In the 12 months preceding the date of this Privacy Statement, we may have collected your PI in a number of ways, including:

•  when you provide it to us, including in connection with a Principal product or service you have purchased or are considering, such as a completed insurance or investment application form, or where you contact us in relation to a query you have;
•  from your employer or plan sponsor, if Principal provides them with recordkeeping and/or employee benefits services;
•  from financial professionals (e.g., brokers, agents, advisors, and distribution partners) associated with the products and services we offer you;
•  if you are a representative of an organization or entity that is a client or vendor of Principal, and that organization or entity provides us with your PI;
•  throughout the course of our relationship with you, including when you change your details, provide additional PI, or when the services we are providing to you change;
•  from public sources where you have manifestly chosen to make your PI public, including via public profiles on social media;
•  from third parties such as credit reference agencies, or third parties that you direct or authorize to share information with us;
•  from other third-party data services, for example to verify your identity and to better understand your product and service needs; and
•  from visits to our Site or use of the Services.

Please note that, where we receive your PI from a source other than directly from you, Principal cannot ensure the accuracy of such PI.

The categories of PI we may have collected from these sources during the 12 months preceding the date of this Privacy Statement, and will continue to collect, include the following:

• Personal identifiers: e.g., name, residential address, email address(es), social media handle, telephone number(s), government identification documentation and numbers, date of birth, nationality, gender, and signature.
• Professional information: e.g., name of current employer, job title, work address, work telephone number(s), work email address, and professional and academic history.
• Financial information: e.g., bank account number, account balance, income, assets, and liabilities.
• Profile information: details about your accounts that you have with us and other details of products and services you have purchased from us, such as your account or policy number, investments, and username, password, and email address for our online services that you have access to.
• Technical information: details on the devices and technology you use, including your IP address, browser type and version, browser plug in types and versions, and operating system, and on your use and interaction with our online services, such as information about the actions you take on our web site, through the use of cookies or other technologies. We may receive confirmation when you open an email from us. For more information about our use of cookies, please see relevant sections on Cookies and Other Technologies (below) in this Privacy Statement.
• Electronic monitoring information: to the extent permitted by law, we may record and monitor your electronic communications with us and visits to our premises via the use of CCTV recordings; and
• Sensitive Personal Information (“SPI”): In limited circumstances, and where allowed by law, SPI about you (e.g., medical and health information required to provide the products and services you request). Please note, you are prohibited from sending us SPI, or instructing others to do so on your behalf, that we did not request or is not needed for us to perform services for you.
• Demographic information: In some circumstances, we may collect demographic data about you (e.g., household information and marital status).

We may also collect any other PI from you to the extent that you voluntarily disclose such PI to us.

Unless we otherwise indicate that the provision of specific PI is optional, any PI we request from you, your organization, plan sponsor, or other associated entity will be related to the products and services requested by you or on your behalf. If you do not provide the PI requested, we may not be able to provide those products or services, accept or progress your submission of interest, fulfill your request, or respond to your communications more generally

We will only use your PI in accordance with applicable law and in the following circumstances:

If you are located in the EEA, the UK, or Switzerland: You have a right to object to the processing of your PI where that processing is carried out for our legitimate interests. Please note, however, that we may not be able to fulfill such requests in all instances.

We also automatically collect basic Technical information from all visitors to the Site through our automatic data collection tools, which may include cookies and other commonly used technologies. These tools collect certain standard information that your browser sends to the Site, such as your browser type and language, device type, operating system, access times, domain name, and the address of the website from which you came to the Site. They may also collect information about your IP address or click-stream data within our Site (i.e., the actions you take in connection with the Site). Among other things, this information helps us improve the functionality of the Site.

About cookies and how we use cookies

Cookies are small text files sent to your web browser and stored on your hard drive by a website. Cookies allow your web browser to “remember” specific pieces of information about your visits to our Site.

Cookies allow you to access secure information, conduct secured transactions, and take advantage of promotional opportunities. They are designed to help you have a better user experience within our Site, and we use the information to improve our Site content and Site functionality. Cookies allow our Site to remember your device, remember who you are, and help us to be more efficient. For example, we can learn about what content is important to you, and we can revise or remove web pages that are not of interest. You may set your web browser to notify you when you receive a cookie.

Types of cookies we use

Our Site uses both “session” and “persistent” cookies. Session cookies are temporary and expire when you leave our Site or are inactive for a specified length of time. Persistent cookies store your preferences for the Site and are read by your browser each time you visit the Site.

Our Site uses both first-party cookies, which are cookies set by us, and third-party cookies, which are cookies set by other companies to assist our advertising and marketing efforts.

The cookies used by our Site fall into the following four categories:

1. Strictly necessary cookies. These cookies are necessary for our Site to function and cannot be switched off in our systems. They’re set for you behind the scenes when you do things such as log in, fill out forms, make a request for products or services, or set your privacy preferences. You can set your browser to block or alert you about these cookies, but some parts of our Site won’t work without them.

2. Functional cookies. These cookies enable our Site to work smoothly and, in a manner personalized to you. They may be set by us or by third-party providers whose services we’ve added to our pages. For example: downloading a customer service form using PDF. If these cookies are blocked, then some or all of these services may not function.

3. Performance cookies. These cookies allow us to count how many times people visit our Site, and how they get here, so we can measure and improve its performance. They show us which pages are the most (and least) popular, and how visitors move around on the Site when they’re here. If these cookies are blocked, we have less information about how to improve our Sites that will be useful to you.

4. Marketing cookies. These cookies may be set through our Site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant advertisements on other websites. If these cookies are blocked, you will experience less targeted advertising.

Managing your cookie preferences

If you wish to make changes to your cookie preference please visit one of the links below:

• Principal.com cookie preference center
• Principalam.com cookie preference center
• SimplyRetirement.com cookie preference center

Most web browsers allow you to change your browser settings to limit or block certain cookies. Doing so, however, may limit your access to certain sections of our Site or otherwise compromise the functionality of the Site.

The following chart describes the categories of PI that we disclosed to third parties for a business purpose in the 12 months prior to the date of this Privacy Statement:

In addition to the above, we may also disclose your PI in any jurisdiction to:

• competent authorities (including national or international regulators, law enforcement authorities, tax authorities and courts or other tribunals) or their agents, where Principal is required or permitted by law or regulation to do so;
• any person to whom disclosure is allowed or required by local or foreign law, regulation, or any other applicable instrument; and/or
• comply with a subpoena or similar legal process or government request, or when we believe in good faith that disclosure is legally required or otherwise necessary to protect our rights and property or the rights, property, or safety of others, including to law enforcement agencies and judicial and regulatory authorities.

We may contact you by email to provide information regarding events, products, services, and content that may be of interest to you, unless you inform us that you do not wish to receive marketing communications from us. If applicable law requires that we receive your consent before we send you certain types of marketing communications, we will only send you those types of communications after receiving your consent.

You can request that we stop processing your PI for marketing purposes at any time by clicking on marketing opt-out links in any electronic marketing materials we send you, by making a request to your usual Principal contact, or by using the contact details set out in the Contact Us section or the Annex of this Privacy Statement.

Our U.S.-based Services are generally hosted in the United States, although we may work with service providers in other jurisdictions from time to time. Therefore, when you disclose your PI to us, your PI may be transferred outside of the jurisdiction in which you reside. If you are located in the EEA, UK, or Switzerland, Principal may, for the purposes listed in Section II above, transfer your PI to recipients as referred to above that are located in countries outside the EEA, the UK, or Switzerland, including to the United States, and that are not currently considered by the European Commission, UK Government, and/or the Swiss Federal Data Protection and Information Commissioner (as applicable) to provide an adequate level of data protection. In these circumstances, Principal will take steps to ensure that the PI is transferred in accordance with relevant data protection laws, including by entering into Standard Contractual Clauses or similar (“SCCs”) with the recipient, seeking assurances from the recipient that they have Binding Corporate Rules in place, or otherwise relying on a derogation for the transfer (e.g., where the transfer is necessary for the defense of legal claims).

You can request further information on the data transfer solutions relied upon, including a copy of the SCCs, by using the contact details in Section XIII or the Annex below.

In accordance with applicable law, you may have certain privacy rights based on the jurisdiction in which you reside. However, please note that the below rights are not absolute and may be subject to exceptions and/or limitations. The exceptions may relate to the types of PI we collect or the nature of our business.

Some privacy laws, such as the California Consumer Privacy Act or the EU’s and UK’s General Data Privacy Regulation, give certain individuals the right to submit certain requests, subject to applicable exemptions or limitations.

You may submit such requests online via our form for California residents and our form for EU and UK residents, and we will process such requests in accordance with applicable privacy law. You may also submit requests by contacting us at +1-800-986-3343 (please inform our customer service representative of the type of request you wish to submit). The types of requests provided for by applicable privacy law may include:

• Right of access: This type of request is to confirm what data is being processed, obtain information about the processing activities, and to receive a copy of your PI;
• Right to rectification: This type of request is to seek rectification/correction of your PI where it is inaccurate or incomplete;
• Right to erasure: This type of request is to seek deletion of your PI;
• Right to restriction: This type of request is to ask that we restrict or suppress the processing of your PI, which means that while we are permitted to store the PI, we cannot otherwise process it;
• Right to data portability: This type of request is to seek the transfer of certain PI to a third party in machine-readable format;
• Right to object: This type of request is to object to the processing of your PI, including for any direct marketing purposes; and
• Right to Withdraw Consent: This type of request is to withdraw your consent, at any time, without hindrance or cost, to prevent further processing of your PI. Please note that withdrawing your consent does not affect the lawfulness of our processing of your PI based on such consent before the withdrawal.

In addition, you may also have the right to lodge a complaint with your local data protection authority.

To protect your privacy, we take steps to verify your identity before fulfilling your request.

California consumer privacy act

The California Consumer Privacy Act (CCPA) gives California residents rights with respect to their PI. Such rights are limited to PI that is not exempt under the CCPA. The CCPA exempts, for example, non-public personal information that is subject to the Gramm-Leach-Bliley Act, a federal financial privacy law.

California residents are granted the right by law to opt out of the sale or sharing of their Personal Information. We do not sell PI within the meaning of the CCPA. If you wish to opt out of the sharing of your personal information within the meaning of CCPA, please use our form for California residents privacy rights requests.

CCPA: Data subject request rights

As mentioned above in Section VII, the CCPA may grant you the right to submit certain data subject requests. For requests for access or deletion, we will first acknowledge receipt of your request within 10 business days of receipt of your request. We will provide a substantive response to your request as soon as we can, generally within 45 days from when we receive your request, although we may be allowed to take longer to process your request under certain circumstances.

If we expect your request is going to take us longer than normal to fulfill, we will let you know.

We usually act on requests and provide information free of charge, but we may charge a reasonable fee to cover our administrative costs of providing the information in certain situations. In some cases, the law may allow us to refuse to act on certain requests. When this is the case, we will explain why.

When we receive a data subject request, we will ask you for identifying information and attempt to match it to information that we maintain about you.

If we are unable to verify your identity with the degree of certainty required, we will not be able to respond to your request. We will notify you to explain the basis of the denial.

Our commitment to allowing you to exercise your rights – Non-discrimination

If you exercise any of the rights explained in this Privacy Statement, we will continue to treat you fairly. If you exercise your rights under this Privacy Statement, you will not be denied or charged different prices or rates for goods or services or provided a different level or quality of goods or services than others.

CCPA: Authorized agents

You may designate an agent to submit data subject requests on your behalf. The agent must be a natural person or a business entity that is registered with the California Secretary of State.

If you would like to designate an agent to act on your behalf, you and the agent will need to comply with our verification process. Specifically, if the agent submits requests to access, know, or delete your PI, the agent will need to provide us with your signed permission indicating the agent has been authorized to submit the opt-out request on your behalf. We will also require that you verify your identity directly with us or confirm with us that you provided the agent with permission to submit the request.

Please note that this subsection does not apply when an agent is authorized to act on your behalf pursuant to a valid power of attorney. Any such requests will be processed in accordance with California law pertaining to powers of attorney.

California Shine the Light

California Civil Code Section 1798.83, also known as the “Shine the Light” law, permits California residents who have an established business relationship with a business to annually request, free of charge, information about certain categories of PI a business has disclosed to third parties for those parties’ direct marketing purposes in the preceding calendar year. Except when your financial professional requests to retain your information after changing their affiliation and leaving Principal, we do not share PI with third parties for their marketing purposes.

Do not track

Some browsers have a “do not track” feature that lets you tell websites that you do not want to have your online activities tracked. We respond to the Global Privacy Control signal. At this time, we do not respond to browsers’ other browser “do not track” signals or other browser mechanisms that allow you to tell websites you do not want to have online activities tracked.

We retain PI for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period, the amount, nature, and sensitivity of the PI are considered, together with the necessity and purposes for the processing (including whether such purposes can be achieved through other means) and the potential risk of harm from unauthorized use or disclosure of the PI. In exceptional cases (e.g., in pending litigation matters or where the law requires us to) your PI may need to be kept for longer periods of time.

We take reasonable steps, consistent with generally accepted industry standards, including physical, technical, organizational, operational and management controls to ensure a level of security appropriate to the risk of PI processing. For more details, please see our Security Policies page.

The Services are not directed to children under 16 (or other age as required by local law), and we do not knowingly collect PI from children. We do not sell the PI of minors. If you learn that your child has provided us with PI without your consent, you may contact us as set forth below. If we learn that we have collected any PI in violation of applicable law, we will promptly take steps to delete such information and terminate the child’s account.

Changes to our Privacy statement

We reserve the right to modify this Privacy Statement at any time, so please review it frequently. If we make changes that materially affect our use of PI or your privacy rights, we will announce the changes by providing a notice on this Site and/or, if deemed appropriate, by email.

Third-Party websites

Our Services may contain links to websites and services that are owned or operated by third parties (each, a “Third-Party Service”) which may include features that collect your IP address and information about which page you are visiting on our Services, and which may set up a cookie to enable the links to function properly. Any information that you provide on such websites is provided directly to the Third-Party Service, and we are not responsible for their respective content or privacy and security practices and policies. To protect your information, including PI, we recommend that you carefully review the privacy policies of all Third-Party Services that you access. Our Services may include access to publicly accessible blogs, forums, or social media pages. PI you voluntarily transmit or publish online in such publicly accessible blog, forum, or social media pages may be viewed and used by others without any restrictions. Your interactions with these platforms are governed by the privacy policy of the company providing them.

If you have any questions about our privacy practices or this Privacy Statement, please contact us at:

Principal Financial Group
P.O. Box 14582
Des Moines, IA 50306-3582
+1-800-986-3343
CorpPrivacy@exchange.principal.com

Depending on your location, you may also wish to contact us as per the contact details according to the relevant Principal affiliate in the Annex.

List of principal subsidiaries and affiliates