This California Privacy Notice (California Notice) is for California residents only pursuant to the California Consumer Privacy Act (CCPA) and supplements information contained in the TIAA Privacy Notice or TIAA Bank Privacy Notice, which includes “TIAA” and “TIAA Companies” using the TIAA brand that share a common corporate identity. The rights of California residents under this California Notice go into effect on January 1, 2020.
If you are a California resident, please review this California Notice carefully, as it applies to the personal information we collect about you outside the financial relationship you may have with us, directly or through your employer. Specifically, if you are a current or former customer of our products and services, or if you are interested in our products and services and contact us, we collect, use and share information pursuant to the TIAA Privacy Notice and the TIAA Bank Privacy Notice. We encourage you to read those notices together with this California Notice to have a full description of our online and offline practices.
The CCPA defines personal information more expansively to include information that identifies and describes who you are or can be linked to you with respect to your financial relationship with us. It also includes information that relates to, is capable of being associated with, or could reasonably linked to you, one of your devices and/or a member of your household outside such financial relationship. In this California Notice, we refer to the information subject to the CCPA as “Personal Information.”
Your rights under the CCPA
If you are a California resident, you have the following rights with respect to your Personal Information:
- Receive information on our privacy practices, including why we collect Personal Information about you, from whom and for what purpose;
- Request access to Personal Information that we have collected about you in the twelve months prior to your request;
- Have your Personal Information deleted under certain circumstances;
- Receive information about why we may disclose Personal Information and to whom;
- Receive information whether we sell your Personal Information and, if so, opt out; and
- Not be discriminated against for exercising these rights.
Categories of your Personal Information that TIAA may collect or generate
TIAA may collect or generate Personal Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with you or a member of your household. The categories of information we may collect or generate about you are:
- Contact details such as your names, email addresses, physical addresses, or phone numbers; we use these categories of information to stay in touch with you;
- Information about the devices you use to contact us, such as the Internet Protocol (IP) address of your computer browser or the device ID on your smartphone, and where you contact us from; we use these categories of information to ensure that TIAA’s websites continue to operate as necessary; deliver content specific to your interests; provide access to secure website functions; assist with website traffic reporting; provide client support; respond to client inquiries; measure the level of engagement with TIAA advertisements across digital channels and other websites; and to authenticate and/or remember user names upon login;
- Information about your professional background, stage in your life and personal characteristics;
- Information that helps us match you to new products and services, such as information about your interests and activities, including your purchases;
- Inferences or insights we may draw from such information.
We may obtain Personal Information:
- From you when you contact us via the internet or in person;
- From third parties such as data aggregators or companies with which we have business relationships;
- Using online tracking technologies (including cookies and similar technologies), which may be used, among other things, to provide you with advertisements tailored to your interests (also known as targeted or behavioral advertising);
- Through contests and sweepstakes offered by any of our affiliates and that you have entered; and through online communities that you may have agreed to join.
Our products and services are not geared to minors and we do not knowingly collect Personal Information of minors under sixteen years of age outside your financial relationship with us.
Use of your Personal Information
TIAA may also collect and use your Personal Information for one or more of the following reasons:
- To understand your interest in products or services you do not own;
- To provide you with information and market such products and services to you;
- To improve the website and present its contents to you; and
- For research, analysis and product development.
We only use such Personal Information for our own business purposes. We may share it with vendors which have agreed to use it only to render contracted services to us and keep it confidential. We do not sell your Personal Information to, or receive any valuable consideration from, third parties. We do not sell your Personal Information to third parties.
We will notify you of an intended change in our use of your Personal Information and obtain your prior consent before implementing it.
Access to Personal Information
You have the right to request that we disclose to you the categories and specific pieces of Personal Information that we have collected about you. When you make a request, we will first take steps to verify that it is really you making the request, as we do not want your information to go to an unauthorized party. Once we have verified your request, we will provide information from our records for the preceding 12 months, including the business purpose for our collection. We will also direct our service providers to do the same if they are holding your Personal Information. Please note, we may decline your request if we are unable to verify your identity.
Data deletion rights
You have the right to request that TIAA delete your Personal Information, provided you first provide a verifiable request. Once we have received a verifiable request from you, unless an exception to your deletion request applies, we will delete your Personal information from our records, and will also direct our service providers to do the same.
Data deletion exceptions
TIAA may deny your request to delete personal information if retaining the information is necessary for us or our service providers to:
- Complete a transaction for which the personal information was collected, provide a good or service requested by you, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract(s) with you.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug products to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act.
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if you previously provided informed consent.
- To enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
- Comply with a legal obligation.
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
Appointing a designated agent
CCPA allows you to exercise your rights through a designated agent. Please submit to us at our address below a duly notarized California power of attorney appointing the individual whom you have designated to act on your behalf for this purpose. We will verify your identity and the identity of your attorney-in-fact.
P.O. Box 1259
Charlotte, NC 28201
P.O. Box 2167
Jacksonville, FL 32232
Exercising access and deletion rights and verifiable requests
To exercise the access and deletion rights described above, please submit a request by either:
- Calling us at 877-554-1001 weekdays, 8 a.m. to 10 p.m. (ET); or
- Visiting TIAA.org/public/support/privacy
To provide a “verifiable request” you must provide enough information that allows us to reasonably confirm and verify you are the person about whom TIAA collected personal information or you are the attorney-in-fact of a CA resident.
If you have any questions about this California Notice, TIAA’s Privacy Notice, the ways in which TIAA collects and uses your personal information, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at 877-554-1001.
TIAA will not discriminate against you for exercising any of your CCPA rights as described in this California Notice. Unless permitted by the CCPA, we will not:
- Deny you goods or services;
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
- Provide you a different level or quality of goods or services; or
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
Changes to this privacy notice
We reserve the right to amend this California Notice at our discretion and at any time. When we make substantive changes to this California Notice, we will inform you through a notice on our website homepage.