California Consumer Privacy Act Disclosure
Revision Date: January 1, 2023
Applicability
This California Consumer Privacy Act Disclosure explains how Regions Bank (and other companies with the Regions name) (“Company,” “we,” or “us”) collect, use, disclose, sell, share, and retain personal information relating to California residents covered by the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (“CCPA”). This notice is provided pursuant to the CCPA.
Introduction
Under the CCPA, ‘Personal Information’ is information that identifies, relates to, or could reasonably be linked directly or indirectly with a particular California resident. The CCPA, however, does not apply to certain information, such as information subject to the Gramm-Leach- Bliley Act (“GLBA”) in addition to other types of information as set forth in the CCPA.
The specific Personal Information that we collect, use, and disclose relating to a California resident covered by the CCPA will vary based on our relationship or interaction with that individual. For example, this Disclosure does not apply with respect to information that we collect about California residents who apply for or obtain our financial products and services for personal, family, or household purposes. For more information about how we collect, disclose, and secure information relating to these customers, please refer to our Privacy Pledge.
Please also refer to our Online Privacy Notice. In the event of a conflict between the terms of this Disclosure and the terms of the Online Privacy Notice, the terms of this Disclosure will govern and control as to California residents.
Keeping Personal Information secure is one of our most important priorities. Consistent with our obligations under applicable laws and regulations, we maintain physical, technical, electronic, procedural and organizational safeguards and security measures that are designed to protect personal data against accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure, or access, whether it is processed by us or elsewhere.
Collection and Disclosure of Personal Information
In the past 12 months, we have collected, and disclosed to third parties for our business or commercial purposes, the following categories of Personal Information relating to California residents covered by this disclosure:
- Identifiers, such as name and government-issued identifier (e.g., Social Security number);
- Personal information, as defined in the California safeguards law, such as contact information and financial information;
- Characteristics of protected classifications under California or federal law, such as sex and marital status;
- Commercial information, such as transaction information and purchase history;
- Internet or network activity information, such as browsing history and interactions with our website;
- Geolocation data, such as device location and Internet Protocol (IP) location; behavioral biometrics relating to your use of your device for identity verification, fraud avoidance, and security purposes;
- Biometric information, such as voiceprints;
- Audio, electronic, visual and similar information, such as call and video recordings;
- Professional or employment-related information, such as work history and prior employer;
- Education information, such as student records and directory information; and
- Inferences drawn from any of the Personal Information listed above to create a profile about, for example, an individual’s preferences and characteristics.
- Sensitive personal information. This may include a Social Security, driver's license, state identification card, or passport number. This term, as used in this California Privacy Statement, also refers to geolocation data and characteristics of protected classifications under California or federal law.
The categories of sources from whom we collected this Personal Information are:
- Directly from a California resident or the individual’s representatives
- Service Providers, Consumer Data Resellers and other third parties
- Public Record Sources (Federal, State or Local Government Sources)
- Information from our Affiliates
- Website/Mobile App Activity/Social Media
- Information from Client Directed Third Parties or Institutions representing a Client/Prospect
- Information from Corporate Clients about individuals associated with the Clients (e.g., an employee or board member)
The categories of third parties to whom we disclosed Personal Information for our business or commercial purposes described in this privacy disclosure are:
- Affiliates and Subsidiaries of Regions
- Vendors and Service Providers who provide services such as website hosting, data analysis, payment processing, order fulfillment, information technology and related infrastructure, customer service, email delivery, auditing, marketing and marketing research activities
- Partners and Third Parties who provide services such as payment, banking and communication infrastructure, storage, legal expertise, tax expertise, notaries and auditors, who promote the bank and its financial services and products to customers and other prospective buyers
- Other Third Parties who enable customers to conduct transactions online and via mobile devices, support mortgage and fulfillment services, vehicle loan processes and aggregators (at the direction of the customer)
- Government Agencies as required by laws and regulations
Business or Commercial Purpose of Collecting and Disclosing Personal Information
In the past 12 months, we have collected and disclosed Personal Information relating to California residents to operate, manage, and maintain our business, to provide our products and services, and to accomplish our business ad commercial purposes and objectives, including the following:
- Performing services, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services.
- Helping to ensure security and integrity where the personal information is reasonably necessary and proportionate for these purposes.
- Short-term, transient use where the information is not disclosed to a third party and is not used to build a profile or otherwise alter an individual consumer’s experience outside the current interaction.
- Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
- Undertaking activities to verify or maintain the quality or safety of a service controlled by us, and to improve, upgrade, or enhance the service controlled by the business.
- Debugging to identify and repair errors that impair existing intended functionality.
- Undertaking internal research for technological development and demonstration.
- Providing advertising and marketing services but not cross contextual behavioral advertising.
- As part of a merger, acquisition, bankruptcy, or other transaction where a third party assumes control of us.
- To advance our commercial or economic interests.
- Complying with laws and regulations and to comply with other legal process and law enforcement requirements (including any internal policy based on or reflecting legal or regulatory guidance, codes or opinions)
Sale and Sharing of Personal Information and Disclosure of Sensitive Personal Information
In the past 12 months, we have not “sold” or “shared” Personal Information subject to the CCPA, including Personal Information of minors under the age of 16, nor do we intend to do so in the future. We do not and will not sell or share your personal information. For purposes of this Disclosure, “sold” means the disclosure of Personal Information to a third-party for monetary or other valuable consideration, and "shared" means the disclosure of Personal Information to a third-party for cross contextual behavioral advertising.
We also have not used or disclosed Sensitive Personal Information outside of the exceptions allowed for in the CCPA and its implementing regulations.
How Long We Retain Your Personal Information
We store personal information for as long as we believe is reasonably necessary or appropriate to fulfill our business purposes or to comply with applicable law, audit requirements, regulatory requests, or orders from competent courts.
Rights under the CCPA
If you are a California resident, you have the right to:
- Know at or before the time of collection:
- The categories of personal information to be collected, the purposes for which the categories of personal information are collected or sued, and whether that information is sold or shared;
- The categories of sensitive personal information to be collected, the purposes for which the categories of sensitive personal information are collected or sued, and whether that information is sold or shared; and
- The length of time the business intends to retain each category of personal information, including sensitive personal information.
- Request we disclose to you free of charge the following information collected and maintained since January 1, 2022:
- the categories of Personal Information about you that we collected;
- the categories of sources from which the Personal Information was collected;
- the business or commercial purpose for collecting Personal Information about you;
- the categories of personal information that we disclosed about you for a business or commercial purpose
- the categories of third parties to whom we disclosed Personal Information about you and the categories of Personal Information that was disclosed (if applicable);
- the specific pieces of Personal Information we collected about you; and
- Request we delete Personal Information we collected from you or your household, unless the CCPA recognizes an exception
- Request we correct any inaccurate personal information that we have collected from you and/or maintained about you; and
- Be free from unlawful discrimination and retaliation for exercising your rights under the CCPA
You also have the right to opt out of the sale/sharing of your Personal Information and to limit the use or disclosure of any Sensitive Personal Information. Regions does not sell or share Personal Information or use or disclose any Sensitive Personal Information other than as allowed by the CCPA and its implementing regulations.
We will acknowledge receipt of your request within 10 business days and advise you how long we expect it will take to respond if we are able to verify your identity. We will verify your identity by matching the information you provide us with information in our systems. If you have a password-protected account with us, we may verify your identity through our existing authentication practices for your account and we will also require you to re-authenticate yourself before we disclose your personal information. Requests for specific pieces of Personal Information will require additional information to verify your identity. We will delete any new personal information we collect to verify your identity as soon as practical after processing your request unless otherwise required by law.
If you submit a request on behalf of another person, we may require proof of authorization and verification of identity directly from the person for whom you are submitting a request.
In some instances, we may not be able to honor your request. For example, we will not honor your request if we cannot verify your identity or if we cannot verify that you have the authority to make a request on behalf of another individual. Additionally, we will not honor your request where an exception applies, such as where the disclosure of Personal Information would adversely affect the rights and freedoms of another consumer or where the Personal Information that we maintain about you is not subject to the CCPA’s access, correction, or deletion rights.
We will advise you in our response if we are not able to honor your request and the reasons why. We will not provide social security numbers, driver’s license numbers or government issued identification numbers, financial account numbers, health insurance or medical identification numbers, account passwords or security questions and answers, or any specific pieces of information.
We will work to process all verified requests within 45 calendar days pursuant to the CCPA. If we need an extension for up to an additional 45 calendar days in order to process your request, we will provide you with an explanation for the delay.
How to Exercise Your Rights
If you are a California resident, you may submit a request by:
- Completing an online Data Request Form
- For yourself: Access the request form here.
- On behalf of another individual: Access the request form here.
In accordance with Regions Privacy notices, Regions has engaged DocuSign as its service provider to process Data Subject Access Requests (DSAR). DSAR email communications will be provided by DocuSign on behalf of Regions.
- Contacting us at 1-800-986-2462
Questions or Concerns
For further information about this disclosure or our practices, please call 1-800-986-2462 or email us at PrivacyCompliance@regions.com.
Change Notice
Regions may change or update this Disclosure from time to time. When we do, we will post the revised Disclosure on this page with a new revision date.