POPULAR, INC.
PRIVACY RIGHTS NOTICE FOR CALIFORNIA RESIDENTS

REV: 1/1/2024
  • Additional Notice for California Residents

    At Popular, Inc, we are mindful of our responsibilities under the California Consumer Privacy Act (“CCPA”) (Cal. Civ. Code § 1798.100 et seq.) as amended by California Privacy Rights Act (CPRA) regarding your personal information. This additional disclosure applies only to California residents who are subject to the CCPA as it pertains to the categories of personal information we may collect, the sources from which we collect it, and the ways in which we use and disclose it.
    CCPA does not apply to personal information about California residents collected pursuant to Gramm-Leach-Bliley Act (“GLBA”) and its implementing regulation. For more details on why, what, and how we collect your personal information subject to the standards of GLBA, and what we do with it, please refer to our Privacy Policy.

Key Concepts
  • Sensitive Personal Information (SPI) Includes social security number, driver’s license, state identification card, passport number. Account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account. Precise geolocation, racial or ethnic origin, and mail, email, and text messages contents unless the business is the intended recipient of the communication. The processing of biometric information for the purpose of uniquely identifying a consumer.
  • “Service provider” means a person that processes personal information on behalf of a business and that receives from or on behalf of the business consumer’s personal information for a business purpose pursuant to a written contract.
  • “Share,” “shared,” or “sharing” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.
  • “Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.
  • “Third party” means a person who is not any of the following: (1) The business with whom the consumer intentionally interacts and that collects personal information from the consumer as part of the consumer’s current interaction with the business under this title. (2) A service provider to the business. (3) A contractor.
How We Collect, Use, and Share Personal Information
  • 1. Personal Information Collected in the Last Twelve Months

  • We collect information from consumers who are California residents in accordance with our Privacy Policy. In particular, we have collected the following categories of “Personal Information”1, as such term is defined in California Civil Code § 1798.140(v)(1):

  • A. Identifiers: Includes a real name, postal address, email address, unique personal identifier, online identifier, token identifier, account name, social security number, driver’s license number, passport number, other government issued number. All of these would be collected when and to the extent that you provide it to us to create an account with us, purchase our products, interact with us on social media, or sign up to learn more about our products and services.

  • B. Personal Information in Customer Records: Includes any information that identifies, relates to, describes, or is capable of being associated with a particular consumer or household, including, the “identifiers” listed in (A), and the following: signature, physical characteristics or description, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information when and to the extent that you provide it to us when you create an account or purchase any of our products or services.

  • C. Protected Classification Characteristics: Includes the following categories protected under California or federal law: date of birth/age (40 and over), gender, race, color, national origin, citizenship, marital status, physical or mental disability, veteran or military status, religion or creed, medical condition, pregnancy or childbirth and related medical conditions, sexual orientation, genetic information (including familial genetic information), when and to the extent that you provide it to us.

  • D. Commercial Information: Includes records of our products or services that you have purchased, obtained, or considered.

  • E. Internet or other similar Network Activity Information: Includes, but is not limited to, browsing history on our websites, search history, information on a consumer’s interaction with our websites or applications.

  • F. Geolocation Data: Includes information such as physical location or movements.

  • G. Sensory Data: Includes audio information such as recordings of when you called into our customer service line; visual recordings or images such as the ones obtained through Closed-Circuit Television (CCTV) at our local branches or other premises; and electronic information in the form of Internet or other electronic network activity information, as described above.

  • H. Professional or Employment-Related Information: Includes current or past professional or employment-related information, including job history, performance evaluations, position details, or references.

  • I. Non-Public Education Information: Includes education information and qualifications that are not publicly available.

  • J. Inferences drawn from other Personal Information: Includes information such as profiles reflecting a person’s preferences,behavior, attitudes, abilities, and aptitudes.

    K.Sensitive Personal Information in Records: Includes social security number, driver’s license, state identification card, passport number. Account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account. Precise geolocation, racial or ethnic origin, and mail, email, and text messages contents unless the business is the intended recipient of the communication.

    Listed in Exhibit A are the Employees categories of Personal Data that we collect and the purposes for which we use the data that we collect.

For each of these categories, we obtain your Personal Information from a variety of sources, including from:

  •  Our customers and consumers, with respect to both online and offline interactions you may have with us or our service providers and other entities with whom you transact;
  •  others with whom you maintain relationships who may deal with us on your behalf;
  •  the devices you use to access our websites, mobile applications, and online services;
  •  credit bureaus;
  •  identity verification and fraud prevention services;
  •  marketing and analytics providers;
  •  public databases;
  •  social media platforms; and
  •  other sources consistent with this Privacy Policy.

Please note that Personal Information does not include:

  • publicly available information from government records,
  • de-identified or aggregated consumer information, and
  • Personal Information covered by certain sector-specific, federal or state privacy laws.
  • 2. Our Use of Personal Information for Business Purposes in the Last Twelve Months
  • We use the Personal Information we collect, as identified in the categories listed in Section 1 above, for the business purposes listed below:

  • A. Financial, Legal and Compliance Management: Audits, accounting, and supporting our everyday operations, including to meet risk, legal, and compliance requirements;

  • B. Fraud Prevention: Reporting relating to particular transactions and interactions, including online interactions, you may have with us or others on our behalf;

  • C. Security: Detecting and protecting against security incidents, and malicious, deceptive, fraudulent or illegal activity, and prosecuting the same;

  • D. IT Operations: Debugging to identify and repair errors in our systems;

  • E. Customer Services: Providing services on your or our behalf, or on behalf of another, including maintaining or servicing accounts, providing customer service, fulfilling transactions, verifying identity information, processing payments, and other services;

  • F. Research: Conducting internal research to develop and improve technology;

  • G. Improving Products and Services: Conducting activity to verify, enhance, and maintain the quality or safety of services or devices which we may own, control, or provide;

  • H. Operation of our Sites: Preparing statistics and performing analysis to support our operations;

  • I. Marketing/Prospecting: Short-term, transient use, including contextual customization of ads; conducting marketing and surveys regarding our products and services; and

  • J. Legal Proceedings: Receiving and responding to law enforcement requests and as required by applicable law, court order, or governmental regulations.

We may also use the Personal Information we collect for:

  • other operational processes,
  • purposes for which we provide you additional notice, or
  • purposes compatible with the context in which the Personal Information was collected.
  • 3. Sharing of Personal Information in the Last Twelve Months

  • A. Disclosures of Personal Information on California Consumers for Business Purposes

  • Within the last twelve months, we have disclosed Personal Information identified in Section 1 above only at your express request, for exempt activities such as transactions subject to GLBA and our business-to-business activities, or for the business purposes described above.
    For more information on the service providers with whom we share information, please see Reasons we can share your personal information.
    Whenever we disclose Personal Information for a business purpose, we execute a contract that describes such purpose and requires the recipient to keep the Personal Information confidential and prohibit its use for any purpose other than to perform the obligations under the contract.

    B. No Sale of Personal Information

  • We do not engage in the sale of the Personal Information within the meaning of the CCPA. As noted elsewhere in this disclosure, we share personal information with other businesses for a variety of reasons. While we often benefit from such exchanges, we do not share personal information for the sole purpose of receiving compensation for that information. We do not share personal information for the purpose of cross-context behavioral advertising as defined by the regulation.

  • 4. How Long We Keep Your Personal Information

  • We will retain your Personal Data for as long as it is needed or permitted in light of the purposes in Section II. The criteria used to determine our retention periods include: (i) the length of time we have an ongoing relationship with you; (ii) whether there is a legal or regulatory obligation to which we are subject to; and (iii) whether retention is advisable in light of our legal or regulatory obligation (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).

  • Privacy Rights and Choices for California Residents

    If you are a California resident, you may have certain rights related to your Personal Information under the CCPA. You may exercise these rights free of charge except as otherwise provided by applicable law. We will endeavor to respond to your request promptly upon verification and as required by applicable law.
    As required under applicable law, we take steps to verify your identity before granting you access to information or acting on your request to exercise your rights. We may require you to provide information sufficient to allow us to reasonably verify you are the person about whom we collected Personal Information, or an authorized agent, and to describe your request with sufficient detail to allow us to properly understand, evaluate, and respond to it. For example, we may request that you provide contact details to be verified with the email address recorded in our files (and subsequently verified by you). We may limit our response to your exercise of the above rights as permitted under applicable law.

    1. Right to Know / Portability

    You have the right to request that we disclose to you, in connection with our activities, specific pieces of Personal Information we have collected about you:

    • Categories of Personal Information we have collected about you;
    • Categories of sources from which the Personal Information was collected;
    • Our business or commercial purpose for collecting Personal Information;
    • Categories of third parties with whom we have shared Personal Information; and
    • Categories of Personal Information that we have disclosed for a business purpose, if any.

    You also have the right to obtain copies of your Personal Information in a readily usable format and have it transported to other businesses or organizations, to the extent it is technically feasible for the business to provide the PI in a structured, commonly used, and machine-readable format.

    2. Right to Limit the use of Sensitive Personal Information

    You have the right to restrict the use of the sensitive personal information we collect about you, to that use which is necessary to perform the services or provide the goods reasonably expected for the good or service requested, particularly around third-party sharing.

    3. Right to Rectification / Correction

    You have the right to request to have your personal information and sensitive personal information corrected if inaccurate, taking into account the nature of the personal information and the purposes of the processing of the personal information.

    4. Right to Deletion

    You have the right to request that we delete (and direct our service providers to delete) Personal Information we have collected about you and retained, subject to certain exceptions. We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

    • complete the transaction for which we collected the Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you;
    • detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;
    • debug products to identify and repair errors that impair existing intended functionality;
    • exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law;
    • comply with the California Electronic Communications Privacy Act;
    • engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent;
    • enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us;
    • comply with a legal obligation; or
    • make other internal and lawful uses of that information that are compatible with the context in which you provided it.

    5. Right to Opt-Out

    You have the right to direct us to not sell your Personal Information. Please note that Popular does not offer a right to opt-out because we do not engage in the sale of Personal Information as contemplated by the CCPA.

    6. Right to opt-out of automated decision making / Right to know about automated decision making

    You have the right to request access to and knowledge about how automated decision technologies work and what their probable outcomes are.
    You also have the right to say no to your Personal Information being used to make automated inferences (i.e profiling for targeted behavioral advertisement online).

    7. Right to Non-Discrimination for Exercising a California Privacy Right

    We will not discriminate against you because of your exercise of any of the above rights, or any other rights under the CCPA. This means that we may not deny you goods or services, charge you different prices or rates for services or provide you with a different level or quality of services (or suggest that we will do so), in response to a request made under the CCPA.
    We may, however, charge different prices or rates, or provide a different level or quality of goods or services, if that difference is reasonably related to the value provided to us by your Personal Information.

    8. How to Submit a Request

    To exercise one or more of the above rights, you, or someone you authorize, may submit a request by:

    • Calling us toll-free at 1-877-756-7010 for Banco Popular in Puerto Rico and Virgin Islands and 1-855-756-7020 for Popular Bank

    • Emailing us at DataPrivacy@popular.com

    If contacting via email, you must put the statement “Your California Privacy Rights” in the body of your request, as well as your name, address and email address, phone number and alternate phone number. Please note that we will not accept and are not responsible for requests that are not labeled or sent properly, or that do not have complete information.

    9. Agent Authorization

    You may designate an authorized agent to make a request on your behalf. You may make such a designation by providing the agent with written permission to act on your behalf. As permitted by law, we may require additional information to prove your agent’s relationship to you. We may refuse a request if the agent does not provide adequate proof of their authorization. You may also make a verifiable consumer request on behalf of your minor child, but you must also provide proof that you are that child’s parent or legal guardian.

  • Other California Privacy Rights

    10. California “Shine the Light” Law (Civil Code Section § 1798.83)

    Under the Shine the Light Law, a California resident may ask us to refrain from sharing your Personal Information with third parties for their direct marketing purposes. We do not share Personal Information of California Consumers with third parties for their marketing purposes.

Contact Information Regarding this California Notice

Under the Shine the Light Law, a California resident may ask us to refrain from sharing your Personal Information with third parties for their direct marketing purposes. We do not share Personal Information of California Consumers with third parties for their marketing purposes.

Contact Information Regarding this California Notice

You may contact us with questions or concerns about our privacy policies or practices and your choices and rights under California law by:

  • Calling us at the toll-free line 1-877-756-7010 for Banco Popular in Puerto Rico and the Virgin Islands and at 1-855-756-7020 for Popular Bank

  • Emailing us at DataPrivacy@popular.com

You must put the statement “Your California Privacy Rights” in the body of your request, as well as your name, address and email address, phone number and alternate phone number. Please note that we will not accept status inquiries via email or by facsimile, and we are not responsible for notices that are not labeled or sent properly, or that do not have complete information.

Exhibit A – Employees

The information below describes how Popular collects and processes personal data relating to its job applicants and employees to
manage the employment relationship.

1. Categories of personal information we collect

A. Identifiers: Includes a real name, postal address, email address, telephone, unique personal identifier, online identifier, token identifier, account name, social security number, driver’s license number, passport number, other government issued number.
B. Personal Information in Records: Includes any information that identifies, relates to, describes, or is capable of being associated with a particular consumer or household, including, the “identifiers” listed in (A), and the following: signature, physical characteristics or description, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
C. Protected Classification Characteristics: Includes the following categories protected under California or federal law: date of birth/age (40 and over), gender, race, color, national origin, citizenship, marital status, physical or mental disability, veteran or military status, religion or creed, medical condition, pregnancy or childbirth and related medical conditions, sexual orientation, genetic information (including familial genetic information), when and to the extent that you provide it to us.
D. Internet or Other Electronic Network Activity Information: Includes all activity on the Company’s information systems, such as IP address, internet browsing history, search history, intranet activity, email communications, social media postings, stored documents and emails, usernames, and passwords. Also, all activity on communications systems including phone calls, call logs, voice mails, text messages, chat logs, app use, mobile browsing and search history, mobile email communications, and other information regarding an employee’s use of Company-issued devices and certain Company information that is accessed or stored on employees’ personal devices that are used for Company business.
E. Geolocation Data: Includes information such as physical location or movements.
F. Sensory Data: Includes audio information such as recordings of when you called into our customer service line; visual recordings or images such as the ones obtained through Closed-Circuit Television (CCTV) at our local branches or other premises; and electronic information in the form of Internet or other electronic network activity information, as described above.
G. Professional or Employment-Related Information: Includes current or past professional or employment-related information, including job history, performance evaluations, position details, payroll and benefits related data, or references.
H. Non-Public Education Information: Includes education information and qualifications that are not publicly available.
I. Sensitive Personal Information in Records: Includes social security number, driver’s license, state identification card, passport number. Account log-in, financial account number, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account. Precise geolocation, racial or ethnic origin, mail, email, and text messages unless the business is the intended recipient of the communication.

2. Our Use of Personal Information for Business Purposes

As a job applicant, a former employee, or an active employee, when you share your information with us, we use this information for a variety of purposes, including, but not limited to:
A. Financial, Legal and Compliance Management: Audits, accounting, and supporting our everyday operations, including meeting risk, legal, and compliance requirements.
B. Hiring Process: Collect and process employment applications, including confirming eligibility for employment, background and related checks including but not limited to: Drug Tests, Credit Score Verification, OFAC verification, HR Suspect Search, etc.), and onboarding.
C. Administer Benefits: such as medical, dental, optical, commuter, and retirement benefits, including recording and processing eligibility of dependents, absence and leave monitoring, insurance and accident management and provision of online total reward information and statements.
D. Payment and Reimbursement: including salary administration, payroll management, payment of expenses, to administer other compensation related payments, including assigning amounts of bonus payments.
E. Performance Reviews: Performance appraisals, career planning, skills monitoring, job moves, promotions and staff re-structuring.
F. Human Resources Management Services: including providing employee data maintenance and support services, administration of separation of employment, approvals and authorization procedures, administration and handling of employee claims, and travel administration.
G. Employment Related Information: Communicating with employees and/or employees’ emergency contacts and plan beneficiaries. Maintaining personal records and complying with record retention requirements.
H. To Conduct Healthcare-Related Services: including conducting pre-employment and employment-related medical screenings for return-to-work processes and medical case management needs; determining medical suitability for particular tasks; identifying health needs of employees to plan and provide appropriate services, including operation of sickness policies and procedures.
I. Compliance with Applicable Law or Regulatory Requirements: such as legal (state and federal) and internal company reporting obligations, including headcount, management information, demographic and Health, Safety, Security and Environmental reporting.
We may also use the Personal Information we collect for:

  • other operational processes,
  • purposes for which we provide you additional notice, or
  • purposes compatible with the context in which the Personal Information was collected.

3. Sharing of Personal Information in the Last Twelve Months

A. Disclosures of Personal Information on California Consumers for Business Purposes
We have disclosed Personal Information identified in Section 1 above only at your express request, for exempt activities such as transactions subject to GLBA and our business-to-business activities, or for the business purposes described above.
For more information on the service providers with whom we share information, please see Reasons we can share your
personal information.

Whenever we disclose Personal Information for a business purpose, we execute a contract that describes such purpose and requires the recipient to keep the Personal Information confidential and prohibit its use for any purpose other than to perform the obligations under the contract.
B. No Sale of Personal Information
We do not engage in the sale of the Personal Information within the meaning of the CCPA. As noted elsewhere in this disclosure, we share personal information with other businesses for a variety of reasons. While we often benefit from such exchanges, we do not share personal information for the sole purpose of receiving compensation for that information. We do not share personal information for the purpose of cross-context behavioral advertising as defined by the regulation.

Privacy Rights and Choices for California Residents

  • Right to access
    You have the right to request your employer to provide all Personal Information data, including its categories, sources, collection purposes, retention periods, and third-party disclosures when requested.
  • Right to delete
    You have the right to request your employer to delete your Personal Information data.
  • Right to correct
    You have the right to rectify inaccurate or obsolete Personal Information data.
  • Right to opt-out of the sharing of PI
    You have the right to opt out of the sharing of your Personal Information with third parties.
  • Right to limit the disclosure of sensitive PI
    You have the right to request your employer to limit the use and disclosure of your Sensitive Personal Information for specific secondary purposes, including disclosure to third parties.
  • Right to non-discrimination
    We will not discriminate against you because of your exercise of any of the above rights, or any other rights under the CCPA.

Additional Privacy Rights and Choices for California Residents

If you are a California resident, you have the rights listed in section V above, and the following additional rights:

  • Right to limit the use of sensitive personal information
    You have the right to restrict the use of the sensitive personal information we collect about you, to that use which is necessary to perform the services or provide the goods reasonably expected for the good or service requested, particularly around third-party sharing.
  • Right to opt-out
    You have the right to direct us to not sell your Personal Information. However, please note that Popular does not engage in
    the sale of Personal Information as contemplated by the CCPA.
  • Right of no retaliation following opt-out or exercise of other rights
    We will not discriminate against you because of your exercise of any of the above rights, or any other rights under the CCPA. This means that we may not deny you goods or services, charge you different prices or rates for services or provide you with a different level or quality of services (or suggest that we do so), in response to a request made under the CCPA.
    We may, however, charge different prices or rates, or provide a different level or quality of goods or services, if that difference
    is reasonably related to the value provided to us by your Personal Information.

To exercise one or more of the above rights, you or someone you authorize may submit a request by following the instructions described in section VI or by calling us toll-free at 1-877-756-7010 for Banco Popular in Puerto Rico and Virgin Islands and 1-855- 756-7020 for Popular Bank.

 

How to Submit a Request

To exercise one or more of the above rights, you or someone you authorize, may submit a request by:
• Calling us toll-free at 1-877-756-7010 for Banco Popular in Puerto Rico and Virgin Islands and 1-855-756-7020 for Popular Bank
• Emailing us at DataPrivacy@popular.com

 

1 Please note that the categories of Personal Information we collect about consumers will vary based on our relationship or interaction with those individuals.