California Consumer Privacy Rights

What it is

If you live in California, you have specific legal rights to see what data Chase has about you, ask Chase to delete it, correct it, limit use of sensitive data, and opt out of Chase sharing your data for advertising purposes.

Why it matters (compliance & governance perspective)

California's CCPA and CPRA give residents meaningful control over their personal data held by financial institutions, including rights not available to consumers in most other U.S. states.

Consumer impact (what this means for users)

California residents have enforceable rights to access, delete, correct, and limit use of their personal information held by Chase, and can opt out of sharing of their data with third parties for advertising, which provides materially stronger protections than those available to Chase customers in other states.

What you can do

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: This provision reflects obligations under the California Consumer Privacy Act as amended by the California Privacy Rights Act, enforced by the California Privacy Protection Agency and the California Attorney General. The CPRA established specific requirements for handling sensitive personal information, honoring opt-out requests for sale or sharing, and responding to consumer rights requests within defined timeframes. Financial institutions subject to GLBA have partial exemptions under CCPA/CPRA for data processed under GLBA, but those exemptions are narrowly construed and do not cover all personal information Chase holds. GOVERNANCE EXPOSURE: High. The GLBA exemption under CCPA/CPRA applies to personal information collected and processed in the course of providing financial services, but does not exempt all data Chase collects, including online behavioral data, device identifiers, and browsing history used for marketing. Compliance teams must maintain accurate mapping of which data categories fall within the GLBA exemption and which are subject to CCPA/CPRA rights requests. JURISDICTION FLAGS: This provision applies specifically to California residents. However, other states including Virginia, Colorado, Connecticut, Texas, Oregon, and Montana have enacted comprehensive privacy laws with similar, though not identical, consumer rights frameworks. Teams should evaluate whether equivalent rights request workflows are required in those jurisdictions or whether California-specific infrastructure can serve as a template. CONTRACT AND VENDOR IMPLICATIONS: Service providers processing California residents' personal data on Chase's behalf must be bound by CPRA-compliant service provider agreements that prohibit use of data outside disclosed purposes and grant Chase audit rights. Any vendor that receives data subject to a consumer deletion request must honor those requests under applicable contractual and regulatory requirements. COMPLIANCE CONSIDERATIONS: Compliance teams should audit the end-to-end consumer rights request workflow, including verification procedures, response timelines, and the accuracy of data provided in response to access requests. The GLBA exemption scope should be documented and reviewed periodically to ensure the policy's disclosures accurately reflect the data categories for which CCPA/CPRA rights apply. Teams should also confirm that the opt-out mechanism for sharing of personal information is accessible, functional, and honored across all Chase digital properties and third-party advertising partners.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Affiliate and Third-Party Data Sharing medium
• Cookie and Behavioral Tracking medium
• Location Data Collection medium
• Data Collection from Third Parties medium
• Marketing Communications and Opt-Out low
• Children's Privacy low