CA Notice at Collection and Privacy Policy

California Notices at Collection

These notices at collection were last updated: 07-30-2020

California Privacy Policy

Effective Date: January 1, 2020.

This Policy applies to Granite Surety Insurance Company (“Granite”), defined as a “business” pursuant to the California Consumer Protection Act (“CCPA”). This California Privacy Policy (“CCPA Policy”) only applies to California consumers. California consumers (“consumers”) are persons who are California residents. This CCPA Policy only applies to consumers’ whose Personal Information is collected, used or disclosed by Granite. Personal Information is defined below. Any other terms defined in the CCPA have the same meaning when used in this CCPA Policy.

This CCPA Policy describes Granite’s business practices, both online and offline, regarding:

  • The collection, use, and disclosure of consumers’ Personal Information, and;
  • The rights of consumers regarding their own Personal Information.

NOTE: Granite does not sell consumers' Personal Information. Granite does not sell the Personal Information of minors under 16 years of age without affirmative authorization.

“Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Personal Information does not include:

  • Publicly available information from government records.
  • De-identified or aggregated consumer information.
  • Information excluded from the CCPA’s scope, like:
    • Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
    • Personal Information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

I. Right to Know

Consumers have the right to request that Granite disclose certain Personal Information Granite has collected about them during the last 12 months. Granite will not disclose any Personal Information unless it receives a Verifiable Consumer Request (Information on how to complete a Verifiable Consumer Request is found below*). Consumers have the right to request the following:

  • Categories of Personal Information Granite has collected about the consumer.
  • Categories of sources from which the Personal Information is collected.
  • The business or commercial purpose for collecting Personal Information.
  • Categories of third parties to whom Personal Information was disclosed for a business purpose.
  • Categories of Personal Information that Granite disclosed for a business purpose about the consumer.
  • Specific pieces of Personal Information that Granite has about the consumer.

II. Right to Request Deletion

Consumers have the right to request that Granite delete any of their Personal Information that Granite collected from them and retained, subject to certain exceptions. Once Granite receives a Verifiable Consumer Request - and separately confirms the Verifiable Consumer Request to delete- Granite will delete (and direct its service providers to delete) the Personal Information from its records, unless an exception applies. Information on how to complete a Verifiable Consumer Request to delete is found below.

Granite may deny a deletion request if maintaining the information is necessary for Granite to:

  1. Complete the transaction for which the Personal Information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of Granite’s ongoing business relationship with the consumer, or otherwise perform a contract between Granite and the consumer.
  2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
  3. Debug to identify and repair errors that impair existing intended functionality.
  4. Exercise free speech, ensure the right of another consumer to exercise their right of free speech, or exercise another right provided for by law.
  5. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
  6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when Granite’s deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
  7. Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with Granite.
  8. Comply with a legal obligation.
  9. Make other internal and lawful uses of that information that are compatible with the context in which the consumer provided it.

III. Exercising Right to Know and Right to Delete

To exercise the right to know and right to delete described above, please submit a Verifiable Consumer Request to Granite by either:

Only the consumer or an Authorized Agent may make a Verifiable Consumer Request related to their Personal Information. An “Authorized Agent” is a person registered with the California Secretary of State that consumers have authorized to act on their behalf or an individual granted authority under a written power of attorney issued pursuant to California Probate Code sections 4000 to 4465. If an Authorized Agent is making the request and has not provided registration information or a power of attorney, Granite must receive written permission from the consumer for the Agent to act on the consumer’s behalf.

Consumers may only make a Verifiable Consumer Request for access or deletion twice within a 12-month period. The Verifiable Consumer Request must:

  • Provide sufficient information that allows Granite to verify, to a reasonably high degree of certainty, that the requestor is the consumer about whom Granite collected Personal Information or an Authorized Agent.
  • Describe the request with sufficient detail to allow Granite to properly understand, evaluate, and respond to it.

NOTE: Completing as much information as possible on the Verifiable Consumer Request form will make it more likely that Granite will be able to provide consumers with a substantive response.

Granite will attempt to match data provided in the Verifiable Consumer Request to data that Granite maintains on the consumer. Granite will require a declaration under penalty of perjury, swearing that the requestor is the consumer or Authorized Agent whose Personal Information is the subject of the request. If Granite cannot, to a reasonably high degree of certainty, verify a requestor’s identity or authority to make the request and confirm the Personal Information relates to the consumer, the request will be denied. Granite will also deny a request made by an Authorized Agent if the Authorized Agent does not submit proof that they have been authorized by the consumer to act on their behalf, as described above. If this happens Granite will state so in its response.

Making a Verifiable Consumer Request does not require the requestor to create an account with Granite. Granite will only use Personal Information provided in a Verifiable Consumer Request to verify the requestor’s identity or authority to make the request. Granite will provide a response either by mail or electronically, at the requestor’s option.

IV. Verifiable Consumer Request Response and Timing

Granite will confirm receipt of a Verifiable Consumer Request within 10 days of receipt and, upon verification, provide a response within 45 days. Granite may require an additional 45 days to verify and respond to some requests. If more than 45 days are required, Granite will notify the requestor within the first 45 days, explaining the reason for the delay.

Granite will not charge a fee to process or respond to a Verifiable Consumer Request unless it is excessive, repetitive, or manifestly unfounded. If Granite determines that the Request warrants a fee, it will inform the requestor of that decision.

V. Non-Discrimination

Granite will not discriminate against a consumer because the consumer exercised any of the consumer’s rights under the CCPA.

VI. Categories of Personal Information Granite has Collected in the Last 12 Months:

The categories of Personal Information Granite has collect about consumers over the past 12 months include the following:

  1. Personal Identifiers: such as a real name, signature, physical characteristics, physical description, alias, postal address, IP address, email address, telephone number, passport number, social security number, driver’s license or state identification card number.
  2. Financial Identifiers: such as insurance policy number, bank account number, credit card number, debit card number, or any other financial information.
  3. Medical Information: such as health insurance or medical information, unique personal identifier for health insurance, online identifier, account name, or other similar identifiers;
  4. Employment and Education Information: such as education history, employment or professional history, education information, as defined in FERPA.
  5. Protected classifications under California or federal law, including: age, race, color, sex, creed, gender, sexual orientation and identity, national origin, disability, citizenship status, marital status, military or veteran status.
  6. Commercial information, records of products or services purchased, obtained, or considered.
  7. Internet or other electronic network activity information, including, but not limited to, search history, and information regarding a consumer’s interaction with an Internet Web site, or application.
  8. Audio, electronic, or similar information, including recordings of phone calls or messages left on a Granite phone system.

VII. Categories of Sources from Which Granite Has Collected the Categories of Personal Information Described Above:

  • Directly from the consumer: all categories of Personal Information. This could occur as a result of a phone conversation, completing an application or claim report, requesting a change, or otherwise interacting with Granite.
  • Individual Businesses: all categories Personal Information.
  • Third party Service Providers: all categories of Personal Information.

The categories of sources from which Granite collects Personal Information and the specific categories of Personal Information vary, depending upon the particular nature of the interaction with each consumer.

VIII. Business or Commercial Purposes For Which Granite Has Collected the Categories of Personal Information Described Above:

  • To provide products and services that are requested
    • including , underwriting, maintaining and servicing accounts, providing customer services, processing or fulfilling requests and transactions, verifying customer information, processing payments, administering changes or amendments to existing products and services, processing claims, providing advertising or marketing services, providing analytic services, or providing similar services, and for Granite’s operational purposes which are reasonably necessary and proportionate to achieve the purpose for which the information was originally collected.
  • To recommend different or additional products or services, based upon the information provided as well as Granite’s understanding of insurance needs.
  • Detecting security incidents, protecting against malicious, deceptive, fraudulent or illegal activity, and prosecuting those responsible for that activity.
  • Debugging to identify and repair errors that impair existing intended functionality.
  • Undertaking activities to verify or maintain the quality or safety of a service or product that is developed or provided by Granite, and to improve, upgrade, or enhance any service or product that is developed or provided by Granite.
  • Auditing related to a current interaction with a consumer and concurrent transactions including auditing for compliance with the CCPA and other standards.
  • Undertaking internal research for technological development and demonstration.
  • Undertaking activities to verify or maintain the quality of services and products owned or controlled by Granite and to improve, upgrade or enhance those services and products.
  • Advancing Granite’s lawful commercial or economic interests.

IX. Categories of Third Parties With Whom Granite Has Shared Personal Information Described Above:

Granite may share consumer Personal Information with a third party for a business or commercial purpose. When Granite discloses Personal Information for a business or commercial purpose, it enters into a contract that describes the purpose and requires the third party recipient to both keep the Personal Information confidential and not use it for any purpose except performing the contract.

Granite shares your Personal Information with the following categories of third parties:

  • Service Providers
  • Internet Service Providers
  • Government Entities

X. Disclosures of Personal Information Described Above for a Business or Commercial Purpose:

Granite has disclosed the following categories of Personal Information to third parties in the preceding 12 months for a business or commercial purpose:

All categories of Personal Information.

Granite has not sold any Personal Information to third parties for a business or commercial purpose in the preceding 12 months.

NOTICE: Nothing in this CCPA Policy or the CCPA shall limit Granite’s ability to comply with applicable laws; comply with civil, criminal, or regulatory inquiries by federal, state or local authorities; cooperate with law enforcement concerning any potential violations of law; or otherwise exercise or defend legal claims.

This CCPA Policy may be printed as a separate document by utilizing your browser’s print function.

XI. Contact for More Information:

Persons with a disability can receive alternative formats of this CCPA Policy by contacting Granite below. If a consumer has any questions or concerns about this CCPA Policy or any consumer rights under the CCPA, Granite can be contacted at:

This CCPA Policy was last updated: 01-01-2020