Supplemental Website Privacy Notice for California, Virginia, Utah, and Connecticut consumers


Effective January 2023

This Supplemental Website Privacy Notice (“Supplemental Notice”) applies only to information collected about California, Colorado, Virginia, Utah, and Connecticut consumers. It provides information required under the California Consumer Privacy Act of 2018 and California Privacy Rights Act of 2020 (collectively, the “CPRA”), the Colorado Privacy Act of 2021 (the “CPA”), the Virginia Consumer Data Protection Act of 2021 (the “VCDPA”), the Utah Consumer Privacy Act of 2022 (the “UCPA”), and the Connecticut Data Privacy Act of 2022 (“CDPA”). We also provide a brief paragraph regarding information collected about Nevada consumers under the heading “Privacy Notice for Nevada Residents” at the end of this Supplemental Notice. The other portions of this Supplemental Notice do not apply to Nevada consumers.

This Supplemental Notice describes the practices of Cook Medical Holdings LLC (“we,” “us,” “our”) regarding the collection, use, and disclosure of Personal Information and provides instructions for submitting data subject requests. This Supplemental Notice is parallel in scope to our Privacy Statement.

Some portions of this Supplemental Notice apply only to consumers of particular states. In those instances, we have indicated that such language applies only to those consumers.

Definitions specific to this statement

“Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with, directly or indirectly, a particular consumer or household. Personal Information includes “personal data” as that term is defined in the CPA, VCDPA, UCPA, and CDPA. Personal Information also includes “Sensitive Personal Information,” as defined below, except where otherwise noted.

“Sensitive Personal Information” means Personal Information that reveals a consumer’s social security, driver’s license, state identification card, or passport number; account log-in, financial account number, debit card number, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; precise geolocation; racial or ethnic origin, religious beliefs, or union membership; contents of email or text messages; or genetic data. Sensitive Personal Information also includes processing of biometric information for the purpose of uniquely identifying a consumer and Personal Information collected and analyzed concerning a consumer’s health, sexual activity, or sexual orientation. Sensitive Personal Information also includes “sensitive data” as that term is defined in the CPA, VCDPA, UCPA, and CDPA.

“Third Party” has the meanings afforded to it in the CPRA, CPA, VCDPA, UCPA, and CDPA.

“Vendor” means a service provider, contractor, or processor as those terms are defined in the CPRA, CPA, VCDPA, UCPA, and CDPA.

To the extent other terms used in this Supplemental Notice are defined terms under the CPRA, CPA, VCDPA, UCPA, or CDPA, they shall have the meanings afforded to them in those statutes, whether or not capitalized herein. As there are some variations between such definitions in each of the five statutes, the definitions applicable to you are those provided in the statute for the state in which you are a consumer. For example, if you are a Virginia consumer, terms used in this Supplemental Notice that are defined terms in the VCDPA shall have the meanings afforded to them in the VCDPA as this Supplemental Notice applies to you.

The Personal Information we collect and process

We and our Vendors collect Personal Information directly from California, Colorado, Virginia, Utah, and Connecticut consumers, as well as from joint marketing partners, public databases, providers of demographic data, publications, professional organizations, social media platforms, people with whom you are connected on social media platforms, caregivers, Vendors and Third Parties that help us screen and onboard individuals for hiring purposes, and Vendors and Third Parties when they share the information with us.

A. Information we collect
We, and our Vendors, may have collected and processed the following categories of Personal Information about you in the preceding 12 months that we may also disclose to Vendors and Third Parties:

  • Identifiers, such as name, signatures, alias, online identifiers, internet protocol (IP) address, account name, physical characteristics or description.
  • Contact and financial information, including phone number, address, email address, financial information, medical information, health insurance information.
  • Commercial information, such as transaction information and purchase history.
  • Internet or other electronic network activity information, such as browsing history and interactions with our websites or advertisements.
  • Geolocation data, such as device location.
  • Audio, electronic, visual, olfactory and similar information, such as call and video recordings.
  • Professional or employment-related information, such as work history and prior employer.
  • Education information, as defined in the federal Family Educational Rights and Privacy Act, such as student records and directory information.
  • Purchase history, such as commercial information, including products or services purchased, obtained, or considered or other purchasing or commercial histories or tendencies.
  • Inferences drawn from any of the Personal Information listed above to create a profile or summary about, for example, an individual’s preferences and characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

B. Why we process this information
We, and our Vendors, collect and process the Personal Information (excluding Sensitive Personal Information) described in this Supplemental Notice to:

  • Operate, manage, and maintain our business
  • Provide, develop, improve, repair, and maintain our products and services
  • Hire and manage our employees, as well as for related employment purposes
  • Personalize, advertise, and market our products and services
  • Conduct research, clinical studies, analytics, and data analysis
  • Conduct investigations
  • Maintain our facilities and infrastructure
  • Undertake quality and safety assurance measures
  • Conduct risk and security controls and monitoring
  • Detect and prevent fraud
  • Perform identity verification
  • Service accounts
  • Perform accounting, audit, and other internal functions, such as internal investigations
  • Comply with law, legal process, and internal policies
  • Fulfill contracts
  • Maintain records
  • Process orders and transactions and payment
  • Provide customer service
  • Maintain, process, or fulfill insurance and workers’ compensation claims
  • Provide analytic services
  • Exercise and defend legal claims
  • Otherwise accomplish our business purposes and objectives

Sensitive Personal Information

We, and our Vendors, may have collected and processed Sensitive Personal Information about you in the preceding 12 months that we may also disclose to Vendors and Third Parties for the specified purposes outlined below.

A. Sensitive Personal Information we process
Personal Information that reveals:

  • Government Identification such as social security, driver’s license, state identification card, or passport number
  • Account log-in, financial account number, debit card number, or credit card number in combination with any required security or access code, password, or credentials for allowing access to an account
  • Financial information such as bank account number, credit card number, debit card number, or any other financial information
  • Precise geolocation
  • Characteristics of protected classifications under law, such as age (40 years or older), gender, marital status, sex, sexual activity, sexual orientation, race, ethnic or national origin, religious or philosophical beliefs, union membership, physical or mental health conditions, disability, genetics, and veteran or military status
  • Contents of a consumer’s email and text messages, unless the business is the intended recipient thereof
  • Biometric data processed for the purpose of uniquely identifying a consumer such as imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, faceprint, voiceprint, and sleep, health, or exercise data
  • Personally identifiable education information that is not publicly available such as grades and financial aid
  • Personal Information collected and analyzed concerning a consumer’s medical information or health insurance information

B. Why we process sensitive personal information
We, and our Vendors, collect, process, and share the sensitive personal information described above only for:

  • Performing the services or providing the goods reasonably expected by an average consumer who requests those goods or services, such as fulfilling medical device orders, providing customer service, and processing or fulfilling insurance claims
  • Ensuring security and integrity to the extent the use of the consumer’s Personal Information is reasonably necessary and proportionate for these purposes
  • Short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of a consumer’s current interaction with us, provided that we will not disclose the consumer’s Personal Information to a Third Party or build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with us
  • Performing services on our behalf, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing grants to charitable foundations, hosting events, providing analytic services, providing storage, or providing similar services on our behalf
  • Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by us
  • Hiring and managing our employees, as well as for related employment purposes

Categories of entities to whom we disclose Personal Information

A. Affiliates and Vendors
We may disclose your Personal Information to our affiliated companies, if required, and Vendors for the purposes described above in this Supplemental Notice. Our Vendors provide us with services for our websites, as well as other products and services, such as web hosting, data analysis, payment processing, order fulfillment, software, customer service, infrastructure, technology services, email delivery services, credit card processing, legal services, study sites, experts helping us with a clinical project and other similar services. We grant our Vendors access to Personal Information only to the extent needed for them to perform their functions and require them to protect the confidentiality and security of such information.

B. Third Parties
We may disclose your Personal Information to Third Parties in the following circumstances:

  • At your direction. We may disclose your Personal Information to any Third Party with your consent or at your direction.
  • Where it is required by law for safety and security.
  • Business transfers or assignments. We may disclose your Personal Information to other entities as reasonably necessary to facilitate a merger, sale, joint venture or collaboration, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings).

C. Legal and regulatory
We may disclose your Personal Information to government authorities, including regulatory agencies, health authorities and courts, as reasonably necessary for our business operational purposes, to assert and defend legal claims, and otherwise as permitted or required by law.

Retention of Personal Information

We retain your Personal Information for the period reasonably necessary to provide goods and services to you and for the period reasonably necessary to support our business operational purposes listed in this notice.

Selling Personal Information

We do not sell Personal Information, including that of minors. We may, however, engage in the following activities:

  • Disclose a consumer’s Personal Information upon the consumer’s instruction
  • Interact with a Third Party upon the consumer’s instruction
  • Use or share consumers’ Personal Information pursuant to a written contract with a service provider that is necessary to perform a business purpose, where our contract prevents the provider from using, keeping, or disclosing consumers’ Personal Information for any purpose other than the reason supplied in the contract
  • Transfer a consumer’s Personal Information as part of a transaction in which the Third Party assumes control of all or part of our business

A. Disclosure for California consumers:
We have not sold or shared Personal Information about California consumers in the past twelve months. Relatedly, we do not have actual knowledge that we sell or share Personal Information of California consumers under 16 years of age. For purposes of the CPRA, a “sale” is the disclosure of Personal Information to a Third Party for monetary or other valuable consideration, and a “share” is the disclosure of Personal Information to a Third Party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.

B. Disclosure for Colorado, Virginia, Utah, and Connecticut consumers:
We do not sell or share Personal Information to Third Parties or process Personal Information for purposes of targeted advertising, as the terms “sell,” “share,” “process,” and “targeted advertising” are defined in the CPA, VCDPA, UCPA, and CDPA.

Your data subject rights

California, Colorado, Virginia, Utah, and Connecticut consumers have certain rights with respect to the collection and use of their Personal Information. Those rights vary by state. As required by the CPRA, we provide detailed information below regarding the data subject rights available to California consumers. Colorado, Virginia, Utah, and Connecticut consumers have similar rights and can find more detail by referencing the CPA, VCDPA, UCPA, or CDPA, as applicable.

Data subject rights disclosure for California consumers: California consumers have the following rights regarding our collection and use of their Personal Information, subject to certain exceptions.

Right to receive information on privacy practices: You have the right to receive the following information at or before the point of collection:

  • The categories of Personal Information to be collected
  • The purposes for which the categories of Personal Information are collected or used
  • Whether or not that Personal Information is sold or shared
  • If the business collects Sensitive Personal Information, the categories of Sensitive Personal Information to be collected, the purposes for which it is collected or used, and whether that information is sold or shared
  • The length of time the business intends to retain each category of Personal Information, or if that is not possible, the criteria used to determine that period

We have provided such information in this Supplemental Notice, and you may request further information about our privacy practices by contacting us at the contact information provided below.

Right to deletion: You may request that we delete any Personal Information about you that we collected from you.

Right to correction: You may request that we correct any inaccurate Personal Information we maintain about you.

Right to know: You may request that we provide you with the following information about how we have handled your Personal Information in the 12 months preceding your request:

  • The categories of Personal Information we collected about you
  • The categories of sources from which we collected such Personal Information
  • The business or commercial purpose for collecting Personal Information about you
  • The categories of Personal Information about you that we shared or disclosed and the categories of Third Parties with whom we shared or disclosed such Personal Information
  • The specific pieces of Personal Information we have collected about you

Right to receive information about onward disclosures: You may request that we disclose to you:

  • The categories of Personal Information that we have collected about you
  • The categories of Personal Information that we have sold or shared about you and the categories of Third Parties to whom the Personal Information was sold or shared
  • The categories of Personal Information we have disclosed about you for a business purpose and the categories of persons to whom it was disclosed for a business purpose

California residents under age 18. If you are a resident of California under the age of 18 and a registered user of our website, you may ask us to remove content or data that you have posted to the website by writing to Privacy@CookGroup.com. Please note that your request does not ensure complete or comprehensive removal of the content or data, as, for example, some of your content or data may have been reposted by another user.

Disclosure about direct marketing for California residents. California Civil Code § 1798.83 permits California residents to annually request certain information regarding our disclosure of Personal Information to other entities for their direct marketing purposes in the preceding calendar year. We do not distribute your Personal Information to other entities for their own direct marketing purposes.

Privacy notice for Nevada residents. We do not sell Covered Information as defined under Nevada law, and we generally do not disclose or share personal information as defined under Nevada law for commercial purposes. Under Nevada law, you have the right to direct us to not sell or license your personal information to Third Parties. To exercise this right, if applicable, you or your authorized representative may contact our Privacy Office at Privacy@CookGroup.com.

Changes to our Supplemental Notice. We reserve the right to amend this Supplemental Notice at our discretion and at any time. When we make material changes to this Supplemental Notice, we will notify you by posting an updated Supplemental Notice on our website and listing the effective date of such updates.

Right to non-discrimination: You have the right not to be discriminated against for exercising your data subject rights. We will not discriminate against you for exercising your data subject rights. For example, we will not deny goods or services to you, or charge you different prices or rates, or provide a different level of quality for products or services as a result of you exercising your data subject rights.

You may exercise data subject rights applicable to you under the CPRA, CPA, VCDPA, UCPA, or CDPA by contacting our Privacy Office. If you submit a request by mail or email, include “Data Subject Rights Request” and your state of record on the front of the envelope or in the subject line of your message and include your name and whether your request is a “request for access” or a “request to delete.” If you submit a request via phone, you will be asked to provide the same information.

By mail:
Chief Privacy Officer
Cook Group Incorporated
P.O. Box 1608
Bloomington, Indiana 47402-1608 USA

Toll free in US: 800.457.4500
Phone: 812.331.1025
Fax: 812.331.8990
Email: Privacy@CookGroup.com

Verification process
Within 10 business days of Cook receiving your request, you will be contacted and guided through a process to verify your identity and your request. We will confirm receipt of your request, but before responding, we will verify your request by comparing the information you submit with the request to the information we have in our systems. In some cases, we may ask you for additional information to confirm that we have identified the correct consumer record. If you designate an agent to make a request on your behalf, we may require the agent to provide proof of signed permission from you to submit the request, or we may require you to verify your own identity to us or confirm with us that you provided the agent with permission to submit the request. Subject to certain exceptions that may apply under the law, if we are able to verify your request, we will accommodate it.

Appeals for Virginia, Colorado, and Connecticut consumers
Virginia, Colorado, and Connecticut consumers have the right to appeal our decisions on their data subject requests. This section does not apply to California or Utah consumers. To appeal our decision on your data subject requests, you may contact our Privacy Office at Privacy@CookGroup.com or by calling 812.331.1025. Please enclose a copy of or otherwise specifically reference our decision on your data subject request, so that we may adequately address your appeal. We will respond to your appeal in accordance with applicable law.

Changes to our Privacy Statement
We reserve the right to amend this Privacy Statement at our discretion and at any time. When we make changes to this Privacy Statement, we will post an updated notice on this webpage with an updated “last revised” date.