Privacy notice for Virginia consumers
Last updated: January 1, 2023
Maximus, Inc. and its subsidiaries (we, us, our) provide this privacy notice for Virginia consumers (notice). This notice only applies to persons who live in the Commonwealth of Virginia (consumer, you, your). This notice is to comply with the Virginia Consumer Data Protection Act (VCDPA) and other Virginia privacy laws. Terms defined in the VCDPA have the same meaning in this notice.
Categories of personal data we process
Business reasons we process personal data
Personal data we share with third parties
Personal data we use or sell for targeted advertising
Your rights regarding your personal data
How to exercise your consumer rights
- How to make a request
- How we respond to your request
- How to appeal a decision on your consumer rights request
Changes to this notice
How to contact us
Categories of personal data we process
We process the data categories below that are linked or could reasonably be linked to an identified or identifiable natural person (personal data):
Category | Examples |
Personal data | Unique identifiers such as name, alias, postal address, Internet Protocol (IP) address, email address, Social Security number, telephone number, or other such identifiers |
Sensitive data | Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status, genetic or biometric data |
Personal data does not include:
- Publicly available information
- De-identified consumer information
- Information excluded from the VCDPA's scope, such as:
- Health Insurance Portability and Accountability Act of 1996 (HIPAA) protected health information
- Data processed or kept when a person applies to, is employed by, or is acting as an agent or independent contractor of a controller, processor, or third party, to the extent the data is collected and used in the context of that role, including emergency contact information and information needed for benefit administration
- Personal information covered by certain privacy laws including the Fair Credit Reporting Act (FCRA) and the Driver's Privacy Protection Act of 1994
- Information and data excluded by the VCDPA scope exception for entities including, but not limited to:
- Body, authority, board, bureau, commission, district, or agency of the Commonwealth or any political subdivision of the Commonwealth
- HIPAA-covered entities and their business associates
- Non-profit organizations
- Financial institutions or data subject to Title V of the federal Gramm-Leach-Bliley Act (GLBA)
Business reasons we process personal data
We process consumer personal data for one or more of these business reasons (not a complete list):
Business reason | Examples |
Support our everyday operations, including to meet risk, legal, and compliance requirements |
|
Manage, improve, and develop our business |
|
Provide information to consumers |
|
Personal data we share with third parties
“Third party” means a natural or legal person, public authority, agency, or body other than the consumer, controller, processor, or affiliate (50% or more control) of the processor or the controller.
We do not disclose consumer personal data to third parties. When we disclose personal data for a business purpose, we enter into a contract that describes the business purpose. The contract requires the receiver to keep that personal information confidential and not use it for any purpose except to perform the contract.
Personal data we use or sell for targeted advertising
We do not use or sell personal data for targeted advertising.
Your rights regarding your personal data
The VCDPA gives you these rights regarding your personal data:
Right to | Description |
Confirm | Whether or not a controller is processing your data and to access your personal data |
Correct | Inaccurate personal data, considering the nature of the personal data and the purposes for processing your data |
Delete | Personal data you provide, or we get that is about you |
Data portability | Get a copy of your personal data that you gave the controller in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the data to another controller without obstruction, where processing is automated |
Opt-Out | Processing your personal data for purposes of (i) targeted advertising, (ii) sale of personal data, or (iii) profiling to further decisions that produce legal or similarly significant effects concerning you |
How to exercise your consumer rights
How to make a request
If you are a Virginia consumer and want to exercise your rights, send your request using How to contact us below. To act on your request, we must verify your identity. Give us enough information to identify you, such as your:
- Name
- Email address
- Mailing address
- Business name
- Business email address
- Business address name
- Date of last contact
- Reason you gave Maximus the personal data
Do not give us your Social Security number.
If you are a parent or legal guardian submitting a request for a minor child, please include your relationship to the minor child.
How we respond to your request
We will respond to your request without unreasonable delay. We will always respond no later than 45 calendar days after we get the request. If we cannot verify your identity in that time, we may deny your request. We will notify you during that time if we need more time (up to 45 calendar days) to respond to your request.
Some information is exempt from VCDPA. This includes employment information and information subject to certain federal privacy laws such as the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA).
Other laws may also affect our ability to comply with your request. State or federal laws requiring that we keep certain information may prevent us from granting your request to delete it. We may decline all or part of your request.
We will respond to your verifiable request free of charge up to twice a year. We may deny your request or charge a reasonable fee for clearly unfounded, excessive, or repeated requests. If we decide your request requires a fee, we will tell you why. We will give you a cost estimate before we complete your request.
How to appeal a decision on your consumer rights request
If we decide not to act on your request, we will explain why. You may appeal that decision using How to contact us below. Within 60 days of the date we get your appeal, we will tell you our appeal decision in writing. We will include the reasons for the decisions.
If we deny your appeal, you may:
- File an online complaint with the Attorney General of the Commonwealth of Virginia at www.oag.state.va.us/consumercomplaintform/form/start
Or
- Send a written complaint to:
Office of the Attorney General
202 North Ninth Street
Richmond, VA 23219
We reserve the right to change this notice at any time. When we do, we will post the revised notice on this webpage with the date of last update.
If you have questions or comments about this notice, contact us at:
Phone: 1-833-953-3696
Email: Privacy@maximus.com