Effective: December 07, 2022
(Last updated: August 22, 2023)
This California Consumer Privacy Act Notice ("Notice") is provided by the Wells Fargo companies described below. These companies are referred to in this Notice as "we" or "us."
This Notice explains how we collect, use, retain, and disclose personal information about California residents. The Notice also explains certain rights that California residents have under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (the "CCPA").
The CCPA only applies to information about residents of California. If you are not a resident of California, you may submit a request and we may process it, as described in this Notice, even though the CCPA does not require us to do so. In accepting, processing, and responding to requests by individuals who are not California residents, we will apply all the same limitations and exceptions under the CCPA to those requests as apply to requests made by California residents. We reserve the right to change or stop the practice of accepting requests from U.S. individuals who are not California residents.
Under the CCPA, "personal information" is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household. This information is referred to in this Notice as "Personal Data."
Categories of Personal Data that We Collect
We collect Personal Data in a variety of contexts. For example, we collect Personal Data to provide financial products and services, and for our human resource and vendor management purposes.
The Personal Data that we collect about a specific California resident will depend on, for example, our relationship or interaction with that individual.
During the past 12 months, we have collected the following categories of Personal Data.
- Personal Identifiers — Personal unique identifiers, such as full name and federal or state issued identification numbers including Social Security number, driver’s license number, and passport number
- Personal Information — Personal information, including contact details (e.g., telephone number and address), financial information (e.g., account number and balance), payment card details (e.g., credit and debit card numbers), and medical and health insurance information
- Characteristics of Protected Classes — Characteristics of protected classes or groups under state or federal law, such as sex, disability, citizenship, primary language, immigration status and marital status
- Purchase Information — Purchase information, such as products and services obtained and transaction histories
- Biometric Information — Biometric information, such as fingerprints and voiceprint
- Internet or Online Information — Internet or online information (e.g., browsing history) and information regarding interaction with our websites, applications, or advertisements
- Geolocation Data — Geolocation data, such as device location
- Audio and Visual Information — Audio, electronic, visual, thermal, olfactory, or similar information, such as call and video recording
- Employment Information — Professional or employment-related information, such as work history and prior employer, information from background checks, resumes, and personnel files
- Education Information — Education information subject to the federal Family Educational Rights and Privacy Act, such as student records and confirmation of graduation
- Inferences — Inferences based on information about an individual to create a summary about, for example, an individual’s preferences and characteristics; and
- Sensitive Personal Information —
  - Social Security number, driver’s license, state identification card, or passport number;
  - Account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
  - Precise geolocation;
  - Racial or ethnic origin, religious or philosophical beliefs, citizenship, or immigration status;
  - The contents of mail, email, and text messages unless we are the intended recipient of the communication;
  - Biometric information processed to uniquely identify an individual; and
  - Health information, sexual orientation.
Sources of Personal Data
The sources from which we collect Personal Data depend on, among other things, our relationship or interaction with a specific California resident. The information below lists the categories of sources from which we collect Personal Data in different contexts.
- From California residents directly, or other individuals acting on their behalf, through, for example, physical (e.g., paper application), audible (e.g., phone), and electronic (e.g., website, social media) sources.
- Public records or widely available sources, including information from the media, and other records and information that are made available by federal, state, and local government entities.
- Outside companies or organizations that provide data to support activities such as fraud prevention, underwriting, and marketing. Examples may include internet service providers, social networks, operating systems and platforms, data brokers, advertising networks, and data analytics providers.
- Outside companies or organizations from whom we collect Personal Data to support human resource and workforce management activities. Examples may include operating systems and platforms, and social networks.
- Outside companies or organizations from whom we collect Personal Data as part of providing products and services, completing transactions, supporting our everyday operations, or business management and development. Examples include companies or organizations to whom we provide products or services; other parties, partners, and financial institutions; and parties involved with mergers, acquisitions, and other transactions involving transfers of all or part of a business, or a set of assets.
Why We Collect Personal Data and How We Use and Disclose It
The purposes for which we collect, use, and disclose Personal Data depend on, among other things, our relationship or interaction with a specific California resident. The table below lists the purposes for which we collect, use, and disclose Personal Data in different contexts.
Purposes for Collection, Use and Disclosure | Examples |
---|---|
Provide and manage products and services | |
Support our everyday operations, including to meet risk, legal, and compliance requirements | |
Manage, improve, and develop our business | |
Support employment, infrastructure, and human resource management | |
Sensitive Personal Information as permitted by law | |
Categories of Third Parties and Our Disclosure of Personal Data
The categories of third parties to whom we disclose Personal Data about a specific individual depend on, among other things, our relationship or interaction with a specific California resident. Such third parties include:
- Outside companies or organizations, including service providers subject to appropriate confidentiality and use restrictions, to whom we disclose Personal Data as part of providing products and services, completing transactions, supporting our everyday operations, or business management and development. Examples may include internet service providers, social networks, operating systems and platforms, data brokers, advertising networks, and data analytics providers; companies or organizations to whom we provide products or services; other parties, partners, and financial institutions; and parties involved with mergers, acquisitions, and other transactions involving transfers of all or part of a business, or a set of assets.
- Companies or individuals that represent California residents such as an accountant, financial advisor, or person holding power of attorney on behalf of a California resident
- Government agencies including to support regulatory and legal requirements
- Outside companies or organizations, including service providers subject to appropriate confidentiality and use restrictions, to whom we provide Personal Data to support human resource activities and workforce management. Examples may include operating systems and platforms and data analytics providers
- Outside companies or organizations, in connection with routine or required reporting, including consumer reporting agencies and other parties
- Outside companies, in connection with online advertising activities prior to January 1, 2023
The table below shows, for each Personal Data category we have collected, the categories of third parties to whom we disclosed for our business purposes information from that Personal Data category during the preceding 12 months. The table below contains briefer descriptions of the categories of Personal Data and third parties. The full descriptions of the categories of Personal Data and third parties are available above.
Personal Data Type | Third Party Category to Whom We Disclosed Personal Data for Business Purposes |
---|---|
Personal Identifiers | |
Personal Information | |
Characteristics of Protected Classes | |
Purchase Information | |
Biometric Information | |
Internet or Online Information | |
Geolocation Data | |
Audio and Visual Information | |
Employment Information | |
Education Information | |
Inferences | |
Sensitive Personal Information | |
In the preceding 12 months, we shared the following types of Personal Data with outside companies for cross-context behavioral advertising: Personal Identifiers, Personal Information, Purchase Information, Internet or Online Information, Geolocation Data, Inferences. This practice ended prior to January 1, 2023.
Data Retention
We will keep Personal Data no longer than necessary to fulfil the purposes described in this Notice. Under our record retention policy, we are required to destroy Personal Data after we no longer need it according to specific retention periods. However, we may need to hold Personal Data beyond these retention periods due to regulatory requirements or in response to a regulatory audit, investigation, or other legal matter. These requirements also apply to our third-party service providers.
Requests Under the CCPA
The CCPA defines a "sale" as the disclosure of Personal Data for monetary or other valuable consideration. Wells Fargo does not sell and has not, within at least the last 12 months, sold Personal Data, including Sensitive Personal Data that is subject to the CCPA’s sale limitation. As of January 1, 2023, we do not share Personal Data for cross-context behavioral advertising within the scope of CCPA. We have no actual knowledge that we sell or share Personal Data of California residents 16 years of age and younger.
If you are a California resident, you have the right to request that we:
- Disclose to you the following information covering the 12-month period prior to your request ("Request to Know"):
  - The categories of Personal Data we collected about you and the categories of sources from which we collected the Personal Data;
  - The business or commercial purpose for collecting Personal Data about you;
  - The categories of third parties to whom we disclosed Personal Data about you, and the categories of Personal Data disclosed; and
  - The specific pieces of Personal Data we collected about you;
- Delete Personal Data we collected from you ("Request to Delete").
- Correct inaccurate personal information that we maintain about you ("Request to Correct").
In addition, you have the right to be free from discrimination by a business for exercising your CCPA privacy rights, including the right as an employee, applicant, or independent contractor not to be retaliated against for exercising your CCPA privacy rights.
View Wells Fargo's CCPA record-keeping details in the annual disclosure.
How to Make Requests
If you are a California resident, you can make a Request to Know, Delete, or Correct by:
- Contacting us at 1-844-774-9229; or
- Submitting your request at www.wellsfargo.com/privacycenter/.
Wells Fargo Online® customers and Wells Fargo employees: you can make a request by using your existing Wells Fargo login credentials.
For all other individuals, we will ask you to provide the following information to identify yourself:
- Name, contact information, social security or individual taxpayer identification number, date of birth; and
- A copy of government issued photo ID. We accept your Driver’s license, State ID, or Matricula Card.
When you make a Request to Know, Delete, or Correct, we will attempt to verify that you are who you say you are. For example, we will attempt to match information that you provide in making your Request with other sources of similar information to reasonably verify identity.
Responding to Requests
Privacy and data protection laws, other than the CCPA, apply to much of the Personal Data that we collect, use, and disclose. When these other laws apply, Personal Data may be exempt from, or outside the scope of, a Request to Know, Delete, or Correct. For example, information subject to certain federal privacy laws, such as the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act, is exempt from CCPA Requests. As a result, we may decline all or part of your Request related to exempt Personal Data. This means that we may not provide some, or all, of this Personal Data when you make a Request to Know. Also, we may not delete or correct some, or all, of this Personal Data when you make a Request to Delete or Correct.
As examples, our processing of or response to a Request to Know, Delete, or Correct may not include some or all of the following Personal Data:
- Consumer Accounts. Personal Data connected with consumer accounts used for personal, family, or household purposes. We have other privacy notices providing certain information on use and sharing of this data, for example, the Wells Fargo U.S. Consumer Privacy Notice, available at www.wellsfargo.com/privacy-security.
The types of Personal Data described above are examples. We have not listed all types of Personal Data that may not be included when we respond to or process Requests to Know, Delete, or Correct.
In addition to the above examples, we may not include Personal Data when we respond to or process Requests to Know, Delete, or Correct when the CCPA recognizes another exception. For example, we will not provide the Personal Data about another individual when doing so would adversely affect the data privacy rights of that individual. As another example, we will not delete Personal Data when it is necessary to maintain that Personal Data to comply with a legal obligation.
We will verify and respond to your request consistent with applicable law, taking into account the type and sensitivity of the Personal Data subject to the request.
Authorized Agents
If you are a California resident, you may authorize an agent to make a request on your behalf. A California resident’s authorized agent may make a request on behalf of the California resident by using the submission methods listed above under "How to Make Requests." As part of our verification process, we may request that you provide, as applicable:
- For an individual ("requestor") making a request on behalf of a California resident:
  - The requestor's name; contact information; social security or individual taxpayer identification number; date of birth; and Driver’s License, State ID, or Matricula Card.
  - The name; contact information; social security or individual taxpayer identification number; date of birth; and Driver’s License, State ID, or Matricula Card of the California resident on whose behalf the request is being made.
  - A document to confirm that the requestor is authorized to make the request. We may accept, as applicable, a signed permission by the California resident on whose behalf the request is made, copy of a power of attorney, legal guardianship or conservatorship order, or a birth certificate of a minor if the requestor is the custodial parent.
- For a company or organization ("legal entity requestor") making a request on behalf of a California resident:
  - The legal entity requestor’s active registration with the California Secretary of State.
  - Proof that the California resident has authorized the legal entity requestor to make the request. We accept, as applicable, a signed permission by the California resident on whose behalf the request is made, copy of power of attorney, or legal guardianship or conservatorship order.
  - The name; contact information; Social Security or individual taxpayer identification number; date of birth; and driver’s license, state ID, or matricula card of the California resident on whose behalf the request is being made. From the individual who is acting on behalf of the legal entity requestor, proof that the individual is authorized by the legal entity requestor to make the request. We accept a letter on the legal entity requestor’s letterhead, signed by an officer of the organization. We provide a template to use via the URL provided above for making requests.
Deidentified Information
Where we maintain or use deidentified information, we will continue to maintain and use the deidentified information only in a deidentified fashion and will not attempt to re-identify the information.
Changes to this Notice
We may change or update this Notice periodically. When we do, we will post the revised Notice on this webpage indicating when the Notice was "Last Updated."
Wells Fargo Companies Providing this Notice
This Notice is provided by Wells Fargo and Company and its subsidiaries that either: (1) act as a business within the meaning of the CCPA, or (2) are controlled by Wells Fargo and Company and use the Wells Fargo name. As an example, companies providing this Notice include Wells Fargo Bank, N.A.
Contact Us
If you have any questions or concerns about Wells Fargo’s privacy policies and practices, please contact us at PrivacyCenter@wellsfargo.com. Please do not use this email address to send sensitive information or account-specific questions; instead call 1-800-TO-WELLS (1-800-869-3557) with any account-specific questions.