FDIC-Insured - Backed by the full faith and credit of the U.S. Government
Comerica Logo

California Privacy Rights Act (CPRA)

California Consumer Privacy Rights Statement

Updated: August 2025

California Consumer Privacy Rights Statement (“Statement”)

The California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”) includes additional privacy protections for consumers. It requires businesses to be transparent about how they collect, share and use consumers’ personal data.

This Statement supplements the information contained in the Consumer Privacy Notice(PDF, 312 KB) and Online Privacy Practices and Privacy Notice of Comerica Bank and its subsidiaries and affiliates (collectively, “we,” “us,” or “our”) and applies solely to visitors, users, and others who reside in the State of California (“consumers” or “you”). We adopt this Statement to comply with the CCPA and other California privacy laws.

Information We Collect

We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“personal information”). In the preceding twelve (12) month period, we have collected the following categories of personal information from consumers:

Categories of PI Collected Examples
A. Identifiers A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers.
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories.
C. Protected classification characteristics under California or federal law Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).
D. Commercial information Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
E. Biometric information Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.
F. Internet or other similar network activity Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement.
G. Geolocation data Physical location or movements.
H. Sensory data Audio, electronic, visual, thermal, olfactory, or similar information.
I. Professional or employment-related information Current or past job history or performance evaluations.
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)) Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.
K. Sensitive Personal Information Social Security, driver’s license, state identification card, or passport number, account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account, precise geolocation, consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership, genetic data, biometric information, health, sex life or sexual orientation.
L. Inferences drawn from other personal information Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

Personal information does not include:

  • Publicly available information from government records.
  • De-identified or aggregated consumer information.
  • Information excluded from the CCPA's scope, like:
    • Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data
    • Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver's Privacy Protection Act of 1994

We obtain the categories of personal information listed above from the following categories of sources:

  • Directly from our clients or their agents. For example, from documents that our clients provide to us related to the services for which they engage us
  • Indirectly from our clients or their agents. For example, through information we collect from our clients in the course of providing services to them
  • Directly and indirectly from activity on our website (www.comerica.com). For example, from submissions through our website portal or website usage details collected automatically
  • From third-parties that interact with us in connection with the services we perform

Use of Personal Information

We may use or disclose the personal information we collect for one or more of the following business purposes:

  • To fulfill or meet the reason for which the information is provided
  • To provide you with information, products or services that you request from us
  • To provide you with email alerts and other notices concerning our products or services, that may be of interest to you
  • To improve our website, present its contents to you, and for short-term, transient use, such as contextual customization of ads
  • For testing, research, analysis, product development and to upgrade or enhance our services
  • As necessary or appropriate to protect the rights, property or safety of us, our clients or others
  • To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations
  • To detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, and to prosecute those responsible for that activity
  • For debugging to identify and repair errors with our services
  • For auditing relating to interactions, transactions and other compliance activities
  • As described to you when collecting your personal information or as otherwise set forth in the CPRA

We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

Processing Sensitive Personal Information. We collect and process Sensitive Personal Information for the purposes disclosed at the time we collect this information. We do not process this information for purposes other than the purpose for which it was originally collected unless required by law. We use and process Sensitive Personal Information collected from California employees, job applicants or vendors (including racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status) to comply with laws including anti-discrimination laws and disability accommodation laws. We use Sensitive Personal Information from other consumers (including racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status) to provide disability accommodations. We also use sensitive personal information for the purposes listed in this notice.

Disclosing Personal Information
We may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter into a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.

We disclose your personal information for a business purpose to the following categories of third parties:

  • Our affiliates
  • Service providers
  • Third parties to whom you or your agents authorize us to disclose your personal information in connection with products or services we provide to you

Selling and Sharing of Personal Information. In the preceding twelve (12) month period, we have not sold personal information for monetary consideration. When you visit our website, we may use tracking technologies such as cookies for a variety of purposes, including to understand how visitors interact with our websites, and to provide personalized advertisements. The use of these technologies may constitute a “sale” or “share” of personal information under the CCPA.

We do not knowingly sell or share personal information of consumers under 16 years of age.

Your Rights and Choices

Access to Specific Information and Data Portability Right
You have the right to request that we disclose certain information to you about our collection and use of your personal information. You may make these requests up to twice in a twelve (12) month period. Once we receive and confirm your verifiable consumer request, we will disclose to you:

  • The categories of personal information we collected about you
  • The categories of sources for the personal information we collected about you
  • Our business or commercial purpose for collecting or selling that personal information
  • The categories of third parties with whom we share that personal information
  • The specific pieces of personal information we collected about you (also called a data portability request)
  • If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
    • sales, identifying the personal information categories that each category of recipient purchased; and
    • disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained

Deletion Request Rights
You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete your personal information from our records, unless an exception applies. Exceptions include:

  • If data is already regulated by Gramm-Leach-Bliley-Act (GLBA)
  • If data is required to complete a transaction for which personal information is collected to provide a good or service requested by the consumer.
  • If data is required for legal obligations or regulatory reasons.
  • If data is required to detect security incidents; protect against malicious, deceptive, fraudulent, illegal activity; to prosecute those who are responsible for that activity.
  • If data enables solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer relationship with the business.

Correction Request Rights
You have the right to correct any of your personal information that we have collected and maintain by contacting our customer service center. We will correct your personal information from our records, unless an exception applies.

Opt Out Rights

  • Do Not Sell or Share My Personal Information. You have the right to opt out of having your personal information sold or shared with others for cross-context or behavioral advertising purposes. This does not include using your interactions with us or information that you provide to us to select advertisements to show you.
  • Limit Processing of Sensitive Personal Information. You have the right to tell us not to process Sensitive Personal Information for any purpose other than the purpose for which we originally collected it. We only process Sensitive Personal Information for the purpose for which we originally collected it, unless required by law.
  • In the event of a merger, acquisition, or similar event, we will preserve your opt-out preferences regarding the sale or sharing of personal information.

Exercising your Rights

  • Access, Correction and Deletion. To exercise the access, correction, and deletion rights California residents may visit our online CPRA Request Page by clicking the link at the top or bottom of this page or by calling us toll free at 1-800-522-2265. We will ask you for information that allows us to reasonably verify your identity (that you are the person about whom we collected personal information) and will use that information only for that purpose. We may request that you submit a signed statement under penalty of perjury that you are the individual you claim to be. Any disclosures we provide will only cover the 12-month period preceding receipt of your request, but you may request an expanded time period as permitted by law.  We will honor that expanded request unless doing so would involve a disproportionate effort.
  • Opt-Out Rights. To opt out of the sale of your personal information or the sharing of your personal information you may submit a request to us by clicking the link at the top or bottom of this page and selecting Opt Out Request or by calling us toll free at 1-800-522-2265. You do not need to tell us to limit processing of Sensitive Personal Information because we already limit such processing.

You may also opt out by activating a user-enabled global privacy control, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicates or signals your choice to opt-out of the sale and sharing of personal information. When we receive such a signal we will stop setting third party, analytics, or advertising partner cookies on your browser. This will prevent the sale or sharing of information relating to that specific device through cookies to our advertising or analytics partners. This option does not stop all sales or sharing of your information because we cannot match your device’s identification or internet protocol address with your personally identifiable information like your name, phone number, email address or ZIP Code. If you delete cookies on your browser, any prior do not sell or do not share signal is also deleted and you should make sure that your user-enabled setting is always activated.

Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request.

Response Timing and Format
We will acknowledge receipt of your request for access, correction or deletion within 10 business days and will endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to a total of 90 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. The response we provide will also explain the reasons we cannot comply with a request, if applicable.

For requests that we not sell or share your information or limit processing of Sensitive Personal Information we will comply with your request promptly, in accordance with law. Once we receive your request, we will wait at least 12 months before asking you to reauthorize personal information sales or sharing.

Non-Discrimination
We will not discriminate against you for exercising any of your CPRA rights. Unless permitted by the CPRA, we will not:

  • Deny you goods or services.
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
  • Provide you a different level or quality of goods or services.
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Changes to Our Privacy Statement
We reserve the right to amend this privacy statement at our discretion and at any time. Any changes made to this privacy statement will be available on our website.

Contact Information
If you have any questions or comments about this statement, our Privacy Notice, the ways in which we collect and use your personal information, your choices and rights regarding such use, or wish to exercise your rights under California law, please call 1-800-522-2265.

CPRA Request

Submit a form to create a new CPRA request or Review request details / check the status of a request.