U.S. STATE LAW PRIVACY NOTICE (CA, CO, CT, VA, UT)

Effective Date: January 1, 2020
Date Last Updated: August 2, 2023

This U.S. State Law Privacy Notice (“Notice”) describes how Evernorth Health, Inc. and its affiliate (“Evernorth” “we,” “us,” or “our”) collect Personal Information and our information practices related to Personal Information when you visit our website, use our mobile applications, or otherwise interact with us (collectively our “Services”), under the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020, (“CCPA”); Colorado Privacy Act (“CPA”); Connecticut Data Protection Act (“CTDPA”); Virginia Consumer Data Protection Act (“VCDPA”); and the Utah Consumer Privacy Act (“UCPA”). To the extent applicable, these laws will be referred to as “applicable state laws” in this Notice. As described below, this Policy DOES NOT cover information that is exempted, including information that is protected by the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA).

1. Scope & Relation to Other Privacy Notices

This Notice supplements and is provided in addition to the Evernorth Privacy Policy. Please note, to the extent your information is patient or health plan member information provided to obtain pharmacy, medical, or health plan services, this information is governed by the applicable Notice of Privacy Practices and this Notice does not apply. If you are covered by an employer sponsored health plan that is self-funded, please ask your employer for your Notice of Privacy Practices. To the extent information is protected by the Gramm-Leach-Bliley Act (“GLBA”), please refer to our Gramm-Leach-Bliley Act Privacy Notice. If you are a Cigna employee or job applicant, please refer to the Cigna Employee Privacy Notice and Cigna Applicant Privacy Notice.

 

This Policy applies to the extent we process personal information on our own behalf, as a controller or business. Our information practices depend on how you interact with us and which of our websites you visit. For example, while most of our websites are intended for use by our business customers, some of our websites allow consumers to register an account with us, and purchase orders directly for delivery. This Notice applies to the Personal Information we collect from residents of California, Colorado, Connecticut, Virginia, or Utah where an applicable state law applies. If you are a resident of these states, please refer to the relevant Privacy Rights section for your jurisdiction.

2. Personal Information We Collect

We may collect information that describes or relates to you (“Personal Information” or “Personal Data” as defined under applicable state law). Personal Information does not include:

  • Publicly available information as defined under applicable state law.
  • Deidentified or aggregated information.
  • Information excluded from the applicable state laws, including but not limited to Personal Information governed by the Health Insurance Portability and Accountability act (“HIPAA”) or Gramm Leach Bliley Act (“GLBA”).

In the past 12 months, we may have collected the following categories of Personal Information from non-members/non-patients:

  • Identifiers such as name, contact information, online identifiers, and government- issued ID numbers;
  • Commercial Information related to services we provide such as medical information, insurance information, and financial information;
  • Characteristics of Protected Classifications under state or federal law such as age and medical conditions;
  • Commercial Information such as transaction information and purchase history;
  • Internet or Network Activity Information such as browsing history and interactions with our website (for more information, see Section 7 titled “How We Use Cookies” below);
  • Geolocation Data such as device location;
  • Audio, Electronic, Visual and Similar Information such as call and video recordings; and
  • Professional or Employment-Related Information such as place of employment and job title.

We may collect this Personal Information directly from you and automatically when you visit our websites. We also collect this Personal Information from our affiliates, vendors, joint marketing partners, social media platforms, and data aggregators.

3. How We Use Personal Information

We may use the Personal Information we collect for the following purposes:

  • Services and Support. To provide and operate our Services, communicate with you about your use of the Services, provide troubleshooting and technical support, respond to your inquiries, fulfill your orders and requests, process your payments and claims, communicate with you about the Services, and for similar service and support purposes.
  • Analytics and Improvement. To better understand how users access and use the Services, and our other products and offerings, and for other research and analytical purposes, such as to evaluate and improve our Services and business operations, to develop services and features, and for internal quality control and training purposes.
  • Customization and Personalization. To tailor content we may send or display on the Services, including to offer location customization and personalized help and instructions, and to otherwise personalize your experiences.
  • Marketing and Advertising. For marketing and advertising purposes. For example, to send you information about our Services, such as offers, promotions, newsletters and other marketing content, as well as any other information that you sign up to receive. We also may use certain information we collect to manage and improve our advertising campaigns so that we can better reach people with relevant content.
  • Research and Surveys. To administer surveys and questionnaires, such as for market research or member satisfaction purposes.
  • Infrastructure. To maintain our facilities and infrastructure and undertake quality and safety assurance measures.
  • Security and Protection of Rights. To protect the Services and our business operations; to protect our rights or those of our stakeholders; to prevent and detect fraud, unauthorized activities and access, and other misuse; conduct risk and security control and monitoring; where we believe necessary, to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety or legal rights of any person or third party, or violations of our Terms of Use.
  • Compliance and Legal Process. To comply with the law and our legal obligations, to respond to legal process and related to legal proceedings.
  • General Business and Operational Support. To consider and implement mergers, acquisitions, reorganizations, bankruptcies, and other business transactions such as financings, and related to the administration of our general business, accounting, auditing, compliance, recordkeeping, and legal functions.
  • Business Transfers. To consider and implement mergers, acquisitions, reorganizations, and other business transactions, and where necessary to the administration of our general business, accounting, recordkeeping, and legal functions.
  • Deidentification.  We may also aggregate or de-identify data by removing identifying details so it no longer identifies an individual. If we de-identify the data, we will not attempt to reidentify it.

We retain the personal information we collect only as reasonably necessary for the purposes described above or otherwise disclosed to you at the time of collection. For example, we will retain your account data for as long as you have an active account with us, as well as an additional period of time as necessary to protect, defend or establish our rights, defend against potential claims, comply with our legal obligations.

4. How We Disclose Personal Information

We may disclose Personal Information for the following purposes:

  • Operating Services and Sites and Providing Related Support. To provide and operate our Services, communicate with you about your use of the Services, provide troubleshooting and technical support, respond to your inquiries, fulfill your orders and requests, and for similar service and support purposes.
  • Business Transfers. If we or our affiliates are or may be acquired by, merged with, or invested in by another company, or if any of our assets are or may be transferred to another company, whether as part of a bankruptcy or insolvency proceeding or otherwise, we may transfer the information we have collected from you to the other company. As part of the business transfer process, we may share certain of your Personal Information with lenders, auditors, and third - party advisors, including attorneys and consultants.
  • In Response to Legal Process. We may disclose your Personal Information to comply with the law, a judicial proceeding, court order, or other legal process, such as in response to a court order or a subpoena.
  • To Protect You, Us, and Others. We disclose your Personal Information when we believe it is appropriate to do so to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of our Terms of Use or this Policy, or as evidence in litigation in which we are involved.

We may disclose the Personal Information that we collect for the purposes described above with the following parties:

  • Vendors. We may disclose Personal Information we collect to our service providers or agents who perform functions on our behalf. These may include, for example, IT service providers, help desk, payment processors, analytics providers, consultants, auditors, and legal counsel.
  • Our Affiliates. We may disclose Personal Information we collect to our affiliates or subsidiaries.
  • Our Business Customers. Any Personal Information that we collect and process on behalf of a business client will be disclosed as directed by that business customer.
  • Third-Party Ad Networks and Providers. We may disclose Personal Information to third-party ad network providers, sponsors and/or traffic measurement services. These third parties may use cookies, JavaScript, web beacons (including clear GIFs), and other tracking technologies to measure the effectiveness of their ads and to personalize advertising content to you. These third-party cookies and other technologies are governed by each third party's specific privacy policy, not this one. To exercise your choices about receiving third-party ads, see the “Ads and Tracking Choices” section below.
  • Government or Public Authorities. We may disclose Personal Information to a third party if (a) we believe that disclosure is reasonably necessary to comply with any applicable law, regulation, legal process, or governmental request, (b) to enforce our agreements, policies, and terms of service, (c) to protect the security or integrity of our Services, (d) to protect the property, rights, and safety of us, our users, or the public from harm or illegal activities, (e) to respond to an emergency which we believe in the good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person, or (f) to investigate and defend ourselves against any third-party claims or allegations.

5. How We Use Cookies

We may use cookies and other tracking mechanisms to track your use of our Services. For more information on the types of Personal Information we collect through these technologies, please see the section above titled “The Personal Information We Collect”. For resources and instructions on how to disable tracking technologies, see the section below titled “Tracking and Advertising Choices.”

Cookies are alphanumeric identifiers that we transfer to your device’s hard drive through your web browser for record-keeping purposes. Some cookies allow us to make it easier for you to navigate our Sites, while others are used to enable a faster log-in process or to allow us to track your activities on our Sites. There are two types of cookies: session and persistent cookies.

  • Session Cookies. Session cookies exist only during an online session. They disappear from your device when you close your browser or turn off your device. We use session cookies to allow our systems to uniquely identify you during a session or while you are logged in. This allows us to process your online transactions and requests and verify your identity after you have logged in, as you move through the website.
  • Persistent Cookies. Persistent cookies remain on your device after you have closed your browser or turned off your device.

6. Tracking and Advertising Choices

If you wish to prevent cookies from tracking your activity on our websites or visits across multiple websites, there are tools you can use to disable cookies and opt out of interest-based advertising. Note, your opt out may not be effective if your browser is configured to reject cookies.

  • Browser Solutions for Disabling Cookies. If you wish to prevent cookies from tracking your activity on our website or visits across multiple websites, you can set your browser to block certain cookies or notify you when a cookie is set. The Help portion of the toolbar on most browsers will tell you how to prevent your device from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether. Visitors to our Services who disable cookies will be able to browse the Site, but some features may not function.
  • Industry Solutions for Opting Out of Interest-Based Advertising. Notwithstanding the above, you may follow the steps provided by initiatives that educate users on how to set tracking preferences for most online advertising tools. These resources include the Network Advertising Initiative (https://thenai.org/about-online-advertising/) and the Digital Advertising Alliance (https://digitaladvertisingalliance.org/). The Digital Advertising Alliance also offers an application called AppChoices (https://youradchoices.com/appchoices) that helps users to control interest-based advertising on mobile apps.

7. California Privacy Rights

Under the CCPA, California residents have the right to receive certain disclosures regarding our information practices related to “Personal Information,” as defined under the CCPA. To the extent you are a resident of California, and we collect Personal Information subject to CCPA, the following applies:

Disclosures to Third Parties

This section relates to our third-party disclosures. We disclose the Personal Information we collect (as described in Section 2 above) to the following categories of third parties. We also disclose Personal Information to service providers, as described above in Section 4.

  • Third party analytics providers
  • Regulators, government entities, and law enforcement
  • Affiliates and subsidiaries

Additionally, CCPA defines a "sale" as disclosing or making available to a third-party Personal Information in exchange for monetary or other valuable consideration, and “sharing” broadly includes disclosing or making available Personal Information to a third party for purposes of cross- context behavioral advertising. While we do not disclose Personal Information to third parties in exchange for monetary compensation, we may “sell” or “share” (as defined by the CCPA) identifiers and internet and electronic network activity information to third parties. We do so in order to improve and evaluate our advertising campaigns and better reach customers and prospective customers with more relevant ads and content.

We do not have actual knowledge that we sell any Personal Information about individuals that are under sixteen (16) years old.

California Privacy Rights

To the extent you are a resident of California, you may have the following rights to your Personal Information:

  • Right to Access: With respect to the Personal Information we have collected about you in the prior 12 months, you have the right to request from us (up to twice per year and subject to certain exemptions): (i) categories of Personal Information about you we have collected; (ii) the sources from which we have collected that Personal Information; (iii) our business or commercial purposes for collecting, selling, or disclosing that Personal Information; (iv) the categories of third parties to whom we have disclosed that Personal Information; and (v) a copy of the specific pieces of your Personal Information we have collected.
  • Right to Correct: You have the right to request that we correct inaccuracies in your Personal Information.
  • Right to Delete: Subject to certain conditions and exceptions, you may have the right to request deletion of Personal Information that we have collected about you.
  • Right to Opt-Out of Sale/Sharing: You may have the right to opt-out of the “sale” or “sharing” of your Personal Information. Where applicable, to opt out from the sharing or sale of information described above, please click on the “Do Not Sell or Share My Personal Information” Link on the bottom of the website homepage.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of the rights described in this section.
  • Authorized Agent: You may designate someone as an authorized agent to submit requests and act on your behalf. To do so, you must provide us with written permission to allow the authorized agent to act on your behalf.

To make a request for the rights described above, please contact us at Privacy@Express-Scripts.com or by mail at: P.O. Box 188014, Chattanooga, TN 37422 ATTN: Privacy Office, or contact us toll-free at the number on the back of your member ID card or customer service at 877-279-6391. Please indicate you are making a request pursuant to your “California Privacy Rights.” You must provide us with the following information: (1) first and last name; (2) email address; (3) physical address; and (4) date of birth. We will take steps to verify your request by matching the information provided by you with the information we have in our records. In some cases, we may request additional information in order to verify your request or, where necessary, to process your request. If we are unable to adequately verify a request, we will notify the requestor. In order to opt out of sharing information for targeted marketing, where applicable, please click on the Opt-Out Link titled “Do Not Sell or Share My Personal Information” on the bottom of the website homepage.

8. Colorado Privacy Rights (Effective July 1, 2023)

Under the CPA, Colorado residents have the right to receive certain disclosures regarding a business’ processing of “Personal Data,” as defined under the CPA, as well as certain rights with respect to our processing of such Personal Data. To the extent you are a resident of Colorado, and we collect Personal Data subject to applicable Colorado law, the following applies.

  • Right to Access: You have the right to confirm whether or not we are processing your Personal Data and to access such Personal Data.
  • Right to Correction: You have the right to correct inaccuracies in your Personal Data, taking into account the nature of the Personal Data and the purposes of the processing of your Personal Data.
  • Right to Deletion: You have the right to delete the Personal Data provided to us by you.
  • Right to Data Portability: You have the right to obtain a copy of the Personal Data that you previously provided to us in a portable and, to the extent technically feasible, readily usable format that allows you to transmit your Personal Data to another controller without hindrance, where the processing is carried out by automated means.
  • Right to Opt-Out of Sale, Targeted Advertising, and Profiling: For purposes of the CPA, a “sale” includes disclosing Personal Data to a third party in exchange for monetary compensation or other valuable consideration. We do not “sell” Personal Information under this definition. Colorado residents have the right to opt out of the processing of your Personal Data by us for decisions that produce legal or similarly significant effects concerning you. We do not process Personal Data for such profiling. To opt out of targeted marketing, where applicable, please click on the Cookie Preferences Link on the bottom of the website homepage.
  • Right to Appeal: If we decline to take action regarding your request, you have the right to appeal. We will notify you providing our reasons and instructions for how you can appeal the decision. You have the right to contact the Colorado Attorney General if you have concerns about the result of the appeal.

If any of the rights described in the sections above apply to you, you may make a request by contacting us at Privacy@Express-Scripts.com, by mail at: P.O. Box 188014, Chattanooga, TN 37422 ATTN: Privacy Office, or contact us toll-free at the number on the back of your member ID card or customer service at 877-279-6391. Please indicate that you are making a request pursuant to your “Colorado Privacy Rights” and provide us with the following information: (1) first and last name; (2) email address; (3) physical address; and (4) date of birth. We will take steps to verify your request by matching the information provided by you with the information we have in our records.

9. Connecticut Privacy Rights (Effective July 1, 2023)

Under the CTDPA, Connecticut residents have the right to receive certain disclosures regarding a business’ processing of “Personal Data,” as defined under the CTDPA, as well as certain rights with respect to our processing of such Personal Data. To the extent you are a Connecticut resident, and we collect Personal Data subject to applicable Connecticut law, the following applies.

  • Right to Access: You may have the right to confirm whether or not we are processing your Personal Data and to access such Personal Data.
  • Right to Correction: You may have the right to correct inaccuracies in your Personal Data, taking into account the nature of the Personal Data and the purposes of the processing of your Personal Data.
  • Right to Deletion: You may have the right to delete the Personal Data provided to us by you.
  • Right to Data Portability: You may have the right to obtain a copy of the Personal Data that you previously provided to us in a portable and, to the extent technically feasible, readily usable format that allows you to transmit your Personal Data to another controller without hindrance, where the processing is carried out by automated means.
  • Right to Opt-Out of Sale, Targeted Advertising, and Profiling: For purposes of the CTDPA, a “sale” includes disclosing Personal Data to a third party in exchange for monetary compensation or other valuable consideration. We do not “sell” Personal Information under this definition. Connecticut residents have the right to opt out of the processing of your Personal Data by us for decisions that produce legal or similarly significant effects concerning you. We do not process Personal Data for such profiling. To opt out of targeted marketing, where applicable, please click on the Cookie Preferences Link on the bottom of the website homepage.
  • Right to Appeal: If we decline to take action regarding your request, you have the right to appeal. We will notify you providing our reasons and instructions for how you can appeal the decision. If the appeal is denied, we will provide a way for you contact the Attorney General to submit a complaint.

If any of the rights described in the sections above apply to you, you may make a request by contacting us at Privacy@Express-Scripts.com, by mail at: P.O. Box 188014, Chattanooga, TN 37422 ATTN: Privacy Office, or contact us toll-free at the number on the back of your member ID card or customer service at 877-279-6391. Please indicate that you are making a request pursuant to your “Connecticut Privacy Rights” and provide us with the following information: (1) first and last name; (2) email address; (3) physical address; and (4) date of birth. We will take steps to verify your request by matching the information provided by you with the information we have in our records.

10. Virginia Privacy Rights (Effective January 1, 2023)

Under the VCDPA, Virginia residents have the right to receive certain disclosures regarding a business’ processing of “Personal Data,” as defined under the VCDPA, as well as certain rights with respect to our processing of such Personal Data. To the extent you are a resident of Virginia and we collect Personal Data subject to applicable Virginia law, the following applies.

  • Right to Access: To confirm whether or not we are processing your Personal Data and to access such Personal Data.
  • Right of Portability: You may have the right to obtain a copy of the Personal Data that you previously provided to us in a portable and, to the extent technically feasible, readily usable format that allows you to transmit your Personal Data to another controller or business where the processing is carried out by automated means.
  • Right to Correction: You may have the right to correct inaccuracies in your Personal Data, taking into account the nature of the Personal Data and the purposes of the processing of your Personal Data.
  • Right to Deletion: You may have the right to delete Personal Data provided by or obtained about you.
  • Right to Opt-Out of Sale: Under the VCDPA, a “sale” includes disclosing or making available Personal Information to a third party in exchange for money. We do not “sell” Personal Information under this definition.
  • Right to Opt-Out of Targeted Ads and Significant Profiling: You may have the right to opt out of the processing of your Personal Data by us for decisions that produce legal or similarly significant effects concerning you. We do not process Personal Data for such profiling. To opt out of targeted marketing, where applicable, please click on the Cookie Preferences Link on the bottom of the website homepage.
  • Right to Appeal: If we decline to take action regarding your request, you have the right to appeal. We will notify you providing our reasons and instructions for how you can appeal the decision. If the appeal is denied, we will provide a way for you contact the Attorney General to submit a complaint.

If any of the rights described in the sections above apply to you, you may make a request by contacting us at Privacy@Express-Scripts.com, by mail at: P.O. Box 188014, Chattanooga, TN 37422 ATTN: Privacy Office, or contact us toll-free at the number on the back of your member ID card or customer service at 877-279-6391. Please indicate that you are making a request pursuant to your “Virginia Privacy Rights” and provide us with the following information: (1) first and last name; (2) email address; (3) physical address; and (4) date of birth. We will take steps to verify your request by matching the information provided by you with the information we have in our records. Please note, we may deny your request if (1) we are not reasonably capable of associating your request with the Personal Data or it would be unreasonably burdensome for us to associate your request with the Personal Data; (2) we do not use the Personal Data to recognize or respond to you specifically or associate the Personal Data with other Personal Data about you; and (3) we do not sell the Personal Data to any third party or otherwise voluntarily disclose the Personal Data to any third party other than a processor, except as otherwise permitted under Virginia law.

11. Utah Privacy Rights (Effective December 31, 2023)

Under the Utah Consumer Privacy Act (“UCPA”), Utah residents have the right to receive certain disclosures regarding a business’ processing of “Personal Data,” as defined under UCPA, as well as certain rights with respect to our processing of such Personal Data. To the extent you are a resident of Utah, and we collect Personal Data subject to applicable Utah law, the following applies.

  • Right to Access: You may have the right to confirm whether or not we are processing your Personal Data and to access such Personal Data.
  • Right to Correction: You may have the right to correct inaccuracies in your Personal Data, taking into account the nature of the Personal Data and the purposes of the processing of your Personal Data.
  • Right to Deletion: You may have the right to delete the Personal Data provided to us by you.
  • Right to Opt-Out of Sale, Targeted Advertising, and Profiling: For purposes of UCPA, a “sale” includes disclosing Personal Data to a third party in exchange for monetary compensation. We do not “sell” Personal Information under this definition. Utah residents have the right to opt out of the processing of your Personal Data by us for decisions that produce legal or similarly significant effects concerning you. We do not process Personal Data for such profiling. To opt out of targeted marketing, where applicable, please click on the Cookie Preferences Link on the bottom of the website homepage.
  • Right to Data Portability: You may have the right to obtain a copy of the Personal Data that you previously provided to us in a portable and, to the extent technically feasible, readily usable format that allows you to transmit your Personal Data to another controller without hindrance, where the processing is carried out by automated means.

If any of the rights described in the sections above apply to you, you may make a request by contacting us at Privacy@Express-Scripts.com, by mail at: P.O. Box 188014, Chattanooga, TN 37422 ATTN: Privacy Office, or contact us toll-free at the number on the back of your member ID card or customer service at 877-279-6391. Please indicate that you are making a request pursuant to your “Utah Privacy Rights” and provide us with the following information: (1) first and last name; (2) email address; (3) physical address; and (4) date of birth. We will take steps to verify your request by matching the information provided by you with the information we have in our records.

12. Changes to this Notice

We may change or update this Notice from time to time. When we do, we will post the revised State Notice of Privacy Practices on this page with a new “Last Updated” date.

13. Questions & Contact Us

If you have questions about our privacy policy, you may contact us at Privacy@Express-Scripts.com, by mail at: P.O. Box 188014, Chattanooga, TN 37422 ATTN: Privacy Office, or contact us toll-free at the number on the back of your member ID card or customer service at 877-279-6391.