CCPA Privacy Notice for California Residents
Your Rights under the California Consumer Privacy Act as Amended by the California Privacy Rights Act of 2020 (collectively, the “CCPA”)
If you are a California resident, you have the following rights under the CCPA:
- The right to know what personal information we have collected about you, including:
  - The categories of personal information we have collected;
  - The categories of sources from which the personal information is collected;
  - The business or commercial purpose(s) for collecting, selling, or sharing your personal information; and
  - The specific pieces of personal information that we have collected about you;
- The right to delete personal information that we have collected from you, subject to some exceptions;
- The right to correct inaccurate personal information that we maintain about you;
- If we sell or share your personal information with third parties, the right to opt out of the sale or sharing of your personal information by the Bank;
- If we use or disclose your sensitive personal information other than for reasons set forth in Section 7027(m) of the Regulations implementing the CCPA, you have the right to limit our use or disclosure of your sensitive personal information; and
- The right not to receive discriminatory treatment by the Bank for the exercise of privacy rights conferred by the CCPA, including an employee’s, applicant’s, or independent contractor’s right not to be retaliated against for the exercise of their CCPA rights.
However, because we are a financial institution, the CCPA does not apply if the information we collect, share, or sell is subject to the federal Gramm-Leach-Bliley Act and its implementing regulations and/or the California Financial Information Privacy Act. Generally speaking, this means that we are not required to comply with the CCPA if the information we collected is information that:
- You provided to us to obtain a product or service from the Bank;
- We collected about you resulting from any transaction involving a product or service between you and the Bank; or
- The Bank otherwise obtained about you in connection with providing a product or service to you.
The Categories of Personal Information That We Have Collected About California Consumers in the Preceding 12 Months
|A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.
|Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).
|A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
Some personal information included in this category may overlap with other categories.
|Protected classification characteristics under California or federal law.
|Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).
|Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
|Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.
|Internet or other similar network activity.
|Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.
|Physical location or movements.
|Audio, electronic, visual, thermal, olfactory, or similar information.
|Professional or employment-related information.
|Current or past job history or performance evaluations.
|Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).
|Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.
|Inferences drawn from other personal information.
|Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
The Categories of Sources From Which We Collect Personal Information About California Consumers
We obtain the categories of personal information listed in the Table above from the following categories of sources:
- Directly from you. For example, from forms you complete, when you purchase products or services, and when you perform transactions.
- Indirectly from you. For example, from observing your actions on our Website and your use of applications on your mobile device (such as when and how you have connected to our Website, and your device and/or browser may automatically disclose information such as device type, operating system, browser type, IP address, Internet service provider, pages that you visit before and after visiting our Website, the date and time of your visit, information about the links you click and pages you view on our Website, other standard server log information, and we may also collect your mobile device’s GPS signal or other information about nearby Wi-Fi access points and cell towers), when you use your debit or credit card, when you make deposits or withdrawals to/from your accounts, or when you pay your bills.
- From third parties. We also receive information from third parties, such as credit reporting agencies, government agencies, law enforcement authorities, or service providers.
Business Purpose for Collecting Such Information
- To identify you or communicate with you
- To cash a check or assist you in another one-time financial transaction
- To take and process an application for a requested product or service
- To offer, provide, and service your financial products or services
- To consider you for an employment opportunity as permitted by law
- To ensure proper operation and security protocols necessary to protect against fraud or illegal activities
- To detect, prevent, and respond to security incidents
- To meet our legal and regulatory obligations
Nano Banc collects personal information directly from consumers and other individuals, and from other sources, including the following:
- Credit bureaus
- State and federal bureaus, agencies, and departments
- Public websites and social media
- Vendors and service providers
- Other financial institutions
- Transactional counterparties
- Employee and customer referrals
The Specific Business or Commercial Purposes For Which We Collect Personal Information About California Consumers
- To fulfill or meet the reason the consumer provided the information. For example, if you share your name and contact information with us to request a rate quote, to ask a question about our products or services, or to process a transaction, we will use that personal information to respond to your request or question and to process your transactions, accordingly. We may also save your information to facilitate new transactions in the future. We also use your information for customer service and collections purposes and for ongoing account maintenance purposes, such as providing account statements, providing access to online banking, and providing account notifications.
- To provide, support, personalize, and develop our Website, products, and services.
- To offer products and/or services that we believe may be of interest.
- To create, maintain, customize, and secure accounts with us.
- To process requests, purchases, transactions, and payments, and to prevent transactional fraud.
- To provide support and to respond to inquiries, including to investigate and address concerns and monitor and improve our responses.
- To personalize Website experiences and to deliver content and product and service offerings relevant to consumers’ interests, including targeted offers and ads through our Website, third-party sites, and via email or text message (with consent, where required by law).
- To help maintain the safety, security, and integrity of our Website, our products and services, our databases and other technology assets, and the Bank.
- To prevent fraud by monitoring activity to detect, investigate, and prevent potentially fraudulent transactions and other illegal activities, as well as to protect the rights and property of the Bank and our customers.
- For testing, research, analysis, and product development, including to develop and improve our Website, products, and services.
- To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
- As described when we collect personal information or as otherwise set forth in the CCPA.
- For our business purposes, such as to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of a liquidation or similar proceeding, in which personal information held by us about our customers and Website users/consumers is among the assets transferred.
- To support our operations and to comply with applicable legal or regulatory requirements.
- To communicate with consumers via any means (including email, telephone, text message, or in person) about products, services, and events offered by the Bank and others, as well as to provide news and information we think will be of interest.
- To respond to consumers’ comments, questions, and customer service requests, as well as to send customers support notices, updates, security alerts, and administrative messages (such as changes to our terms, conditions, and policies).
- To monitor and analyze trends, usage, and activities in connection with our products and services.
- To audit the quality and efficacy of our work for compliance, controls, and other risk management.
- To improve our products and services by identifying issues with existing products and services, enhancing existing products and services, and creating new products and services.
We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.
The Categories of Personal Information, if Any, That We Have Sold or Shared to Third Parties in the Preceding 12 Months
Please note that the CCPA defines “selling” and “sharing” personal information differently than you might expect. Under the CCPA, (1) “selling” and “sharing” personal information means selling or sharing personal information to a “third party” and (2) the term “third party” does not include our service providers or contractors when we have a written contract in place with such service providers or contractors that meets certain requirements set forth in the CCPA. This means that our service providers and contractors are not considered “third parties” for CCPA purposes.
With the above in mind, we have not sold or shared consumers’ personal information with third parties (other than our service providers or contractors) in the previous 12 months.
The Categories of Personal Information, if Any, That We Have Disclosed for a Business Purpose to Third Parties in the Preceding 12 Months
We have not disclosed consumers’ personal information to third parties (other than our service providers or contractors) for a business purpose in the preceding 12 months.
Additional Required Disclosures We Are Required to Make to You Under the CCPA
We have no actual knowledge that we sell or share the personal information of consumers under 16 years of age. The Bank does not use or disclose sensitive personal information for purposes other than specified in Section 7027(m) of the CCPA Regulations.
The Role of Cookies and Other Online Tracking Technologies
The browsers of most computers, smartphones, and other internet access devices are set up to accept cookies. You can refuse to accept these cookies through your browser settings. You will need to manage your cookie settings for each device and browser you use. If you choose to reject cookies, you may not be able to use the full functionality of our Website. For example, if we are not able to recognize your device, you will need to answer a challenge question each time you log on. You also may not receive customized advertising or other offers from us that may be relevant to your interests and needs.
Clear GIFs, pixel tags, or web beacons – which are typically one-pixel, transparent images located on a webpage or in an email or other message – or similar technologies may be used on our sites and in some of our digital communications (such as email or other marketing messages). They may also be used when you are served advertisements, or you otherwise interact with advertisements outside of our online services. These are principally used to help recognize users, assess traffic patterns, and measure site or campaign engagement.
“First party” cookies are stored by the domain (Website) you are visiting directly. They allow the Website’s owner to collect analytics data, remember language settings, and perform useful functions that help provide a good experience. “Third-party” cookies are created by domains other than the one you are visiting directly, hence the name “third-party.” They may be used for cross-site tracking, retargeting, and ad-serving. We also believe that cookies fall into the following general categories:
- Essential Cookies: These cookies are technically necessary to provide Website functionality. They are a Website’s basic form of memory, used to store the preferences selected by a user on a given site. As the name implies, they are essential to a Website’s functionality and cannot be disabled by users. For example, an essential cookie may be used to prevent users from having to log in each time they visit a new page in the same session.
- Performance and Function Cookies: These cookies are used to enhance the performance and functionality of a Website, but are not essential to its use. However, without these cookies, certain functions (like videos) may become unavailable.
- Analytics and Customization Cookies: Analytics and customization cookies track user activity, so that Website owners can better understand how their site is being accessed and used.
- Advertising Cookies: Advertising cookies are used to customize a user’s ad experience on a Website. Using the data collected from these cookies, Websites can prevent the same ad from appearing again and again, remember user ad preferences, and tailor which ads appear based on a user’s online activities.
An Explanation of How You Can Exercise Your Rights and What to Expect from the Process
How to Submit a Request:
You can exercise your rights under the CCPA by:
- Clicking this link: https://www.nanobanc.com/privacy/; or
- Emailing us at: [email protected]; or
- Calling us at (844) 626-0262; or
- Writing to us at:
7755 Irvine Center Drive
Irvine CA 92618
Attention: Compliance Department
For All Requests, You Must Provide the Following Information:
To submit a request to know the information we have collected about you, to request that we delete information we have about you, or to request that we correct information we have that you believe is inaccurate, you must provide the following information to us:
- Your full name;
- Any alias or other name you may have used with us;
- Your address;
- How you have interacted with us (i.e., as a customer or if you are not a member, explain how you interacted with us);
- Any other information you feel will help us identify any records we have collected about you.
Please also see the sections below for additional information.
Requests to Know:
If you wish to submit a request to know the information we have collected about you, you may request that we tell you:
- The categories of personal information we have collected;
- The categories of sources from which the personal information is collected;
- The business or commercial purpose(s) for collecting, selling, or sharing your personal information;
- If applicable, the categories of third parties with whom we share personal information;
- If applicable, the categories of personal information that we sold, and for each category identified, the categories of third parties to whom we sold that particular category of personal information; and
- If applicable, the categories of personal information that we disclosed for a business purpose, and for each category identified, the categories of third parties to whom we disclosed that particular category of personal information.
In response to a request to know, we will provide all the personal information we have collected and maintain about you on or after January 1, 2022, including beyond the 12-month period preceding our receipt of the request, unless doing so proves impossible or would involve disproportionate effort, or you request data for a specific time period. The information we provide will include any personal information that our service providers or contractors collected pursuant to their written contract with us. If we claim that providing personal information beyond the 12-month period would be impossible or would involve disproportionate effort, we will provide you with a detailed explanation that includes enough facts to give you a meaningful understanding as to why we cannot provide personal information beyond the 12-month period. We will not simply state that it is impossible or would require disproportionate effort.
If you want us to disclose the specific pieces of personal information that we have collected about you, you must specify that you want to know this information at the time you submit your request. For requests that seek the disclosure of specific pieces of information, if we cannot verify your identity, we will not disclose any specific pieces of personal information to you and we will inform you that we cannot verify your identity. If the request is denied in whole or in part, we will also evaluate your request as if it is seeking the disclosure of categories of personal information about you.
We are not required to search for personal information if all of the following conditions are met:
- We do not maintain the personal information in a searchable or reasonably accessible format;
- We maintain the personal information solely for legal or compliance purposes;
- We do not sell the personal information and do not use it for any commercial purpose; and
- We describe to you the categories of records that may contain personal information that we did not search because we meet the conditions stated above.
We will not disclose in response to a request to know your Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, security questions and answers, or unique biometric data generated from measurements or technical analysis of human characteristics. We will, however, inform you with sufficient particularity that we have collected the type of information. For example, we may respond that we collect “unique biometric data including a fingerprint scan” without disclosing the actual fingerprint scan data.
If we deny your verified request to know specific pieces of personal information, in whole or in part, because of a conflict with federal or state law, or an exception to the CCPA, we will inform you and explain the basis for the denial, unless prohibited from doing so by law. If the request is denied only in part, we will disclose the other information you requested.
We will use reasonable security measures when transmitting personal information to you.
Requests to Delete:
In addition to the general information you must provide in connection with your request (see “For All Requests, You Must Provide the Following Information” above), to request that information be deleted, you must identify the information you would like us to delete.
If we cannot verify your identity, we may deny the request to delete. We will inform you that your identity cannot be verified.
As set forth in the CCPA regulations, we will comply with a verified request to delete your personal information by:
- Permanently and completely erasing the personal information from our existing systems with the exception of archived or back-up systems, deidentifying the personal information, or aggregating your information;
- Notifying our service providers or contractors to delete your personal information from their records which they collected pursuant to their written contract with us, or if enabled to do so by the service provider or contractor, we will delete the personal information that the service provider or contractor collected pursuant to their written contract with us; and
- Notifying all third parties to whom we have sold or shared the personal information (if applicable) to delete your personal information unless this proves impossible or involves disproportionate effort.
If we, a service provider, or a contractor stores any personal information on archived or backup systems, we/it may delay compliance with your request to delete, with respect to data stored on the archived or backup system, until the archived or backup system relating to that data is restored to an active system or is next accessed or used for a sale, disclosure, or commercial purpose.
In responding to a request to delete, we will inform you whether or not we have complied with your request. We will maintain a record of the request as required by regulation. We, our service providers, contractors, or third parties may retain a record of the request for the purpose of ensuring that your personal information remains deleted.
In cases where we deny your request to delete in whole or in part, we will do all of the following:
- Provide you with a detailed explanation of the basis for the denial, including any conflict with federal or state law, or exception to the CCPA, or factual basis for contending that compliance would be impossible or involve disproportionate effort, unless prohibited from doing so by law;
- Delete your personal information that is not subject to the exception;
- Not use your personal information retained for any other purpose than provided for by that exception; and
- Instruct our service providers and contractors to delete your personal information that is not subject to the exception and to not use your personal information retained for any purpose other than the purpose provided for by that exception.
In responding to a request to delete, we may present you with the choice to delete select portions of your personal information as long as a single option to delete all personal information is also offered and more prominently presented than the other choices. If we provide California consumers the ability to delete select categories of personal information (e.g., browsing history, voice recordings, etc.) in other contexts, however, we must inform you of your ability to do so and direct you how you can do so.
Requests to Correct:
In addition to the general information you must provide in connection with your request (see “For All Requests, You Must Provide the Following Information” above), to request that information be corrected, you must identify the information you would like us to correct.
If we cannot verify your identity, we may deny the request to correct. We will inform you that your identity cannot be verified.
In determining the accuracy of the personal information that is the subject of your request to correct, we will consider the totality of the circumstances relating to the contested personal information. We may deny your request to correct if we determine that the contested personal information is more likely than not accurate based on the totality of the circumstances. Considering the totality of the circumstances includes, but is not limited to, considering:
- The nature of the personal information (e.g., whether it is objective, subjective, unstructured, sensitive, etc.);
- How we obtained the contested information; and
- Documentation relating to the accuracy of the information whether provided by you, available to us, or obtained via another source.
If we are not the source of the personal information and we have no documentation in support of the accuracy of the information, your assertion of inaccuracy may be sufficient to establish that the personal information is inaccurate.
If we comply with your request to correct, we will correct the personal information at issue on our existing systems and implement measures to ensure that the information remains corrected. We will also instruct our service providers and contractors that maintain the personal information at issue pursuant to their written contract with us to make the necessary corrections in their respective systems. Service providers and contractors must comply with our instructions to correct the personal information or enable us to make the corrections and must also ensure that the information remains corrected.
If we, a service provider, or a contractor store any personal information that is the subject of your request to correct on archived or backup systems, we/it may delay compliance with your request to correct, with respect to data stored on the archived or backup system, until the archived or backup system relating to that data is restored to an active system or is next accessed or used.
We will accept, review, and consider any documentation that you provide in connection with your request to correct whether provided voluntarily or as required by us. You should make a good-faith effort to provide us with all necessary information available at the time of your request.
We may require you to provide documentation if necessary to rebut our own documentation that the personal information is accurate. In determining the necessity of the documentation requested, we will consider the following:
- The nature of the personal information at issue (e.g., whether it is objective, subjective, unstructured, sensitive, etc.).
- The nature of the documentation upon which we consider the personal information to be accurate (e.g., whether the documentation is from a trusted source, whether the documentation is verifiable, etc.).
- The purpose for which we collect, maintain, or use the personal information. For example, if the personal information is essential to the functioning of the Bank, we may require more documentation.
- The impact on you. For example, if the personal information has a negative impact on you, we may require less documentation.
Any documentation provided by you in connection with your request to correct shall only be used and/or maintained by us for the purpose of correcting your personal information and to comply with the record-keeping obligations under the CCPA regulations.
We will implement and maintain reasonable security procedures and practices in maintaining any documentation relating to your request to correct.
We may delete the contested personal information as an alternative to correcting the information if the deletion of the personal information does not negatively impact you, or if you consent to the deletion. For example, if deleting instead of correcting inaccurate personal information would make it harder for you to obtain a job, housing, credit, education, or other type of opportunity, we will process the request to correct or obtain your consent to delete the information.
In responding to a request to correct, we will inform you whether or not we have complied with your request. If we deny your request to correct in whole or in part, we will do the following:
- Explain the basis for the denial, including any conflict with federal or state law, exception to the CCPA, inadequacy in the required documentation, or contention that compliance proves impossible or involves disproportionate effort.
- If we claim that complying with your request to correct would be impossible or would involve disproportionate effort, we will provide you with a detailed explanation that includes enough facts to give you a meaningful understanding as to why we cannot comply with the request. We will not simply state that it is impossible or would require disproportionate effort.
- If we deny your request to correct personal information collected and analyzed concerning your health, you may provide a written statement to us to be made part of your record per Civil Code section 1798.185, subdivision (a)(8)(D). The written statement is limited to 250 words per alleged inaccurate piece of personal information and you must request that the statement be made part of your record. Upon receipt of such a statement, we will include it with your record and make it available to any person with whom we disclose, share, or sell the personal information that is the subject of the request to correct.
If the personal information at issue can be deleted pursuant to a request to delete, you can make a request to delete the personal information. See “How to Submit a Request,” “For All Requests, You Must Provide the Following Information,” and “Requests to Delete” above.
We may deny your request to correct if we have denied your request to correct the same alleged inaccuracy within the past six months of receiving the request. However, we must treat the request to correct as new if you provide new or additional documentation to prove that the information at issue is inaccurate.
We may deny a request to correct if we have a good-faith, reasonable, and documented belief that a request to correct is fraudulent or abusive. We will inform you that we will not comply with the request and will provide an explanation why we believe the request is fraudulent or abusive.
Where we are not the source of the information that you contend is inaccurate, in addition to processing your request, we may, but we are not required to, provide you with the name of the source from which we received the alleged inaccurate information.
Upon request, we will disclose all the specific pieces of personal information that we maintain and have collected about you to allow you to confirm that we have corrected the inaccurate information that was the subject of your request to correct. This disclosure will not be considered a response to a request to know that is counted towards the limitation of two requests within a 12-month period as set forth in Civil Code section 1798.130, subdivision (b). With regard to a correction to your Social Security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or medical identification number, an account password, security questions and answers, or unique biometric data generated from measurements or technical analysis of human characteristics, we will not disclose this information, but we may provide a way to confirm that the personal information we maintain is the same as what you have provided.
The Following is a General Description of the Process We Use to Verify Your Identity When Submitting a Request to Know, a Request to Delete, or a Request to Correct:
By law and regulation, we are required to positively verify your identity prior to responding to your requests.
- You will need to provide a valid identification card (i.e., a state-issued driver’s license, ID card, or US or other government-issued passport) plus the address portion of a utility bill, bank, investment, or credit card statement (number redacted) that contains the name and address that matches your ID and information request.
- If making a request by phone, we may require you to answer specific questions based on information we have or can obtain about you or we may ask you to otherwise verify your identity.
- If you are requesting to know specific pieces of information, a higher degree of verification may be required. We will also require, pursuant to CCPA regulations, that you submit a signed declaration under penalty of perjury that you are the consumer to whom the information relates.
- If we are unable to positively identify that the person making the request is the consumer to whom the information relates, we may ask for additional verification or we may deny the request.
If you use an authorized agent to submit a request to know information under CCPA, you must verify your own identity with us and provide the agent written permission to submit the request on your behalf unless the agent holds a valid Power of Attorney or Conservatorship of the Person or the Estate for you. An agent’s failure to provide proof of authorization will result in a denial of the request.
Your Rights to Opt-Out and to Limit Use or Sharing of your Sensitive Personal Information
The CCPA gives you the right to tell us not to sell or share your personal information with third parties by opting out of such information sales or sharing. However, the CCPA also states that we are not required to provide you with the right to opt-out if we only sell or share your personal information with our service providers or contractors pursuant to a written contract that meets specific requirements, such as the requirement that we only sell or share your personal information to the extent that is reasonably necessary for the service provider or contractor to carry out the contracted-for business purpose and provided that the service provider or contractor agrees only to use your personal information for that purpose. You do not have the right to opt-out because we do not sell or share your personal information outside of an exception that allows us to do so.
In addition, the CCPA gives you the right to limit our use or sharing of your sensitive personal information. However, the CCPA also states that we are not required to provide you with the right to limit our use or sharing of your sensitive personal information so long as we only share it for the specific purposes set forth in Section 7027(m) of the regulations implementing the California Privacy Rights Act. We are not required to provide you with the right to limit our use or disclosure of your sensitive personal information because we only use or disclose such sensitive personal information for the following purpose(s):
- To perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services. For example, a consumer’s precise geolocation may be used by a mobile application that is providing the consumer with directions on how to get to a specific location. A consumer’s precise geolocation may not, however, be used by a gaming application where the average consumer would not expect the application to need this piece of sensitive personal information.
- To prevent, detect, and investigate security incidents that compromise the availability, authenticity, integrity, or confidentiality of stored or transmitted personal information, provided that the use of the consumer’s personal information is reasonably necessary and proportionate for this purpose. For example, a business may disclose a consumer’s log-in information to a data security company that it has hired to investigate and remediate a data breach that involved that consumer’s account.
- To resist malicious, deceptive, fraudulent, or illegal actions directed at the business and to prosecute those responsible for those actions, provided that the use of the consumer’s personal information is reasonably necessary and proportionate for this purpose. For example, a business may use information about a consumer’s ethnicity and/or the contents of email and text messages to investigate claims of racial discrimination or hate speech.
- To ensure the physical safety of natural persons, provided that the use of the consumer’s personal information is reasonably necessary and proportionate for this purpose. For example, a business may disclose a consumer’s geolocation information to law enforcement to investigate an alleged kidnapping.
- For short-term, transient use, including, but not limited to, non-personalized advertising shown as part of a consumer’s current interaction with the business, provided that the personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business. For example, a business that sells religious books can use information about its customers’ interest in its religious content to serve contextual advertising for other kinds of religious merchandise within its store or on its website, so long as the business does not use sensitive personal information to create a profile about an individual consumer or disclose personal information that reveals consumers’ religious beliefs to third parties.
- To perform services on behalf of the business, provided that the use of the consumer’s personal information is reasonably necessary and proportionate for this purpose. For example, a business may use information for maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business.
- To verify or maintain the quality or safety of a product, service, or device that is owned, manufactured by, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured by, manufactured for, or controlled by the business, provided that the use of the consumer’s personal information is reasonably necessary and proportionate for this purpose. For example, a car rental business may use a consumer’s driver’s license for the purpose of testing that its internal text recognition software accurately captures license information used in car rental transactions.
- For purposes that do not infer characteristics about the consumer. For example, a business that includes a search box on their website by which consumers can search for articles related to their health condition may use the information provided by the consumer for the purpose of providing the search feature without inferring characteristics about the consumer.
Questions or Concerns?
- Emailing us at: [email protected]; or
- Calling us at (844) 626-0262; or
- Writing to us at:
7755 Irvine Center Drive #300
Irvine CA 92618
Attention: Compliance Department