California Privacy Statement

Last updated: August 2, 2024

Privacy Notice for California Residents Contents

Introduction
Collection, Use, and Disclosure Details
Data retention
Your consumer privacy rights
Making a request and scope of requests
Shine the Light law
Changes to this Notice
How to contact us  

Introduction

Maximus, Inc. and its subsidiaries (Maximus, we, us) respects your privacy and we have developed the following Privacy Notice For California residents (“California Notice”) to demonstrate our commitment to you, and in connection with compliance under the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020) (collectively, the “CCPA”).

This California Notice supplements our general Privacy Notice (“Privacy Notice”). In the event of any inconsistency between the Privacy Policy and this California Notice, this California Notice will control as to California residents (“Consumers”).

This California Notice explains the collection, use, sale and sharing of the personal information we collect through Maximus.com and other sites that link to this California Notice (the “Site”).  This California Notice is designed to provide you with notice of our recent, historical data practices over the prior 12 months (from the Last Updated date listed at the top of this California Notice). This California Notice also applies to our current data practices, such that it is also meant to provide you with “Notice at Collection,” which is notice of personal information we collect online and offline, and the purposes for which we process such personal information. For any new or substantially different processing activities that are not described in this California Notice, we will notify you as required by applicable law, including by either notifying you at the time of collecting personal information, or by updating this Privacy Policy. Terms not defined in this California Notice will have the meaning provided under the Privacy Policy or the CCPA, as applicable. As used in this California Notice, “personal information” is given the meaning ascribed to it under the CCPA, which is generally consistent with how we define that term in the Privacy Policy.

As is the case with our Privacy Notice, this California Notice does not govern personal information collected independently by Third-Party Services or privacy practices associated with such Third-Party Services.

Return to Contents

Collection, Use, and Disclosure Details

Generally, we collect, retain, use, and disclose your personal information to provide you our products and services and as otherwise related to the operation of our business. More specifically, we collect, retain, use, and disclose your personal information for the business and commercial purposes set forth in our Privacy Notice, including those listed in the “How do we use personal information we collect from you?” and “With whom we share your personal data and for what purposes” sections in the Privacy Notice.

The table below describes our data collection and disclosure practices in further detail including the categories of personal information we collect (left column), examples of types of data that fit within such categories (middle column), and the categories of recipients that receive such personal information as part of disclosures for business purposes (right column).

Category

Examples

Category of Recipients for Business Purpose Disclosures

Personal identifiers and contact information

Name, postal address, email address, and Internet Protocol (IP) address and other digital IDs

  • Software and Other Business Vendors (“Business Vendors”)
  • Email, customer relationship management, and other marketing Vendors (“Marketing Vendors”)
  • Third-Party Digital Businesses

 

Personal Information defined in Cal. Civ. Code Section 1798.80(e)

Name, signature, address, telephone number, and financial information (e.g., payment card information). Some personal information included in this category may overlap with other categories.

  • Business Vendors
  • Marketing Vendors

 

Commercial information

Commercial information such as products or services purchased,

obtained, or considered

  • Business Vendors
  • Marketing Vendors

 

Location Information

We may collect non-precise location information derived from your IP address when you visit our Site.

  • Business Vendors
  • Website Management Vendors

 

Internet or other similar network activity

When you use our Site, we may collect information regarding such use, interactions, or communications with us, our systems, and third-party applications, or other sites, applications, or content, subject to any applicable consent requirement. This includes information such as: your device functionality (browser, operating system, hardware, mobile network information); the URL that referred you to our service; the areas within our services and systems that you visit and your activities there (such as browsing history and search history);  your interaction with emails and messages we send you, such as whether you open them or click on links within; your device location (if you have enabled such features on your device); your device characteristics; and device data and the time of day.

  • Business Vendors
  • Website Management Vendors
  • Marketing Vendors
  • Third-Party Digital Businesses

 

Professional or employment-related information

For example, if you inquire about our business services, we may request the name of your employer and your job title.

  • Business Vendors
  • Marketing Vendors

Inferences

For example, we may infer that you are interested in particular services based on your prior business history with us, or your use of our Site.

  • Business Vendors
  • Marketing Vendors
  • Third-Party Digital Businesses


We also may disclose each category of personal information in the table to the following categories of recipients in a manner that does not constitute Sale or Sharing: 

  • Other parties at your direction or through your intentional action
  • The government or private parties to comply with law or legal process; and
  • Assignees as part of an acquisition, merger, asset sale, or other transaction where another party assumes control over all or part of our business.

In addition, our Vendors and the other recipients listed in the above table may, subject to contractual restrictions imposed by us and/or legal obligations, also use and disclose your personal information for business purposes. For example, our Vendors and the other categories of recipients listed in the table above may engage subcontractors to enable them to perform services for us or process for our business and commercial purposes.

We may Sell or Share the following categories of personal information to Third-Party Digital Businesses: personal identifiers and contact information, Internet or other similar network activity, and inferences. We do not Sell or Share the other categories of personal information listed in the table.

The following business and commercial purposes may implicate Sale and Sharing: making you aware of benefits, products, services, or events offered by Maximus that may interest you, including through marketing and digital advertising activities, and purposes disclosed at the time you provide your personal information.

Sensitive Personal Information

We do not believe we collect “Sensitive Personal Information” as defined in the CCPA. The CCPA requires us to state that we do not use or disclose Sensitive Personal Information for purposes beyond certain internal purposes defined in the CCPA regulations.

Sources of Personal Information

As described in our Privacy Notice, we collect personal information directly from you or from your device, Third-Party Services and other trusted third parties, and Vendors.

Return to Contents

Data retention

Because there are so many different types of personal information in certain categories, and so many purposes and use cases for different data, we are unable to provide retention ranges based on categories of personal information in a way that would be meaningful and transparent to you.  Actual retention periods for all personal information will depend upon how long we have a legitimate purpose for the retention consistent with the collection purposes and applicable law.  For instance, we may maintain business records for so long as relevant to our business and may have a legal obligation to hold personal information for so long as potentially relevant to prospective or actual litigation or government investigation.  We apply the same criteria for determining if we have a legitimate purpose for retaining your personal information that you ask us to delete.  If you make a deletion request, we will conduct a review of your personal information to confirm if legitimate ongoing retention purposes exist, will limit the retention to such purposes for so long as the purpose continues, and will respond to you with information on any retention purposes on which we rely for not deleting your personal information. 

We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing a notice to you.

Return to Contents

Your consumer privacy rights

As described in further detail below, we provide Consumers – which are, for clarity, residents of California – the privacy rights described in this section.  Further below, we discuss how to make a privacy rights request, and the identity verification procedures that we carry out pursuant to the state privacy laws.

Right to Know Categories

Consumers have the right to request that we share with you certain information to you about our collection, use and disclosure of your personal information over the 12-month period prior to the request date, related to categories of personal information. You can request that we disclose to you: (1) the categories of personal information we collected about you; (2) the categories of sources for the personal information; (3) our business or commercial purpose for collecting or selling that personal information ; (4) a list of the categories of personal information disclosed for a business purpose in the prior 12 months and, for each category of personal information, the categories of recipients; and (5) a list of the categories of personal information sold or shared about you in the prior 12 months and, for each, the categories of recipients.

Right to Know Specific Pieces

You have the right to request a transportable copy of the specific pieces of personal information we collected about you in the 12-month period preceding your request. Please note that personal information is retained by us for various time periods, so there may be certain information that we have collected about you that we do not even retain for 12 months (and thus, it would not be able to be included in our response to you). Under the CCPA, Consumers are only permitted to make two “right to know” requests in a one-year period.

Right to Delete

You have the right to request that we delete any of your personal information that we have collected [directly from/about] you and retained, subject to certain exceptions which we will explain in our response (if they apply). After we confirm that your deletion request is a Verifiable Consumer Request, subject to permitted retention exceptions, we will carry out one or more of the following: (i) permanently erase your personal information on our existing systems with the exception of archived or back-up systems, (ii) deidentify your personal information, or (iii) aggregate your personal information with other information. In our response to your request to delete, we will tell you the method for deleting your personal information. Where legal exceptions will apply to your request for deletion, we will tell you which one(s) and will limit retention to the permitted purpose(s).

Right to Correct

You have the right to request that we correct inaccuracies that you find in your personal information maintained by us. Your request to correct is subject to our verification (discussed above) and the response standards in the applicable state privacy laws.

Opt-out of Sale and Sharing

Under the CCPA, Consumers have the right to opt-out of certain processing activities. California has opt-outs specific to targeted advertising activities – which the CCPA refers to as “cross-context behavioral advertising” – and which involves the use of personal information from different businesses or services to target advertisements to you. The CCPA provides Consumers the right to opt-out of Sharing, which includes providing or making available personal information to third parties for such targeted advertising activities. The CCPA also has opt-outs specific to the Sale of personal information, which at a minimum requires providing or otherwise making personal information available to a third party.

Sales and Sharing activities may occur when Third-Party Digital Businesses associate Tracking Technologies on our Site that collect personal information when you use or access the Site, or otherwise collect and process personal information that we make available to them for marketing and advertising purposes. Giving access to personal information on our Site, or otherwise making available personal information, to certain Third-Party Digital Businesses could be deemed a Sale and Sharing under the CCPA. Therefore, we will treat such personal information collected by Third-Party Digital Businesses (e.g., cookie ID, IP address, and other online IDs and internet or other electronic activity information) as such, and subject to the opt-out requests described above. In some instances, the personal information we make available about you is collected directly by such Third-Party Digital Businesses using Tracking Technologies on our Site or our advertisements that are served on third-party sites or services (which we refer to as “cookie PI”). However, certain personal information which we make available to Third Party Digital Businesses is information that we have previously collected directly from you or otherwise about you (which we refer to below as “non-cookie PI”).

When you opt-out pursuant to the instructions below, it will have the effect of opting you out of Sale and Sharing. Instructions for opting out are below. Please note that there are distinct instructions for opting out of cookie PI and non-cookie PI, which we explain below. This is because we have to use different technologies to apply your opt-out of cookie PI and to non-cookie PI.

Opt-out for cookie PI: If you would like to submit a request to opt-out of Sale or Sharing of your cookie PI, you need to exercise a separate opt-out request on our cookie management tool by going to the preference center of the tool, which you can do by either clicking “Your Privacy Choices” on the footer of our website. Our cookie management tool enables you to exercise such an opt-out request and enable certain cookie preferences on your device. You must exercise your preferences on each of our websites you visit, from each browser you use, and on each device that you use.  Since your browser opt-out is designated by a cookie, if you clear or block cookies, your preferences will no longer be effective, and you will need to enable them again via our cookie management tool.  Beware that if you use ad blocking software, our cookie banner may not appear when you visit our Services.

Opt-Out Preference Signal: The CCPA requires businesses to receive requests to opt-out of Sale and Sharing through opt-out preference signals (OOPS), which are signals sent by a platform, technology, or mechanism enabled by individuals on their devices or browsers that communicate the individual’s choice to opt-out. To use an OOPS, you can download an internet browser or a plugin with “Global Privacy Control” (GPC) to use on your current internet browser and follow the settings to enable it. See https://globalprivacycontrol.org/ for more information.

We have configured our OneTrust consent management platform to receive and process GPC signals according to its operating instructions. Please note that when we receive and process a OOPS/GPC signal, we will apply such signal as an opt-out of Sale and Sharing as to cookie PI only.

The CCPA requires us to state that we do not: (1) charge a fee for use of our websites if you have enabled GPC; (2) change your experience with our websites if you use GPC; or (3) display a notification, pop-up, text, graphic, animation, sound, video, or any interstitial in response to the GPC.

The CCPA also requires us to state that we do not knowingly Sell or Share the personal information of Consumers under 16 years of age.

See also the “Tracking technologies and your choices” section in the Privacy Notice for more information on our use of cookies and other Tracking Technologies and various industry opt-out programs.

Automated decision-making and profiling

We do not believe we engage in processing that constitutes automated decision-making or profiling as it is proposed to be regulated under the CCPA. As of the Effective Date, the definitions of these concepts, and any associated opt-out and access rights have not been finalized and added to the updated regulations of the CCPA.

Right to non-discrimination

You have the right to not receive discriminatory treatment, in a manner prohibited by the CCPA, for the exercise of your privacy rights.

Making a request and scope of requests

As permitted by the state privacy laws, certain requests you submit to us are subject to an identity verification process (“Verifiable Consumer Request”) as described in the “Verifying Your Request” section below. We will not fulfill your request unless you have provided sufficient information for us to reasonably verify you are the Consumer about whom we collected personal information.

To make a request (other than opt-out of Sale or Sharing), consult the information below. For instructions on how to submit a request to opt-out of Sale or Sharing, visit the “Opt-out of Sale and Sharing” section above.

Some information we maintain about Consumers that is technically considered personal information may, nonetheless, not be sufficiently associated with information that you provide when making your request. For example, if you provide your name and email address when making a request, we may be unable to associate that with certain data collected on the Site, such as clickstream data tied only to a pseudonymous browser ID. Where we are unable to associate such information with the information you provide, we do not include such information in response to those requests. If we cannot comply with a request, we will explain the reasons in our response. We will use personal information provided in a Verifiable Consumer Request only to verify your identity or authority to make the request and to track and document request responses unless you also gave it to us for another purpose.

We will make commercially reasonable efforts to identify personal information that we collect, process, store, disclose, and otherwise use and to respond to your privacy requests. We will typically not charge a fee to fully respond to your requests; provided, however, that we may charge a reasonable fee, or refuse to act upon a request, if your request is excessive, repetitive, unfounded, or overly burdensome. If we determine that the request warrants a fee, or that we may refuse it, we will give you notice explaining why we made that decision. You will be provided a cost estimate and the opportunity to accept such fees before we will charge you for responding to your request.

Verifying your request

When you make a request, we will verify that you are the person you say you are, or, if you are seeking information on behalf of another person, that you are authorized to make the request on their behalf (see our “Authorizing an Agent” section immediately below). In addition, we will compare the information you have provided to ensure that we maintain personal information about you in our systems. As an initial matter, we ask that you provide us with, at a minimum, your full name and email address. Depending on the nature of the request and whether we have the information you have provided in our systems, we may request further information from you to verify that you are, in fact, the Consumer making the request. We will review the information provided as part of your request and may ask you to provide additional information via email or other means to complete the verification process. We will not fulfill your Right to Know (Categories), Right to Know (Specific Pieces), Right to Delete, or Right to Correction request unless you have provided sufficient information for us to reasonably verify you are the Consumer that is the subject of the request.  The same verification process does not apply to opt-outs of Sale or Sharing requests, but we may apply authentication measures if we suspect fraud (such as verifying access to the email address or phone number provided when making the request). We may apply authentication measures to opt-out requests as a fraud avoidance measure (such as verifying access to the email address provided in connection with the request).

The verification standards we are required to apply for each type of request vary. We verify your categories requests and certain deletion and correction requests (e.g., those that are less sensitive in nature) to a reasonable degree of certainty, which may include matching at least two data points provided by you with data points maintained by us, which we have determined to be reliable for the purpose of verifying you. For certain deletion and correction requests (such as those that relate to personal information that is more sensitive in nature) and for specific pieces requests, we apply a verification standard of reasonably high degree of certainty. This standard includes matching at least three data points provided by you with data points maintained by us, which we have determined to be reliable for the purpose of verifying you, and may include obtaining a signed declaration from you, under penalty of perjury, that you are the individual whose personal information is the subject of the request. 

If we cannot verify you in respect of certain requests, such as if you do not provide the requested information, we will still take certain action as required by certain U.S. Privacy Laws. For example, if you are a California Consumer:

  • If we cannot verify your deletion request, we will refer you to this U.S. State Privacy Notice for a general description of our data practices.
  • If we cannot verify your specific pieces request, we will treat it as a categories request.

Authorizing an agent

You may designate an authorized agent to submit a request on your behalf using the submission methods described above. If you are an authorized agent who would like to make a request, the U.S. Privacy Laws require that we ensure that a request made by an agent is a Verifiable Consumer Request (except requests to opt-out of Sale or Sharing) and allows us to request further information to ensure that the Consumer has authorized the agent to make the request on their behalf. Generally, we will request that an agent provide proof that the Consumer gave the agent signed permission to submit the request, and, as permitted under the state privacy laws, we also may require the Consumer to either verify their own identity or directly confirm with us that they provided the agent permission to submit the request.

Return to Contents

Shine the Light law

The California “Shine the Light” law gives California residents the right, under certain circumstances, to opt out of the disclosure of certain categories of personal information, as defined in the Shine the Light law, with third parties for their direct marketing purposes, or that we provide a cost-free way for consumers to opt out of any such disclosure. We do not currently disclose your personal information to third parties for their own direct marketing purposes.

Return to Contents

Changes to this Notice

This California Notice is effective as of the Effective date above.  We reserve the right to change this California Notice at any time.  We will take reasonable steps to advise you of any changes to this California Notice, including by posting the revised Notice on our website.  We recommend that you review this California Notice from time to time to obtain the current version.  You may contact us at the email address or telephone number listed below to obtain a current copy of this California Notice. 

Return to Contents

How to contact us

If you have any questions or concerns in connection with this California Notice, or for further information on our personal information processing practices, please contact us via:

Telephone: 1-833-953-3696

Email: Privacy@maximus.com

Return to Contents