CA Notice at Collection and Privacy Policy

California Notices at Collection

California Privacy Policy

This Policy applies to Granite Surety Insurance Company (“Granite”), defined as a “business” pursuant to the California Consumer Protection Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”). This California Privacy Policy (“CCPA Policy”) only applies to California consumers. California consumers (“consumers”) are persons who are California residents. This CCPA Policy only applies to consumers’ whose Personal Information is collected, used or disclosed by Granite. Personal Information is defined below. Any other terms defined in the CCPA have the same meaning when used in this CCPA Policy.

This purpose of this CCPA Policy is to provide consumers with a comprehensive description of Granite’s online and offline information practices regarding the collection, use, disclosure, and retention of personal information. It is also intended to inform consumers about the rights they have regarding their personal information. It also provides the information necessary for them to exercise those rights.,

“Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.


  • Granite does not sell or share consumers' Personal Information.
  • Granite does not have actual knowledge that it sells or shares the Personal Information of consumers under 16 years of age.
  • Granite does not use or disclose sensitive personal information for purposes other than those allowed in the CCPA. See CCPA Regulations §7027, subsection (m).

Personal Information does not include:

  • Publicly available information or lawfully obtained, truthful information that is a matter of public concern.
  • De-identified or aggregated consumer information.
  • Information excluded from the CCPA’s scope, like:
    • Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
    • Personal Information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

I. Categories of Personal Information Granite has Collected About Consumers in the Last 12 Months:

The categories of Personal Information Granite has collected about consumers over the past 12 months include the following. Please note that personal information collected about any particular consumer will depend on the reason for collecting the information. For example, disability or employment information may be collected because the consumer is a Granite employee. Whereas a driver’s license number may be collected because a consumer is covered under a policy of insurance or is making a claim against a policy.

  1. Personal Identifiers: such as a real name, signature, physical characteristics, physical description, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, telephone number, passport number, social security number, driver’s license or state identification card number.
  2. Financial Identifiers: such as insurance policy number, bank account number, credit card number, debit card number, or any other financial information.
  3. Medical Information: such as health insurance or medical information, unique personal identifier for health insurance, online identifier, account name, or other similar identifiers;
  4. Employment and Education Information: such as education history, employment or professional history, union membership, education information, as defined in FERPA, which is not publicly available information.
  5. Protected classifications under California or federal law, including: age, race, color, sex, creed, gender, sexual orientation and identity, national origin, ethnicity, disability, immigration status, citizenship status, marital status, military or veteran status.
  6. Commercial information: including records of personal property or products or services purchased, obtained, or considered.
  7. Internet or other electronic network activity information, including, but not limited to, search history, and information regarding a consumer’s interaction with Granite’s Internet Web sites, or applications.
  8. Audio, electronic, or similar information, including recordings of phone calls or messages left on a Granite phone system or e-mails where Granite is the intended recipient or where a consumer is using Granite’s e-mail system or other Granite technology asset as an employee.

II. Categories of Sources from Which Granite Has Collected the Categories of Personal Information Described Above:

  • Directly from the consumer. Individual Businesses that are seeking or have received insurance products or services from Granite, where the consumer is an employee or covered individual under the policy or service.
  • Third party Service Providers including vendors, law firms, reinsurers and other entities that provide services directly to Granite, pursuant to a contract, so that we can provide our insurance products and services and to provide employment support and services to our employees and any persons covered under medical, retirement or other employee benefits.
  • Government entities.
  • Internet service providers, data analytics providers, operating systems and platforms and social networks.

The categories of sources from which Granite collects Personal Information vary, depending upon the particular nature of the interaction with each consumer.

III. Business or Commercial Purposes For Which Granite Has Collected Consumers Personal Information:

  • To provide products and services that are requested
    • including , underwriting, maintaining and servicing accounts, providing customer services, processing or fulfilling requests and transactions, verifying customer information, processing payments, administering changes or amendments to existing products and services, processing claims, providing advertising or marketing services, providing analytic services, or providing similar services, and for Granite’s operational purposes which are reasonably necessary and proportionate to achieve the purpose for which the information was originally collected or for another purpose that is compatible with the context in which the personal information was collected.
  • To recommend different or additional insurance or risk management products or services, based upon the information provided as well as Granite’s understanding of insurance needs.
  • Detecting, preventing, and investigating security incidents that compromise the availability, authenticity, integrity or confidentiality of stored or transmitted personal information.
  • Protecting against malicious, deceptive, fraudulent or illegal activity directed at Granite, and prosecuting those responsible for that activity.
  • Debugging to identify and repair errors that impair existing intended functionality.
  • Undertaking activities to verify or maintain the quality or safety of a service or product that is developed or provided by Granite, and to improve, upgrade, or enhance any service or product that is developed or provided by Granite.
  • Auditing related to a current interaction with a consumer and concurrent transactions including auditing for compliance with the CCPA and other standards.
  • Undertaking internal research for technological development and demonstration.
  • To collect or process sensitive personal information where such collection or processing is not for the purpose of inferring characteristics about a consumer.
  • For short-term, transient use, including, but not limited to, non-personalized advertising shown as part of a consumer’s current interaction with Granite. When used for this purpose, personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with Granite.

IV. Categories of Personal Information That Granite Has Disclosed for a Business Purpose to Third Parties:

Granite has disclosed the following categories of Personal Information to third parties in the preceding 12 months for a business or commercial purpose:

All categories of Personal Information.

V.Categories of Third Parties to Whom Granite Has Disclosed Personal Information Described Above:

Granite may disclose consumer Personal Information with a third party service provider for a business or commercial purpose. When Granite discloses Personal Information for a business or commercial purpose, it enters into a contract, as required, that describes the purpose and requires the service provider recipient to both keep the Personal Information confidential and not use it for any purpose except performing the contract.

Granite discloses your Personal Information with the following categories of third parties:

  • Service Providers
  • Internet Service Providers
  • Government Entities

VI. Business or Commercial Purpose for Disclosing Personal Information.

Granite discloses personal information for multiple business reasons, depending on the specific nature and purpose for the disclosure. We disclose information to service providers to assist Granite in providing and servicing accounts, investigating and paying claims, engaging in litigation or claims investigations, for billing and payment recovery, for cyber security incidents, investigations and required reporting, and for employment purposes such as providing and administering benefits.

VII. Right to Know

Consumers have the right to request that Granite disclose certain Personal Information Granite has collected about them during the last 12 months. Granite will not disclose any Personal Information unless it receives a Verifiable Consumer Request (Information on how to complete a Verifiable Consumer Request is found below in Section XI). Consumers have the right to request the following:

  • Categories of Personal Information Granite has collected about the consumer.
  • Categories of sources from which the Personal Information is collected.
  • The business or commercial purpose for collecting Personal Information.
  • Categories of third parties to whom Granite discloses Personal Information.
  • Categories of Personal Information that Granite disclosed for a business purpose about the consumer.
  • Specific pieces of Personal Information that Granite has about the consumer.

VIII. Right to Request Deletion

Consumers have the right to request that Granite delete any of their Personal Information that Granite collected from them and retained, subject to certain exceptions. Once Granite receives a Verifiable Consumer Request - and separately confirms the Verifiable Consumer Request to delete- Granite will delete (and direct its service providers to delete) the Personal Information from its records, unless an exception applies. Granite will not delete personal information about the consumer that belongs to, or the business maintains on behalf of, another natural person. Granite may elect to deidentify or aggregate the consumer information rather than deleting it. Information on how to complete a Verifiable Consumer Request to delete is found below.

Granite may deny a deletion request if maintaining the information is necessary for Granite to:

  1. Complete the transaction for which the Personal Information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of Granite’s ongoing business relationship with the consumer, or otherwise perform a contract between Granite and the consumer.
  2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
  3. Debug to identify and repair errors that impair existing intended functionality.
  4. Exercise free speech, ensure the right of another consumer to exercise their right of free speech, or exercise another right provided for by law.
  5. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
  6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when Granite’s deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
  7. Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with Granite and compatible with the context in which the consumer provided the information.
  8. Comply with federal, state, or local laws; or comply with a court order or subpoena or other legal obligation; or to comply with a civil, criminal or regulatory inquiry by federal, state or local authorities or law enforcement agencies.
  9. Make other internal and lawful uses of that information that are compatible with the context in which the consumer provided it.
  10. Exercise or defend legal claims.

IX. Right to Correct Inaccurate Personal Information

Consumers have the right to request that Granite correct inaccurate personal information about the consumer, maintained by Granite, taking into account the nature of the personal information and the purposes of the processing of the personal information. Once Granite receives a Verifiable Consumer Request, as described below, it will use commercially reasonable efforts to correct the inaccurate personal information, as directed by the consumer. Granite will not correct personal information about the consumer that belongs to, or the business maintains on behalf of, another natural person.

X. Right to Non-Discrimination

Consumers have the right not to receive discriminatory treatment by Granite for the exercise of privacy rights conferred by the CCPA, including an employee’s, applicant’s, or independent contractor’s right not to be retaliated against for the exercise of their CCPA rights.

XI. Exercising Right to Know, Right to Delete and Right to Correct.

To exercise the right to know, right to delete or right to correct described above, please submit a Verifiable Consumer Request to Granite by either:

Granite needs to verify that the consumer making the request is the consumer about whom the business has collected information. Only the consumer or an Authorized Agent may make a Verifiable Consumer Request related to their Personal Information. An “Authorized Agent” is a person registered with the California Secretary of State that consumers have authorized to act on their behalf or an individual granted authority under a written power of attorney issued pursuant to California Probate Code sections 4121 to 4130. If an Authorized Agent is making the request and has not provided registration information or a power of attorney, Granite must receive signed written permission from the consumer for the Agent to act on the consumer’s behalf.

Consumers may only make a Verifiable Consumer Request to Know twice within a 12-month period. The Verifiable Consumer Request must:

  • Provide sufficient information that allows Granite to verify, to a reasonably high degree of certainty, that the requestor is the consumer about whom Granite collected Personal Information or an Authorized Agent.
  • Describe the request with sufficient detail to allow Granite to properly understand, evaluate, and respond to it.

NOTE: Completing as much information as possible on the Verifiable Consumer Request form will make it more likely that Granite will be able to provide a substantive response.

Granite will attempt to match data provided in the Verifiable Consumer Request to data that Granite maintains on the consumer. Granite will require a declaration under penalty of perjury, swearing that the requestor is the consumer or Authorized Agent whose Personal Information is the subject of the request. If Granite cannot, to a reasonably high degree of certainty, verify a requestor’s identity or authority to make the request and confirm the Personal Information relates to the consumer, the request will be denied. Granite will also deny a request made by an Authorized Agent if the Authorized Agent does not submit proof that they have been authorized by the consumer to act on their behalf and the consumer also directly confirms to Granite that they have given the Authorized Agent permission, as described above. If this happens Granite will state so in its response.

Making a Verifiable Consumer Request does not require the requestor to create an account with Granite. Granite will only use Personal Information provided in a Verifiable Consumer Request to verify the requestor’s identity or authority to make the request.

Granite will provide a response either by mail or electronically, at the requestor’s option.

XII. Verifiable Consumer Request Response and Timing

Granite will confirm receipt of a Verifiable Consumer Request within 10 days of receipt and, upon verification, provide a response within 45 days. Granite may require an additional 45 days to verify and respond to some requests. If more than 45 days are required, Granite will notify the requestor within the first 45 days, explaining the reason for the delay.

Granite will not charge a fee to process or respond to a Verifiable Consumer Request unless it is excessive, repetitive, or manifestly unfounded. If Granite determines that the Request warrants a fee, it will inform the requestor of that decision.

NOTICE: Nothing in this CCPA Policy or the CCPA shall limit Granite’s ability to comply with applicable laws; comply with civil, criminal, or regulatory inquiries by federal, state or local authorities; cooperate with law enforcement concerning any potential violations of law; or otherwise exercise or defend legal claims.

This CCPA Policy may be printed as a separate document by utilizing your browser’s print function.

XIII. Contact for More Information:

Persons with a disability can receive alternative formats of this CCPA Policy by contacting Granite below. If a consumer has any questions or concerns about this CCPA Policy or any consumer rights under the CCPA, Granite can be contacted at:

This CCPA Privacy Policy was last updated: 01-01-2024