Staff Privacy Notice (CCPA Addendum)

Owner:  Privacy Department
Approver:  Global Privacy Officer
Version:  January 2024
Last Review:  January 2024

California Addendum to the Global Staff/Supplier Privacy Notice (CPRA Notice)

• Introduction
• Categories of Personal Information We collect
• Categories of Sensitive Personal Information We collect
• Criteria for determining retention period for Personal Information
• What rights do you have over your personal information?
• Other California Privacy Rights

We are disclosing information about our data processing practices as required by the California Consumer Privacy Act of 2018, the California Privacy Rights Act 2020 and accompanying Regulations (“CPRA”). This CPRA Notice supplements the information contained in the Bright Horizons Global Staff and Supplier Privacy Notice. This CPRA Notice applies exclusively to California residents.

Information Subject to this CPRA Notice

California residents are protected by the CPRA with respect to personal information. A number of statutory exceptions apply under the CCPA. As a result, this CPRA Notice does not apply to personal information that is:

• during a business relationship between businesses;
• ‘aggregate consumer information’ defined as data ‘not linked or reasonably linkable to any consumer or household, including via a device;’
• publicly available from federal, state, or local government records;
• covered by the Health Insurance Portability and Accountability Act of 1996, the California Confidentiality of Medical Information Act or clinical trial data; and
• covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act or California Financial Information Privacy Act, and the Driver's Privacy Protection Act 1994.

A separate Global Consumer Privacy Notice applies to prospective, current and former consumers.

Information We Collect

The Global Privacy Notices provide information on the categories of sources from which we collect personal data click here.

In addition, the Global Privacy Notices provide information on the business/commercial purposes for which we collect personal data click here.

Below we have set out for California residents the categories of personal information we collect about them and the categories of third parties with whom we share this personal information with.  The table covers the last twelve months.  The services you provided, websites and application you visited/used or requests you made together determine which categories and types of personal information are applicable to you (and if relevant, your dependent).

Categories of Personal Information we Collected	Categories of Third Parties with whom we Shared (including Service Providers and Exempt Third Parties)
Identifiers such as name, alias, postal address, email address, driver’s license number, unique personal identifier, online identifier, Internet Protocol address, or other similar identifiers. Click here for more information on the specific types of sensitive information which we collect / process and the purposes for which we process that sensitive personal information.	Operating systems and platforms, IT developers, internet service providers, credit card/payment providers / financial institutions, insurers and professional advisers, government entities and/or our business partners.
Personal information categories listed in the California Customer Records statute such as name, signature, physical characteristics or description, address, telephone number, driver’s license or state identification card number, education, employment, bank account number, credit card number, debit card number, or medical information.   Click here for more information on the specific types of sensitive information which we collect / process and the purposes for which we process that sensitive personal information.
Your dependent's or other individual's information as necessary for them to access any benefits we provide to you in relation to your employment, such as their full name, address, date of birth, and Social Security numbers (SSN).   Click here for more information on the specific types of sensitive information which we collect / process and the purposes for which we process that sensitive personal information.
Protected classification characteristics under California/federal law being age, ethnicity, hair/eye color, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, pregnancy or childbirth and related medical conditions).   Click here for more information on the specific types of sensitive information which we collect / process and the purposes for which we process that sensitive personal information.	Operating systems and platforms, IT developers, insurers and professional advisers, government entities and/or our business partners.
Internet or other similar network activity such as browsing history, search history, information on a consumer's interaction with our website, application, or advertisement.	Advertising networks, internet service providers, data analytics providers, operating systems and platforms, IT developers and social networks. Information in this category may be shared with these categories of third parties by cookies placed on your device when you interact with our websites and applications. Learn more about how we use cookies and similar technologies by clicking here.
Geolocation data - physical location   Click here for more information on the specific types of sensitive information which we collect / process and the purposes for which we process that sensitive personal information.	Internet service providers, IT developers, data analytics providers, operating systems and platforms.
Professional or employment-related information such as current job role, job history or performance evaluations, disciplinary records, leave records, background check information such as references and / or criminal record information as applicable.	Operating systems and platforms, IT developers, insurers and professional advisers, government entities, and / or our business partners.
Education records such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.	Operating systems and platforms, IT developers, insurers and professional advisers, government entities and/or our business partners.
Inferences drawn from other personal information (profile reflecting a person's preferences, characteristics, behavior, attitudes, intelligence, abilities, and aptitudes.)	Operating systems and platforms, IT developers, insurers and/or professional advisers, government entities.
Thermal information such as temperature records.	Operating systems and platforms, IT developers, insurers and professional advisors, and/or government entities.
Biometric data such as fingerprints   Click here for more information on the specific types of sensitive information which we collect / process and the purposes for which we process that sensitive personal information.	Operating systems and platforms, IT developers, insurers and professional advisors, and/or government entities.
Audio information such as call recordings.	Operating systems and platforms, IT developers, professional advisors, and/or government entities.

 

Categories of sensitive personal information

We may need to process and share the following categories of sensitive personal information for the purposes outlined:

• Complete account access credentials: such as usernames together with passwords are collected to create, maintain and secure your online account with us.
  (Complete account access credentials are not shared with Third Parties.)
• Government Identifiers: such as Social Security Number, Driver's license, state ID card, passport number and visa information, and immigration status and documentation are collected in order to: process your job application including verifying your eligibility for employment and suitability for the role; administer your compensation and benefits entitlements, and providing human resources management services; comply with applicable state and federal labor, employment, tax benefits, workers' compensation, disability, equal employment opportunity, workplace safety, and related laws; prevent unauthorized access to or use of Bright Horizons’ property, including information systems, electronic devices, network, and data.

  Government identifier information may be shared with the following Third Parties:

  Operating systems and platforms, IT developers, internet service providers, financial institutions, insurers and professional advisers, government entities.

• Precise geolocation: such as physical access to a Bright Horizons’ location, is collected to improve safety of our employees, consumers and visitors, regarding use of Bright Horizons’ property and equipment and to prevent unauthorized access, use, or loss of the Bright Horizons’ property.

  Precise geolocation information may be shared with the following Third Parties:

  Operating systems and platforms, IT developers, internet service providers, data analytics providers,  insurers and professional advisers, government entities.

• The contents mail, email, text or other application messages not directed (sent) to Bright Horizons: these contents may be collected if sent using Bright Horizons devices and / or accounts, and may be processed to conduct internal audits and investigate complaints, grievances, and suspected violations of Bright Horizons’ policies or legal obligations; and / or to exercise or defend the legal rights of Bright Horizons and its employees, affiliates, contractors, agents and consumers (and their dependents).

  These contents may be shared with the following Third Parties:

  Operating systems and platforms, IT developers, internet service providers, insurers and professional advisers, government entities.

• Unique identifying biometric information: such as fingerprinting (for a criminal background check after an initial offer of employment is made: to protect Bright Horizons’ consumers (and their dependents in our care), to protect Bright Horizons’ confidential information and property, and to mitigate risk; to ensure accurate time records; and / or to exercise or defend the legal rights of Bright Horizons and its employees, affiliates, contractors, agents and consumers (and their dependents).

  These contents may be shared with the following Third Parties:

  Insurers and professional advisers, government entities.

   

• Health information: that you or your medical provider or an occupational health advisor provides to us that you or your medical provider or an occupational health advisor provides to us to comply with health and safety obligations in the workplace including: making appropriate workplace accommodations, as part of sickness absence monitoring, to administer benefits and to manage insurance claims.

  Health information may be shared with the following Third Parties:

  Operating systems and platforms, IT developers, internet service providers, insurers and professional advisers, government entities and/or our benefits providers who may provide services you have requested.

• Race/ethnic origin /religious or philosophical beliefs / sexual orientation information: that you voluntarily provide to us for meaningful equal opportunity monitoring purposes and to inform us about your dietary/holiday/celebration requirements or a relationship for your emergency contact.

Race/ethnicity/religious beliefs/sexual orientation information may be shared with the following Third Parties:

Operating systems and platforms, IT developers, internet service providers, insurers and professional advisers, government entities.

Criteria for determining retention period for Personal Information

All categories of Personal Information will be retained as long as is necessary for (1) the purpose for which it was collected; (2) as required under law; and (3) to defend legal claims.

What rights do you have over your personal information?

Do we sell / share your Personal Information?

Bright Horizons does not sell your or your dependent’s personal information to third parties. We also do not “share” your personal information as defined in the CRPA.

When you visit our websites, apps, and social media, we use tracking technologies (such as cookies) as permitted by law, including for targeting / behavioral advertising if you direct us to do so via our Cookie banner. Bright Horizons recognizes Global Privacy Control and Do Not Track for Social Media and Targeting cookies and other similar technologies.  Our Cookies and Similar Technologies Notice provides details about this collection and sharing, including how you are able to set your tracking preferences.

How to Opt-Out of sale / sharing of your Personal Information

We do not sell or “share” (as defined in the CPRA) your personal information - but you can click here to access our Cookies and Similar Technologies Notice which explains how you are able to set your tracking preferences.

What other rights do you have in relation to your personal information?

You also have the right to request:

• that we confirm the following personal information we have collected over the past 12 months:
• categories of personal information we collected about you; categories of sources for the personal information we collected about you;
• §our business/commercial purpose for collecting that personal information;
• categories of third parties with whom we share that personal information;
• where we disclosed personal information for a business purpose, the categories of personal information that each category of recipient obtained from us; and
• specific pieces of personal information we collected about you.
• that we provide a copy of your personal information to you in a portable and ready-to-use format. This right applies when we collect personal information from you in an electronic format and it is technically feasible for us to provide it to you in a portable, ready-to-use format
• that we delete your personal information (subject to certain exemptions).

How do you make a request about your personal information?

To read about how to amend your information or update your email list preferences, click here.

Bright Horizons provides the following two ways for you to make a request under the CPRA:

1. Complete our Webform to make a request to access / receive a copy of your personal information or for us to correct or delete your personal information.
2. You can also call our dedicated Toll free number: +1 855-687-7640 (Pacific Standard Time 8:00 AM -5:00 PM, Monday-Friday).

Please note:

• Only you, or a person that you authorize to act on your behalf, may make a verifiable request related to your personal information.
• A person who states they are authorized on your behalf to make a request will be required to produce appropriate signed permission / authority from you that they are authorized on your behalf for the purposes of the request.
• You may only make a verifiable request for access or data portability twice within a 12 month period.
• In order for us to verify your request, you will need to:
• provide sufficient information that allows us to reasonably verify you are the person about whom we processed personal information or a legally authorized representative; and
• describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
• We will not be able to respond to your request if we cannot verify your identity or legal authority to make the request and confirm the personal information relates to you or the subject of the request.
• We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

When and how will Bright Horizons respond to your request?

We will endeavor to respond to your verified request within 45 days. If we require more time (up to 90 days) or are unable to comply with your request, we will inform you in writing of the reason and extension period. 

Will we charge you a fee?

We do not charge a fee to respond to your authenticated request unless in exceptional circumstances we deem it to be excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will advise you in writing why we made that decision and provide you with a cost estimate before completing your request.

What happens if we decline your request?

We will endeavour to inform you of this within 45 days. We will provide our justification for declining to take action in connection with your request.

Non-discrimination

We will not discriminate against you for exercising any of your CPRA rights.

Other California Privacy Rights

California’s “Shine the Light” law (Civil Code Section § 1798.83) permits users of our Websites that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please contact our Global Privacy Officer at [email protected].