Last updated: JUNE 2023
This disclosure is addressed to California residents only, and concerns the practices of the JPMorgan Chase & Co. family of companies (“we,” “us,” “our,” or “JPMorgan Chase”) that relate to personal information of California residents. It explains what personal information we collect, where we collect it from, what we use it for, who we disclose it to, how long we keep it, the rights California residents may have, and how to exercise them.
Please note that the CCPA, and this disclosure, do not apply to information covered by other federal and state privacy laws, including the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act and certain other laws. If you have questions after reviewing this policy, please visit our Frequently Asked Questions. If you have questions or concerns not addressed here, please contact us at (800) 573-7138.
Printer Friendly version (PDF)
Categories of Personal Information
In the past 12 months we have collected personal information (meaning information that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with you or a household) in the following categories:
- Personal identifiers, including those listed in other California statutes: Real name; alias; Social Security number; passport number; other government issued number; Green Card number; driving license number; telephone number; email address; postal address; account name; online identifier; device identifier; IP address
- Characteristics of protected classifications: date of birth/age; gender; military or veteran status; marital status; nationality; citizenship; request for family care leave; request for leave for employee’s own serious health condition; request for pregnancy leave
- Biometric information: imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint or a voiceprint, can be extracted, keystroke patterns or rhythms, and gait patterns or rhythms
- Professional or Employment: title; salary; employment files; references
- Education information: details of your education and qualifications
- Financial details: bank account numbers; debit/credit card numbers; cardholder or accountholder name and details; transaction details
- Commercial Information: records of personal property; products and service purchased, obtained or considered; purchasing or consuming histories or tendencies
- Internet or other electronic network activity information: browsing history, search history, information regarding your interaction with a website, application or advertisement
- Geolocation data: any information used to identify your physical location
- Communications, recordings, images: audio, electronic, visual
- Inferences: Any derivation of information, data, assumptions, or conclusions drawn from certain of the above categories used to create a profile reflecting the individual’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes
- Sensitive Personal Information: includes certain government identifiers (such as SSN, driver’s license, passport number); an account log-in, financial account, debit or credit card number with any required security code, password, or credentials allowing access to an account; precise geolocation (which means within 1,850 feet of a particular person); contents of mail, email, and text messages; genetic data; biometric information processed to identify an individual; information concerning an individual’s health, sex life; sexual orientation; or information about racial or ethnic origin, religious or philosophical beliefs, or union membership.
Categories of Sources of Personal Information
In the past 12 months we have collected personal information about California residents from the following categories of sources:
- Directly from you, when you provide it to us digitally or physically (e.g., where you contact us via email or telephone, or by any other means)
- As well as from:
- our affiliates
- your employer, when your employer is a client of ours
- public sources, when you manifestly choose to make it public, including via social media (e.g., we may collect information from your social media profile(s), to the extent that you choose to make your profile publicly visible)
- service providers and third parties who provide it to us (e.g., our customers; credit reference agencies; and law enforcement authorities)
- your visits to any of our apps or websites or your use of any features or resources available on or through an app or website. When you use an app or visit a website, your device and browser may automatically disclose certain information (such as device type, operating system, browser type, browser settings, IP address, language settings, dates and times of connecting and other technical communications information), which may constitute Personal Information. We may share some of this information with third parties for cross contextual behavioral advertising purposes and describe further down in this disclosure how you can opt-out of this sharing by implementing the Global Privacy Control browser setting.
Business and Commercial Purposes for the Collection, Disclosure, and Use of Personal Information
We collect and use Personal Information from or about California residents for the following business and/or commercial purposes:
- Marketing/Prospecting: communicating with you via any means (including via email, telephone, text message, social media, post or in person) subject to ensuring that such communications are provided to you in compliance with applicable law; and maintaining and updating your contact information where appropriate
- Operation of our websites: operation and management of our websites; providing content to you; displaying advertising and other information to you; and communicating and interacting with you via our websites
- IT operations: management of our communications systems; operation of IT security; and IT security audits
- Health and safety: health and safety assessments and record keeping; and compliance with related legal obligations
- Financial management: sales; finance; corporate audit; and vendor management
- Research: conducting market or customer satisfaction research; and engaging with you for the purposes of obtaining your views on our products and services
- Security: physical security of our premises (including records of visits to our premises and CCTV recordings); and electronic security (including login records and access details, where you access our electronic systems)
- Investigations: detecting, investigating and preventing breaches of policy, and criminal offences, in accordance with applicable law
- Legal compliance: compliance with our legal and regulatory obligations under applicable law
- Legal proceedings: establishing, exercising and defending legal rights
- Improving our products and services: identifying issues with existing products and services; planning improvements to existing products and services; and creating new products and services
- Risk Management: Audit, compliance, controls and other risk management
- Fraud prevention: Detecting, preventing and investigating fraud
- Providing our products and services in ways not already described in the categories above
Disclosure of Personal Information
In the past 12 months we have disclosed the categories of California residents’ personal information to some or all of the following categories of recipients:
- You and, where appropriate, your family, your associates and your representatives
- Our affiliates
- Anti-fraud services providers
- Accountants, auditors, financial advisors, lawyers and other outside professional advisors to JPMorgan Chase, subject to confidentiality
- Data aggregation services
- Accreditation bodies
- Service providers (examples include payment services providers; marketing partners, shipping companies)
- Credit reporting agencies
- Governmental, legal, regulatory, or other similar authorities and/or local government agencies, upon request or where required
- Other third parties to comply with legal requirements such as the demands of applicable subpoenas and court orders; to verify or enforce our terms of use, our other rights, or other applicable policies; to address fraud, security or technical issues; to respond to an emergency; or otherwise to protect the rights, property or security of our customers or third parties
- Any relevant third party acquirer(s), in the event that we sell or transfer all or any relevant portion of our business or assets (including in the event of a reorganization, dissolution or liquidation)
- Other parties, if you specifically direct or expressly consent to us disclosing your personal information to them
Retention of Personal Information
We take reasonable steps designed to ensure that your personal information is only processed for the minimum period necessary for the purposes set out in this disclosure. The criteria for determining the duration for which we will retain your personal information are as follows:
- We will retain copies of your personal information in a form that permits identification only for as long as:
- We maintain an ongoing relationship with you (e.g., while you are still receiving services from us); or
- Your personal information is necessary in connection with purposes set out in this disclosure plus:
- The duration of any applicable limitation period under applicable law; and where required by applicable law or a retention policy established in accordance with applicable law
In addition, if any relevant legal claims are anticipated/brought, we may continue to retain your personal information for such additional periods as are necessary in connection with that claim.
Once the periods above have concluded, each to the extent applicable or permitted by applicable law, we will 1) permanently delete or destroy the relevant personal information, or 2) archive your personal information so that it is beyond use; or 3) anonymize the relevant personal information.
Rights for California Residents
As a California resident, you may have one or more of the following rights under the CCPA:
- the right to know:
- the categories of personal information we have collected;
- the categories of sources used to collect the personal information;
- the business or commercial purposes for collecting your personal information;
- the categories of recipients with whom we share your personal information, including for cross-contextual behavioral advertising purposes; and
- the specific pieces of personal information we have collected about you
- the right to request, on legitimate grounds, deletion of your personal information that we collected;
- the right to opt out of our sharing your personal information for the purpose of cross contextual behavioral advertising
- the right, in certain circumstances, to correct inaccurate personal information we collected about you; and
- the right not to be discriminated against for exercising any of these rights.
We also must provide in this online disclosure certain details about our collection and handling of categories of personal information.
How to Exercise Your Rights Under the CCPA
To exercise one or more of your rights, you or someone you authorize to make a request on your behalf may call us at (800) 573-7138 or click on the following link CCPA Request and follow the instructions provided. Additional detail is available in our Frequently Asked Questions, including relating to:
- How to submit a rights request
- How to authorize someone else to submit a rights request on your behalf
- What to expect after submitting a request
Sharing Personal Information
We may sometimes share personal information (specifically, personal identifiers and internet or other electronic network activity information) with our marketing partners for cross-contextual behavioral advertising purposes. California residents may have a right to opt out of this sharing. To facilitate this right, we recognize Global Privacy Control (GPC) opt-out preference signals. GPC is a setting available in some browsers that notifies our websites of a California resident’s decision to opt out of the sharing of their personal information for cross-contextual behavioral advertising purposes. You can learn how to enable GPC on your browser here.
Other means of communicating your behavioral advertising preferences include opting out through the cross-industry Self-Regulatory Program for Online Behavioral Advertising managed by the Digital Advertising Alliance (DAA). Please click here and follow the instructions. You can also click on the Advertising Options Icon featured on certain JPMorgan Chase ads on third-party websites. Finally, you may be able to opt out using the privacy settings available through your device operating system (e.g., turning on "Opt out of Ads Personalization" in Android, or switching off “Allow Apps to Request to Track" in iOS).
Please bear in mind that opt outs may be specific to a browser or device. Therefore, you may need to opt out from each browser on each of the devices that you use. Note that even if you opt out, you may still receive advertisements from us, they just won’t be customized relying on the personal information you have opted out of being shared.
Sale of Personal Information
We do not offer an opt-out from the sale of personal information because we do not sell personal information as defined by the CCPA (and have not done so in the last 12 months).
Individuals Under 16 Years of Age
We do not knowingly collect or share personal information from children under 16 without parental consent.
Use and Disclosure of Sensitive Personal Information
We do not offer a right to limit our use and disclosure of Sensitive Personal Information because we do not use or disclose Sensitive Personal Information in such a manner as to require provision of the right (specifically, for purposes of inferring characteristics about an individual).
Annual CCPA Request Metrics
Our annual CCPA request metrics can be found at this link (PDF).
Changes to this Disclosure
We may change this disclosure from time to time. When we do, we will communicate the changes by appropriate means, such as by posting the revised disclosure on our CCPA web site with a new “Last Updated” date. Any changes to this disclosure will become effective when posted unless indicated otherwise.