Privacy Policy and Collection Notice for California Residents
Last Updated: January 1, 2023
This Privacy Policy, which also serves as a Notice at Collection (“Notice”) is provided on behalf of Highland Capital Brokerage, Inc. (“Highland”) specifically to advise California residents who are applying for life insurance (“Covered Individuals”) of the types of personal information that we may collect about you that may be covered by the California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act of 2020 (“CPRA”), and the purposes for which we collect such information. We may update this Notice from time to time. Our general Highland Privacy Policy, which is available at www.quotacy.com/privacy/ provides additional information about the personal information Highland collects, how we collect it, how we may use and share it, and rights individuals may have related to it, among other things. Except where specifically noted below, both the CCPA and the CPRA are collectively referred to as the CCPA in this Notice.
The information provided in this Notice applies only to individuals who are California residents. Highland reserves the right to amend this Notice at our discretion and at any time.
Personal Information We Collect and How We Use It
Under the CCPA, personal information is defined as information that identifies, relates to, describes, is reasonably capable of being associated, or could reasonably be linked, directly or indirectly, with a particular consumer or household in California.
Highland may collect or otherwise obtain the following categories of personal information1 about Covered Individuals for the purpose of carrying out and supporting insurance-related functions and activities, including the uses set forth below.
Subject to any applicable limitations under law, we may collect the following categories of personal information and sensitive personal information about Covered Individuals and use it for the following purposes. Please note that the examples of the types of information within these categories that may be personal information are not intended to be comprehensive and that there may be overlap between categories.
We do not use sensitive personal information to infer characteristics about Covered Individuals and only use sensitive personal information for the uses outlined below.
Categories of Personal Information
We do not use sensitive personal information to infer characteristics about you and typically limit our use of sensitive personal information to (1) perform services, such as to provide benefits to our customers; (2) to resist deceptive, fraudulent, or illegal actions; and (3) to ensure the physical safety of our personnel, customers, visitors, and others.
With respect to each of the categories of data below, we may also disclose personal information with any person to whom we may transfer any of our rights or obligations under any agreement, or in connection with a sale, merger, or consolidation of our business or other transfer of our assets, whether voluntarily or by operation of law, or to any person who is otherwise deemed to be our successor or transferee. We may also collect and use information as described to you when collecting the information.
Categories of Personal Information Obtained | Our Uses of Personal Information |
---|---|
Contact information and other personal identifiers, such as name, postal and email address, phone number, unique personal identifier, account name, registration number, tax identification number, Social Security number, driver’s license number, passport number, and similar identifiers. | To perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services. To prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, and or confidentiality of stored or transmitted personal information, provided that the use of the consumer’s personal information is reasonably necessary and proportionate for this purpose. To resist malicious, deceptive, fraudulent, or illegal actions directed at the business and to prosecute those responsible for those actions, provided that the use of the consumer’s personal information is reasonably necessary and proportionate for this purpose. To ensure the physical safety of natural persons, provided that the use of the consumer’s personal information is reasonably necessary and proportionate for this purpose. For short-term, transient use, including, but not limited to, non-personalized advertising shown as part of a consumer’s current interaction with the business, provided that the personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business. To perform services on behalf of the business, provided that the use of the consumer’s personal information is reasonably necessary and proportionate for this purpose. Such business purposes include maintaining or servicing accounts, providing customer service, processing, or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business. To verify or maintain the quality of a product or, service that is owned, or controlled by the business, and to improve, upgrade, or enhance the service that is owned or controlled by the business, provided that the use of the consumer’s personal information is reasonably necessary and proportionate for this purpose. For purposes that do not infer characteristics about the consumer. Regulatory registration. |
Internet or electronic activity information and device and online identifiers, such as online identifier or device ID, or other similar identifiers; information regarding interaction with a website, device, database, or application, including time and duration of internet and network connections; browsing history; and calls and emails sent and received. | To prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, and or confidentiality of stored or transmitted personal information, provided that the use of the consumer’s personal information is reasonably necessary and proportionate for this purpose. To resist malicious, deceptive, fraudulent, or illegal actions directed at the business and to prosecute those responsible for those actions, provided that the use of the consumer’s personal information is reasonably necessary and proportionate for this purpose. For short-term, transient use, including, but not limited to, non-personalized advertising shown as part of a consumer’s current interaction with the business, provided that the personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business. |
Demographic, protected classification, and association information, such as date of birth/age, sex, marital status, race, gender, ethnicity, citizenship and visa status, military, or veteran status; association-related information, such as whether an individual is related to someone who is employed in the securities industry, information about dependents, beneficiaries, and parties related to an account, emergency contact information; and disability and health-related information. | Regulatory registration. To perform services on behalf of the business, provided that the use of the consumer’s personal information is reasonably necessary and proportionate for this purpose. Such business purposes include maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business. |
Audio, electronic, visual, or similar information, including photographs, CCTV footage and other video event recordings, and voicemail and other telephone recordings (e.g., for call center support lines). | To perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services. To prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, and or confidentiality of stored or transmitted personal information, provided that the use of the consumer’s personal information is reasonably necessary and proportionate for this purpose. To resist malicious, deceptive, fraudulent, or illegal actions directed at the business and to prosecute those responsible for those actions, provided that the use of the consumer’s personal information is reasonably necessary and proportionate for this purpose. |
Education and professional background information, such as degrees, licenses, professional designations, or certificates sought or obtained; training records, transcripts, performance and talent management information; resumes, work history, firm element, job descriptions; references; compensation, bonus, stock-option information, and similar information; membership in professional bodies, appointments, gross dealer concession, outside business activities; publications and work product; discipline, conduct, absence records; and criminal history. | To perform services on behalf of the business, provided that the use of the consumer’s personal information is reasonably necessary and proportionate for this purpose. Such business purposes include maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business. To verify or maintain the quality of a service that is owned, or controlled by the business, and to improve, upgrade, or enhance the service that is owned or controlled by the business, provided that the use of the consumer’s personal information is reasonably necessary and proportionate for this purpose. Regulatory Registration. |
Other personal information provided to us or stored on our systems, such as information provided by email or in a phone call. | To perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services. To prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, and or confidentiality of stored or transmitted personal information, provided that the use of the consumer’s personal information is reasonably necessary and proportionate for this purpose. To resist malicious, deceptive, fraudulent, or illegal actions directed at the business and to prosecute those responsible for those actions, provided that the use of the consumer’s personal information is reasonably necessary and proportionate for this purpose. |
Categories of Sensitive Personal Information Obtained | Our Uses of Sensitive Personal Information |
---|---|
Government identifiers, including Social Security number, driver’s license number, state identification card number, passport number. | To perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services. To prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, and or confidentiality of stored or transmitted personal information, provided that the use of the consumer’s personal information is reasonably necessary and proportionate for this purpose. To resist malicious, deceptive, fraudulent, or illegal actions directed at the business and to prosecute those responsible for those actions, provided that the use of the consumer’s personal information is reasonably necessary and proportionate for this purpose. To ensure the physical safety of natural persons, provided that the use of the consumer’s personal information is reasonably necessary and proportionate for this purpose. For short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of a consumer’s current interaction with the business, provided that the personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business. To perform services on behalf of the business, provided that the use of the consumer’s personal information is reasonably necessary and proportionate for this purpose. Such business purposes include maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business. To verify or maintain the quality of a service that is owned or controlled by the business, and to improve, upgrade, or enhance the service that is owned or controlled by the business, provided that the use of the consumer’s personal information is reasonably necessary and proportionate for this purpose. For purposes that do not infer characteristics about the consumer. |
Sources of Personal Information
Highland collects or receives the categories of personal information listed above from the following categories of sources:
- Self-disclosure by you, during communications between you and Highland, its service providers, contractors, and vendors, such as on onboarding documentation.
- Indirectly from you, such as monitoring information that your computer or mobile device transmits when interacting with our applications.
- Monitoring, managing, and securing resources, property, and independent contractors, including usage of Highland email systems, applications, telephone systems, and computer networks.
- Public and governmental agencies, sources, and records.
- Social media platforms when you interact with our social media pages and accounts.
- Records and property to which we have lawful access, e.g., device inventories for company property or documents stored on our systems.
Disclosing Personal Information
We make disclosures including personal information to other parties to help us operate and conduct our business.
Disclosures of Personal Information for a Business Purpose
With respect to existing Covered Individuals, in the preceding twelve (12) months, we have disclosed each of the categories of personal information described above for a business purpose.
We disclose your personal information for a business purpose to the following categories of parties:
- Our corporate affiliates in the financial services industry and authorized associates, including through complaints, issue resolution events, data inputs to Highland websites, issuance of required mailings, regulatory monitoring and retention, and enhancing and improving communications, services, and products designed to meet our business needs;
- Service providers, contractors, vendors, including through processing insurance transactions, maintaining accounts and service capabilities, reports and account statements, marketing, analytic, processing of insurance related services;
- Third parties and non-affiliates, such as product sponsors, and business contacts and partners related to the provision or offering of insurance products or services, and business operations, management, and administration;
- Governmental authorities and other third parties, such as self-regulatory organizations, to comply with applicable laws and legal requirements or in response to court orders, subpoenas, government inquiries, other legal processes, to defend against claims and allegations, or to protect property, personnel, or members of the public;
- Other parties to whom you authorize us to disclose your personal information in connection with insurance-related products and services.
We may also use or disclose your personal information to a third party in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of a bankruptcy, liquidation, or similar proceeding, in which personal information held by us is among the assets transferred.
Information Security
Highland is committed to the security of the personal information it holds. To protect personal information from unauthorized access and use, we implement and maintain reasonable security measures that are intended to maintain the confidentiality of personal information. However, no security measures are infallible, and we cannot and do not guarantee that our safeguards will always work. Please always use caution when transmitting information, including over the Internet, use strong and unique passwords that you do not also use on other online services, and notify us immediately of any concerns regarding your account or passwords.
You also have an obligation to help protect Highland IT systems and data, and to comply with applicable Highland information security and privacy policies and procedures. If you suspect there has been a breach of Highland systems, your IT credentials or any other circumstances that may compromise the security, integrity, confidentiality or availability of company IT resources or data, report your concerns immediately to compliance@highland.com or (833) 241-2643.
Accessibility
We are committed to ensuring that our communications are accessible to people with disabilities. To make accessibility-related requests or report a concern, please contact us at (833) 241-2643 or contact compliance@highland.com.
You have the right to be informed about the personal information we collect and the purposes for which we use your personal information, possibly among other rights relating to such information.
Retention Period
We retain your personal information for as long as reasonably necessary and proportionate to fulfill the purposes outlined in this Privacy Policy. Our retention of your information is governed by applicable law. We may retain personal information for longer to honor your requests, as applicable, and to comply with legal, regulatory, accounting, or other obligations.
Additional Information About Our Uses of Personal Information Regarding Covered Individuals
In addition to the uses set forth above, we may use the categories of personal information identified to establish or defend legal claims and allegations; to respond to valid legal requests; and to comply with requirements under applicable law, court order, or governmental regulations.
Rights Relating to Personal Information
Covered Individuals should have no expectation of privacy in their use of Highland-owned or administered networks or applications, including email and other electronic communications, and other business records. Anything that is sent, received, or stored on any company administered network or application may be read, listened to, tracked, or copied without notice.
Rights and Additional Information Under State Law (California)
If you are a resident of California, you may have rights under the CCPA regarding your personal information. This section describes your CCPA rights and explains how to exercise those rights.
Much of the personal information that Highland collects is exempt from the rights provided by CCPA. The rights under the CCPA described below do not apply, for instance, to personal information collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act and its implementing regulations or the California Financial Information Privacy Act. As a general matter, those laws apply to nonpublic personal information about individuals who obtain financial products or services primarily for personal, family, or household purposes. This section therefore does not cover information falling with the scope of these exemptions or to which the CCPA’s relevant provisions do not apply.
Access, Deletion and Correction Rights Under the CCPA
Right to Request Disclosure of Personal Information We Collect (Access Rights)
Individuals whose personal information is covered by the CCPA have a right to request that Highland provide the information listed below. Our responses to these access requests will cover the personal information we have collected and maintain about the consumer on or after January 1, 2022, or for a shorter period if an exemption applies or if requested by the consumer.
- The categories and sources of personal information that Highland has collected about you
- The categories of sources from which Highland collected your personal information
- The business or commercial purposes for which Highland collected and/or sold the personal information
- The categories of any third parties with which Highland disclosed the Personal information
- The specific pieces of personal information Highland collected over the past year
Consumers may also submit a request for the following information:
- The categories of personal information that we have disclosed for a business purpose, and the categories of third parties to whom each category of personal information was disclosed for a business purpose.
Right to Request the Deletion of Personal Information We have Collected from You (Deletion Rights)
Individuals whose personal information is covered by the CCPA may also request that we delete personal information covered by the CCPA that we maintain, subject to certain exemptions. Upon receiving and verifying such a request, Highland will delete the personal information, unless that information is necessary for Highland to complete the transaction for which we collected the information; to provide you with a good or service you requested, or reasonably anticipated within the context of Highland’s ongoing business relationship with you; to perform a contract Highland entered into with you; to help ensure security and integrity (e.g., to prevent, detect, or investigate data security incidents); maintain the functionality and security of Highland’s systems; to comply with or exercise rights provided by the law; or to use the personal information internally in ways that are compatible with the context in which you provided the information to Highland, among other things. We may also retain information where another exception to the deletion requirements in the CCPA applies. Please note that if you request that your personal information be deleted, you may no longer be able to access or use certain parts of the Sites.
Right to Request Correction of Inaccurate Personal Information (Correction Right)
If you determine that Highland maintains inaccurate personal information about you, you have the right to request that Highland correct that inaccurate personal information, considering the nature of the personal information and the purposes of the processing of the personal information. If Highland receives a verifiable consumer request to correct inaccurate personal information, Highland will use commercially reasonable efforts to correct the inaccurate personal information as directed by you. We will consider any documentation that you provide in connection with your right to correct whether provided voluntarily or as required by Highland. We may require you to provide documentation if necessary to rebut our own documentation that the personal information at issue is accurate. We may delete the contested personal information as an alternative to correcting the information if the deletion of the personal information does not negatively impact you or you consent to the deletion.
To exercise these CCPA rights, please email compliance@highland.com or contact Highland at (833) 241-2643.
ii. Our Processes for Responding to CCPA Requests
Verifying Requests: Depending on the nature of your request, we may ask you for additional information to verify your request and identity and a declaration attesting to your identity, signed under penalty of perjury.
Response Format: Highland will deliver our written response by mail or electronically, at your option. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
Timeline for Responding: We endeavor to respond to a verifiable consumer request within the time periods provided by the CCPA and CCPA regulations. We ordinarily process requests, within 45 days of its receipt. In some cases, we may extend this period to 90 calendar days. If we require more than 45 days, we will inform you or your authorized agent in writing of the reason we did so and the extension period. We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Using an Agent: Requests by an authorized agent must include a written, notarized declaration which documents the authorized agent’s authority to act on the consumer’s behalf. The declaration must certify that (a) the authorized agent is a natural person over the age of 18 or a business entity, (b) the agent is authorized to make a request on behalf of the consumer, and (c) that such authorization is still in full force and effect. The declaration must further enclose an authorization to request personal information on behalf of the identified consumer along with a copy of the consumer’s valid government-issued photo identification. A declaration must include the sentence “I UNDERSTAND THAT THE INFORMATION PROVIDED HEREIN IS TO BE RELIED UPON BY HIGHLAND TO RESPOND TO A CALIFORNIA CONSUMER PRIVACY REQUEST IN ACCORDANCE WITH THE LAW.” An authorized agent must submit the written declaration to compliance@highland.com and respond to any questions required for Highland to verify the consumer’s identity.
The authorized agent may include, but we do not require, a copy of a valid power of attorney in order for you to use an authorized agent to act on your behalf. Please note that this subsection of the Notice does not apply when an agent is authorized to act on your behalf pursuant to a valid power of attorney. Any such requests will be processed in accordance with California law pertaining to powers of attorney.
Sharing of Personal Information
In the preceding twelve (12) months, we have not shared your personal information with a third party for cross-context behavioral advertising.
Right to Opt-Out of Sale of Personal Information
You have the right to opt-out of the sale of your personal information. To exercise the right to opt out of the sale of your personal information, submit a request by telephone at (833) 241-2643.
The personal information that we sell is not linked to your device or browser. Therefore, Highland cannot process GPC signals to opt you out of personal information sales. To effectuate an opt-out request, you need to identify yourself and submit an opt out request as described above.
Minors Right to Opt In
Highland does not sell the personal information of minors under 16 years of age.
Non-discrimination
We are committed to complying with the law. If you exercise any of the rights explained in this Notice, we will continue to treat you fairly. You have a right not to be discriminated against for the exercise of the privacy rights conferred by the CCPA.
For Questions
Should you have any questions, please contact us by writing to us at Highland Capital Brokerage, Inc., Attn: Legal & Compliance, 3535 Grandview Parkway, Suite 600, Birmingham, AL 35243, calling us at (833) 241-2643, or emailing us at compliance@highland.com.
Effective Date: January 1, 2023