US Privacy Notice

Scope of this Privacy Notice

Oliver Wyman (“We”) strive to protect the privacy and confidentiality of the personal information with which we are entrusted.  This US Privacy Notice explains the personal information we collect or process about residents in certain US states connection with the site, application, product, or service that links to this Privacy Notice (the “Service”), how we use, share, and protect that personal information, and what your rights are with respect to your personal information that we gather and process.

What Personal Information Do We Collect?

Categories of PI Description Categories of Sources of PI
Internet & Technical Information

This data is collected in the course of the consumer’s use of the business’ websites and platforms, including, for example:

  • Data from cookies, web beacons, and pixels
  • Geolocation data
Indirectly from you (e.g., when you interact with our website)
Contact and information provided through Internet-based forms or other online interactions

Data elements that allow the business to address or contact a consumer, including:

  • Name 
  • Honorifics 
  • Company or employer name 
  • Title 
  • Alias 
  • Mailing address 
  • Email address 
  • Telephone and fax numbers 
Directly from you (e.g., when you submit an online form or make an inquiry online to Oliver Wyman)
Contact and information provided through non- Internet-based forms or other interactions that are not online

Data elements that allow the business to address or contact a consumer, including:

  • Name 
  • Honorifics 
  • Company or employer name 
  • Title 
  • Alias 
  • Mailing address 
  • Email address 
  • Telephone and fax numbers 
Directly from you (e.g., when you submit a hard copy form, register in person for a hosted event through a method that is not online, or make an inquiry via non-electronic means to Oliver Wyman)

Note that the California Consumer Privacy Act requires us to describe the personal information we collect (see table above) by reference to certain statutory categories of personal information described in Section 1798.140(v)(1) of the California Civil Code. All of the personal information we collect may include “identifiers” and “personal information” (as described in Section 1798.80 of the California Civil Code); the profile data we collect may include “characteristics of protected classifications” and “visual information” (if you use a profile photo); the marketing data and transaction data we collect includes “commercial information”; the online activity data we collect may include “internet activity information” and “geolocation data”; your account credentials and your device’s precise geolocation are “sensitive personal information”; and we may derive inferences from all of the foregoing.

What are our Business Purposes for Collecting and Disclosing Personal Information?

Categories of PI Business or Commercial Purpose for Collection of PI Categories of third parties with whom we share the PI
Internet & Technical Information To operate, assess activity on, and improve our websites and the services they support, including the Service; Our affiliates, and vendors who help us operate, assess, and improve the performance of our website. For more details, please visit our cookie policy.
Contact and information provided through forms or other interactions (whether or not Internet-based) For marketing and client communications Our affiliates, and vendors who help us manage our contact databases and vendors who help us distribute communications.

We may also process or disclose de-identified information that is not reasonably likely to identify you for commercially legitimate and lawful business purposes. Where we have de-identified data, we will maintain and use it without attempting to re-identify the data other than as permitted under law.

How Long Do We Keep Personal Information?  

Our products, services, and regulatory obligations are complex, and thus our retention periods for personal information vary.  We consider the following obligations when setting retention periods for personal information and the records we maintain: the need to retain information to accomplish the business purposes or contractual obligations for which it was collected; our duties to effectuate our clients’ instructions with respect to personal information we process on their behalf; our duties to comply with mandatory legal and regulatory record-keeping requirements; and other legal impacts such as applicable statute of limitations periods. We may also retain personal information for other purposes delineated in applicable privacy laws.

Sale of your Personal Information or Sharing for Cross-Context Advertising  

We allow certain third parties to use cookies and other online tracking technologies to collect personal information of visitors on our websites, such as IP addresses and identifiers.  These third parties help us to personalize ads and content based on your interests, measure the performance of our ads and content, and derive insights about the audiences who saw our ads and content.  Certain of these third parties may have also collected your information from your activity on other companies’ websites, or through your direct relationship with them (e.g., Google), and they use that collective information to share de-identified insights about website visitors with companies like ours.  Others may offer free services or enhanced add on services to our company, and they may use your personal information for purposes beyond the services they provide to our company (for example, building consumer profiles to help other clients with their targeted advertising).  California law considers this exchange and processing of personal information to be a “sale” or “sharing” of personal information in some cases. 

For the names of specific third parties that we sell or share information with, please click on the “Manage Cookies” link below.

You have the right to opt out of the sale of your personal information or the sharing of your personal information for cross context behavioral advertising or targeting purposes. To opt out of disclosures of your personal information to third parties that may be considered selling or sharing under applicable law, please click on the “Manage Cookies” link at the bottom of this webpage and ensure the toggles for “Advertising” and “Analytics” trackers are set to “No”.

You may also implement a browser setting or extension to communicate your selling and sharing preferences automatically to the websites you visit.  Our websites process such “opt out preference signals” in a frictionless manner.  The current “opt out preference signal” with a defined protocol for companies to follow if they receive the signal is called the Global Privacy Control (GPC). GPC is available for an increasing number of browsers and browser extensions, listed here. If you want to use GPC, you can download and enable it via a participating browser or browser extension. More information about downloading GPC is available here.

Your Rights Under Certain US State Privacy Laws

Under certain state privacy laws, residents of the applicable states may have the following rights regarding their personal information.  These rights are subject to certain exceptions as described below. 

Please note that, in many cases, we collect personal information on behalf of our commercial clients, pursuant to a contract.  In such circumstances, we act as a “service provider” or “processor” to our clients under applicable privacy laws, and are thus obligated to process personal information in accordance with clients instructions. Accordingly, in any case where we are acting as a service provider or processor to a Client, if you or your authorized agent wish to exercise any rights of the below rights, you should direct your request to our Client, who is the party responsible for receiving, assessing, and responding to your requests.  If you submit a request directly to us in a scenario where we only process your information as a service provider or processor, we may be required to deny your request.  If you are not certain what our role is with respect to your personal information, please contact us through one of the methods described at the end of this Privacy Notice. 

When required, we will respond to most requests within 45 days, unless it is reasonably necessary for us to extend our response time.

1. Right to Confirm or Access Information
 

You may have the right to confirm whether we process your personal information or what information we process, and to obtain a copy of that information in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the information to another business without hindrance. If you submit a valid and verifiable request and we confirm your identity and/or authority to make the request, we will disclose to you any of the following at your direction (with various exceptions):

  • The categories of personal information we have collected about you.
  • The categories of sources for the personal information we have collected about you.
  • Our business or commercial purpose for collecting that personal information.
  • The categories of third parties to whom we disclose that personal information.
  • If we sold your personal information for a business purpose, a list of the personal information types that each category of recipient purchased.
  • If we disclosed your personal information to a third party for a business purpose, a list of the personal information types that each category of recipient received.
  • The specific pieces of personal information we collected about you.
2. Right to Delete Personal Information
 

You may have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions.  If you submit a valid and verifiable request and we can confirm your identity and/or authority to make the request, we will determine if retaining the information is permitted or required under law.

If no retention conditions apply, we will delete your personal information from our records and direct our service providers to do the same.

3. Right to Correct Personal Information
 

You may have the right to correct inaccuracies in your personal information, taking into account the nature of the personal information and the purposes of the processing of your personal information.  If you submit a valid and verifiable request and we can confirm your identity and/or authority to make the request, we will use commercially reasonable efforts to correct the inaccurate information.

4. Right to Limit Processing of SPI
 

We process sensitive personal information solely as necessary in performance of the Services, to ensure the security and integrity of the information, or as otherwise authorized under law or regulation.  Because we do not process your Sensitive Personal Information for other purposes, we do not provide any mechanism for you to limit our processing of such information.

5. Right to Opt-out of Profiling
 

We do not engage in automated processing of personal Information to make decisions that produce a legal or other significant effect. Because we do not engage in such automated processing, we do not provide a mechanism for you to limit our processing of personal information in such a manner.

6. Right to Non-Discrimination
 

You may exercise your rights under law without discrimination.  For example, unless applicable law provides an exception, we will not:

  • Deny you goods or services;
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
  • Provide you a different level or quality of goods or services; or
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

We may offer you financial incentives to provide us with personal information that is reasonably related to the information’s value.  This could result in different prices, rates, or quality levels for our products or services.  Any financial incentive we offer will be described in written terms that explain the material aspects of the financial incentive program.  You must opt-in to any financial incentive program and may revoke your consent at any time by contacting us as indicated below.

7. Direct Marketing and Do Not Track Signals
 

Under California’s “Shine the Light” law, California residents may request and obtain a notice once a year about the personal information we disclosed to other businesses for their own direct marketing purposes.  Such a notice will include a list of the categories of personal information that were disclosed (if any) and the names and addresses of all third parties with which the personal information was disclosed (if any).  The notice will cover the preceding calendar year.  To obtain such a notice, please contact us as described below. 

In addition, under this law you are entitled to be advised how we handle “Do Not Track” browser signals.  Because there currently is not an industry or legal standard for recognizing or honoring DNT signals, we do not honor Do Not Track requests at this time.

 

How to exercise the above rights

To exercise your rights to disclosure or deletion described above, please submit a verifiable consumer request to us by visiting our online privacy rights portal by clicking here.  Alternatively, you may call us at 855-246-3836.

*Please note that, as described above, in certain cases we may collect your personal information as a service provider pursuant to a contract we have with a commercial Client to provide the Service.  In any case where we are acting as a service provider to a Client, you should direct your requests to exercise your rights available under data privacy laws to our Client, who is the party responsible for receiving, assessing, and responding to your requests.   

Only you or a person legally authorized to act on your behalf may make a verifiable consumer request related to your personal information.  To designate an authorized agent, we may require you to verify your identity or confirm with us directly that you have provided permission to your authorized agent, or we will rely on a power of attorney you have provided to your authorized agent.

You may make a verifiable consumer request for access or deletion no more than twice within a 12-month period. The verifiable request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.  Depending on the nature of your request and the sensitivity of the information, we may ask you to confirm various data elements we already have on file, such as your mailing address and phone number, or, in the event you request access to sensitive personal information, we may require you to submit a copy of a government-issued form of identification.

and

  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

You will not be required to create an account with us in order to submit a verifiable request, though we may communicate with you about your request via a pre-established account if applicable.  However, in order to safeguard the personal information in our possession, if we cannot verify your identity or authority to act on another’s behalf, we will be unable to comply with your request.  We will process and retain personal information you provide when submitting a verifiable request only to confirm your identity or authority, or to fulfill your request.

 

How to appeal an action we have taken with respect to your request to exercise a right

In order to appeal a decision or denial we have made with respect to your personal information and a right you have requested to exercise in relation thereto, please contact the email address for appeals provided in our written response to your request. Our privacy team will consider your request and applicable law, and either agree to honor your appeal request or deny it.

 

Minors

We do not knowingly collect personal information from children under 13.  If we learn that we have collected any personal information from a child under the age of 13 without verifiable parental consent, we will delete that information from our files as quickly as possible.  If you believe that we may have collected information from a child under 13, please contact us at the email address provided below.

If you are 16 years of age or older, you have the right to direct us to not sell your personal information at any time (the “right to opt-out”).  However, we never knowingly sell or share the personal information of minors under 16 years of age, and would not do so in the future without affirmative authorization of the consumer if between 13 to 16 years of age, or the parent or guardian of a consumer less than 13 years of age.

Questions, Requests or Complaints

To submit general questions, requests, complaints, or appeals regarding this Privacy Notice or our privacy practices, please contact us at  owglegalandcompliance@oliverwyman.com.

Last Updated: April 30, 2023