California Privacy Rights Act (CPRA)

What is the California Privacy Rights Act (CPRA)?

The California Privacy Rights Act (CPRA) was passed by the state’s legislature in 2020 and will be effective on January 1, 2023. The CPRA amends the California Consumer Privacy Act (CCPA) and includes additional privacy protections for consumers and requires businesses to be transparent about how they collect, share and use consumers’ personal data.

  • The CPRA applies to businesses that do business in California, collect consumer information and determine how that information is processed, and if one or more of the following apply:
    • Has annual gross revenues in excess of $25 million in the preceding calendar year
    • Derives 50% or more of its annual revenues from selling consumers' personal information or sharing personal information for cross-context behavioral marketing purposes
    • Alone, or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers or households
  • The CPRA is intended to supplement federal and state law, if permissible, but shall not apply if the application is pre-empted by, or conflicts with, federal law or the U.S. or California Constitution. There are limitations in the CPRA for consumer- and certain business-related information held by financial institutions that are regulated by federal laws and regulations.

California Consumer Rights under the CPRA include the following:
Disclosure. A business must disclose the personal information collected, sold, or disclosed for a business purpose about a consumer.

  • A business that collects personal information needs to disclose the following Information Collection Practices in response to a verified consumer request:
    • Categories of personal information the business has collected about the consumer
    • Categories of sources from which the personal information is collected
    • Business or commercial purpose for collecting personal information
    • Categories of third parties with which the business shares personal information
    • Specific personal information the business has collected about the consumer
  • A business that sells or shares a consumer's personal information or discloses a consumer's personal information for a business purpose needs to disclose the following Information Disclosure Practices in response to a verified consumer request:
    • Categories of personal information the business has collected about the consumer
    • Categories of personal information the business has sold or shared about the consumer
    • Categories of third parties to which the personal information was sold or shared
    • Categories of personal information sold or shared to each third party (if the business has not sold consumers' personal information, it shall disclose that fact)
    • Categories of personal information the business has disclosed about the consumer for a business purpose (if the business has not disclosed consumers' personal information for a business purpose, it shall disclose that fact)

Right to know. A business that collects a consumer's personal information must disclose and deliver a copy of the specific personal information collected about the consumer in response to a verifiable consumer request.

Deletion. A business must delete the personal information collected about a consumer and direct service providers and contractors to delete the consumer's personal information in response to a verified consumer request, subject to certain exceptions.

We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

  • Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities and to help to ensure security and integrity to the extent the use of your personal information is reasonably necessary and proportionate for those purposes.
  • Debug products to identify and repair errors that impair existing intended functionality.
  • Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
  • Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
  • Engage in public or peer-reviewed scientific, historical, or statistical research that conforms or adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s ability to complete such research, if you previously provided informed consent.
  • Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us and compatible with the context in which you provided the information.
  • Comply with a legal obligation.
  • Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

Correction. A business must use commercially reasonable efforts to correct inaccurate personal information in response to a verified consumer request.

Antidiscrimination. A business must not discriminate against a consumer who exercises any of the consumer's rights under the CPRA. However, a business may charge different prices or provide a different quality of goods or services if the difference is reasonably related to the value provided to the consumer by the consumer's data and may offer financial incentives to a consumer for the collection, sale, or deletion of personal information on a prior opt-in consent basis.

Opt Out and Website Requirements. A business that sells consumers' personal information to third parties or shares consumers’ personal information to third parties for cross-context behavioral marketing purposes needs to notify consumers thereof and that the consumers have the right to opt out of the sale or sharing of their personal information. A business must provide a "Do Not Sell or Share My Personal Information" link on its internet homepage that links to a webpage that allows a consumer to opt out of the sale or sharing of their personal information. A business must not sell or share a consumer’s personal information if the business has actual knowledge that the consumer is less than age 16, unless the consumer between ages 13 and 16, or the consumer's parent or guardian for a consumer who is younger than 13, has authorized the sale or sharing of the consumer's personal information. A business that collects sensitive personal information must stop using or disclosing the consumer’s sensitive personal information for any purpose other than the purpose for which it was originally collected in response to a consumer opt-out request.

Privacy Policy Requirements. A business must describe in its online privacy policy or in any California-specific description of consumer privacy rights the following, which must be updated at least once every 12 months:

  • Consumers' rights under the CPRA, including the consumer opt out rights
  • The methods for submitting consumer requests
  • A list of the categories of personal information that the business has collected about consumers, sold or shared about consumers, and disclosed about consumers for a business purpose.

California Privacy Rights Act Statement

This STATEMENT supplements the information contained in the Privacy Notice of Comerica Bank and its subsidiaries and affiliates (collectively, “we,” “us,” or “our”) and applies solely to visitors, users, and others who reside in the State of California (“consumers” or “you”). We adopt this statement to comply with the California Consumer Privacy Act (“CPRA”) and other California privacy laws. Any terms defined in the CPRA have the same meaning when used in this statement.

Information We Collect

We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“personal information”). In particular, we have collected the following categories of personal information from consumers:

| Category | Examples | Collected |
| --- | --- | --- |
| A. Identifiers | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers. | Yes |
| B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) | A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories. | Yes |
| C. Protected classification characteristics under California or federal law | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). | Yes |
| D. Commercial information | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | Yes |
| E. Biometric information | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | Yes |
| F. Internet or other similar network activity | Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement. | Yes |
| G. Geolocation data | Physical location or movements. | Yes |
| H. Sensory data | Audio, electronic, visual, thermal, olfactory, or similar information. | Yes |
| I. Professional or employment-related information | Current or past job history or performance evaluations. | Yes |
| J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)) | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | Yes |
| K. Sensitive Personal Information | Social Security, driver’s license, state identification card, or passport number, account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account, precise geolocation, consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership, genetic data, biometric information, health, sex life or sexual orientation. | Yes |
| L. Inferences drawn from other personal information | Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | Yes |

Personal information does not include:

  • Publicly available information from government records.
  • De-identified or aggregated consumer information.
  • Information excluded from the CCPA's scope, like:
    • Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data
    • Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver's Privacy Protection Act of 1994

We obtain the categories of personal information listed above from the following categories of sources:

  • Directly from our clients or their agents. For example, from documents that our clients provide to us related to the services for which they engage us
  • Indirectly from our clients or their agents. For example, through information we collect from our clients in the course of providing services to them
  • Directly and indirectly from activity on our website (www.comerica.com). For example, from submissions through our website portal or website usage details collected automatically
  • From third parties that interact with us in connection with the services we perform

Use of Personal Information

We may use or disclose the personal information we collect for one or more of the following business purposes:

  • To fulfill or meet the reason for which the information is provided
  • To provide you with information, products or services that you request from us
  • To provide you with email alerts and other notices concerning our products or services that may be of interest to you
  • To improve our website and present its contents to you
  • For testing, research, analysis and product development
  • As necessary or appropriate to protect the rights, property or safety of us, our clients or others
  • To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations
  • As described to you when collecting your personal information or as otherwise set forth in the CPRA

We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

Processing Sensitive Personal Information. We collect and process Sensitive Personal Information for the purposes disclosed at the time we collect this information. We do not process this information for purposes other than the purpose for which it was originally collected unless required by law. We use and process Sensitive Personal Information collected from California employees, job applicants or vendors (including racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status) to comply with laws including anti-discrimination laws and disability accommodation laws. We use Sensitive Personal Information from other consumers (including racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status) to provide disability accommodations. We also use sensitive personal information for the purposes listed in this notice.

Disclosing Personal Information
We may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter into a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.
We disclose your personal information for a business purpose to the following categories of third parties:

  • Our affiliates
  • Service providers
  • Third parties to whom you or your agents authorize us to disclose your personal information in connection with products or services we provide to you

Selling Personal Information. We do not sell personal information for monetary or other consideration as defined by CPRA.

Sharing Personal Information. Sharing your personal information means making it available to a third party so that they can use it to display targeted or cross-context behavioral advertisements to you. Cross-context behavioral or targeted advertising means that we display an advertisement to you that is selected based on personal information about you that we obtained or inferred over time from your activities across other companies’ websites, applications or online services that we use to predict your preferences or interests. Targeted advertising does not include using your interactions with us or information that you provide to us to select advertisements to show you. In the preceding twelve (12) months, we have not shared personal information for cross-context behavioral marketing purposes.

Your Rights and Choices
The CPRA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CPRA rights and explains how to exercise those rights.

Access to Specific Information and Data Portability Right
You have the right to request that we disclose certain information to you about our collection and use of your personal information. You may make these requests up to twice in a twelve (12) month period. Once we receive and confirm your verifiable consumer request, we will disclose to you:

  • The categories of personal information we collected about you
  • The categories of sources for the personal information we collected about you
  • Our business or commercial purpose for collecting or selling that personal information
  • The categories of third parties with whom we share that personal information
  • The specific pieces of personal information we collected about you (also called a data portability request)
  • If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
    • sales, identifying the personal information categories that each category of recipient purchased; and
    • disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained

Deletion Request Rights
You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete your personal information from our records, unless an exception applies. Exceptions include:

  • If data is already regulated by the Gramm-Leach-Bliley Act (GLBA)
  • If data is required to complete a transaction for which personal information is collected to provide a good or service requested by the consumer.
  • If data is required for legal obligations or regulatory reasons.
  • If data is required to detect security incidents; protect against malicious, deceptive, fraudulent, illegal activity; to prosecute those who are responsible for that activity.
  • If data enables solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer relationship with the business.

Correction Request Rights
You have the right to correct any of your personal information that we have collected and maintain by contacting our customer service center. We will correct your personal information from our records, unless an exception applies.

Opt Out Rights

  • Do Not Sell My Personal Information. If you are 16 years of age or older, you have the right, at any time, to direct us to not sell your personal information. We do not sell the personal information of consumers we actually know are less than 16 years of age, unless we receive affirmative authorization (the "right to opt-in") from either the consumer who is at least 13 but not yet 16 years of age, or the parent or guardian of a consumer less than 13 years of age. Consumers who opt-in to personal information sales may opt-out of future sales at any time.
  • Do Not Share My Personal Information. You have the right to opt out of having your personal information shared with others for cross-context or behavioral advertising purposes. This does not include using your interactions with us or information that you provide to us to select advertisements to show you.
  • Limit Processing of Sensitive Personal Information. You have the right to tell us not to process Sensitive Personal Information for any purpose other than the purpose for which we originally collected it. We only process Sensitive Personal Information for the purpose for which we originally collected it.

Exercising your Rights

  • Access, Correction and Deletion. To exercise the access, correction, and deletion rights, California residents may visit our online CPRA Request Page by clicking the link at the top or bottom of this page or by calling us toll free at 1-800-522-2265. We will ask you for information that allows us to reasonably verify your identity (that you are the person about whom we collected personal information) and will use that information only for that purpose. We may request that you submit a signed statement under penalty of perjury that you are the individual you claim to be. Any disclosures we provide will only cover the 12-month period preceding receipt of your request, but you may request that we expand the 12-month period to cover information collected since January 1, 2022, and we will honor that expanded request unless doing so would involve a disproportionate effort.
  • Opt-Out Rights. To opt out of the sale of your personal information or the sharing of your personal information you may submit a request to us by clicking the link at the top or bottom of this page and selecting Opt Out Request or by calling us toll free at 1-800-522-2265. You do not need to tell us to limit processing of Sensitive Personal Information because we already limit such processing.

You may also opt out by activating a user-enabled global privacy control, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicates or signals your choice to opt-out of the sale and sharing of personal information. When we receive such a signal we will stop setting third party, analytics, or advertising partner cookies on your browser. This will prevent the sale or sharing of information relating to that specific device through cookies to our advertising or analytics partners. This option does not stop all sales or sharing of your information because we cannot match your device’s identification or internet protocol address with your personally identifiable information like your name, phone number, email address or ZIP Code. If you delete cookies on your browser, any prior do not sell or do not share signal is also deleted and you should make sure that your user-enabled setting is always activated.

Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request.

Response Timing and Format
We will acknowledge receipt of your request for access, correction or deletion within 10 business days and will endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to a total of 90 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. The response we provide will also explain the reasons we cannot comply with a request, if applicable.

For requests that we not sell or share your information or limit processing of Sensitive Personal Information we will comply with your request promptly, and at least within 15 business days. Once we receive your request, we will wait at least 12 months before asking you to reauthorize personal information sales or sharing.

Non-Discrimination
We will not discriminate against you for exercising any of your CPRA rights. Unless permitted by the CPRA, we will not:

  • Deny you goods or services.
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
  • Provide you a different level or quality of goods or services.
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Changes to Our Privacy Statement
We reserve the right to amend this privacy statement at our discretion and at any time. Any changes made to this privacy statement will be available on our website.

Contact Information
If you have any questions or comments about this statement, our Privacy Notice, the ways in which we collect and use your personal information, your choices and rights regarding such use, or wish to exercise your rights under California law, please call 1-800-522-2265.