Skip to main content

California Consumer Privacy Act Notice

Last updated January 3, 2024

Legal Entities

This California Consumer Privacy Act Notice (“Notice”) applies to Bank of America legal entities that utilize the brand names Bank of America, Merrill, and BofA Securities, Inc. as well as the following entities: Managed Account Advisors LLC and BAL Investment & Advisory, Inc (“Company”, “we”, “us” or “our”).

Applicability

Your privacy is important to us. This California Consumer Privacy Act Notice (download a printable copy of this Notice; PDF, requires Adobe Reader layer) explains how we collect, use, and disclose personal information relating to California residents covered by the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the “CCPA”). This “Notice” constitutes our notice at collection and our privacy policy pursuant to the CCPA.

Introduction

Under the CCPA, “Personal Information” is information that identifies, relates to, or could reasonably be linked directly or indirectly with a particular California resident and includes certain categories of Personal Information discussed below that constitute “Sensitive Personal Information.” The CCPA, however, does not apply to certain information, such as information subject to the Gramm-Leach-Bliley Act (“GLBA”).

The specific Personal Information that we collect, use, and disclose relating to a California resident covered by the CCPA will vary based on our relationship or interaction with that individual. For example, this Notice does not apply with respect to information that we collect about California residents who apply for or obtain our financial products and services for personal, family, or household purposes. For more information about how we collect, disclose, and secure information relating to these customers, please refer to our U.S. Consumer Privacy Notice.

Keeping Personal Information secure is one of our most important priorities. Consistent with our obligations under applicable laws and regulations, we maintain physical, technical, electronic, procedural and organizational safeguards and security measures that are designed to protect personal data against accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure, or access, whether it is processed by us or by others on our behalf.

Collection, Use and Disclosure of Personal Information

In the past 12 months, we may have collected and disclosed for our business purposes each of the following categories of Personal Information relating to California residents covered by this Notice:

  • Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers;
  • Any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information;
  • Characteristics of protected classifications under California or federal law, such as sex and marital status;
  • Commercial information, such as records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies;
  • Biometric information;
  • Internet or other electronic network activity information, such as browsing history, search history, and information regarding a California resident's interaction with an internet website application or advertisement;
  • Geolocation data, such as device location and Internet Protocol (IP) location;
  • Audio, electronic, visual, thermal, or similar information such as call and video recordings;
  • Professional or employment-related information, such as work history and prior employer;
  • Education information, directly related to a student; and maintained by an educational agency or institution or by a party acting for the agency or institution;
  • Inferences drawn from any of the Personal Information listed above to create a profile about a California resident reflecting their preferences, characteristics, psychological trends, predispositions, behavior, and attitudes, intelligence, abilities, and aptitudes; and
  • The following categories of Sensitive Personal Information:
  • Personal Information that reveals:
  • A California resident's Social Security, driver's license, state identification card, or passport number;
  • A California resident's account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
  • A California resident's precise geolocation;
  • A California resident's racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, or union membership;
  • The contents of a California resident's mail, email, and text messages unless the business is the intended recipient of the communication;
  • The processing of biometric information for the purpose of uniquely identifying a California resident; and
  • Personal information collected and analyzed concerning a California resident's health.

In addition to collecting Personal Information ourselves, we additionally coordinate with third parties to collect Personal Information on our behalf, which third parties are engaged in one or more of the business practices described below:

  • Delivering advertising and marketing, including on non-affiliated persons' or entities' sites and mobile apps;
  • Facilitating events and event management, including virtual and/or in-person events (e.g., hotels, restaurants, virtual platforms, audio/visual capabilities, food/beverage, transportation services, etc.); and
  • Referral sources, whether for purposes of identifying candidates for employment, identifying new client opportunities, or recommending vendors or contractors.

The categories of sources from which we collected Personal Information are:

  • Directly from a California resident or the individual's representatives;
  • Service Providers, Consumer Data Resellers, Credit Reporting Agencies and other similar persons or entities;
  • Public Record Sources (Federal, State or Local Government Sources);
  • Information from our Affiliates;
  • Website/Mobile App Activity/Social Media;
  • Information from Client Directed persons or entities or Institutions representing a Client/Prospect; and
  • Information from Corporate Clients about individuals associated with the Clients (e.g., an employee or board member).

With respect to each category of Personal Information that we disclosed for a business purpose in the past 12 months, the categories of persons or entities to whom we disclosed that Personal Information are:

  • Affiliates of Bank of America;
  • Service Providers and Contractors who provide services such as website hosting, data analysis, payment processing, order fulfillment, information technology and related infrastructure, customer service, email delivery, auditing, marketing, supporting research activities, credit financing, event management, and real estate management;
  • Other Service Providers and Contractors who provide services such as payment, banking and communication infrastructure, storage, legal expertise, tax expertise, real estate expertise, appraisal expertise, notaries and auditors, who promote the bank and its financial services and products to customers and other prospective buyers;
  • Other Service Providers and Contractors who enable customers to conduct transactions online and via mobile devices, support mortgage and fulfillment services, vehicle loan processes and aggregators (at the direction of the customer);
  • Other persons or entities to whom we transfer Personal Information as an asset that is part of a merger, acquisition or other transaction in which such other person or entity assumes control of all or part of the business;
  • Government Agencies as required by laws and regulations; and
  • Other persons or entities with which you may use or direct us to intentionally interact or to which you may use or direct us to intentionally disclose your Personal Information.

We do not disclose Personal Information to any other categories of third parties.

We collect, use and disclose for our business purposes Personal Information, including Sensitive Personal Information, relating to California residents to operate, manage, and maintain our business, to provide our products and services, and to accomplish our business or commercial purposes, including the following:

  • Performing services, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services (except for cross-context behavioral advertising, a type of targeted advertising), providing analytic services, providing research services, facilitating event management and execution, managing our real estate portfolio, or providing similar services;
  • Helping to ensure security and integrity to the extent the use of Personal Information is reasonably necessary and proportionate for these purposes;
  • Short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of a current interaction with us, where the information is not disclosed to a third party and is not used to build a profile or otherwise alter the California resident's experience outside the current interaction with us;
  • Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with this specification and other standards;
  • Undertaking activities to verify or maintain the quality or safety of a service controlled by us, and to improve, upgrade, or enhance that service;
  • Debugging to identify and repair errors that impair existing intended functionality;
  • Undertaking internal research for technological development and demonstration; and
  • Complying with laws and regulations and to comply with other legal process and law enforcement requirements (including any internal policy based on or reflecting legal or regulatory guidance, codes or opinions).

How Long We Retain Personal Information

The length of time that we intend to retain each category of Personal Information will depend on several criteria, including (i) the length of time we are required to retain Personal Information in order to comply with applicable legal and regulatory requirements, (ii) the length of time we may need to retain Personal Information in order to accomplish the business or commercial purpose(s) for which such Personal Information is collected, used or disclosed (as indicated in this Notice), and (iii) whether you choose to exercise your right, subject to certain exceptions, to request deletion of your Personal Information.

Sale or Sharing of Personal Information

In the 12 months preceding the date of this Notice, we have not “sold” or “shared” Personal Information or Sensitive Personal Information subject to the CCPA nor have we “sold” or “shared” Personal Information or Sensitive Personal Information of minors under the age of 16.

For purposes of this Notice:

  • “sold” means the disclosure of Personal Information or Sensitive Personal Information to a third party for monetary or other valuable consideration; and
  • “shared” means the disclosure of Personal Information or Sensitive Personal Information to a third party for cross-context behavioral advertising.

How We Use Sensitive Personal Information

We only use or disclose Sensitive Personal Information for the following purposes consistent with CCPA Regulations:

  • To perform the services or provide the goods reasonably expected by an average California resident who requests those goods or services. For example, a California resident's precise geolocation may be used by a mobile application that is providing them with directions on how to get to a specific location.
  • To detect security incidents that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted Personal Information, provided that the use of a California resident's Personal Information is reasonably necessary and proportionate for this purpose. For example, we may disclose a California resident's log-in information to a data security company that it has hired to investigate and remediate a data breach that involved that individual's account.
  • To resist malicious, deceptive, fraudulent, or illegal actions directed at the business and to prosecute those responsible for those actions, provided that the use of a California resident's Personal Information is reasonably necessary and proportionate for this purpose. For example, we may use information about a California resident's ethnicity and/or the contents of email and text messages to investigate claims of racial discrimination or hate speech.
  • To ensure the physical safety of natural persons, provided that the use of a California resident's Personal Information is reasonably necessary and proportionate for this purpose. For example, we may disclose a California resident's geolocation information to law enforcement to investigate an alleged kidnapping.
  • For short-term, transient use, including, but not limited to, nonpersonalized advertising shown as part of a California resident's current interaction with us.
  • To perform services such as maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying a California resident's information, processing payments, providing financing, providing analytic services, providing storage.
  • To verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured by, manufactured for, or controlled by us.

Rights under the CCPA

If you are a California resident covered by the CCPA, you have the right to:

  1. Receive this Notice at or before the point of collection of your Personal Information.
  2. Request we disclose to you free of charge the following information covering the 12 months preceding your request:
    1. the categories of Personal Information about you that we collected;
    2. the categories of sources from which the Personal Information was collected;
    3. the purpose for collecting Personal Information about you;
    4. the categories of third parties to whom we disclosed Personal Information about you and the categories of Personal Information that were disclosed (if applicable) and the purpose for disclosing the Personal Information about you; and
    5. the specific pieces of Personal Information we collected about you;
  3. Request we correct inaccurate Personal Information that we maintain about you.
  4. Request we delete Personal Information we collected from you, unless the CCPA recognizes an exception.
  5. Be free from unlawful discrimination for exercising your rights under the CCPA.

Please see the section below entitled, “How to Exercise Your Rights,” for instructions explaining how you can exercise these rights described above.

Requests for specific pieces of Personal Information will require additional information to verify your identity.

For individuals submitting a request on behalf of another person, we may require proof of authorization and verification of identity directly from the person for whom the request is made.

For a company or organization submitting a request on behalf of another person, we may require proof of authorization from the individual such as a Power of Attorney and verification of identity directly from the person for whom the request is made.

In some instances, we may not be able to honor your request. For example, we will not honor your request if we cannot verify your identity or if we cannot verify that you have the authority to make a request on behalf of another individual. Additionally, we will not honor your request where an exception applies, such as where the disclosure of Personal Information would adversely affect the rights and freedoms of another California resident or where the Personal Information that we maintain about you is not subject to the CCPA's access or deletion rights.

We will advise you in our response if we are not able to honor your request. We will not provide Social Security numbers, driver's license numbers or government-issued identification numbers, financial account numbers, unique biometric data, health care or medical identification numbers, account passwords or security questions and answers, or any specific pieces of information if the disclosure presents the possibility of unauthorized access that could result in identity theft or fraud or unreasonable risk to data or systems and network security.

We will work to process all verified requests within 45 days pursuant to the CCPA. If we need an extension for up to an additional 45 days in order to process your request, we will provide you with an explanation for the delay.

How We Process Opt-Out Preferences

Bank of America permits California residents to automatically exercise their right to opt-out of sale/sharing through opt-out preference signals without having to make individualized opt-out requests. Bank of America treats opt-out preference signals as valid requests to opt-out of sale/sharing for the browser. Please note, however, we do not “sell” or “share” personal information with any third parties, as such terms are defined by the CCPA.

How to Exercise Your Rights

If you are a California resident, you may submit a request by:

  1. Completing an online Personal Information Request Form
  2. Calling 888.341.5000

Questions or Concerns

You may contact us with questions or concerns about this Notice and our practices by:

  1. Writing us at:
    Individual Rights Operations TX-041-02-08
    16001 N Dallas Pkwy Building 1
    Addison, TX 75001
  2. Emailing us at serviceinquiries4@bofa.com

Metrics

Please visit www.bankofamerica.com/ccpa-metrics for data reporting published in accordance with Section 7102 of the California Consumer Privacy Act Regulations.

Changes to This California Consumer Privacy Act Notice

We may change or update this Notice from time to time. When we do, we will post the revised Notice on this page with a new “Last Updated” date.

Where You Can Find This Notice Online

You may access this Notice online at www.bankofamerica.com/CCPA-Notice.