Mercer Privacy Notice
Effective: September 6, 2023
This Privacy Notice is intended to inform you of the ways in which Mercer (US) LLC and its US subsidiaries collect, use, and disclose personal information, and sets forth your rights. When we mention “Mercer,” "we," "us" or "our" in this Privacy Notice, we are referring to the relevant company in the Mercer group responsible for processing the information.
Categories of Personal Information Collected, Purpose for Collection, and Third-party Disclosures
We process the following categories of personal information, including sensitive personal information:
|Category of Personal Information
|Business or Commercial Purposes for Processing
|Categories of Third Parties to Whom We May Disclose
|Special Categories of Personal Information
|Internet & Other Electronic Network Activity
|Audio, video, or visual information
|Professional or employment-related Information
|Sensitive Personal Information
Additional collection, use and disclosure
On some webpages, we deploy session recording technology that tracks visitor interactions with the page, including clicks, mouse movements, keystrokes, and other activities. We may review these interactions to help us assess how to improve our user interface and experience on the relevant webpage. By accepting this Privacy Notice, you consent to our or our third-party service providers’ recording of interactions during your session on the webpages where this technology is deployed.
We may also process or disclose de-identified information that is not reasonably likely to identify you for commercially legitimate and lawful business purposes. Where we have de-identified data, we will maintain and use it without attempting to re-identify the data other than as permitted under law.
In addition, we may be required or compelled to produce any of the above categories of personal information that we have collected in response to valid legal process, subpoenas, or regulatory requests to authorized parties, including government entities, law enforcement, courts and tribunals, or litigants.
Please be aware that if you conduct a transaction through us, a third party (e.g., a service provider or insurer) may collect and process credit card or other personal information about you, including through the use of website cookies, in connection with such transaction. In those instances, we will identify the third party to you and we encourage you to read the third party’s privacy notice to learn more about how your information will be used and disclosed by them.
Sources of Personal Information
We collect personal information from the following categories of sources:
- Directly from you (e.g., when you visit a Site, enroll in benefits or call a service center)
- Your representative, employer, association sponsor, or benefit program sponsor, and other third parties that have roles in delivering our services
- Vetting and data validation agencies and other professional advisory service providers in connection with our marketing or business development activities.
- Third parties, including insurance companies, recordkeepers, plan administrators and service providers, brokers or agents, credit agencies, financial institutions, and government agencies or persons acting on behalf of such parties
If you supply us with personal information about other people (e.g., family members, beneficiaries or dependents), you represent that you have the authority to provide this information on their behalf and have obtained their consent where necessary. In these instances, you further represent that the individuals to whom this information relates have been informed of the information in this Privacy Notice and understand the reason(s) for obtaining the information, the manner in which this information will be used and disclosed, and have consented to such use and disclosure.
Sale of your Personal Information or Sharing for Cross-Context Advertising
We “sell” or “share” (as defined by the law) the following categories of personal information to third party online analytics and advertising providers: Personal Identifiers; Internet or other similar network activity; Geolocation data; Professional Information (to the extent it can be derived from your activity on our website). For the specific third parties that we “sell” or “share” online information with, please click on the “Manage Cookies” link below for the names of Analytics and Advertising providers.
You have the right to opt out of the sale of your personal information or the sharing of your personal information for cross context behavioral advertising or targeting purposes. To opt out of disclosures of your personal information to third parties that may be considered selling or sharing under applicable law, please click on the “Manage Cookies” link at the bottom of this webpage and ensure the toggles for “Advertising” and “Analytics” trackers are set to “No”.
You may also implement a browser setting or extension to communicate your selling and sharing preferences automatically to the websites you visit. Our websites process such “opt out preference signals” in a frictionless manner. The current “opt out preference signal” with a defined protocol for companies to follow if they receive the signal is called the Global Privacy Control (GPC). GPC is available for an increasing number of browsers and browser extensions, listed here. If you want to use GPC, you can download and enable it via a participating browser or browser extension. More information about downloading GPC is available here.
Retention of Personal Information
Steps We Take to Protect Your Information
As part of our cybersecurity program, we have implemented commercially reasonable physical, administrative, and technical safeguards in an effort to protect your personal information from unauthorized access, use, alteration and deletion. These safeguards may vary depending on the sensitivity, format, location, amount, distribution and storage of the personal information, and include measures designed to keep personal information protected from unauthorized access.
Our cybersecurity program has policies and procedures for risk assessments to identify and assess cyber risks, as well as technical controls and processes to detect, respond to and recover from cybersecurity events.
As effective as our cybersecurity program is, no security system is impenetrable. We cannot guarantee the security of our systems, nor can we guarantee that information you supply will not be intercepted while being transmitted to us over the Internet.
Your Rights Under Certain US Privacy Laws
Under certain state privacy laws, residents of the applicable states may have the following rights regarding their personal information. These rights are subject to certain exceptions as described below.
Please note that, in many cases, we collect personal information on behalf of our commercial clients, pursuant to a contract. In such circumstances, we act as a “service provider” or “processor” to our clients under applicable privacy laws, and are thus obligated to process personal information in accordance with clients’ instructions. Accordingly, in any case where we are acting as a service provider or processor to a client, if you or your authorized agent wish to exercise any rights of the below rights, you should direct your request to our client, who is the party responsible for receiving, assessing, and responding to your requests. If you submit a request directly to us in a scenario where we only process your information as a service provider or processor, we may be required to deny your request. If you are not certain what our role is with respect to your personal information, please contact us through one of the methods described at the end of this Privacy Notice.
When required, we will respond to most requests within 45 days, unless it is reasonably necessary for us to extend our response time.
1. Right to Confirm or Access Information
You may have the right to confirm whether we process your personal information or what information we process, and to obtain a copy of that information in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the information to another business without hindrance. If you submit a valid and verifiable request and we confirm your identity and/or authority to make the request, we will disclose to you any of the following at your direction (with various exceptions):
- The categories of personal information we have collected about you.
- The categories of sources for the personal information we have collected about you.
- Our business or commercial purpose for collecting that personal information.
- The categories of third parties to whom we disclose that personal information.
- If we sold your personal information for a business purpose, a list of the personal information types that each category of recipient purchased.
- If we disclosed your personal information to a third party for a business purpose, a list of the personal information types that each category of recipient received.
- The specific pieces of personal information we collected about you.
2. Right to Delete Personal Information
You may have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. If you submit a valid and verifiable request and we can confirm your identity and/or authority to make the request, we will determine if retaining the information is permitted or required under law.
If no retention conditions apply, we will delete your personal information from our records and direct our service providers to do the same.
3. Right to Correct Personal Information
You may have the right to correct inaccuracies in your personal information, taking into account the nature of the personal information and the purposes of the processing of your personal information. If you submit a valid and verifiable request and we can confirm your identity and/or authority to make the request, we will use commercially reasonable efforts to correct the inaccurate information.
4. Right to Limit Processing of Sensitive Personal Information
We process sensitive personal information solely as necessary in performance of the Services, to ensure the security and integrity of the information, or as otherwise authorized under law or regulation. Because we do not process your Sensitive Personal Information for the purpose of inferring characteristics about you, we do not provide a mechanism for you to limit our processing of such information.
5. Rights related to Automated Decisions and Profiling
We do not independently engage in the automated processing of Personal Information to profile or make predictions, recommendations or decisions that produce a legal or other significant effect on our clients. Because we do not engage in such automated processing, we do not provide a mechanism for you to limit or opt out of our processing of Personal Information in such a manner. Decisions regarding insurance premiums, coverage limits and eligibility, however, may be determined by insurance carriers using automated means, including through one of our sites or applications interacting with such insurers’ systems. In those instances, we encourage you to review the applicable insurers’ privacy notices to obtain additional information regarding their automated decision-making practices, as well as any right to opt out of such processing or challenge a prediction, recommendation or decision that has impacted you.
6. Right to Non-Discrimination
You may exercise your rights under law without discrimination. For example, unless applicable law provides an exception, we will not:
- Deny you goods or services;
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
- Provide you a different level or quality of goods or services; or
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
We may offer you financial incentives to provide us with personal information that is reasonably related to the information’s value. This could result in different prices, rates, or quality levels for our products or services. Any financial incentive we offer will be described in written terms that explain the material aspects of the financial incentive program. You must opt-in to any financial incentive program and may revoke your consent at any time by contacting us as indicated below.
7. Direct Marketing and Do Not Track Signals
Under California’s “Shine the Light” law, California residents may request and obtain a notice once a year about the personal information we disclosed to other businesses for their own direct marketing purposes. Such a notice will include a list of the categories of personal information that were disclosed (if any) and the names and addresses of all third parties with which the personal information was disclosed (if any). The notice will cover the preceding calendar year. To obtain such a notice, please contact us as described below.
In addition, under this law you are entitled to be advised how we handle “Do Not Track” browser signals. Because there currently is not an industry or legal standard for recognizing or honoring DNT signals, we do not honor Do Not Track requests at this time.
How to exercise the above rights*
To exercise your rights described above, please submit a verifiable consumer request to us by visiting our online privacy rights portal by clicking here. Alternatively, you may call us at 1-855-518-4620.
*Please note that, as described above, in certain cases we may collect your personal information as a service provider pursuant to a contract we have with a commercial Client to provide the Service. In any case where we are acting as a service provider to a client, you should direct your requests to exercise your rights available under data privacy laws to our client, who is the party responsible for receiving, assessing, and responding to your requests.
Only you or a person legally authorized to act on your behalf may make a verifiable consumer request related to your personal information. To designate an authorized agent, we may require you to verify your identity or confirm with us directly that you have provided permission to your authorized agent, or we will rely on a power of attorney you have provided to your authorized agent.
You may make a verifiable consumer request for access or deletion no more than twice within a 12-month period. The verifiable request must:
- provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative. Depending on the nature of your request and the sensitivity of the information, we may ask you to confirm various data elements we already have on file such as your mailing address and phone number, or, in case of sensitive personal information, we may require you to submit a copy of a government issued identification;
- describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
You will not be required to create an account with us in order to submit a verifiable request, though we may communicate with you about your request via a pre-established account if applicable. However, in order to safeguard the personal information in our possession, if we cannot verify your identity or authority to act on another’s behalf, we will be unable to comply with your request. We will process and retain additional personal information you provide when submitting a verifiable request only to confirm your identity or authority, or to fulfill your request.
How to appeal an action we have taken with respect to your request to exercise a right
If we deny your privacy request in full or in part, please contact the email address for appeals provided in our written response to your request. Our privacy team will consider your request and applicable law, and either agree to honor your appeal request or deny it.
Calls and Text Messages
Changes to this Notice
Other Applicable Terms
Questions, Requests or Complaints
To submit general questions, requests, complaints, or appeals regarding this Privacy Notice or our privacy practices, you may contact our privacy office at:
Chief Privacy Officer – US/Canada
Marsh & McLennan Companies, Inc.
1166 Avenue of the Americas
New York, NY 10036