European Union General Data Protection Regulation Privacy Notice

The following terms and conditions govern your use of the website and the MyBlue portal.

Last updated: May ­22, 2018

BCBSA respects your right to privacy.  This Privacy Notice explains who we are, how we collect, share and use personal information about you, and how you can exercise your privacy rights.  This Privacy Notice only applies to personal information that we collect through our website at and the MyBlue portal. For personal information that we collect when you use or interact with our services, please see our Privacy Policy. If you have any questions or concerns about our use of your personal information, please contact us using the contact details provided at the bottom of this GDPR Privacy Notice.

What personal information does BCBSA collect and why?

The personal information that we may collect about you broadly falls into the following categories:

  • Information that we collect

    When you visit our Website, we may collect certain information automatically from your device.  In some countries, including countries in the European Economic Area, this information may be considered personal information under applicable data protection laws.

    Specifically, the information we collect may include information like the IP address of the web page from which you enter our site; the browser name, full version (major and minor), and plugins; the resolution (width/height) and color depth; the operating system; the pages you visit on our site; and the amount of time you spend here.  We do not collect any information that can reveal your personal identity unless you consent to voluntarily provide it when you register to use interactive features of the site. We do not collect and save any Protected Health Information (PHI) on the public section of this site. 

    Collecting this information enables us to better understand the visitors who come to our Website, where they come from, and what content on our Website is of interest to them.  We use this information for our internal analytics purposes and to improve the quality and relevance of our Website to our visitors. For a full list please see our Privacy Policy.

    Some of this information may be collected using cookies and similar tracking technology, as explained further under the heading “Cookies and spyware”.

  • Information that we obtain from third party sources

    From time to time, we may receive personal information about you from third party sources, but only where we have checked that these third parties either have your consent or are otherwise legally permitted or required to disclose your personal information to us. 

    The types of information we collect can be found in our policies here.

Who does BCBSA share my personal information with?

We may disclose your personal information to the following categories of recipients:

  • To our Blue Cross Blue Shield Plans, third party services providers and partners who provide data processing services to us (for example, to support the delivery of, provide functionality on, or help to enhance the security of our Website), or who otherwise process or use personal information for purposes that are described in our Notice of Privacy Practices.
  • To any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;
  • To any other person with your consent to the disclosure.

Legal basis for processing personal information (EEA visitors only)

If you are a visitor from the European Economic Area, our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it. 

We will normally collect personal information from you only where you have voluntarily consented to provide the information, where we need the personal information to provide health insurance, or where the processing is in our legitimate business interests, such as improving the quality and accessibility of our website, accessing our consumer tools, or meeting our contractual requirements with OPM.  In some cases, we may also have a legal obligation to collect personal information from you or may otherwise need the personal information to protect your vital interests, such as meeting our HIPAA compliance obligations or working with law enforcement.

If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided under the “How to contact us” heading below.

Cookies and similar tracking technology

We use cookies and similar tracking technology (collectively, “Cookies”) to collect and use personal information about you.  For further information about the types of Cookies we use, why, and how you can control Cookies, please see our Cookie Notice.

International data transfers

Your personal information may be transferred to, and processed in, countries other than the country in which you are resident.  These countries may have data protection laws that are different to the laws of your country.  However, we have taken appropriate safeguards to require that your personal information will remain protected in accordance with our Notice of Privacy Practices.

Data retention

We retain personal information we collect from you where we have a legal obligation or an ongoing legitimate business need to do so.

When we have no ongoing legal obligation or legitimate business need to retain your personal information, we will either delete or anonymise it or, if this is not possible (for example, because your personal information has been stored in a claims data warehouse), then we will securely store your personal information.

Your data protection rights

You have the following data protection rights:

  • If you wish to access, correct, update or request deletion of certain types of your personal information, you can do so by contacting us using the contact details provided under the “How to contact us” heading below.
  • In addition, if you are a resident of the European Union, you can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information.  You can exercise these rights by contacting us using the contact details provided under the “How to contact us” heading below.  Please, note, however, that if you choose to exercise some of these rights, in most cases we will not be able to provide you with our products or services, process your claims or respond to any queries you may have.
  • You have the right to complain to a data protection authority about our collection and use of your personal information.  For more information, please contact your local data protection authority. (Contact details for data protection authorities in the European Economic Area, Switzerland and certain non-European countries (including the US and Canada) are available here.)

We will respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.

Updates to this Privacy Notice

We may update this Privacy Notice from time to time in response to changing legal, technical or business developments. When we update our Privacy Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make.

You can see when this Privacy Notice was last updated by checking the “last updated” date displayed at the top of this Privacy Notice. 

How to contact us

If you have any questions or concerns about our use of your personal information, please contact our Data Protection Officer at