Effective Date: January 1, 2023

Last Reviewed on: July 12, 2023

This Privacy Notice for California Residents (this “Notice”) supplements the information contained in the Hub International Privacy Policy (the “Policy”) and is provided on behalf of Hub International Limited and its subsidiaries listed here.

This Notice provides our “notice at collection” and provides certain mandated disclosures about our treatment of California residents’ information, both online and offline. We adopt this Notice to comply with the California Consumer Privacy Act of 2018 as supplemented by the California Privacy Rights Act of 2020 (collectively “CCPA”) and any terms defined in the CCPA have the same meaning when used in this Notice (unless separately defined in this Notice). This Notice applies solely to residents of the State of California as defined in the CCPA (“California Residents”) who do business with us directly and/or visit the websites of Hub International Limited and its subsidiaries (“our websites”).

Changes to this Notice

We reserve the right to amend this Notice at our discretion and at any time. When we make changes to this Notice, we will post the updated Notice on the websites and update the Notice's effective date. We encourage you to look for updates and changes to this Notice when you access our websites. Your continued use of our websites following the posting of changes constitutes your acceptance of such changes with respect to your use of the websites.

Accessibility

If you have special needs with regard to accessing the content of this Notice, we recommend that you or someone on your behalf, contact us by email at: [email protected]

Definition and Exclusions of Personal Information and Sensitive Personal Information under the CCPA and at Hub International Limited

Generally, Personal Information under the CCPA and in this Notice means information that identifies (whether directly or indirectly) you, such as your name, postal address, email address, and telephone number. Due to the nature of our business as described in “Information We Collect” section below, Personal Information may also include:

  • your name, Social Security Number, driver’s license or other government-issued identification;
  • assets and income, occupation and employment status, dependent information and other relevant financial information;
  • information relating to any of your past claims;
  • information from reporting agencies and state and federal government agencies, such as state motor vehicle departments;
  • information from other sources, such as medical or health care providers and other third parties with which you or we maintain a relationship;
  • your premium payment history;
  • credit card, bank account or other account information as may be required to facilitate your payment of insurance premium or similar amounts, which payment generally is made through systems maintained by third parties, such as insurance carriers; and
  • passive tracking information from our websites or the Internet, including information obtained through the use of internet “cookies.”

Personal Information as defined under the CCPA does not include:

  • Publicly available information from government records as defined under Civil Code Section 1798.140;
  • Deidentified or aggregated consumer information;
  • Health or medical information to the extent covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data; and
  • Personal information to the extent covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA) and the Driver’s Privacy Protection Act of 1994.

Certain types of Personal Information are considered “Sensitive Personal Information” under the CCPA. Specifically, Sensitive Personal Information is defined under the CCPA as information that reveals a consumer’s:

  • Social Security, driver’s license, state identification card, or passport number;
  • Account login, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
  • Precise geolocation;
  • Racial or ethnic origin, religious or philosophical beliefs, or union membership;
  • Mail, email, and text message content, unless the business is the intended recipient of the communication;
  • and/or Genetic data;
  • Biometric information, which may reference certain physiological, biological, or behavioral characteristics; or DNA information; which could potentially establish an individual’s identity. Retina scans, fingerprints or voice recordings could also be considered such information.

Personal Information We Collect

The following categories of Personal Information and/or Sensitive Personal Information may have been collected from California Residents within the last twelve (12) months. Personal Information that falls under the definition of Sensitive Personal Information under the CCPA has been noted in the second column below.

Category

California Sensitive Personal Information may be considered to be within this Category
(YES or NO)

Examples

Collected

A. Identifiers.

YES

A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.

YES

B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80I).

YES

A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.

Some Personal Information included in this category may overlap with other categories.

YES

C. Protected classification characteristics under California or federal law.

YES

Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).

YES

D. Commercial information.

NO

Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

YES

E. Biometric information.

YES

Genetic, physiological, behavioral and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns and sleep, health, or exercise data.

NO

F. Internet or other similar network activity.

NO

Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.

YES

G. Precise geolocation data.

YES

Physical location or movements within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet. 

NO

H. Sensory data.

YES

Audio, electronic, visual, thermal, or similar information.

NO

I. Professional or employment-related information.

NO

Current or past job history.

YES

J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).

NO (if de-identified)

Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.

NO

K. Inferences drawn from other Personal Information.

YES

Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

NO


Sources of Personal Information We Collect

We may obtain the categories of Personal Information listed above from the following categories of sources:

  • Directly from you – for example, from insurance applications or in connection with your other communications with us.
  • From third parties – for example, from insurance carriers and other industry service providers, and other third parties with which you maintain a relationship, such as an employer, financial service or medical or health providers, or any industry provider from which we purchase or acquire industry assets or operations. This may occasionally include referral sources.
  • Indirectly from you – for example, from observing your actions on our websites, including through the use of “cookies” as described on our websites, or as may otherwise be developed over time based on your interactions with us.

Use of Personal Information

We may use or disclose the Personal Information we collect for one or more of the following purposes:

  • To fulfill or meet the reason you provided the information and for our everyday business purposes – for example, to obtain quotations for insurance or other insurance or financial industry services (including those procured proactively and/or in connection with the movement of a book of business from one provider to another) on your behalf; to obtain insurance (or similar products) on your behalf or to facilitate the performance of related services by other industry service providers; to maintain or service your account or insurance, including by reporting claims of loss to other industry service providers, such as insurance carriers and adjusters; to evaluate our performance or offerings; and to make reports to credit bureaus. We may also save your information to facilitate new quotations or placements.
  • To comply with, or exercise rights under, applicable law – for example to make required or advisable reports to insurance regulatory, law enforcement or other similarly situated authorities; to respond to and comply with court orders, applicable law, and other legal requirements; and to defend ourselves against claims and to enforce our rights or protect our employees or property.
  • To market products and services to you, including through the use of targeted or similar advertising on the internet.
  • To provide or receive shared organizational services.
  • As described to you when collecting your Personal Information or as otherwise set forth in the CCPA.
  • To evaluate or effect a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, in which Personal Information held by us about our consumers is among the assets evaluated or transferred.

Sharing of Personal Information under the CCPA

Under the CCPA, the Sharing of Personal Information means sharing, renting, disclosing, disseminating, making available or otherwise communicating a consumer’s Personal Information to a third party for uses such as targeted advertising for the benefit of the business. 

California residents have certain rights under the CCPA around limiting the Sharing of their Personal Information.

The CCPA addresses two distinct categories of information disclosure by businesses, differentiating the Sharing of Personal Information for a Commercial Purposes from the Disclosure of Personal Information for a Business Purpose, as described below.

Sharing of Personal Information for a Commercial Purpose

The CCPA defines the Sharing of Personal Information for a Commercial Purpose as including the sale of a customer’s Personal Information for monetary of other consideration paid to the sharing business. 

In the preceding twelve (12) months, HUB has not Shared your Personal Information for a Commercial Purpose.

Disclosure of Personal Information for a Business Purpose

The CCPA excludes from the definition of Sharing Personal Information any use of Personal Information which was requested by you (the customer), including the expected and typical use of that information by a third party for the reasonably necessary purposes to achieve the requested service. Such an information transfer is considered the Disclosure of Personal Information for a Business Purpose under the CCPA.

In the preceding twelve (12) months, we may have Disclosed the following categories of Personal Information for a Business Purpose:

Category A: Identifiers.
Category B: California Customer Records Personal Information categories.
Category C: Protected classification characteristics under California or federal law.
Category D: Commercial information.
Category F: Internet or other similar network activity.
Category H: Sensory data.
Category I: Professional or employment-related information.

We may Disclose your Personal Information for a Business Purpose to perform services on your behalf and provide you with the insurance products and services you expect from us to the following categories of third parties:

  • Service providers.
  • Insurance carriers and other industry service providers.
  • Other third parties with which you or we maintain a relationship regarding your insurance.

Sales of Personal Information

In the preceding twelve (12) months, we have not sold Personal Information.

Information Specific to Employment Data of Hub International Limited

In addition, for recruitment and/or employment purposes, in the past twelve (12) months we have collected or may have collected and retained the following categories of Personal Information as necessary from California residents. Personal Information that falls under the definition of Sensitive Personal Information under the CCPA has been noted in the second column below:

Category

California Sensitive Personal Information may be considered to be within this Category (YES or NO)

Examples

Collected

Additional personal details, contact details and identifiers.

YES

Additional personal details for recruitment/employment purposes, such as national identification number, social security number, insurance information, marital/civil partnership status, domestic partners, dependents, emergency contact information, and military history; professional/personal calendar availability/scheduling information for meeting/communication purposes.

YES

Education information and professional or employment-related information.

NO

Information about your education and professional or employment-related information, such as your employment history.

YES

Sensitive data for recruitment purposes.

YES

Certain types of sensitive information when permitted by local law or with your consent, such as health/medical information (including disability status), trade union membership information, religion, race or ethnicity, minority flag, and information on criminal convictions and offences. We collect this information for specific purposes, such as health/medical information in order to accommodate a disability or illness (subject to legal limits on the timing of collection of such information and other applicable limitations) and to provide benefits; background checks and diversity-related Personal Information (such as race or ethnicity) in order to comply with legal obligations and internal policies relating to diversity and anti-discrimination.

YES

Documentation required under immigration laws.

YES

Data on citizenship, passport data, and details of residency or work permit (a physical copy and/or an electronic copy).

YES, as to employees of HUB.

Financial information for payroll/benefits purposes.

YES

Your banking and other relevant financial details we need for payroll/benefits purposes.

YES

Talent management information.

YES

Information necessary to complete a background check, details on performance decisions and outcomes, performance feedback and warnings, e-learning/training programs, performance and development reviews (including information you provide when asking for/providing feedback, creating priorities, updating your input in relevant tools), driver’s license and car ownership information, and information used to populate biographies.

YES

Requested recruitment information.

NO

Information requested to provide during the recruitment process, to the extent allowed by applicable law.

YES

Recruitment information you submit.

NO

Information that you submit in résumés / CVs, letters, writing samples, or other written materials (including photographs).

YES

Information generated by us during recruitment.

NO

Information generated by interviewers and recruiters related to you, based on their interactions with you or basic Internet searches where allowed under applicable law.

NO

Recruitment information received from third parties.

NO

Information related to you provided by third-party placement firms, recruiters, or job-search websites, where applicable.

NO

Audiovisual information processed during recruitment.

YES

Photograph, and images/audio/footage captured on CCTV or other video systems when visiting our office or captured in the course of recruitment events or video recruitment interviews.

NO

Recommendations.

NO

Recommendations related information provided on your behalf by others.

NO

Immigration.

YES

Documentation and related information required under immigration laws.

YES, as to employees of HUB

Employment history and background checks.

YES

Information about your prior employment, education, and where applicable and allowed by applicable law, credit history, criminal records or other information revealed during background screenings.

YES

Diversity related information.

YES

Information about race / ethnicity / religion / disability / gender and self-identified LGBT status, for purposes of government reporting where required by law, as well as to understand the diversity characteristics of our workforce, subject to legal limits.

YES

Assessment information.

YES

Information generated by your participation in psychological, technical or behavioral assessments. You will receive more information about the nature of such assessments before your participation in any of them.

YES


Your Rights and Choices

The CCPA at Section 7011 (e)(2) provides California Residents with specific rights regarding their Personal Information:

(A) Access. The right to know what Personal Information the business has collected about the consumer, including the categories of Personal Information, the categories of sources from which the Personal Information is collected, the business or commercial purpose for collecting, selling, or sharing Personal Information, the categories of third parties to whom the business discloses Personal Information, and the specific pieces of Personal Information the business has collected about the consumer;

(B) Deletion. The right to delete Personal Information that the business has collected from the consumer, subject to certain exceptions;

(C) Correction. The right to correct inaccurate Personal Information that a business maintains about a consumer;

(D) Opt-out of Sale or Sharing. If the business sells or shares Personal Information, the right to opt-out of the sale or sharing of their Personal Information by the business;

(E) Limitation on the Use of Sensitive Personal Information. If the business uses or discloses sensitive Personal Information for reasons other than those set forth in section 7027, subsection (lm), the right to limit the use or disclosure of sensitive Personal Information by the business; and

(F) Non-discriminatory Treatment. The right not to receive discriminatory treatment by the business for the exercise of privacy rights conferred by the CCPA, including an employee’s, applicant’s, or independent contractor’s right not to be retaliated against for the exercise of their CCPA rights.

The following sections describe these CCPA rights in further detail and explains how to exercise those rights.

Access to Specific Information and Data Portability Rights

You have the right to request that we disclose certain information to you about our collection and use of your Personal Information over the past twelve (12) months. Once we receive and confirm your verifiable consumer request (see “Exercising Access, Data Portability and Deletion Rights”), we will disclose to you:

  • The categories of Personal Information we collected about you.
  • The categories of sources for the Personal Information we collected about you.
  • Our business or commercial purpose for collecting or selling that Personal Information.
  • The categories of third parties with whom we share that Personal Information.
  • The categories of Personal Information shared for a business purpose for each category of recipients.
  • The specific pieces of Personal Information we collected about you (also called a data portability request).

In addition to the rights listed above, you may request limitations on the use of your Sensitive Personal Information consistent with the terms and limitations described in the CCPA, and pursuant to Civil Code Section 1798.120 et.seq. Limited use of Sensitive Information may continue to include those uses which the average consumer would reasonably expect in context, and for uses which are reasonably necessary and proportionate for our business.

Deletion Request Rights 

You have the right to request that we delete any of your Personal Information that we collected from you and retained. Once we receive and confirm your verifiable consumer request (see “Exercising Access, Data Portability and Deletion Rights”), we will delete your Personal Information from our records, unless an exception applies.

We may deny your deletion request in whole or in part for other reasons and exceptions described in the CCPA.

Exercising Access, Data Portability and Deletion Rights

To exercise the access, data portability and deletion rights described above, please submit a verifiable consumer request to us by:

To protect your information and privacy, only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your Personal Information. Designated agents making any request will be required to provide signed permission for the agent to submit a request. In addition, when an authorized agent submits a request, we may also require that you verify your own identity directly to us or confirm with us that you have requested that the agent to submit the request. You may also make a verifiable consumer request on behalf of your minor child.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

  • Provide sufficient information as we may request that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative of such person, which may include personal and/or commercial identifiers, such as an insurance policy number. Depending on the sensitivity of the information you are requesting, we may ask for additional information to verify your identity.
  • Describe your request with sufficient detail that allows us to properly understand, evaluate and respond to it.

We cannot provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. We will only use Personal Information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request.

Response Timing and Format

We will acknowledge receipt of your request within ten (10) days. We will endeavor to respond in substance to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time, we will inform you of the extension period which may not exceed an additional forty-five (45) days beyond the original forty-five (45) day period.

Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request's receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Information that is readily usable and should allow you to transmit the information from one entity to another entity without significant hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

  • Deny you goods or services.
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
  • Provide you a different level or quality of goods or services.
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Other California Privacy Rights

California's "Shine the Light" law (Civil Code Section § 1798.83) permits users of our website who are California Residents to request certain information regarding our disclosure of Personal Information to third parties for their direct marketing purposes. To make such a request, please write us at the mailing address shown beneath the heading “Contact Information for Requests under this Notice.”

Contact Information for Requests under this Notice

If you have any questions or comments about this Notice, the ways in which we collect and use your Personal Information described herein, and in the Policy, your choices, and rights regarding such use, or wish to exercise your rights under California law, please contact us at:

Postal Address:
Chief Legal Officer
Hub International Limited
150 N Riverside Plaza, 17th Floor
Chicago, IL 60606

Phone: 866-415-2207

Email: [email protected]

 Situations Where Rights Cannot Be Granted

There may be situations where we cannot grant a particular request — for example, if you ask us to delete your transaction data but we are legally obligated to keep a record of that transaction to comply with law, or if we are unable to verify your identity through standard and reasonable requirements. We may also decline to grant a request where doing so would undermine our legitimate use of data for antifraud and security purposes, such as when you request deletion of an account that is being investigated for security concerns. Other reasons your privacy request may be denied could be that granting the request would jeopardize the privacy of others; that the request is substantively frivolous or vexatious; or that granting the request would be highly impractical in the context of our legitimate business purposes.