This PRIVACY NOTICE FOR CALIFORNIA RESIDENTS is provided by Columbia Banking System, Inc. and its subsidiaries and affiliates (collectively, “Columbia”, “we”, “us”, or “our”), to provide additional information about our processing of personal information subject to the California Consumer Privacy Act (“CCPA”). Except as otherwise specified, “residents” or “you” when used throughout this notice refers to any individual residing in California, including those acting as a job applicant, employee, independent contractor, owner, director, or officer of Columbia and those we interact with in our business-to-business relationships.
This notice explains how we collect, use, disclose, and otherwise process information that relates to you (“personal information”). If you have a disability that prevents or limits your ability to access this notice, please contact us at 1-833-427-5227 (employees and job applicants, contact Human Resources); we will work with you to provide this notice in an alternative format.
YOUR RIGHTS
Subject to certain limitations, California residents have the following rights regarding their personal information:
• the right to know what personal information we have collected about you, including the categories of personal information, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information (as may be applicable), the categories of third parties to whom we disclose personal information, and the specific pieces of personal information we have collected about you.
• the right to request deletion of your personal information that we collected.
• the right to request the correction of your inaccurate personal information we may maintain.
• the right to request that we limit the use and/or disclosure of your sensitive personal information, except for the purposes that you would reasonably expect are necessary to provide our services and products, and as otherwise authorized by law. We only use sensitive personal information for these purposes. Because our use and disclosure of sensitive personal information is already limited in accordance with applicable law, you do not need to take any further action to limit the disclosure or use of your sensitive personal information. Please note that we do not collect or use your sensitive personal information for the purpose of inferring characteristics about you.
• the right not to be discriminated against for exercising any of these rights.
• the right to opt out of the “Selling” or “Sharing” of your personal information. We, our service providers, and third parties engaged on our behalf may use cookies, pixel tags, or similar tracking technologies (collectively, “Collection Technologies”) to gather personal information when you use, access, or otherwise interact with our websites, mobile applications, or other digital properties. While we do not disclose your personal information in exchange for money, our use of these collection technologies may be considered a “Sale” or “Sharing” under California law. As noted above, California residents have the right to opt out of such selling/sharing activity. For more information about our use of collection technologies, please visit our Digital and Mobile Privacy Notice at columbiabank.com/privacy/digital-privacy-notice.
PERSONAL INFORMATION WE COLLECT
We may have collected your personal information in the preceding 12 months. The California Consumer Privacy Act (CCPA), however, does not apply to certain information, such as
information subject to the Gramm-Leach-Bliley Act (“GLBA”). The personal information we may have collected depends on our relationship to you. Please see below for examples of types that may have been collected:
|
Category of personal information |
Representative data elements |
Do we collect? |
|
Identifiers |
ü Real name ü Postal address ü Unique identifier or unique personal identifier ü Social Security number ü Passport number ü Driver’s license number ü Telephone number ü Email address |
Yes |
|
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code§ 1798.80(e)) |
ü Name ü Signature ü Physical characteristics or description ü State or government issued identification card number ü Insurance policy number ü Employment information and history ü Bank account number ü Credit or debit card number ü Other financial information ü Medical information ü Health insurance information |
Yes |
|
Protected classification characteristics under California or federal law |
ü Date of birth/age ü Gender, including gender identity ü Military or veteran status ü Marital status ü Request for leave for employee(s) ü Request for pregnancy leave ü Request for family care leave ü Race/color ü Ethnicity or national origin or ancestry |
Yes |
|
Category of personal information |
Representative data elements |
Do we collect? |
|
|
ü Religion ü Sexual orientation ü Disability |
|
|
Commercial information |
ü Records of personal property ü Products or services purchased, obtained, or considered ü Other purchasing or consuming histories or tendencies |
Yes |
|
Biometric information |
ü Fingerprints ü Faceprints or face imagery ü Voiceprints and/or voice recordings that can be extracted ü Physiological characteristics ü Biological characteristics ü Behavioral characteristics ü Identifiable sleep, health and exercise data ü Activity patterns |
Yes |
|
Internet or other similar network activity |
ü Browsing history ü Search history ü Information regarding interaction with a website, application, or advertisement |
Yes |
|
Device information Note: Some information included in this category may overlap with other categories. |
ü Device identifier or identifying information, characteristics, or settings about the device you use to access our online services ü IP address ü Information in cookies, pixel tags, or from other collection technologies ü Mobile ad identifiers ü Mobile device information (with permission, such as location, contacts, camera) |
Yes |
|
Geolocation data |
ü Physical location ü Movements ü Precise geolocation |
Yes |
|
Sensory data |
ü Audio ü Visual ü Electronic For example, in the employment context, this may include: ü Information captured from video, audio, monitoring, or surveillance systems
ü Employee photographs Note: These data types are typically collected during phone and in-person interactions for security and training purposes. |
Yes |
|
Professional or employment related information Note: Some information included in this category may overlap with other categories and may apply to all employees and their dependents, beneficiaries, and emergency contacts. |
ü Current and past job history or performance evaluation For example, in the employment context, this may include: ü Personnel records, including salary/wage information, occupation, and disciplinary notices and actions ü Job application and resume ü Employment contracts or independent contractor agreements ü Information from background checks ü Employment offer detail ü Other information you provide during screening and recruitment ü Records of involvement in company-sponsored events or community involvement as an employee |
Yes |
|
Non-public education information (per the Family Educational Rights and Privacy Act) |
ü Education records, such as enrollment, grades, transcripts, and student schedules ü Student financial information, including tuition costs and reimbursement |
Yes |
|
Inferences drawn from other personal information |
ü Inferences based on information about an individual to create a summary about, for example, an individual’s preferences and characteristics Note: Inferences are not performed based on any sensitive personal information collected, as defined below. |
Yes |
|
Sensitive Personal Information Note: Some information included in this category may overlap with other categories. |
ü Government identifiers (Social Security, driver’s license, state identification card, or passport number) ü Complete account access credentials (usernames, account numbers or card numbers, combined with any security or access code, password, or credential required for allowing access to an account) ü Precise geolocation
ü Racial or ethnic origin, religious or philosophical beliefs, or union membership ü Biometric information when used for the purpose of uniquely identifying a consumer ü Personal information collected and analyzed concerning your health, including from employees’ certain medical conditions. For example, in the employment context, this may include: ü Employee benefit plan information, including dependents and beneficiaries ü Emergency contact information ü Employee leave information related to benefits (vacation), family and medical leave, or other disability leave ü Personal information collected and analyzed concerning your sex life or sexual orientation |
Yes |
SOURCES OF PERSONAL INFORMATION
We obtain the categories of personal information listed above from the following sources:
• Directly from you – For example, from documents that you provide us related to the product(s) or service(s) for which you engage or use us or purchase from us, including when you apply for employment or during the course of your employment.
• Indirectly from you – For example, through information we collect from you while providing business services or interactions, including human resource services.
• Directly and indirectly from activity on our websites (e.g., columbiabank.com and finpac.com) – For example, from submissions through our website portal or website usage details collected automatically through our use of Collection Technologies.
• From third parties, outside companies, or organizations that interact with us in connection with the services we perform and products we provide or other business relationships – For example, we may collect employment related information from credit bureaus, former employers, schools, or references to process and evaluate applications for positions with us or for other administrative purposes.
PURPOSES FOR COLLECTION AND USE OF PERSONAL INFORMATION
The purposes for which we collect and use each category of personal information and sensitive personal information depend on, among other things, our relationship or interaction with specific California residents. We may use the personal information we collect for the following business or commercial purposes:
|
Purpose for collection and use |
Example |
|
Provide and manage products and services |
ü Establish your account(s) and/or preferences, process transactions for our products and services including checking accounts, credit cards, loans, investment accounts, as well as additional products for businesses such as commercial financing and payment services. ü Support the ongoing management and maintenance of our products and services including to provide account statements, online banking access, online services, customer service, payments and collections, and account notifications. ü To respond to your inquiries and fulfill your requests. ü To provide important information regarding the products or services for which you apply or may be interested in applying for, or in which you are already enrolled, changes to terms, conditions, and policies and/or other administrative information. ü To allow you to apply for products or services (for example, to prequalify for a mortgage, apply for a credit card, or to open an account) and evaluate your eligibility for such products or services. |
|
Provide and manage human resource services for hiring and performance |
ü Talent planning and recruitment. ü Hiring practices, such as processing applications, pre- employment screening, onboarding, employment agreements and establishing your employee account(s) and/or preferences. ü Support employee training, education, and development. ü Employee performance management. |
|
Support employment benefits administration |
ü Provide benefits to employees, dependents, and beneficiaries, including healthcare or medical, retirement, insurance, and other benefit plans. ü Support benefit claims processing. |
|
Support our everyday human resource operations, including to meet risk, legal, and compliance requirements |
ü Manage pay and compensation activities. ü Administer employee performance management and corrective actions. ü Perform accounting, monitoring, and reporting. ü Comply with policies, procedures, and contractual obligations, including compliance requirements such as reporting. ü Enable information security and anti-fraud operations and verify your identity. ü Support audit and investigations, complete legal requests and demands, as well as exercise and defend legal claims. ü Enable the use of service providers, third parties and contractors for business purposes. |
|
Support our everyday operations, including to meet risk, legal, and compliance requirements |
ü Perform accounting, monitoring, and reporting. ü Enable information security and anti-fraud operations, verify your identity, as well as credit, underwriting, and due diligence. ü Support audit and investigations, legal requests and demands, as well as exercise and defend legal claims. ü Enable the use of service providers for business purposes. ü Manage our business relationships. ü Comply with policies, procedures, and contractual obligations. ü Verify or enforce our terms of use or other applicable policies. ü For purposes of compliance, fraud prevention, technical support, and safety, including emergency response and protecting the security of account and personal information. ü Collect information through our social media pages and other online interactions with you to assist in verifying your identity and account status. We may combine this online information with information collected from offline sources or information we already have. ü Defend or protect us, you, our client, or third parties, from harm or in legal proceedings. ü Respond to court orders, lawsuits, subpoenas, and government requests. |
|
Manage, improve, and develop our business |
ü Personalize, develop, as well as improve our products and human resource services. ü Support customer relationship management. ü To personalize your experience on our websites and enhance websites. ü To allow you to participate in surveys and other forms of market research, sweepstakes, contests, and similar promotions and to administer these activities. Some of these activities have additional rules, which may contain additional information about how Personal Information is used and shared. ü Conduct research and analysis, including to drive innovation in recruiting, retention, and employee management. ü Support employee relationship management. |
|
Purpose for collection and use |
Example |
|
Research and Analytical Purposes |
ü Understand how you use our websites, mobile applications, and other digital properties (collectively, the “Sites”). ü The methods and devices you use to access our Sites. ü Make improvements to our Sites. ü Conduct research and analysis, identify usage trends, determine effectiveness of promotional campaigns, and to drive product and services innovation. |
|
Marketing and Advertising Purposes |
ü Send you marketing and advertising communications about our products and services, tailored to your interests or more general in nature. |
|
Provide and manage digital and mobile products and services |
ü Information stored on your device, such as location, camera, contacts, or other features you are enrolled in to enrich and simplify your own user experience and improve our services, as well as provide additional security to protect your account. |
Please note:
• We only use and disclose sensitive personal information to third parties, service providers, and contractors for the business purposes outlined in this notice and have ensured the purposes are what you would reasonably expect are necessary to provide our products and services, including to provide those individuals acting in the employment context with human resource services. We do not collect or use your sensitive personal information for the purpose of inferring characteristics about you.
• We may also use data that we collect on an aggregate or anonymous basis (such that it does not identify any individual customers) for various business purposes, where permissible under applicable laws and regulations.
RETENTION OF PERSONAL INFORMATION
We retain your personal information, including sensitive personal information, for the period necessary to fulfill the purposes outlined in this Privacy Notice unless a longer retention period is required or permitted by law. Please note that in many situations we must retain all, or a portion, of your personal information to comply with our legal obligations, resolve disputes, enforce our agreements, to protect against fraudulent, deceptive, or illegal activity, or for another one of our business purposes.
INFORMATION DISCLOSURE
The information below lists the categories of recipients to whom we may disclose personal information for our business or commercial purposes:
Affiliates. We may disclose your personal information with our subsidiaries and affiliates for purposes consistent with this Privacy Notice. This includes affiliated websites and businesses to bring you improved service across our family of products and services, when permissible under relevant laws and regulations; we do not disclose information about your credit worthiness to affiliates.
Service Providers and Contractors. We may disclose personal information with third-party service providers and contractors subject to appropriate confidentiality and use restrictions, as part of providing products and services, completing transactions, supporting everyday operations or business management and development. This includes disclosing personal information to support human resource activities and workforce management, such as employee training and development, recruiting, employment eligibility, onboarding, compensation analysis, payroll, and other transactions involving employees and to employee benefits service providers including companies who provide healthcare, retirement, insurance or other benefits plans.
Advertising or Analytics Providers. As mentioned above, we may use personal information in support of our: (1) advertising and marketing efforts, including to serve interest-based advertisements across the Internet; and track and categorize your activity, interests and device(s) used over time on our websites and applications, and on third-party websites and mobile applications; and (2) research and analytics efforts, including to better understand your use of our websites and applications to improve those technologies and optimize your experience and
interactions. To do this, we may disclose your information with certain third-party advertising or analytics providers (collectively, “Analytics and Advertising Providers”) through our use of
Collection Technologies. These Analytics and Advertising Providers may use Collection Technologies on our digital properties to collect and store information about you and your use of our websites, applications, and other digital properties.
Representatives of California Residents. We may disclose personal information with companies or individuals that represent California residents, such as accountants, financial advisors, or individuals with power of attorney.
For Routine or Required Reporting. We may disclose personal information for routine or required reporting, including to consumer reporting agencies or other third parties.
Professional Advisors. We may disclose your personal information to professional advisors, such as lawyers, auditors, and insurers, where necessary in the course of the professional services that they render to us.
Business Partners. We may disclose personal information to our business partners, such as those companies with which we offer co-branded services, products, or programs.
For Risk, Legal, and Compliance. We may disclose your personal information to third parties, including regulators, government agencies, and law enforcement, for the risk, legal, and compliance purposes described in the section above.
Business Transfers. We may transfer or disclose some or all of our business or assets, including your personal information, in connection with a business transaction (or potential business transaction) such as a corporate divestiture, merger, consolidation, acquisition, reorganization or sale of assets, or in the event of bankruptcy or dissolution.
Your Consent or Instruction. We may disclose your personal information in situations where we have your consent or instruction to do so.
The table below identifies: (1) the categories of personal information we may have disclosed in the preceding 12 months for our business or commercial purposes; and (2) the categories of recipients, including third parties, to whom we have disclosed such information. Please note, the table below contains shorter descriptions of the recipients. The full descriptions are described above within the “Information Disclosure” section. We may also disclose any of the categories of personal information listed below: (1) for risk, legal, or compliance purposes; (2) to our Professional Advisors; (3) because of a business transfer (or potential business transfer); or (4) based on your consent or instruction.
|
Category of personal information or (*)Sensitive Personal Information |
Category of recipients to whom we disclose personal information |
|
Identifiers |
• Affiliates, Service Providers and Contractors • Representatives of California Residents, Professional Advisors, Business Partners • In connection with performing routine or required reporting • For Risk, Legal, and Compliance |
|
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code §1798.80(e)) |
• Service Providers and Contractors • Representatives of California Residents, Professional Advisors, Business Partners • In connection with performing routine or required reporting • For Risk, Legal, and Compliance |
|
Protected classification characteristics under California or federal law |
• Service Providers and Contractors • Representatives of California Residents, Professional Advisors, Business Partners • In connection with performing routine or required reporting • For Risk, Legal, and Compliance |
|
Commercial information |
• Service Providers and Contractors • Representatives of California residents, Professional Advisors, Business Partners • In connection with performing routine or required reporting • For Risk, Legal, and Compliance |
|
Biometric information |
• Service Providers and Contractors |
|
Internet or other similar network activity |
• Service Providers and Contractors • Advertising or Analytics Providers • For Risk, Legal, and Compliance |
|
Device information |
• Advertising or Analytics Providers |
|
Geolocation data |
• Service Providers and Contractors |
|
Sensory data |
• Service Providers and Contractors |
|
Professional or employment related information |
• Service Providers and Contractors • Representatives of California Residents • For Risk, Legal, and Compliance |
|
Category of personal information or (*)Sensitive Personal Information |
Category of recipients to whom we disclose personal information |
|
Non-public education information (per the Family Educational Rights and Privacy Act) |
• Service Providers and Contractors |
|
Inferences drawn from other personal information |
• Service Providers and Contractors |
|
(*Sensitive category) Government identifiers (Social Security, driver’s license, state identification card, or passport number) Complete account access credentials (usernames, account numbers or card numbers, combined with any security or access code, password, or credential required for allowing access to an account) Precise geolocation Racial or ethnic origin, religious or philosophical beliefs, or union membership Biometric information when used for the purpose of uniquely identifying a consumer Personal information collected and analyzed concerning your health Personal information collected and analyzed concerning your sex life or sexual orientation Note: Some information included in this category may overlap with other categories. |
• Service Providers and Contractors • Representatives of California Residents, Professional Advisors, Business Partners • In connection with performing routine or required reporting • For Risk, Legal, and Compliance |
Please note:
• We only use and disclose sensitive personal information to third parties, service providers, and contractors for the business purposes outlined in this notice. The business purposes are what you would reasonably expect are necessary to provide our products and services, including providing those individuals acting in the employment context with human resource services.
We do not collect or use your sensitive personal information for the purpose of inferring characteristics about you.
• We may disclose anonymous or aggregated information with third parties to help deliver products, services, and content that are tailored to the users of our online services and for other purposes.
• The categories of personal information we may sell or share through Collection Technologies include internet or other similar network activity, Device Information and Unique identifiers. The business purposes for selling or sharing are:
o To support our everyday operations, including to meet risk, legal, and compliance requirements
o To manage, improve, and develop our business
o Research and Analytical Purposes
o Marketing and Advertising Purposes
o To provide and manage digital and mobile products and services
EXERCISING YOUR RIGHTS
To exercise your rights to access, deletion, and correction, please submit a verifiable consumer request to us by either:
• Calling us at 1-833-427-5227
• Visiting our website at columbiabank.com/privacy/ccpa-individual
Once a request to access, delete, or correct has been submitted, we will attempt to verify that you are the individual to whom the request applies. We do that by taking the identifying information you provide (e.g., name, email address, account-related information) and using a
combination of the information we have on file and our identity verification engine. We attempt to match a minimum of three of the data points you submitted. If we are unable to verify the request with the materials you provided, we may reach out to you for additional information.
Only you or a person authorized to act on your behalf may make a valid consumer request
related to your personal information. An authorized agent may submit a request by calling us at 1-833-427-5227 or visiting our website at columbiabank.com/privacy/ccpa-representative. You may also make a verifiable consumer request on behalf of your minor child.
You may only submit a verifiable consumer request twice within a 12-month period. The verifiable request must:
• Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative; and,
• Describe your request with enough detail that allows us to properly understand, evaluate, and respond to it.
Additional information regarding your right to correct inaccurate information: You may be able to review or update certain account information by logging in and accessing your online
account(s). If you cannot change the incorrect information online, or you prefer to request changes offline, please use the Contact Us option on our site at columbiabank.com/contact-us, call or write to us using the contact information listed on your account statements, records, or other account materials, or submit a verifiable consumer request to us on our website at columbiabank.com/privacy/ccpa-individual. You can also speak to one of our branch representatives, your financial advisor, or your digital banking representative.
You can exercise your right to opt out of the “sale” or “sharing” of your personal information by either:
• Modifying Your Cookie Preferences: When you first visit our website, you will be presented with a banner which offers you a choice about whether to accept or reject our use of cookies and similar tracking technologies, the use of which may constitute a “sale” or “share” of personal
information under applicable law. If you wish to amend your choices, you can by clicking the “Manage my cookie preferences” link near the bottom of the Columbia Bank homepage (columbiabank.com). Please note that your request to opt out of sale/sharing will be linked to your browser identifier only. If you use a different computer or Internet browser to access our sites, you will need to renew your cookie management choices.
• Global Privacy Control: You may exercise your opt-out right by broadcasting an opt-out preference signal, such as the Global Privacy Control (globalprivacycontrol.org/), on the browsers and/or browser extensions that support such a signal. Please note that your request to opt-out of sale/sharing will be linked to your browser identifier only. If you use a different computer or Internet browser to access our sites, you will need to renew your opt-out request.
For more information on how we use Collection Technologies, please visit our Digital and Mobile Privacy Notice at columbiabank.com/privacy/digital-privacy-notice.
We do not knowingly sell or share the personal information of consumers under 16 years of age.
For Financial Pacific Leasing customers residing in California: If you wish to opt out of our affiliate sharing, please email privacy@finpac.com or call us at 1-833-427-5227. Please provide your name, email, phone number, and/or mailing address to which you wish to not receive marketing communications.
REQUEST RESPONSES
Privacy and data protection laws, other than the CCPA, apply to much of the personal information that we collect, use, and disclose. When these laws apply, personal information may be exempt from, or outside the scope of, the CCPA, including with respect to access and deletion requests. As a result, in some instances, we may decline all or part of an access request or deletion request related to this personal information.
LINKING TO THIRD-PARTY WEBSITES
Columbia Banking System, Inc. may provide links to websites that are owned or operated by other companies ("third-party websites"). When you use a link online to visit a third-party website, you will be subject to that website’s privacy and security practices, which may differ from ours. You should familiarize yourself with the privacy policy, terms of use, and security practices of the linked third-party website before providing any information on that website.
CHILDREN’S ONLINE PRIVACY PROTECTION ACT (COPPA)
The Federal Trade Commission adopted a regulation (16 CFR 312) to implement the Children's Online Privacy Protection Act (COPPA), which governs the collection and use and/or disclosure of personal information from and about children on the internet.
We do not operate a website or online service directed to children that collects or maintains personal information about children under the age of 13 or operate a general audience website or online service and knowingly collect or maintain personal information online from a child under the age of 13.
For more information about the Children’s Online Privacy Protection Act (COPPA), visit the FTC website: ftc.gov
SECURITY
We use physical, electronic, and procedural safeguards that comply with federal standards to protect and limit access to personal information. This includes device safeguards and secured files and buildings.
Please note that information you send to us electronically may not be secure when it is transmitted to us. We recommend that you do not use unsecure channels to communicate sensitive or confidential information (such as your SSN) to us.
CHANGES TO OUR PRIVACY NOTICE
We reserve the right to amend this privacy notice at our discretion and at any time. When we make changes to this privacy notice, we will notify you by appropriate means, such as email, through a notice on our website homepage, or by posting a revised policy on this page with a new “Last Updated” date. If no ad-hoc changes are warranted, this privacy notice will be reviewed annually.
CONTACT INFORMATION
If you have any questions or comments about this notice, our Privacy Statement (columbiabank.com/privacy), Digital and Mobile Privacy Notice (columbiabank.com/privacy/digital- privacy-notice), the ways in which we collect and use your personal information, your choices and rights regarding such use, or wish to exercise your rights, please contact us at:
Phone: 1-833-427-5227
Website: columbiabank.com/privacy
