Effective Date: January 1, 2024
- Introduction
- Collection, Sources, and Use of Personal Information and Sensitive Personal Information
- Data Retention
- Disclosure of Business Purposes
- Sale and Sharing of Personal Information
- Automated Decision Making
- Other Legal Disclosures
- Our Policy Towards Children
- Your Rights and Choices
A. Right to Know
B. Right to Correct
C. Right to Delete
D. Right to Opt-Out of Selling and Sharing
E. Right to Access Information About and Opt-Out of Automated Decision Making Technology
F. Right to Limit the Use of Your Sensitive Personal Information
G. Right to Non-Discrimination
H. How to Exercise your California Privacy Rights - Changes to Our Privacy Notice
- Contact Information
1. Introduction
The California Consumer Privacy Act of 2018 (“CCPA”) was amended by the California Privacy Rights Act of 2020 (“CPRA”) to provide additional privacy rights and will be collectively referred to in this notice as “CCPA”. This notice provides information that applies solely to California residents covered by the CCPA. Bank of Hope (the “Bank,” “we,” or “us”) adopts this notice to comply with the CCPA, as amended.
Bank of Hope is a financial institution subject to the Gramm-Leach-Bliley Act (“GLBA”) and its implementing regulations, and the California Financial Information Privacy Act and accordingly, part of the information we collect, use, and share from California consumers is exempted from the CCPA (for example, non-public personal information).
For information on how non-public personal information is used and disclosed under GLBA, please see our GLBA Privacy Notice. We also have a separate privacy policy for our employees or prospective employees.
2. Collection, Sources, and Use of Personal Information
For several activities that we undertake to achieve our mission, we need to process Personal Information (“PI”). PI about our customers, employees, and business contacts under the CCPA is defined to include information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Some examples of personal information include:
- Real name
- Postal address
- Unique personal identifier
- Online identifier IP address
- Email address
- Account name
- Social Security number
- Driver’s license number
- Passport number
PI is collected for a variety of purposes, such as to provide personal and commercial financial products and services. We will not use or disclose PI for purposes other than those authorized by the CCPA and its regulations. We will minimize the use and storage of your PI and will not collect or use additional categories of PI for additional purposes that are incompatible with the purposes disclosed in this notice without providing you prior notice.
Personal information does not include:
- Publicly available information from federal, state, or local government records.
- Deidentified or aggregated consumer information.
- Information excluded from the CCPA’s scope, such as personal information covered by certain sector-specific laws, including the Fair Credit Reporting Act (“FCRA”), the Gramm-Leach-Bliley Act (“GLBA”) or California Financial Information Privacy Act (“CFIPA”), and the Driver’s Privacy Protection Act of 1994 among other exemptions.
A sub-category of PI known as Sensitive Personal Information (“SPI”) is also collected. Some examples of SPI include but is not limited to:
- Government-issued identifiers, such as social security, driver’s license, state identification card number;
- Financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
- Precise geolocation;
- Country of citizenship or immigration status;
- Racial or ethnic origin, veteran status, disability status, religious or philosophical beliefs, or union membership;
- The contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication;
- Processing of biometric information for the purpose of uniquely identifying a consumer;
- Genetic data;
- PI collected and analyzed concerning a consumer’s sexual orientation.
As defined by the CCPA, SPI shall be treated as PI except where it is collected or processed for “the purpose of inferring characteristics about a consumer.” Bank of Hope does not collect or process SPI for the purposes of inferring characteristics about you.
In the table below, we provide the list of categories of PI that Bank of Hope has collected within the last twelve (12) months and some examples in each category. We also have identified the main sources and purposes for collection:
Categories of PI | Examples | Collected | Sources of PI | Purposes for PI collection |
---|---|---|---|---|
A. Personal Identifiers | This may include but is not limited to: a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, username, Social Security Number, or other similar identifiers. | Yes | Consumer directly (e.g., forms you complete or services you obtain from us) Consumer indirectly (e.g., from activity on our websites or applications) |
Performing customer services, processing, and managing interactions and transactions Security and debugging Analytics Advertising and marketing activities of Bank of Hope Quality assurance |
B. Personal Records |
This may include but is not limited to: a name, telephone number, address, signature, passport number, insurance policy number, bank account number, credit card number, debit card number, or any other financial information. |
Yes | Consumer directly | Performing customer services, processing, and managing interactions and transactions Security and debugging Sending and receiving documents Advertising and marketing activities of Bank of Hope Quality assurance |
C. Protected classification characteristics under California or federal law | This type of PI may include but is not limited to: sex, marital status, familial status, race, and gender identity, age, disability. | Yes | Consumer directly (this PI may potentially be captured depending on the information you exchange via email with Bank of Hope) |
Performing customer services, processing, and managing interactions and transactions |
D. Commercial information | This may include but is not limited to: records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | Yes | Consumer directly or indirectly | Performing customer services, processing, and managing interactions and transactions Advertising and marketing activities of Bank of Hope |
E. Biometric information | This may include but is not limited to: physiological, or biological characteristics used as a form of identification and access control, such as, fingerprints, faceprints, and voiceprints. | No | N/A | N/A |
F. Internet or another similar network activity | This may include but is not limited to: search history, information on a consumer's interaction with a website, application, or advertisement. | Yes | Consumer directly or indirectly | Analytics Advertising and marketing activities of Bank of Hope |
G. Geolocation data | This may include but is not limited to: location based on IP address | Yes | Consumer indirectly | Analytics Advertising and marketing activities of Bank of Hope |
H. Sensory data |
This may include but is not limited to: audio (voicemails), electronic, visual, or similar information. |
Yes |
Call Center, CCTV security cameras, Consumer directly |
Performing customer services, processing and managing interactions and transactions Compliance with regulatory requirements Quality assurance Analytics Physical Security |
I. Professional or employment related information |
This may include but is not limited to: professional education, or employment related information. |
Yes | Consumer directly | Manage pay, employment, and compensation activities Provide benefits to employees and dependents |
J. Non-public Education Records | This may include but is not limited to: education records directly related to a student maintained by an educational institution, such as grades, transcripts, class lists, or student disciplinary records. | No | N/A | N/A |
K. Inferences drawn from other personal information | This may include but is not limited to: profile reflecting a person's preferences, characteristics, predispositions, behavior, or attitudes | Yes | Consumer directly Consumer indirectly |
Advertising and marketing activities of Bank of Hope |
For additional information on the purposes listed in this chart, you can find some examples in the list below:
- Performing customer service, processing, and managing interactions: To fulfill services you requested. For example, to respond to your inquiries or process your requests and transactions, for documenting and archiving safe deposit box or to manage the ticketing system for the call center.
- Security and debugging: To create, maintain, customize, and secure your account with us. To help maintain the safety, security, and integrity of our website, products and services, databases and other technology assets, and business.
- Quality assurance: To guarantee the quality of our services, websites, and products, including to investigate and address your concerns and monitor and improve our responses.
- Compliance with regulatory requirements: To prevent transactional fraud, respond to law enforcement requests and as required by applicable law, court order, or governmental regulations. According to applicable law, we may use your information to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Bank of Hope’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us about our customers is among the assets transferred.
- Advertising and marketing activities of Bank of Hope: For example, providing content and product offerings relevant to your interests via our website sweepstakes, email marketing, text messages (with your consent, where required by law) or other mechanisms.
- Analytics: For research and analysis of your interactions with our call center, website, applications, and online platforms to improve our products and services, and for product development. For example, we use Google Analytics on our website to count the visitors of our website, identify the pages most visited and improve our services and offerings; however, we have implemented mechanisms to limit the type of information Google accesses when providing this service and, also how it is used.
- CCTV Security: Monitoring Bank of Hope’s offices and locations for security purposes.
- As described to you when collecting your personal information or as otherwise set forth in the CCPA.
Subject to the restrictions and obligations of the CCPA, our service providers may also use your PI for some or all the above-listed business purposes.
3. Data Retention
We will retain your information only for as long as necessary for the purposes for which the information was collected (e.g., for as long as your account is active or as needed to provide services to you) and to the extent required to comply with applicable laws, statutes, regulations of state and federal governments, regulatory bodies, or for legal or other obligations.
4. Disclosure of Business Purposes
At times, Bank of Hope engages service providers and contractors for the same business purposes for which we collect such PI as described in the previous section. To that end, a written contract is signed with each service provider and contractor that requires the recipient to keep PI confidential and not use it for any purpose except as stated in the contract and to assist the Bank in complying with CCPA consumer requests.
In the description below, we provide categories of PI that Bank of Hope has disclosed to our service providers and contractors.
Note that the categories of service providers listed in the chart below do not represent an exhaustive list but provide a better understanding of vendors we usually engage.
Categories of Personal Information Collected | Is PI shared for business purposes? | Categories of service providers with whom PI has been shared for business purposes |
---|---|---|
A. Personal Identifiers | Yes | Service Providers and contractors such as Internet Service Providers (“ISP”), security audit, and quality assurance services, software and IT providers, sales/marketing, analytics, and advertising providers |
B. Personal Records | Yes | Service Providers and contractors such as ISP, security audit, and quality assurance services, software and IT providers, sales/marketing, and advertising providers |
C. Protected classification characteristics under California or federal law. | Yes | Information security providers |
D. Commercial information | Yes | Service Providers and Vendors such as ISP, security audit, software and IT providers, sales/marketing and advertising providers |
E. Biometric information | No | N/A |
F. Internet or another similar network activity | Yes | Service Providers and contractors such as ISP, security audit, software and IT providers, analytics, sales/marketing, and advertising providers |
G. Geolocation data | Yes | Service Providers and contractors such as ISP, security audit, software and IT providers, analytics, sales/marketing, and advertising providers |
H. Sensory data | Yes | Service Providers and contractors such as ISP, security audit, software and IT providers, and quality assurance services |
I. Professional or employment related information. | Yes | Service Providers and contractors, such as for advertising or marketing purposes, ISP, software, and IT providers |
J. Non-public Education Records | No | N/A |
K. Inferences drawn from other personal information. | Yes | Service Providers and contractors such as ISP, software and IT providers, analytics, sales/marketing, and advertising providers |
5. Sale and Sharing of Personal Information
The Bank does not sell or share your Personal Information with third parties as defined by the CCPA.
For the purposes of this notice and as defined by CCPA, “sale” means “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration." The CPRA defines “sharing” as “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by a business to a third party for the purpose of cross-contextual behavioral advertising, whether or not for monetary or other valuable consideration."
6. Automated Decision Making
The Bank does not utilize automated decision-making technology as defined by the CCPA.
7. Other Legal Disclosures
In certain circumstances, Bank of Hope may use or disclose your PI when authorized or required by law, to public authorities, courts, or law enforcement, concerning conduct or activity that we reasonably and in good faith believe may violate federal, state, or local law or when required to protect our legal rights, such as to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability. See some examples below:
- Sometimes, we refer clients to our wealth management partners; however, this only happens upon customers’ request with their prior opt-in authorization. In these cases, a contractual relationship is often established between the customer and the wealth management partner.
- We may also share your personal information as part of a merger, acquisition, bankruptcy, or other transaction in which a third party takes control of all or some parts of our business. Any changes to this notice after the takeover will be communicated to you by that third party.
8. Our Policy Towards Children
Bank of Hope does not knowingly collect PI directly from minors and does not sell or share PI from minors under 16 years of age. Any information we may collect from minors is with the consent of a parent or guardian. If you are under 16 years old, do not use or provide any information on our website or on or through our services. If we learn that we have collected PI directly from a minor under the age of 16 years old, we will delete it. For additional information on your California privacy rights, please follow the instructions in Section 9.
9. Your Rights and Choices
The CCPA provides California residents with specific rights regarding their personal information. This section describes those rights and explains how to exercise those rights.
- Right to Know
- Right to Correct
- Right to Delete
- Right to Opt-Out of Selling and Sharing
- Right to Access Information About and Opt-Out of Automated Decision-Making Technology
- Right to Limit the Use of Sensitive Personal Information
- Right to Non-Discrimination
- How to Exercise Your California Privacy Rights
A. Right to Know
You have the right to send us a request, no more than twice in a 12-month period, for any of the following:
- The categories of personal information (PI) we collected about you.
- The categories of sources for the PI we collected about you.
- Our business or commercial purposes for collecting , selling, or sharing your PI.
- The categories of third parties with whom we disclose your PI.
- A list of the categories of PI disclosed for a business purpose or that no disclosures occurred.
- A list of the categories of PI sold or shared about you, or that no sale or sharing occurred.
- The specific pieces of PI we collected about you. You can obtain a copy of your PI that we have collected by mail or electronically. This type of request requires a stricter verification standard.
- You have the right to request us to transfer specific personal information to another entity in a machine readable format that is in a structured, commonly used, and machine readable format to the extent that it is technically feasible.
B. Right to Correct
You have the right to request us to correct inaccurate personal information we may have about you. Upon request, we will take commercially reasonable efforts to correct your personal information.
C. Right to Delete
Except to the extent we have a basis for retention under applicable law or policy, you may request us to delete your personal information that we have collected directly from you and are maintaining. We will also notify all service providers or contractors with whom your PI has been shared with for specified business purposes to delete your PI from their records. We are not required to delete your PI that we did not collect directly from you.
We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:
- Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing relationship with you, or otherwise perform our contract with you.
- Help to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for those purposes.
- Debug products to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another customer to exercise their free speech rights, or exercise another right provided for by law.
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us and compatible with the context in which the consumer provided the information.
- Comply with a legal obligation or when otherwise authorized by law, including the CCPA.
- Make other internal and lawful uses of that information that are compatible with the context in which your provided it.
D. Right to Opt-Out of Selling and Sharing
As described in Section 5 above, the Bank does not sell or share PI. Therefore, submitting a request to Opt-Out is not required.
E. Right to Access Information About and Opt-Out of Automated Decision Making Technology
The Bank does not utilize automated decision making technology as defined by the CCPA. Therefore, submitting a request to Opt-Out is not required.
F. Right to Limit the Use of Your Sensitive Personal Information
Sensitive Personal Information, as defined by the CPRA, is not collected or processed for the purpose of inferring characteristics about you. Therefore, submitting a request to limit the use of your sensitive personal information is not required.
G. Right to Non-Discrimination
We will not discriminate against you or treat you less favorably for exercising your CCPA rights.
According to the law, we may charge a different price or rate, or offer a different level or quality of good or service, to the extent that doing so is reasonably related to the value of the applicable data.
In addition, we may offer you financial incentives for the collection, sale and retention and use of your PI as permitted by the CCPA that can; result in reasonably different prices, rates, or quality levels. Participating in these programs is entirely optional and requires your opt-in consent. If we decide to offer one of these programs, we will provide you with additional details in advance.
H. How to Exercise your California Privacy Rights
Mechanisms to submit Requests to Know, Delete, and Correct: If you are a California resident You may exercise the right to know, correct, and delete by submitting your request by either:
- Completing an Online form on our website, by clicking here.
- Calling us at our toll-free telephone number: 1-855-325-2226.
Call Center Business Hours
Mon-Fri: 5:30 am - 6:00 pm (PST)
Sat: 6:00 am - 1:00 pm (PST)
Initial Identification and Verification: Any request to know, correct or delete that you submit to us is subject to an identification and verification process.. Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information.
You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
Making a verifiable consumer request does not require you to create an account with us. However, we cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request.
Process: Once the initial identification and verification process is complete, we will send you an acknowledgement of receipt within 10 days from receiving your request and a reference number. If you submit the request via the toll-free telephone number, we will provide you with the reference number during the call to confirm receipt of your request.
When you submit an online request to delete PI, we will confirm your request before proceeding to the deletion.
On some occasions, we may not be able to comply with your requests. This could be in instances where we cannot verify your identity, when compliance with your request(s) would cause unreasonable risk to the security of PI, your account or the security of our systems and network, when it would be in breach of applicable federal or state laws, or because compliance might infringe data privacy rights of other individuals whose details are contained in it, among others. If this is the case, we will inform you in writing and explain the reasons.
Time period: We will endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time, up to an additional 45 days (90 days total), we will inform you in writing.
Designating an authorized agent: To exercise any of these privacy rights you can also designate another person to act on your behalf. Your authorized agent may submit a request on your behalf by contacting: Privacy@bankofhope.com. Your authorized agent must provide us with a written authorization (such as a Power of Attorney) to show that you gave them your permission to submit information requests on your behalf.
Fees: We will typically not charge a fee to fully respond to your requests; however, we may charge a reasonable fee if we consider that your request is excessive, repetitive, unfounded or overly burdensome. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
To obtain this information in an alternative format: If you require this notice to be provided in a different format (e.g., audio), please contact us at:
- Toll-free telephone numbber: 1-855-325-2226
Call Center Business Hours
Mon-Fri: 5:30 am - 6:00 pm (PST)
Sat: 6:00 am - 1:00 pm (PST)
10. Changes to Our Privacy Notice
Bank of Hope reserves the right to amend this privacy notice at our discretion at any time, as we continue to develop our compliance program in response to legal developments and new interpretations of the CCPA. When we make changes to this notice, we will post the updated notice on the website and update the effective date of the notice.
11. Contact Information
If you have any questions or comments about this notice, the ways in which Bank of Hope collects and uses your PI or SPI and wish to exercise your rights under California law, please feel free to contact us at:
- Toll-free telephone numbber: 1-855-325-2226
Call Center Business Hours
Mon-Fri: 5:30 am - 6:00 pm (PST)
Sat: 6:00 am - 1:00 pm (PST)
Need help?
Contact Us
Call us at 1-855-325-2226
Mon-Fri: 5:30 am - 6:00 pm (PST)
Sat: 6:00 am - 1:00 pm (PST)
Message Us
Send us an email and one of our
representatives will reach out to
you soon.