Skip to Main Content

Privacy Notice for California Residents

Privacy Notice for California Residents

This Privacy Notice for California Residents (“California Privacy Notice”) supplements the information contained in First Horizon’s (First Horizon includes First Horizon Bank, First Horizon Corporation and their affiliates) (collectively “First Horizon,” “we,” or “our”) Privacy Policy and applies solely to all natural persons residing in the State of California ("consumers" or "you"). This California Privacy Notice describes our online and offline information practices, the rights you have regarding your personal information, and our obligations under the California Consumer Privacy Act of 2018 (“CCPA”), the California Privacy Rights Act of 2020 (“CPRA”), and its implementing regulations (collectively referred to as the “California Privacy Laws”). Any terms defined in the California Privacy Laws shall have the same meaning when used in this California Privacy Notice.

A significant portion, if not all, of the information we collect from you is to obtain or provide a financial product or service. Such information is exempt from the scope of the California Privacy Laws as it is collected, processed, sold, or disclosed subject to the Gramm-Leach-Bliley Act (“GLBA”). This California Privacy Notice does not apply to information excluded from the scope of the California Privacy Laws. Furthermore, this California Privacy Notice does not apply to employment-related personal information collected from you when you act as an employee, job applicant, contractor, or similar individual to First Horizon. A Notice to California Employees and Applicants will be made available by First Horizon separately.

Notice at Collection

First Horizon collects information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household ("personal information").

We may collect the following categories of personal information listed in the table below:

Category

Description

Identifiers

Examples: A real name, alias, postal address, unique personal identifier, online identifier, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers.
Sold or Shared? We do not sell or share this category of personal information.

Personal information described in Cal. Civ. Code § 1798.80(e)

Examples: A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, or medical information.

Sold or Shared? We do not sell or share this category of personal information.

Protected classification characteristics under California or federal law

Examples: Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, gender, gender identity, sexual orientation, veteran or military status.

Sold or Shared? We do not sell or share this category of personal information.

Commercial information

Examples: Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

Sold or Shared? We do not sell or share this category of personal information.

Biometric information

Examples: Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans.

Sold or Shared? We do not sell or share this category of personal information.

Internet or other similar network activity

Examples: Browsing history, search history, information regarding a consumer's interaction with an internet website application, or advertisement.

Sold or Shared? We do not sell or share this category of personal information.

Geolocation data

Examples: Physical location or movements.

Sold or Shared? We do not sell or share this category of personal information.

Sensory data

Examples: Audio, electronic, visual, or similar information.

Sold or Shared? We do not sell or share this category of personal information.

Professional or employment-related information

Examples: Current or past job history or performance evaluations.

Sold or Shared? We do not sell or share this category of personal information.

Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99))

Examples: Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student identification codes, or student financial information.

Sold or Shared? We do not sell or share this category of personal information.

Sensitive Personal Information

Examples: Social Security number, driver’s license number, state identification number, passport number, account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account, precise geolocation information, racial or ethnic origin, religious or philosophical beliefs, or union membership, contents of mail, email, and text messages unless the business is the intended recipient of the communication, genetic data, biometric data for the purposes of uniquely identifying a consumer, health information, or sexual orientation information.

Sold or Shared? We do not sell or share this category of personal information.

**We only collect Sensitive Personal Information for legitimate business purposes appropriate for the use and disclosure of Sensitive Personal Information as defined in the California Privacy Laws, and do not otherwise use it to infer characteristics about you.

   

Retention Period. We will retain and use the foregoing categories of personal information for an appropriate period of time as is necessary to fulfill the purposes for which the information was collected, to comply with our business requirements and legal obligations, to provide our services, resolve disputes, enforce our agreements, and other purposes to the extent provided in this California Privacy Notice. We take reasonable steps to delete personal information when (1) we have a legal obligation to do so; (2) we no longer have a purpose or obligation for retaining the information; or (3) if you ask us to delete the information unless there is an applicable exception to deleting the information under CPRA.

We are required to maintain records of consumer requests submitted under the CPRA, which may include personal information, and how we responded to such requests for at least twenty-four (24) months. Such information related to consumer requests is retained only for recordkeeping purposes.

Exclusions from Personal Information: Personal information does not include:

  • Publicly available information or lawfully obtained, truthful information that is a matter of public concern.
  • Consumer information that is deidentified or aggregated.
  • Information excluded from the scope of the CPRA including, but not limited to:
    • Personal information collected, processed, sold, or disclosed subject to the Gramm-Leach-Bliley Act (GLBA) or the California Financial Privacy Act.
    • An activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, a furnisher of information who provides information for use in a consumer report, and by a user of a consumer report provided that the agency, furnisher, or user is subject to regulation under the Fair Credit Reporting Act (FCRA).
    • Medical information governed by the Confidentiality of Medical Information Act or protected health information as governed by the U.S. Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
    • Personal information collected, processed, sold, or disclosed pursuant to the Driver’s Privacy Protection Act of 1994.

Again, please keep in mind that much, if not all, of the information we collect from you is to obtain or provide a financial product or service. Accordingly, such information is exempt from the CPRA since it is subject to the GLBA or other applicable exemptions.

Business or Commercial Purposes: We may use the categories of personal information identified above for one or more of the following purposes:

  • To fulfill or meet the reason you provided the information. For example, if you share your name and contact information to request information on obtaining a financial product or service or ask a question about our products or services, we will use that personal information to respond to your inquiry. If you provide your personal information to apply for a financial product or service, we will use that information to process your application, for payment and to facilitate providing that financial product or service.
  • To create, maintain, customize, and secure your account with us.
  • To process your requests, transactions, and payments and prevent transactional fraud.
  • To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collections.
  • To provide you with support and to respond to your inquiries, including to investigate and address your complaints and monitor and improve our responses.
  • To help to ensure security and integrity to the extent the use of the personal information is reasonably necessary and proportionate.
  • To provide auditing related to a current interaction with you and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards.
  • To detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, and prosecute those responsible for that activity.
  • To debug to identify and repair errors that impair existing intended functionality.
  • For short-term, transient use, including, but not limited to, non-personalized advertising shown as part of a consumer’s current interaction with the business, provided that the consumer’s personal information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business.
  • To perform services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business.
  • To provide advertising and marketing services, except for cross-context behavioral advertising, to the consumer provided that, for the purpose of advertising and marketing, a service provider or contractor shall not combine the personal information of opted-out consumers that the service provider or contractor receives from, or on behalf of, the business with personal information that the service provider or contractor receives from, or on behalf of, another person or persons or collects from its own interaction with consumers.
  • As described to you when collecting your personal information or as otherwise set forth in the CPRA. 
  • To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us about our consumers is among the assets transferred.
  • For other purposes as expressly authorized by the implementing regulations of the California Privacy Laws.

Other Processing Activities: As permitted by applicable law, we may use the personal information we collect in order to:

  • Comply with federal, state, or local laws or comply with a court order or subpoena to provide information.
  • Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.
  • Cooperate with law enforcement agencies concerning conduct or activity that we, a service provider, or third party reasonably and in good faith believes may violate federal, state, or local law.
  • Cooperate with a government agency request for emergency access to a consumer’s personal information if a natural person is at risk or danger of death or serious physical injury.
  • Exercise or defend legal claims.
  • Collect, use, retain, sell, share, or disclose consumers’ personal information that is deidentified or aggregate consumer information.

First Horizon will not collect additional categories of personal information or use personal information collected for additional purposes that are incompatible with the disclosed purpose for which the personal information was collected without providing you notice as may be required under the CPRA.

Data Practices During Last 12 Months

Personal Information Collected: As described in this California Privacy Policy, we may have collected the categories of personal information listed below during the preceding 12 months:

  • Identifiers.
  • Personal information described in Cal. Civ. Code § 1798.80(e).
  • Protected classification characteristics under California or federal law.
  • Commercial information.
  • Biometric information.
  • Internet or other similar network activity.
  • Geolocation data.
  • Sensory data.
  • Professional or employment-related information.
  • Non-public education information (per the Family Education Rights and Privacy Act).
  • Sensitive Personal Information.

Categories of Sources: We may have collected the categories of personal information identified in this California Privacy Policy from the following categories of sources:

  • Directly from you. For example, from forms you complete, applications you submit, or products or services you obtain from us.
  • Indirectly from you. For example, from third parties or cookies.
  • Service Providers. For example, credit reporting agencies or credit and verification providers.
  • Government entities. For example, from government records.

Business and Commercial Purpose for Collecting: We may have collected the categories of personal information identified for the purposes listed in the “Business or Commercial Purposes” section above.

Categories of Personal Information Disclosed for a Business Purpose: We may have disclosed the following categories of personal information to third parties for a business purpose during the preceding 12 months:

  • Identifiers.
  • Personal information described in Cal. Civ. Code § 1798.80(e).
  • Protected classification characteristics under California or federal law.
  • Commercial information.
  • Biometric information.
  • Internet or other similar network activity.
  • Geolocation data.
  • Sensory data.
  • Professional or employment-related information.
  • Non-public education information (per the Family Education Rights and Privacy Act).
  • Sensitive Personal Information.

These categories of personal information may have been disclosed for a business purpose to the following categories of third parties:

  • Service providers or contractors (for services such as data analytics, data storage, mailing, marketing and advertising, payment processing, website and platform administration, technical support, security monitoring, and operating systems and platforms).
  • Third parties with your consent.
  • Government entities.
  • Marketing providers.
  • Affiliates.

Prior to disclosing any personal information to a service provider or contractor for a business purpose, we enter into a written contract which describes, among other things: (1) the specific purpose which the personal information can be used by the service provider or contractor to perform the services specified in the contract; (2) requires the service provider or contractor to keep any personal information confidential; (3) prohibits the service provider or contractor receiving the personal information from retaining, disclosing, or using the personal information for any purpose other than performing and providing services under the contract; (4) provides us the right to take reasonable and appropriate steps to ensure that the service provider or contractor uses personal information in accordance with contractual terms.

Categories of Personal Information Sold or Shared to Third Parties: We have not sold or shared any categories of personal information to third parties in the preceding 12 months.

California Consumer Rights and Choices Consumer Rights

Consumer Rights

The California Privacy Laws provide consumers with specific rights regarding their personal information. This section describes your rights and explains how to exercise those rights. You may submit requests to us as described below and we honor those rights where they apply.

Right to Know: You have the right to request that First Horizon disclose personal information that it has collected, sold, or shared about you. This includes a request for any or all of the following:

  • The categories of personal information we have collected about you.
  • The categories of sources from which the personal information is collected.
  • The categories of personal information that we have sold or disclosed for a business purpose about you.
  • The categories of third parties to whom the personal information was sold or disclosed for a business purpose.
  • The specific pieces of personal information we collected about you.
  • The business or commercial purpose for collecting, selling, or sharing personal information.

Right to Delete: You have the right to request that First Horizon delete any personal information that we have collected, sold, or shared about you.

Right to Limit: In certain circumstances, you have the right to limit the use and disclosure of sensitive personal information. Our use of your sensitive personal information is solely for business purposes and not for those purposes for which a consumer may exercise a right to limit the use or disclosure under the CPRA. Therefore, we include this disclosure of information for information purposes only.

Right to Opt Out of Sale/Sharing: You have the right to direct a business that sells or shares personal information about you to third parties to stop doing so. First Horizon does not sell or share any personal information as defined by the CPRA. Therefore, we include this disclosure of information for informational purposes only.

Right to Correct: You have the right to request that we correct inaccurate personal information that we maintain about you. Our goal is to keep your personal information accurate, current, and complete. These rights do not apply to personal information collected or disclosed under certain exemptions under the CPRA. This includes, but is not limited to, personal information collected, processed, sold, or disclosed subject to the GLBA. Therefore, rights such as the Right to Know and Right to Delete do not apply to personal information collected, processed, sold, or disclosed pursuant to these exemptions.

How to Submit Requests to Know, Requests to Delete, and Requests to Correct

You may submit a Request to Know, Request to Delete, or Request to Correct by either:

  • Calling us at 877-242-9880 or
  • Visiting www.firsthorizon.com/questions.

Verification Procedures

We are required by the CPRA to verify the identity of individuals who submit a Request to Know, Request to Delete, or Request to Correct. We will take steps to verify your identity before granting you access to such personal information or acting on your request to exercise your rights as outlined below.

A verifiable consumer request must provide sufficient information that allows us to reasonably verify that you are the person about whom we collected information. Whenever feasible, we will verify your identity by matching the identifying information provided by you in the request to the personal information we may already maintain about you. As part of this process, we may ask that you provide the following information when submitting your request: name, telephone number, email address, and account number.

You may designate an authorized agent to make a Request to Know, Request to Delete, or Request to Correct on your behalf. If you use an authorized agent to submit a request, we require the authorized agent to provide proof that the consumer gave the authorized agent signed, written permission to submit the request. We may also require you to verify your identity directly with us and you to directly confirm with us that you provided the authorized agent permission to submit the request. We will inform you if we cannot verify your identity.

  • If we cannot verify the identity of the person making a Request to Know specific pieces of personal information, we are prohibited from disclosing any specific pieces of personal information to the requestor. However, if denied in whole or in part for this reason, we will evaluate the request as if it is seeking the disclosure of categories of personal information about the consumer. If we still cannot verify the request, and the request is denied in whole or in part, we will provide a copy of, or direct you to, our privacy policy.
  • If we cannot verify the identity of the person making a Request to Delete or Request to Correct, we may deny the request and inform the person making the request that their identity cannot be verified.

Response Timing: Upon receiving a Request to Know, Request to Delete, or Request to Correct, we will confirm receipt of the request within 10 business days and provide information about how we will process your request. The information provided will include our verification process and when you should expect a response from us (unless we have already granted or denied the request). In general, we will respond to a request within 45 calendar days from the day the request is received but, if necessary, we may take an additional 45 calendar days to respond to the request. If this extension is needed, we will notify you of the extension and explain the reasons that responding to your request will take more than 45 calendar days.

Response Process: If you have an online account with us, we may deliver our written response to that account along with any requested personal information that may be responsive to your request in a portable and, to the extent technically feasible, readily usable format. If you do not have an account with us, we will deliver our written response and any requested personal information that may be responsive to you by mail or electronically, at your option. The response we provide will also explain the reasons we cannot comply with a request, if applicable.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Limitations: We are committed to responding to requests in accordance with applicable law. However, your rights are subject to certain limitations including, but not limited to, the following:

  • We are only required to respond to Requests to Know twice in a 12-month period.
  • A response to a Request to Know may be limited to the 12-month period preceding receipt of the request if it would be impossible, involve disproportionate effort, or the request is for data for a specific time period.
  • We are prohibited from disclosing certain specific pieces of personal information in response to a Request to Know including, but not limited to, Social Security numbers, driver’s license numbers, and financial account numbers.

We are not required to delete your personal information if it is reasonably necessary for us, our service providers, or our contractors to maintain the personal information in order to:

  • Complete the transaction for which the personal information was collected, provide a loan or service that you requested, take actions reasonably anticipated by you within the context of our ongoing business relationship with you, or otherwise perform a contract with you.
  • Help ensure the security and integrity to the extent the use of your personal information is reasonably necessary and proportionate for those purposes.
  • Debut to identify and repair errors that impair existing intended functionality.
  • Exercise free speech, ensure the right of another consumer to exercise that consumer’s right of free speech, or exercise another right provided for by law.
  • Comply with the California Electronic Communications Privacy Act (Ca. Penal Code § 1546 et. seq.).
  • Engage in public or peer-reviewed scientific, historical, or statistical research that conforms or adheres to all other applicable ethics and privacy laws, when the business’ deletion of the information is likely to render impossible or seriously impair the ability to complete such research, if you have provided informed consent.
  • To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business and compatible with the context in which the consumer provided the information.
  • Comply with a legal obligation.

Non-Discrimination

We will not discriminate against you for exercising any of your CPRA rights including, but not limited to, by:

  • Denying you goods or services.
  • Charging you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
  • Providing you a different level or quality of goods or services.
  • Suggesting that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Accessibility

We are committed to ensuring this California Privacy Notice is accessible to individuals with disabilities. If you wish to access this California Privacy Notice in an alternative format, please contact us as described below.

Contact Information

If you have any questions or comments about this California Privacy Notice, the ways in which First Horizon collects and uses your information, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:

Phone: Call 877-242-9880

Website: firsthorizon.com/questions

Postal Address:

First Horizon

Attn: Compliance Department

165 Madison Avenue

Memphis, TN 38103

Last Updated: June 2023

Need more info?