This California Privacy Notice (California Notice) is for California residents only pursuant to the California Consumer Privacy Act (CCPA) and supplements information contained in the TIAA Privacy Notice or TIAA Bank Privacy Notice, which includes “TIAA” and “TIAA Companies” using the TIAA brand that share a common corporate identity and with which you have a relationship. This privacy notice should not be construed as establishing a contractual relationship.
Please review this California Notice carefully, as it applies to the personal information (as defined by the CCPA) we collect about you outside the financial relationship you may have with us, directly or through your employer. Specifically, if you are a current or former customer of our products and services, or if you are interested in our products and services and contact us, we collect, use and share information pursuant to the TIAA Privacy Notice for TIAA customers and the TIAA Bank Privacy Notice for TIAA Bank customers (referred to hereafter as the “Privacy Notice”). We encourage you to read those notices carefully together with this California Notice to have a full description of our online and offline practices.
Personal information includes information that relates to, is capable of being associated with, or could reasonably be linked to you, one of your devices and/or a member of your household outside of your financial relationship with us.
GLBA and CalFIPA exemptions
Personal Information that we have collected about you based on the financial relationship that you have with us is not subject to the CCPA, and such information’s collection, use, and disclosure is described in the Privacy Notice. The CCPA exempts from its scope Personal Information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act and its implementing regulations (GLBA), or the California Financial Information Privacy Act (CalFIPA). We rely on these exemptions when responding to your access and/or deletion requests, as we only collect Personal Information subject to the GLBA and CalFIPA. If you are a California resident, we encourage you to read the Privacy Notice, together with this California Notice, to have a full description of our practices with respect to your Personal Information.
We do not sell your Personal Information
We do not sell your Personal Information, which is why you will not find a “Do Not Sell My Personal Information” link on our website. We only use Personal Information for our own business purposes. We may share it with our affiliates and other third parties which have agreed to use such Personal Information only to render contracted services to us and keep it confidential. Information about how we may disclose your Personal Information and your ability to control such disclosures is set forth in the Privacy Notice.
Your rights under the CCPA
If you are a California resident, you have the following rights with respect to your Personal Information:
- Receive information on our privacy practices, including why we collect Personal Information about you, from whom and for what purpose;
- Request access to Personal Information that we have collected about you in the twelve months prior to your request;
- Have your Personal Information deleted under certain circumstances;
- Receive information about why we may disclose Personal Information and to whom;
- Receive information whether we sell your Personal Information and, if so, opt out; and
- Not be discriminated against for exercising these rights.
Categories of your Personal Information that TIAA may collect or generate
Categories of information we may collect or generate about you are:
- Contact details such as your names, email addresses, physical addresses, or phone numbers; we use these categories of information to stay in touch with you;
- Information about the devices you use to contact us, such as the Internet Protocol (IP) address of your computer browser or the device ID on your smartphone, and where you contact us from; we use these categories of information to ensure that TIAA’s websites continue to operate as necessary; deliver content specific to your interests; provide access to secure website functions; assist with website traffic reporting; provide client support; respond to client inquiries; measure the level of engagement with TIAA advertisements across digital channels and other websites; and to authenticate and/or remember user names upon login;
- Information about your professional background, stage in your life and personal characteristics;
- Information that helps us match you to new products and services, such as information about your interests and activities, including your purchases;
- Inferences or insights we may draw from such information.
We may obtain Personal Information:
- From you when you contact us via the internet or in person;
- From third parties such as data aggregators or companies with which we have business relationships;
- Using online tracking technologies (including cookies and similar technologies), which may be used, among other things, to provide you with advertisements tailored to your interests (also known as targeted or behavioral advertising);
- Through contests and sweepstakes offered by any of our affiliates and that you have entered; and through our online communities that you may have agreed to join.
Our products and services are not geared to minors and we do not knowingly collect Personal Information of minors under sixteen years of age outside your financial relationship with us (e.g. beneficiary information).
Use of your Personal Information
TIAA may also collect and use your Personal Information for one or more of the following reasons:
- To understand your interest in products or services you do not own;
- To provide you with information about, and market such products and services to you;
- To improve the website and present its contents to you; and
- For research, analysis and product development.
We only use such Personal Information for our own business purposes. We may share it with vendors which have agreed to use it only to render contracted services to us and keep it confidential. We do not sell your Personal Information.
We do not sell your Personal Information to third parties.We will notify you of an intended change in our use of your Personal Information and obtain your prior consent before implementing it.
Access to and deletion of Personal Information
You have the right to request that we disclose to you the categories and specific pieces of Personal Information that we have collected about you in the preceding 12 months. Additionally, you have the right to request that TIAA delete your Personal Information. As set forth above in this California Notice, we rely on the GLBA exemption when responding to access and deletion requests. Since we do not collect information that is subject to the CCPA, our response to a verifiable CCPA request may be limited. You are encouraged to review the Privacy Notice for information about our privacy practices. As we do not want your information to go to an unauthorized party. Once we have verified your request, we will provide information from our records for the preceding 12 months, including the business purpose for our collection. We will also direct our service providers to do the same if they are holding your Personal Information. Please note, we may decline your request if we are unable to verify your identity.
Verification & Response Process
We take protecting your Personal Information very seriously. When you make a request, we will first take steps to verify that it is really you who is making the request. Depending on the sensitivity of your Personal Information, we may request that you provide us with additional documentation to verify your identity and may decline your request if we are unable to verify your identity.
Once we have verified your identity and request, to the extent required by the CCPA, we will:
- For access requests: provide information from our records for the preceding 12 months from the date of the verification, including the business purpose for our collection. We will also direct our service providers to do the same if they are holding your Personal Information.
- For deletion requests: we will delete your Personal Information from our records, and will also direct our service providers to do the same, unless one of the below exceptions to your deletion request applies.
Data deletion exceptions
TIAA may deny your request to delete personal information if retaining the information is necessary for us or our service providers to:
- Complete a transaction for which the personal information was collected, provide a good or service requested by you, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract(s) with you.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug products to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act.
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if you previously provided informed consent.
- To enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
- Comply with a legal obligation.
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
Appointing a designated agent
CCPA allows you to exercise your rights through a designated agent. Please submit to us at our address below a duly notarized California power of attorney appointing the individual whom you have designated to act on your behalf for this purpose. We will verify your identity and the identity of your attorney-in-fact.
|P.O. Box 2167
Jacksonville, FL 32232
Exercising access and deletion rights and verifiable requests
To exercise the access and deletion rights described above, please submit a request by either:
- Calling us at 877-554-1001 weekdays, 8 a.m. to 10 p.m. (ET); or
- Visiting TIAA.org/public/support/privacy
To provide a “verifiable request” you must provide enough information that allows us to reasonably confirm and verify you are the person about whom TIAA collected personal information or you are the attorney-in-fact of a CA resident.
If you have any questions about this California Notice, TIAA’s Privacy Notice, the ways in which TIAA collects and uses your personal information, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at 877-554-1001.
TIAA will not discriminate against you for exercising any of your CCPA rights as described in this California Notice. Unless permitted by the CCPA, we will not:
- Deny you goods or services;
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
- Provide you a different level or quality of goods or services; or
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
Changes to this privacy notice
We reserve the right to amend this California Notice at our discretion and at any time. When we make substantive changes to this California Notice, we will inform you through a notice on our website.