California privacy statement for suppliers


Effective January 2024

The California Consumer Privacy Act, as amended by the California Privacy Rights Act, and its implementing regulations (collectively, the “CCPA”), gives California residents certain rights and requires businesses to make certain disclosures regarding their Collection, use, and disclosure of Personal Information. This California Privacy Statement for Suppliers (the “Statement”) provides such notice to Cook’s (“we,” “us,” “our”) Service Providers, Third Parties, and their employees, independent contractors, or other individuals who interact with Cook in a commercial context (collectively, “Business Contacts”).

Please note that this Statement only addresses Cook’s Collection, use, and disclosure of Personal Information collected in a commercial context and only applies to residents of California. This Statement does not apply to individuals who are residents of other US states or other countries and/or who do not interact with Cook in a commercial context. For further details about our privacy practices pertaining to non-Business Contact Personal Information, please see our Privacy Statement.

As a Business Contact, you have the right to know what categories of Personal Information Cook Collects, uses, discloses, Sells, and Shares about you. This Statement provides that information and other disclosures required by California law.

A. Definitions

  • Personal Information: As used in this Statement, “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Consumer or household. Personal Information includes Sensitive Personal Information.
  • Sensitive Personal Information: As used in this Statement, “Sensitive Personal Information” includes Personal Information that reveals, among other things, social security number, driver’s license number, state identification card number, passport number, racial or ethnic origin, union membership, or the contents of a Consumer’s mail, email, and text messages, unless Cook is the intended recipient of the communication. Sensitive Personal Information also includes information concerning the Business Contact’s health, sex life, or sexual orientation.
  • Other CCPA Definitions: As used in this Statement, the terms “Collect,” “Processing,” “Service Provider,” “Third Party,” “Sale,” “Share,” “Consumer,” and other terms defined in the CCPA and their conjugates, have the meanings afforded to them in the CCPA, whether or not such terms are capitalized herein, unless contrary to the meaning thereof.

B. Collection, Processing, and disclosure of Business Contact Personal Information

    • Collection and Processing of Personal Information

We, and our Service Providers, may have Collected and Processed the following categories of Personal Information from Business Contacts in the preceding 12 months:

      1. Identifiers, such as name, alias, online identifiers, account name, physical characteristics or description;
      2. Contact and financial information, including phone number, address, email address, financial information, medical information, health insurance information;
      3. Characteristics of protected classifications under state or federal law, such as age, gender, race, physical or mental health conditions, and marital status;
      4. Commercial information, such as transaction information and purchase history;
      5. Biometric information;
      6. Internet or other electronic network activity information, such as browsing history and interactions with our websites or advertisements;
      7. Geolocation data, such as device location;
      8. Audio, electronic, visual and similar information, such as call and video recordings;
      9. Professional or employment-related information, such as work history and prior employer;
      10. Education information, as defined in the federal Family Educational Rights and Privacy Act, such as student records and directory information;
      11. Inferences drawn from any of the Personal Information listed above to create a profile or summary about, for example, an individual’s preferences and characteristics; and
      12. Sensitive Personal Information, including:
        1. Personal Information that reveals:
          1. Social security, driver’s license, state identification card, or passport number;
          2. Account log-in, financial account number, debit card number, or credit card number in combination with any required security or access code, password, or credentials for allowing access to an account;
          3. Precise geolocation;
          4. Racial or ethnic origin, religious or philosophical beliefs, or union membership;
          5. Contents of a Consumer’s email and text messages, unless the business is the intended recipient thereof; or
          6. Genetic data.
        2. Biometric data processed for the purpose of uniquely identifying a Consumer;
        3. Personal Information Collected and analyzed concerning a Consumer’s health; and
        4. Personal Information Collected and analyzed concerning a Consumer’s sex life or sexual orientation.
    • Categories of Business Contact Personal Information we disclose to Service Providers and Third Parties

We disclose the following categories of Business Contact Personal Information to Service Providers and Third Parties:

      1. Identifiers, such as name, alias, online identifiers, account name, physical characteristics or description;
      2. Contact and financial information, including phone number, address, email address, financial information, medical information, health insurance information;
      3. Characteristics of protected classifications under state or federal law, such as age, gender, race, physical or mental health conditions, and marital status;
      4. Commercial information, such as transaction information and purchase history;
      5. Biometric information;
      6. Internet or other electronic network activity information, such as browsing history and interactions with our websites or advertisements;
      7. Geolocation data, such as device location;
      8. Audio, electronic, visual and similar information, such as call and video recordings;
      9. Professional or employment-related information, such as work history and prior employer;
      10. Education information, as defined in the federal Family Educational Rights and Privacy Act, such as student records and directory information;
      11. Inferences drawn from any of the Personal Information listed above to create a profile or summary about, for example, an individual’s preferences and characteristics; and
      12. Sensitive Personal Information, including:
        1. Personal Information that reveals:
          1. Social security, driver’s license, state identification card, or passport number;
          2. Account log-in, financial account number, debit card number, or credit card number in combination with any required security or access code, password, or credentials for allowing access to an account;
          3. Precise geolocation;
          4. Racial or ethnic origin, religious or philosophical beliefs, or union membership;
          5. Contents of a Consumer’s email and text messages, unless the business is the intended recipient thereof; or
          6. Genetic data.
        2. Biometric data processed for the purpose of uniquely identifying a Consumer;
        3. Personal Information Collected and analyzed concerning a Consumer’s health; and
        4. Personal Information Collected and analyzed concerning a Consumer’s sex life or sexual orientation.
    • Purposes for Processing Business Contact Personal Information

We, and our Service Providers, Collect and Process Business Contact Personal Information (excluding Sensitive Personal Information) described in this Statement to:

      • Manage our Service Providers throughout the supply chain;
      • Organize tenders, implement tasks in preparation of or to perform existing contracts;
      • Manage our IT resources, including infrastructure management and business continuity; and
      • Process billing and invoicing.

In addition to the purposes identified above, Cook may use and disclose any and all Business Contact Personal Information that we Collect as necessary or appropriate to:

    • Comply with laws and regulations, including, without limitation, applicable tax, health and safety, anti-discrimination, immigration, labor and employment, and social welfare laws;
    • Monitor, investigate, and enforce compliance with and potential breaches of Cook policies and procedures and legal and regulatory requirements;
    • Comply with civil, criminal, judicial, or regulatory inquiries, investigations, subpoenas, or summons; and
    • Exercise or defend the legal rights of Cook and its employees, affiliates, customers, contractors, and agents.

C. Processing Sensitive Personal Information
We, and our Service Providers, Collect and Process the Sensitive Personal Information described in this Statement only for:

  • Performing the services or providing the goods reasonably expected by an average Consumer who requests those goods or services;
  • Ensuring security and integrity to the extent the use of the Consumer’s Personal Information is reasonably necessary and proportionate for these purposes;
  • Short-term, transient use, including, but not limited to, non-personalized advertising shown as part of a Consumer’s current interaction with us; provided that we will not disclose the Consumer’s Personal Information to a Third Party and/or build a profile about the Consumer or otherwise alter the Consumer’s experience outside the current interaction with the business;
  • Performing services on our behalf, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on our behalf;
  • Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by us.

D. Sources from which we Collect Business Contact Personal Information
We Collect Personal Information directly from Business Contacts, as well as from joint marketing partners; public databases; providers of demographic data; publications; professional organizations; educational institutions; social media platforms; and Service Providers and Third Parties when they disclose information to us.

E. Categories of entities to whom we disclose Business Contact Personal Information

  • Affiliates and Service Providers. We may disclose Business Contact Personal Information to our affiliates and Service Providers for the purposes described in Section B of this Statement. Our Service Providers provide us with website services, as well as other products and services, such as web hosting, data analysis, customer service, infrastructure services, technology services, email delivery services, legal services, and other similar services. We grant our Service Providers access to Personal Information only to the extent needed for them to perform their functions, and require them to protect the confidentiality and security of such information.
  • Third Parties. We may disclose your Personal Information to the following categories of Third Parties:
    • At your direction. We may disclose your Personal Information to any Third Party with your consent or at your direction.
    • Business transfers or assignments. We may disclose your Personal Information to other entities as reasonably necessary to facilitate a merger, sale, joint venture or collaboration, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings).
    • Legal and regulatory. We may disclose your Personal Information to government authorities, including regulatory agencies and courts, as reasonably necessary for our business operational purposes, to assert and defend legal claims, and otherwise as permitted or required by law.

G. Data subject rights

  • Data subject rights available to you. As a Business Contact, you have the following rights regarding our Collection and use of your Personal Information, subject to certain exceptions:
    • Right to receive information on privacy practices: You have the right to receive the following information at or before the point of Collection:
      • The categories of Personal Information to be Collected;
      • The purposes for which the categories of Personal Information are Collected or used;
      • Whether or not that Personal Information is Sold or Shared;
      • If the business Collects Sensitive Personal Information, the categories of Sensitive Personal Information to be Collected, the purposes for which it is Collected or used, and whether that information is Sold or Shared; and
      • The length of time the business intends to retain each category of Personal Information, or if that is not possible, the criteria used to determine that period.

      We have provided such information in this Statement, and you may request further information about our privacy practices by contacting us as at the contact information provided below.

    • Right to deletion: You may request that we delete any Personal Information about you that we Collected from you.
    • Right to correction: You may request that we correct any inaccurate Personal Information we maintain about you.
    • Right to know: You may request that we provide you with the following information about how we have handled your Personal Information in the 12 months preceding your request:
      • The categories of Personal Information we Collected about you;
      • The categories of sources from which we Collected such Personal Information;
      • The business or commercial purpose for Collecting, Selling, or Sharing Personal Information about you;
      • The categories of Third Parties with whom we disclosed such Personal Information; and
      • The specific pieces of Personal Information we have Collected about you
    • Right to receive information about onward disclosures: You may request that we disclose to you:
      • The categories of Personal Information that we have Collected about you;
      • The categories of Personal Information that we have Sold or Shared about you and the categories of Third Parties to whom the Personal Information was Sold or Shared; and
      • The categories of Personal Information we have disclosed about you for a business purpose and the categories of persons to whom it was disclosed for a business purpose.
    • Right to non-discrimination: You have the right not to be discriminated against for exercising your data subject rights. We will not discriminate against you for exercising your data subject rights. For example, we will not make hiring, firing, promotion, or disciplinary decisions based on or in consideration of your exercise of your data subject rights. We also will not deny goods or services to you, charge you different prices or rates, or provide a different level of quality for products or services as a result of you exercising your data subject rights.
    • Rights to opt-out of the Sale and Sharing of your Personal Information and to limit the use of your Sensitive Personal Information: You have the right to opt-out of the Sale and Sharing of your Personal Information. You also have the right to limit the use of your Sensitive Personal Information to the purposes authorized by the CCPA. We do not Sell or Share Personal Information. Further, we do not use Sensitive Personal Information for purposes beyond those authorized by the CCPA. Relatedly, we do not have actual knowledge that we Sell or Share Personal Information of California Consumers under 16 years of age. For purposes of the CCPA, a “Sale” is the disclosure of Personal Information to a Third Party for monetary or other valuable consideration, and a “Share” is the disclosure of Personal Information to a Third Party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.
  • How to exercise your rights. You may exercise your data subject rights by contacting our Privacy Office. If you submit a request by mail or email, include “Data Subject Rights Request” on the front of the envelope or in the subject line of your message and include your name and the type of data subject request you are making.

By mail:

    • Chief Privacy Officer

 

    • Cook Group Incorporated

 

    • P.O. Box 1608

 

    • Bloomington, Indiana 47402-1608 USA

Toll free in US: 800.457.4500
Phone: 812.331.1025
Fax: 812.331.8990
Email: Privacy@CookGroup.com

Verification Process:
Depending on the type of data subject request you submit, we may need to verify your identity in order to process your request. If so, within 10 business days of Cook receiving your request, you will be contacted and guided through a process to verify your identity and your request. We will confirm receipt of your request, but before responding, we will verify your request by comparing the information you submit with the request to the information we have in our systems. In some cases, we may ask you for additional information to confirm that we have identified the correct customer record. If you designate an agent to make a request your behalf, we may require the agent to provide proof of signed permission from you to submit the request, or we may require you to verify your own identity to us or confirm with us that you provided the agent with permission to submit the request. Subject to certain exceptions that may apply under the law, if we are able to verify your request, we will accommodate it.

H. Other disclosures

  • Retention of Personal Information: Cook retains Personal Data consistent with applicable data protection laws and regulations in order to meet our reasonable business needs. Cook disposes of Personal Data when it is no longer relevant and, in any case, upon expiration of the maximum storage term as set forth by applicable law, unless the Personal Data is required for a longer period, such as in the case of a claim, lawsuit or other regulatory investigation.

When assessing the data retention period, we consider the amount, nature, and sensitivity of the information, the potential risk of harm from unauthorized use or disclosure of the Supplier Personal Data, the purposes for which we process the Supplier Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.

  • California residents under age 18. If you are a resident of California under the age of 18 and a registered user of our website, you may ask us to remove content or data that you have posted to the website by writing to Privacy@CookGroup.com. Please note that your request does not ensure complete or comprehensive removal of the content or data, as, for example, some of your content or data may have been reposted by another user.
  • Financial incentives for California Consumers. Under California law, we do not provide financial incentives to California Consumers who allow us to Collect, retain, Sell, or Share their Personal Information. We will describe such programs to you if and when we offer them to you.
  • Changes to this Statement. We reserve the right to amend this Statement at our discretion and at any time. When we make material changes to this Statement, we will notify you by posting an updated Statement on our website and listing the effective date of such updates.
  • Contact Us: More information about our privacy practices can be found in our Privacy Statement. If you have any questions regarding this Statement or Cook’s Collection and use of your Personal Information, please contact us at Privacy@CookGroup.com. If you are unable to review or access this notice due to a disability, you may contact us at Privacy@CookGroup.com to access this notice in an alternative format.