Statement of CPRA and CCPA Compliance
Updated on 12/31/2022
California Privacy Rights Act / California Consumer Privacy Act – Statement of Compliance
Description of Your Rights: The California Privacy Rights Act (“CPRA”) / California Consumer Privacy Act (“CCPA”) confer statutory rights that provide California consumers with greater control and transparency over the use of their personal information and sensitive personal information by affected companies operating within this state. These statutory rights, include, among other things, the protections listed below. You may submit verifiable consumer requests, obtain additional information about these protections, and direct any questions to the Credit Union by email (ccparequest@alturacu.com), via telephone (888-883-7228), or in writing to Altura Credit Union P.O. Box 908, Riverside, CA 92502. Upon receipt of a verifiable consumer request for disclosures covered under CPRA / CCPA, including those seeking the correction of inaccurate personal information and the deletion of a consumer’s personal information, the Credit Union shall take the necessary steps and respond to you within the following 45 days; this time period may be extended once by an additional 45 days when reasonably necessary, as permitted by statute, and we will notify you of the extension within the original 45 day period.
- Right to Request and Receive Personal Information Disclosures under CPRA / CCPA (California Civil Code § 1798.100)
Under CPRA / CCPA, a business that controls the collection of your personal information must, at or before the point of collection, inform you about: (1) the categories of personal information to be collected and the purposes for which the categories of personal information are collected or used, and whether such personal information is sold or shared; (2) the categories of sensitive personal information to be collected and the purposes for which the categories of sensitive personal information are collected or used, and whether such information is sold or shared; and (3) the length of time the business intends to retain each category of personal information and sensitive personal information, provided that such information is not retained for longer than is reasonably necessary for the disclosed purpose for which the information was collected.
- Right to Delete Personal Information under CPRA / CCPA (California Civil Code § 1798.105)
Under CPRA / CCPA, you have the right to request the deletion of personal information that a business has collected from you. A business that collects personal information about consumers must disclose the right of consumers to request the deletion of their personal information. Accordingly, a business that receives a verifiable consumer request for deletion must delete your personal information from its records and direct any service providers to delete your personal information from their records. Certain exceptions apply to these requests. A business or a service provider is not required to comply with your request to delete your personal information if it is reasonably necessary for the business or service provider to maintain your personal information in order to: (1) complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service that you requested, or reasonably anticipated by the consumer within the context of a business’s ongoing business relationship with you, or otherwise perform a contract between the business and you; (2) help to ensure security and integrity to the extent that the use of your personal information is reasonably necessary and proportionate for those purposes; (3) debug to identify and repair errors that impair existing intended functionality; (4) exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law; (5) comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the California Penal Code; (6) engage in public or peer-reviewed scientific, historical, or statistical research that adheres to all other applicable ethics and privacy laws, when the deletion of your information is likely to render impossible or seriously impair the ability to complete such research, if you have provided informed consent; (7) to enable solely internal uses that are reasonably aligned with your expectations based on your relationship with the business and compatible with the context in which you provided the information; or (8) comply with a legal obligation.
- Right to Correct Inaccurate Personal Information under CPRA / CCPA (California Civil Code § 1798.106)
Under CPRA / CCPA, you have the right to request the correction of any inaccurate personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information. Upon receiving a verifiable consumer request to correct inaccurate personal information, we shall use commercially reasonable efforts to make any necessary correction(s), as directed by the consumer.
- Right to Know what Personal Information is Being Collected and Right to Access Personal Information (California Civil Code § 1798.110)
Under CPRA / CCPA, you have the right to request that a business that collects your personal information disclose the following information: (1) the categories of personal information it has collected about consumers; (2) the categories of sources from which the personal information is collected; (3) the business or commercial purpose for collecting, selling, or sharing personal information; (4) the categories of third parties to whom the business discloses personal information; and (5) the specific pieces of personal information it has collected about you. A business that collects your personal information must disclose, pursuant to paragraph (3) of subdivision (a) of California Civil Code § 1798.130, the information cited above upon receipt of a verifiable consumer request. A business that collects your personal information must disclose, pursuant to subparagraph (B) of paragraph (5) of subdivision (a) of California Civil Code § 1798.130 the information cited above.
- Right to Know what Personal Information is Sold or Shared, and to Whom (California Civil Code § 1798.115)
Under CPRA / CCPA, you have the right to request that a business that sells your personal information, shares yorur personal information, or discloses it for a business purpose, inform you of: (1) the categories of personal information that the business collected about you; (2) the categories of personal information that the business sold or shared about you and the categories of third parties to whom the personal information was sold or shared; and (3) the categories of personal information that the business disclosed about you for a business purpose, and the categories of persons to whom it was disclosed for a business purpose. A business that sells or shares your personal information, or that discloses your personal information for a business purpose, must disclose, pursuant to paragraph (4) of subdivision (a) of California Civil Code § 1798.130, the information cited above upon receipt of a verifiable consumer request. A business that sells or shares your personal information, or that discloses your personal information for a business purpose, must disclose, pursuant to subparagraph (C) of paragraph (5) of subdivision (a) of California Civil Code § 1798.130: (1) the category or categories of consumers’ personal information it has sold or shared, or if the business has not sold consumers’ personal information, it must disclose that fact; and (2) the category or categories of consumers’ personal information it has disclosed for a business purpose, or if the business has not disclosed the consumers’ personal information for a business purpose, it must disclose that fact. Under CPRA / CCPA, a third party is prohibited from selling personal information about a consumer that has been sold to the third party by a business unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt-out pursuant to California Civil Code § 1798.120. Please note that the Credit Union does not sell your personal information and sensitive personal information.
- Right to Opt-Out of the Sale or Sharing of Personal Information: Under CPRA / CCPA, you have the right, at any time, to direct a business that sells or shares your personal information not to sell or share your personal information. This right may be referred to as the “Right to Opt-Of of Sale or Sharing.” If a business has received direction from you not to sell or share your personal information, the business is prohibited from selling or sharing your personal information after its receipt of your direction, unless you subsequently provide your consent to sell or share your personal information. In the case of a minor consumer, the business is prohibited from selling or sharing the minor’s personal information if it has not received consent to do so.
- Right to Limit Use and Disclosure of Sensitive Personal Information under CPRA / CCPA (California Civil Code § 1798.121)
Under CPRA / CCPA, you have the right, at any time, to direct a business that collects sensitive personal information about the consumer to limit its use of the consumer’s sensitive personal information to the use(s) necessary to: (1) perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services; (2) effectuate the business purpose of helping to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for that purpose; (3) meet the business purpose of short-term and transient use, including, but not limited to non-personalized advertising shown as part of your current interaction with the Credit Union; (4) fulfill the business purpose for the Credit Union’s performance services, including maintaining or servicing your account, providing customer service, processing or fulfilling orders or transactions, verifying your customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services; and (5) achieve the business purpose of undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the Credit Union, and to improve, upgrade, or enhance the service or device owned, manufactured, manufactured for, or controlled by the Credit Union.
- Right of Non-Retaliation Following Opt-Out of Exercise of Other Rights under CPRA / CCPA (California Civil Code § 1798.125)
Under CPRA / CCPA, a business must not discriminate against you because you exercised any of your rights under the CPRA / CCPA; these prohibited discriminatory acts include, and are not limited to: (1) denying goods or services to you; (2) charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; (3) providing a different level or quality of goods or services to you; (4) suggesting that you will receive a different price or rate for goods or services or a different level or quality of goods or services; and (5) retaliating against an employee, applicant for employment, or independent contractor for exercising their rights under CPRA / CCPA.
A. Categories of Personal Information and Sensitive Personal Information that the Credit Union Collected and Shared in the Preceding 12 Months
The table below lists the categories of personal information and sensitive personal information that the Credit Union collected in the preceding 12 months, and provides additional related details. The length of time that the Credit Union retains these categories of personal information and sensitive personal information spans the duration of your account and relationship with the Credit Union, plus any additional retention period mandated by law. The Credit Union does not engage in the sale of any of your personal information and sensitive personal information. Please note that the Credit Union collects, uses, retains, and shares personal information and sensitive personal information only to the extent that it is reasonably necessary and proportionate to achieve the purposes for which this information was collected or processed, and as permitted under CPRA / CCPA.
| Categories of Personal Information and Sensitive Personal Information Collected in the Preceding 12 Months | Categories of Sources of Personal Information and Sensitive Personal Information | Business or Commercial Purpose(s) for the Collection of Personal Information and Sensitive Personal Information | Categories of Third Parties with whom the Credit Union Shares Personal Information and Sensitive Personal Information |
| Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers | – Directly from the consumer, or an authorized representative
– Consumer data resellers – Credit reporting agencies – Marketing companies – Public records
|
– Provision and administration of products/services
– Legal proceedings – Marketing and research (member satisfaction surveys, market polls, etc.) – Quality assurance and control / risk management functions (e.g. audit, fraud detection and prevention, etc.) – Regulatory compliance – Security (administrative, physical, and technical) of our premises and operations – Operation of our Websites |
– Your authorized representative
– Credit reporting agencies – Regulatory agencies – Service providers, subject to confidentiality
|
| Signature, physical characteristics or description, telephone number, state identification card number, insurance policy number, education, bank account number, credit card number, debit card number, any other financial information, medical information, or health insurance information, and other personal information covered under California Civil Code § 1798.80(e) | – Directly from the consumer, or an authorized representative
– Consumer data resellers – Credit reporting agencies – Marketing companies – Public records
|
– Provision and administration of products/services
– Legal proceedings – Marketing and research (member satisfaction surveys, market polls, etc.) – Quality assurance and control / risk management functions (e.g. audit, fraud detection and prevention, etc.) – Regulatory compliance – Security (administrative, physical, and technical) of our premises and operations – Operation of our Websites |
– Your authorized representative
– Credit reporting agencies – Regulatory agencies – Service providers, subject to confidentiality
|
| Characteristics of protected classifications (age, gender, race, etc.) under California or federal law | – Directly from the consumer, or an authorized representative | – Provision and administration of products/services
– Legal proceedings – Regulatory compliance |
– Your authorized representative
– Credit reporting agencies – Regulatory agencies – Service providers, subject to confidentiality |
| Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies | – Directly from the consumer, or an authorized representative
– Consumer data resellers – Credit reporting agencies – Marketing companies – Public records
|
– Provision and administration of products/services
– Legal proceedings – Marketing and research (member satisfaction surveys, market polls, etc.) – Quality assurance and control / risk management functions (e.g. audit, fraud detection and prevention, etc.) – Regulatory compliance – Security (administrative, physical, and technical) of our premises and operations – Operation of our Websites |
– Your authorized representative
– Credit reporting agencies – Regulatory agencies – Service providers, subject to confidentiality
|
| Biometric information, such as fingerprints and voiceprints | N/A (The Credit Union does not collect this information.) |
N/A
|
N/A |
| Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement | – Directly from the consumer, or an authorized representative
– Consumer data resellers – Credit reporting agencies – Marketing companies – Public records
|
– Provision and administration of products/services
– Legal proceedings – Marketing and research (member satisfaction surveys, market polls, etc.) – Quality assurance and control / risk management functions (e.g. audit, fraud detection and prevention, etc.) – Regulatory compliance – Security (administrative, physical, and technical) of our premises and operations – Operation of our Websites |
– Your authorized representative
– Credit reporting agencies – Regulatory agencies – Service providers, subject to confidentiality
|
| Geolocation data | – Directly from the consumer, or an authorized representative- Consumer data resellers
– Credit reporting agencies – Marketing companies – Public records |
– Provision and administration of products/services
– Quality assurance and control / risk management functions (e.g. audit, fraud detection and prevention, etc.) |
– Your authorized representative
– Credit reporting agencies – Regulatory agencies – Service providers, subject to confidentiality |
| Audio, electronic, visual, thermal, olfactory, or similar information | – Directly from the consumer, or an authorized representative
– Consumer data resellers – Marketing companies
|
– Provision and administration of products/services
– Quality assurance and control / risk management functions (e.g. audit, fraud detection and prevention, etc.)
|
– Your authorized representative
– Credit reporting agencies – Regulatory agencies – Service providers, subject to confidentiality |
| Professional or employment-related information | – Directly from the consumer, or an authorized representative
– Consumer data resellers – Credit reporting agencies – Marketing companies – Public records |
– Provision and administration of products/services
– Quality assurance and control / risk management functions (e.g. audit, fraud detection and prevention, etc.) |
– Your authorized representative
– Credit reporting agencies – Regulatory agencies – Service providers, subject to confidentiality |
| Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 C.F.R. Part 99) | – Directly from the consumer, or an authorized representative | – Quality assurance and control / risk management functions (e.g. audit, fraud detection and prevention, etc.)
|
– Your authorized representative
– Credit reporting bureaus – Regulatory agencies – Service providers, subject to confidentiality |
| Inferences drawn from personal information in order to develop an outline of a consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes | – Directly from the consumer, or an authorized representative
– Consumer data resellers – Credit reporting agencies – Marketing companies – Public records
|
– Provision and administration of products/services
– Legal proceedings – Marketing and research (member satisfaction surveys, market polls, etc.) – Quality assurance and control / risk management functions (e.g. audit, fraud detection and prevention, etc.) – Regulatory compliance – Security (administrative, physical, and technical) of our premises and operations – Operation of our Websites |
– Your authorized representative
– Credit reporting bureaus – Regulatory agencies – Service providers, subject to confidentiality
|
B. Categories of Personal Information and Sensitive Personal Information that the Credit Union Sold in the Preceding 12 Months
As previously noted, the Credit Union does not engage in the sale of the personal information and sensitive personal information covered under the CPRA / CCPA. No such information was sold by the Credit Union within the preceding 12 months. For the purposes of this Privacy Policy, the term ‘sale’ is defined as the disclosure of personal information to another business or third party for monetary or other valuable consideration.
C. Categories of Personal Information and Sensitive Personal Information that the Credit Union Shared for Business or Commercial Purposes in the Preceding 12 Months
The table below lists the categories of personal information and sensitive personal information that the Credit Union collected (and shared, for business or commercial purposes) in the preceding 12 months, and provides additional related details. The length of time that the Credit Union retains these categories of personal information and sensitive personal information spans the duration of your account and relationship with the Credit Union, plus any additional retention period mandated by law.
| Categories of Personal Information and Sensitive Personal Information Collected in the Preceding 12 Months | Has the Credit Union Shared this Personal Information or Sensitive Personal Information for a Business or Commercial Purpose? | Categories of Third Parties with whom the Credit Union Shares Personal Information and Sensitive Personal Information |
| Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers | Yes | – Your authorized representative
– Credit reporting agencies (e.g., Experian, Equifax, and TransUnion) – Regulatory agencies (e.g., NCUA, CFPB, and CA DFPI) – Service providers, subject to confidentiality (e.g. firms that provide, among other things, actuarial, audit, data analytics, HR, IT, legal, operational, processing, quality assurance, and web hosting services) |
| Signature, physical characteristics or description, telephone number, state identification card number, insurance policy number, education, bank account number, credit card number, debit card number, any other financial information, medical information, or health insurance information, and other personal information covered under California Civil Code § 1798.80(e) | Yes | – Your authorized representative
– Credit reporting agencies (e.g., Experian, Equifax, and TransUnion) – Regulatory agencies (e.g., NCUA, CFPB, and CA DFPI) – Service providers, subject to confidentiality (e.g. firms that provide, among other things, actuarial, audit, data analytics, HR, insurance, IT, legal, operational, processing, quality assurance, and web hosting services) |
| Characteristics of protected classifications (age, gender, race, etc.) under California or federal law | Yes | – Your authorized representative
– Credit reporting agencies (e.g., Experian, Equifax, and TransUnion) – Regulatory agencies (e.g., NCUA, CFPB, and CA DFPI) – Service providers, subject to confidentiality (e.g. firms that provide, among other things, actuarial, audit, data analytics, HR, insurance, IT, legal, operational, processing, quality assurance, and web hosting services) |
| Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies | Yes | – Your authorized representative
– Credit reporting agencies (e.g., Experian, Equifax, and TransUnion) – Regulatory agencies (e.g., NCUA, CFPB, and CA DFPI) – Service providers, subject to confidentiality (e.g. firms that provide, among other things, actuarial, audit, data analytics, insurance, IT, legal, operational, processing, quality assurance, and web hosting services) |
| Biometric information, such as fingerprints and voiceprints | N/A (The Credit Union does not collect this information.) | N/A |
| Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement | Yes | – Your authorized representative
– Credit reporting agencies (e.g., Experian, Equifax, and TransUnion) – Regulatory agencies (e.g., NCUA, CFPB, and CA DFPI) – Service providers, subject to confidentiality (e.g. firms that provide, among other things, actuarial, audit, data analytics, HR, insurance, IT, legal, operational, processing, quality assurance, and web hosting services) |
| Geolocation data | Yes | – Your authorized representative
– Credit reporting agencies (e.g., Experian, Equifax, and TransUnion) – Regulatory agencies (e.g., NCUA, CFPB, and CA DFPI) – Service providers, subject to confidentiality (e.g. firms that provide, among other things, actuarial, audit, data analytics, IT, legal, operational, processing, quality assurance, and web hosting services) |
| Audio, electronic, visual, thermal, olfactory, or similar information | Yes | – Your authorized representative
– Credit reporting agencies (e.g., Experian, Equifax, and TransUnion) – Regulatory agencies (e.g., NCUA, CFPB, and CA DFPI) – Service providers, subject to confidentiality (e.g. firms that provide, among other things, actuarial, audit, data analytics, HR, insurance, IT, legal, operational, processing, quality assurance, and web hosting services) |
| Professional or employment-related information | Yes | – Your authorized representative
– Credit reporting agencies (e.g., Experian, Equifax, and TransUnion) – Regulatory agencies (e.g., NCUA, CFPB, and CA DFPI) – Service providers, subject to confidentiality (e.g. firms that provide, among other things, actuarial, audit, data analytics, HR, insurance, IT, legal, operational, processing, quality assurance, and web hosting services) |
| Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 C.F.R. Part 99) | Yes | – Your authorized representative
– Service providers, subject to confidentiality (e.g. firms that provide, among other things, insurance and HR services) |
| Inferences drawn from personal information in order to develop an outline of a consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes | Yes | – Your authorized representative
– Credit reporting agencies (e.g., Experian, Equifax, and TransUnion) – Regulatory agencies (e.g., NCUA, CFPB, and CA DFPI) – Service providers, subject to confidentiality (e.g. firms that provide, among other things, actuarial, audit, data analytics, HR, IT, legal, operational, processing, quality assurance, and web hosting services) |
Changes to Our Privacy Policy
In the ordinary course of its business, the Credit Union will review (and update, if needed) this Privacy Policy on at least an annual basis. The current version, which bears the date that the Privacy Policy was last updated, is accessible at https://www.alturacu.com/disclosures. Where updates are made to the Privacy Policy, your continued use of the Websites constitutes your acknowledgment and acceptance of those changes.
Contact Us
Questions about this Online Privacy Policy may be directed to:
Email: ccparequest@alturacu.com
Telephone inquiries: 888-883-7228
(Monday through Friday, 8 am – 6 pm PT)
(Saturday, 9 am – 1 pm PT)
Written inquiries:
Altura Credit Union
P.O. Box 908
Riverside, CA 92502