, as an insurance company providing insurance products, would be a business (“Business”), which the CCPA defines as the entity which “determines the purposes and means of the processing of consumers’ personal information.” (Cal. Civ. Code § 1798.140(d)). When acting as an insurance company, Unum is not a “Service Provider,” a “Contractor,” or a “Third Party” as those terms have been defined under the CCPA. (Cal. Civ. Code § 1798.140). Therefore, the contractual requirements for any of these entities under the CCPA are inapplicable to Unum when it is acting as an insurer.
For additional clarification, the relationship between a group or individual insurance policyholder and an insurance company cannot be interpreted as a typical relationship between a service receiver and a service provider. Nor should existing agreements between Unum and its customers that reference the term “service provider” be interpreted to have the same definition as Service Provider under the CCPA. While conducting business as an insurer, including issuing and administering insurance policies, Unum cannot sign agreements which define Unum as a “Service Provider,” “Contractor,” or “Third Party” as those terms have been defined under the CCPA.
Unum also offers our customers services that include leave, absence management plans, behavioral health, and other benefit-related services. When providing these services, to the extent that the personal data collected and used to provide these services is subject to the CCPA, Unum is acting as a “Service Provider” as defined under the CCPA.
Even in those scenarios where Unum is acting as a “Service Provider” under the CCPA, most, if not all, of the personal data processed by Unum will not be subject to the CCPA. However, to the extent necessary to address those instances where Unum is acting as a “Service Provider” and processing personal data subject to the CCPA, Unum will agree to execute a “Service Provider” addendum on Unum’s paper to ensure that all required provisions of the CCPA are included in its agreements with its customers subject to the CCPA.
In addition to the requirements set forth in the CCPA, when providing our insurance products and our services, Unum is subject to numerous federal and state privacy laws and regulations, data breach notification laws, and insurance laws and regulations. Under those laws, Unum is obligated to protect the confidentiality and security of the personal data it obtains and may be subject to regulatory enforcement actions, as well as fines and penalties for compliance failures.
Frequently Asked Questions and Answers:
Why won’t Unum sign a CCPA compliance agreement or addendum for our insurance products?
The CCPA does not apply to our insurance products, and, even if it did, Unum is not a “Service Provider, Contractor, or Third Party” as those terms have been defined under the CCPA when administering insurance products.
The CCPA does not apply to any of Unum’s insurance products, due to the exemptions under Cal. Civ. Code § 1798.145 (excluding Cal. Civ. Code § 1798.150).
Even if Unum’s insurance products were subject to the CCPA, Unum is not a “Service Provider, Contractor, or Third Party,” as those terms have been defined under the CCPA, when it sells or administers any of its insurance products. As such, it would be inappropriate for Unum to execute any addendum or agreement that attempts to define Unum as a “Service Provider, Contractor, or Third Party.” As such, Unum cannot execute any such agreements in connection with its insurance products.
Will Unum sign a CCPA compliance agreement or addendum related to any non-insurance services Unum provides?
Unum has developed a fully compliant CCPA addendum for when it is acting as a “Service Provider” and will agree to incorporate that addendum into its customer agreements.
For our non-insurance services, Unum has drafted a CCPA-compliant “Service Provider Addendum” that contains all the required provisions for Unum to be considered a “Service Provider” under the CCPA. Unum will agree to execute this addendum when Unum is providing non-insurance services. Due to the complexity and nature of our business and the regulatory requirements for processing personal information, Unum cannot agree to execute a customer’s specific CCPA addendum or agreement or otherwise agree to modify its CCPA-compliant addendum as Unum cannot accommodate special processing instructions for each customer and still meet Unum’s legal and regulatory obligations.
Will Unum Sign a CCPA Service Provider or Third Party Agreement for Insurance Products with us Anyway?
Unum does not sign CCPA Agreements naming Unum as a “Service Provider,” “Contractor,” or “Third Party” with our customers when we are only providing insurance products.
How does Unum ensure that it effectively manages privacy and data protection issues?
Through its legal, compliance and risk management frameworks.
Privacy and information security risks sit within the scope of our enterprise risk management framework, with systems of governance in place including risk committees to provide appropriate, robust oversight and guidance across the business.
Regular risk assessments are carried out, which feed into our operational risk registers and committees, ultimately reporting to the Unum Audit and Risk Committee.
What does Unum do to Comply with the CCPA?
Unum has a CCPA compliance program.
We have developed and implemented a CCPA compliance program for Unum’s US operations that provide insurance and related services to consumers residing in California. The program includes policies and procedures for providing CCPA compliant privacy notices, practicing data minimization, retaining personal data only as long as required by applicable law, and responding to consumers exercising their rights under the CCPA, among other measures.