Skip to content
Effective date of this notice: 08/06/2025

Privacy Notice

THIS NOTICE DESCRIBES HOW CLINICAL REFENCE LABORATORY, INC. AND THE AFFILIATED BUSINESSES IT MANAGES (“CRL,” “we,” “our,” or “us”) COLLECTS PERSONAL INFORMATION FROM OR ABOUT YOU when you RECEIVE SERVICES from us or use our websites, applications, social media networks, interactive features, and other services that link to this Notice (our “Platforms”), HOW SUCH INFORMATION MAY BE USED AND DISCLOSED, AND YOUR RIGHTS WITH RESPECT TO SUCH INFORMATION. PLEASE REVIEW THIS NOTICE CAREFULLY.

This Notice DOES NOT apply to:

In connection with HIPAA covered services, in the event of conflict between this Notice and our HIPAA Notice of Privacy Practices, our HIPAA Notice of Privacy Practices will prevail.

Residents of certain jurisdictions or states may have specific rights under laws of those jurisdictions. Please click on the links below to see information that is specific to the following jurisdictions:

WHY DO WE COLLECT INFORMATION ABOUT YOU?

We provide laboratory testing and related services in the United States, including, without limitation, testing for health and wellness, toxicology, and risk assessment purposes. We collect information about you to provide our services.

WHAT INFORMATION DO WE COLLECT ABOUT YOU?

We receive Personal Information on your consent form or chain of custody when you provide blood, urine, or saliva sample(s) for laboratory testing or when you request laboratory testing from us.

“Personal Information” is data which identifies, describes, is associated with, or could be used to identify you either on its own or in combinations with other readily available data such as your name, birthdate, postal address, email address, telephone number, driver’s license, SSN or government issued identification number, as well as your computer’s IP address, photographs, biometric or geolocation information, or the like.

Type of Information

Categories of Sources

Business or commercial purposes for collection

Disclosed Business Purpose?

Third parties to whom Disclosed for Business Purpose

Identifiers such as a real name, postal address, unique personal identifier, online identifier, Internet Protocol address, signature, email address, account name, or other similar identifiers.

Direct contact with users through the Platforms, phone, email, web form and social media.

As described below, e.g., to provide you with products and services and for internal purposes.

Yes

Service providers, marketing and promotional partners, other entities that provide a service directly to you.

Financial information such as credit card number or debit card number and address or other information related to a billing or payment transaction.

Direct contact with users through the Platforms, phone, email and social media; from subsidiaries and affiliates and third parties.

As described below, e.g., to provide you with products, schedule an appointment, or complete transactions, and for internal purposes.

Yes

Service providers and affiliates.

Commercial information, including products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

Platforms, cookies and other tracking technologies, third parties and affiliates such as service providers.

As described below, e.g., for internal and marketing purposes.

Yes

Service providers, analytics, marketing, and promotional partners.

Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, form submissions, email unsubscribes and subscribes, email engagement or advertisement.

Platforms.

As described below regarding cookies, e.g., for internal purposes and for marketing purposes, as described in our Cookie Notice.

Yes

Service providers, analytics, marketing, and promotional partners.

Geolocation data.

Platforms; e.g. to provide nearby collection locations.

As described below regarding cookies, e.g., for internal, marketing, and other operational and business purposes.

Yes

Service providers, marketing and promotional partners.

Inferences drawn from any Personal Information collected to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Direct contact with users through the Platforms, phone, email and social media; cookies and other tracking technologies, third parties and affiliates such as service providers.

As described below, in order to facilitate more targeted marketing, as well as for internal reporting and analytics purposes.

Yes

Service providers, marketing and promotional partners, third parties for operational purposes.

Sensitive Personal Information, including driver’s license number, national or state identification number, citizenship status, immigration status, race, national origin, religious or philosophical beliefs, sexual orientation, sex life, precise geolocation, information concerning your health, and genetic information.

Direct contact with users

Internal reporting and analytics purposes, and to facilitate more targeted marketing.

Yes

Service providers, analytics, marketing, and promotional partners, and third parties for operational purposes.

 

Personal Information does not include anonymous or aggregated data that can no longer be used to identify a specific person, even if combined with other data. We also do not consider business information, such as a person’s business title, employer’s name, work email, work phone number, work address, and other similar information to be Personal Information.

Additionally, the following types of information are not considered Personal Information:

  • publicly available information from government records; or
  • information excluded from the applicable data privacy law’s scope, including but not limited to PHI covered by HIPAA, information derived from PHI that is de-identified in accordance with HIPAA, and Personal Information we handle in our capacity as a service provider to a business.

If we combine non-personally identifiable information with Personal Information, we will treat such information appropriately, but not all rights may apply to the non-personally identifiable information portion.

HOW WILL WE USE INFORMATION ABOUT YOU?

We may use your information as permitted or required by law. Some of the contexts in which we may use your information include in connection with:

  • to fulfill the purposes for which the information was provided (e.g., to provide a service or perform on a contract);
  • to identify you in order to respond to requests, provide services or products, personalize information we provide to you, or otherwise as described below;
  • to communicate with you about your account or our relationship, such as making announcements about the Platforms or our privacy policies and terms;
  • to send push notifications and other information through our Platforms;
  • to design, improve and administer our Platforms
  • to audit and measure user interaction with our Platforms, so we can improve the relevancy or effectiveness of our content and messaging;
  • to develop and carry out marketing, advertising and analytics;
  • to provide texts or emails containing information about our products or services, or events or news, that may be of interest to recipients, as permitted by law;
  • to deliver content and products or services relevant to your interests, including targeted ads on third party sites;
  • to detect security incidents or monitor for fraudulent or illegal activity;
  • to enable security measures (such as, to protect our Platforms, customers, and business partners);
  • debugging to identify and repair errors;
  • to protect our rights and to protect your safety or the safety of others;
  • to investigate fraud or respond to government inquiries;
  • to complete corporate transactions (from time to time, we sell, buy, merge or otherwise reorganize our businesses, and these corporate restructurings may involve disclosure of Personal Information to prospective or actual purchasers, or the receipt of it from sellers);
  • to comply with laws, regulations or other legal process; or
  • otherwise use your Personal Information with your consent.

We may also use your Personal Information to:

  • provide you with the services and products you request or that have been ordered and/or requested by your healthcare provider;
  • process or collect payments for our services; or
  • respond to your questions and otherwise provide support you request.

We may use Precise Location Data from your device in accordance with the device’s consent process on some of our Platforms to help us improve your user experience and provide information that is relevant to you, such as nearby collection locations.

When you choose to print or email one of your results from within one of our Platforms, the result file is temporarily stored on your mobile device to aid in more efficient delivery of your result.  The result file will be deleted from your mobile device storage once the action of printing or emailing is complete.

We will only disclose as much information as is necessary to accomplish the described purpose.

You may revoke any authorization you sign at any time. If you revoke your authorization, we will no longer use or disclose your Information except to the extent we have already taken action based on your authorization.

RETENTION OF INFORMATION 

CRL retains your Personal Information only for as long as is necessary for our legitimate business purposes. We will retain and use your Personal Information to the extent necessary to comply with our legal, accounting, or reporting obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes and enforce our legal agreements and policies. Additionally, we may continue to store your Personal Information contained in our standard back-ups. We may maintain your information on computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ than those from your jurisdiction. This applies to all categories of Personal Information in use by us.

SELLING/SHARING YOUR INFORMATION 

We do not sell Personal Information. We may disclose your information for the purpose of providing services to you or for the purpose of targeted or cross-context advertising (under California law, this is called “Sharing”):

We may provide your information to our partners to assist us in operating this site, transacting business, and communicating with you. When we do so, we will exercise reasonable care to ensure such partners are prohibited from using information for any other reason and it is maintained securely and privately.

We may disclose your information if we determine disclosure is reasonably necessary to enforce our contracts, this notice, or to otherwise protect our operations, clients, or users.

We may release your information to others (including law enforcement) if we believe such release is reasonably necessary to comply with the law or legal process; enforce or apply the terms of applicable terms of use; detect, prevent, or otherwise address fraud, security, or technical issues; or otherwise protect the rights, property, or safety of others.

We may sell, transfer, and/or disclose your information for lawful purposes, including as part of a business divestiture, sale, merger, or acquisition of all or a part of our business. If another company acquires our company, business, or assets, that company will possess the Personal Information collected by us and will assume the rights and obligations regarding your information as described in this notice. In the event of our insolvency, bankruptcy, or receivership, your Personal Information may also be transferred as a business asset.

SECURING YOUR INFORMATION

CRL takes appropriate measures to protect Personal Information in its possession to ensure a level of security appropriate to the risk of loss, misuse, unauthorized access, disclosure, alteration, and destruction. These measures take into account the nature of the Personal Information and the risks involved in its processing, as well as best practices in the industry for security and data protection.

CRL has adopted physical, technical, and administrative measures that are designed to prevent unauthorized access or disclosure, maintain data accuracy, and ensure appropriate use of Personal Information.

You can help ensure the security of your Information by: 1) logging out of the Platform and closing your browser window, and 2) not divulging your password to anyone. We will never ask you for your password in an unsolicited phone call or in an unsolicited email.

RIGHTS REGARDING YOUR INFORMATION

Depending on where you live, you may have certain rights with respect to your Personal Information that we have collected and used under certain circumstances. This section generally describes these rights and explains how to exercise those rights. The availability of these rights is dependent on your jurisdiction’s privacy laws. Please review your jurisdiction’s privacy laws to determine which rights are available to you.

1)

Right to Know

You may have the right to request CRL disclose the types/categories of Personal Information it collects, uses, discloses, and sells. For further details about this information, please visit the What Information Do We Collection About You section above.

2)

Right to Access / Data Portability

You may have the right to request CRL provide you a portable copy of your Personal Information. For further details about this information, please visit the What Information Do We Collection About You section above.

3)

Right to Request Deletion

Right to Erasure

Right to be Forgotten

You may have the right to request the deletion of their Personal Information collected or maintained by CRL by emailing Privacy@crlcorp.com.

4)

Right to Correct/Amend

Right to Rectification

You may have the right to request a correction of any inaccurate Personal Information. CRL will use commercially reasonable efforts to correct inaccurate Personal Information.

5)

Right to Limit/Restrict

You may have the right to request CRL restrict how we use or disclose your Personal Information. We will consider your request. If we do agree, we will comply with the request unless the information is needed to provide you with emergency treatment. We cannot agree to restrict disclosures that are required by law. You have the right to request information not be provided to your health plan if you have paid for services in full.

You may ask us to limit the use or disclosure of sensitive Personal Information, including one’s precise geolocation and health-related information.

6)

Right to Object

Right to Opt-out of Sale or Marketing related emails

 

We do not sell your Personal Information.

However, when you visit our websites, we may share information about your use of our website with our advertising and analytics partners. Please view our cookie notice here.

You may opt-out of receiving marketing-related emails by clicking the "unsubscribe" link at the bottom of any email you receive from us or emailing us at Privacy@crlcorp.com. If you are having difficulty unsubscribing from our marketing communications, please contact us at compliance@crlcorp.com or 866-924-5267.

If you opt-out from receiving marketing emails or text messages, we may still need to send you communications about your account, orders, customer service inquiries, and other matters.

If you agreed to receive future marketing communications directly from a third party through our site, you will need to contact that party to opt-out of such communications. This process may be outlined in that party's privacy or similar policy.

7)

Right to Appeal a Business or Controller’s Refusal to Take Action

You may have the right to appeal if the consumer’s privacy rights-related request is denied in whole or in part.

8)

Right Not to be Subject to Automated Decision-Making

You may have the right not to be subject to automated decision-making, including profiling, which produces legal effects. We and our affiliates do not currently engage in the foregoing on our websites or in our products and services.

9)

Authorized Agent

 

You may have the right to designate an authorized agent to make a request on your behalf. We will deny requests from agents that do not submit proof of authorization from you. To verify that an authorized agent has authority to act for you, we may require a copy of a power of attorney or require that you provide the authorized agent with written permission and verify your own identity with us.

 

Should you make a request pursuant to your Rights listed above, you can expect the following:

  • We will ask to verify your identity. You will need to provide us with certain information such as your name, email address, physical address, or other information, as relevant, so that we can verify that you are who you say you are. Such information may depend on the type and sensitivity of information requested.
  • We will confirm our receipt of your request within 10 days. If you have not received a response within a few days after that, please let us know by contacting us at the webpage or phone number listed below.
  • We will respond to your request within 45 days. If necessary, we may need additional time to respond, up to another 45 days, but we will reply either way within the first 45-day period and, if we need an extension, we will explain why.
  • In certain cases, a Request may be denied. For example, if we cannot verify your identity or if providing you the information could create an unreasonable risk to someone’s security (for example, we do not want very sensitive information disclosed inappropriately). If we deny your request, we will explain why we denied it. If we deny a request, we will still try to provide you as much of the information as we can, but we will withhold the information subject to denial.

FILE A COMPLAINT OR CONTACT US

For more information about this notice, our privacy policies, to exercise any of your rights, as listed on this notice, or if you want to request a hardcopy of our current notice of privacy practices, contact:

Clinical Reference Laboratory, Inc.
Attn: Privacy Officer
8433 Quivira Road
Lenexa, KS 66215
Call (866) 924-5267
privacy@crlcorp.com

CHANGES TO OUR PRIVACY POLICY

We reserve the right to change our privacy practices, as described in this notice, at any time. We reserve the right to apply these changes to any Personal Information which we already have, as well as to Personal Information we receive in the future. Before we make any change in the privacy practices described in this notice, we will post a new notice with the changes at https://www.crlcorp.com/notice-of-privacy-practices. The new notice will include an effective date.

EFFECTIVE DATE AND NOTIFICATION OF CHANGES

This Privacy Policy is effective as of August 6, 2025, and is reviewed periodically. We reserve the right to change this Privacy Policy at any time. If we materially change this Privacy Policy, we will post a prominent notice on this Website. Changes are effective as of the date we post them on the Privacy Policy page of this Website. We encourage you to periodically review this Privacy Policy.

CALIFORNIA CONSUMER PRIVACY ACT AND CALIFORNIA PRIVACY RIGHTS ACT 

The California Consumer Privacy Act (CCPA), which has been amended by the California Privacy Rights Act (CPRA), is a law intended to enhance privacy rights and consumer protection for residents of the state of California. The CCPA and CPRA apply to certain business entities that do business in California. For further details on the types of Personal Information we have collected about you, the sources of that information, how we use the information (e.g., our business or commercial purposes for collecting or selling Personal Information), other individuals and business with whom we share Personal Information, and the specific pieces of Personal Information that we have collected about you, please visit the Information We Collect section above.

The following rights apply to all California residents (but not including legal entities, such as companies):

If you are a California resident, you have certain rights regarding your Personal Information that is covered under the CCPA. Please review each of the rights, below, and the section that follows for more information applicable to these rights.

  • The Right to Know
  • The Right to receive (“access”) a copy of your Personal Information
  • The Right to Correct
  • The Right to request deletion of your Personal Information
  • The Right to opt out of certain disclosures (“sharing”) of your Personal Information (for more information about your right to opt-out, please see our notice of Right to Opt-Out)
  • The Right to limit the use or disclosure of your sensitive Personal Information. We collect sensitive Personal Information either (i) when we collect your IP address when you visit a website related to your health information or (ii) if you are an employee or contractor of CRL. Please view our cookie notice With regard to subsection (ii), we do not use your sensitive Personal Information for any purpose that is subject to limitation. In addition, we may collect sensitive Personal Information as part of protected health information. Please note that such sensitive Personal Information is subject to our HIPAA Notice of Privacy Practices and not subject to the CPRA. For more information on how we use and disclose your protected health information, please visit CRL’s Notice of Privacy Practices.

These rights will not apply, however, if CRL does not collect any Personal Information about you or if all of the information we collect is exempt from the statute (for example, the CCPA and CPRA do not protect information that is already protected by certain other privacy laws such as HIPAA and do not protect information that is already publicly available).

Requests under CPRA

To make a request under the CPRA you may:

Use the applicable online forms above or Contact Us

“Shine the Light” Law

Under California Civil Code Section 1798.83, California residents with whom we have an established business relationship are entitled to request and receive, free of charge, once per calendar year, information about the Personal Information we shared, if any, with other businesses for their own direct marketing uses during the prior year.

EUROPEAN PRIVACY RIGHTS – DATA PRIVACY FRAMEWORK FOR EU-U.S. AND UK EXTENTION 

CRL complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce (collectively, the “Frameworks”). CRL has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of Personal Information received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/. The U.S. Department of Commerce Data Privacy Framework List is available https://www.dataprivacyframework.gov/s/participant-search.

Rights

Individuals whose Personal Information is covered by the EU Data Privacy Framework policy have the right to access the Personal Information that CRL maintains about them as specified in the EU-U.S. DPF Principles. Individuals may contact us to correct, amend or delete such Personal Information if it is inaccurate or has been processed in violation of the EU-U.S. DPF Principles (except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the individual’s privacy, or where the rights of persons other than the individual would be violated). Individuals may also have the right to limit the use and disclosure of their Personal Information (opt out) under certain circumstances, such as marketing. Requests to access, correct, amend, delete, or limit the use and disclosure of Personal Information (opt out) may be submitted as set forth in the RIGHTS REGARDING YOUR INFORMATION section above.

Accountability for Onward Transfers

Under the Frameworks, we are responsible for the processing of Personal Information that we receive from our customers and subsequently transfer to a third party acting as an agent on our behalf. We comply with the EU-U.S. DPF Principles for all onward transfers of Personal Information from the EU and United Kingdom (UK), including the onward transfer liability provisions.

ARBITRATION AND ENFORCEMENT

With respect to Personal Information received or transferred pursuant to the Frameworks, we are subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

In compliance with the DPF Principles, CRL commits to resolve DPF Principles related complaints about our collection or use of your Personal Information. Individuals with inquiries or complaints regarding our DPF Policy should first contact CRL's US Privacy Office. CRL has a policy of responding to individuals within forty-five (45) days of an inquiry or complaint.

 

If you do not receive timely acknowledgement of your DPF Principles related complaint from us, or if we have not addressed your DPF principles related complaint to your satisfaction you may contact our U.S. based third party dispute resolution provider (free of charge), JAMS.

 

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may be able to invoke binding arbitration for some residual claims not resolved by other redress mechanisms.

See https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf for further information.