Information For California Residents

This California Privacy Notice (“Notice”) describes how First American Bank and its subsidiaries and affiliates (collectively, “First American Bank,” “we,” “us,” or “our”) collect, use, disclose, and retain personal information about California residents (“you” or “your”). This Notice is provided in accordance with the California Consumer Privacy Act, as amended from time to time, including by the California Privacy Rights Act (the “CCPA”).

This Notice supplements our Consumer Privacy Notice and our Online Privacy Policy. In the event of a conflict between this Notice and those policies with respect to California residents, this Notice controls.

Scope

This Notice applies to personal information subject to the CCPA. “Personal information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household. Personal information does not include publicly available information, deidentified or aggregated information, or information excluded from the CCPA’s scope.

As a financial institution, much of the information we collect and use in connection with consumer financial products and services (such as deposit accounts, loans, and investment accounts) is subject to the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, or the California Financial Information Privacy Act. Information covered by these laws is exempt from the CCPA. For information about how we handle that data, please see our Consumer Privacy Notice.

This Notice does not apply to information collected from First American Bank job applicants, employees, independent contractors, or other workers.

Understanding Personal Information and Sensitive Personal Information
Under the CCPA, “personal information” is a broad category covering any information that can be linked to you or your household. It includes everyday data such as your name, email address, browsing history, and transaction records.

“Sensitive personal information” is a subset of personal information that includes higher-risk data, such as government identification numbers (e.g., Social Security numbers), financial account credentials (e.g., account numbers combined with passwords), precise geolocation, and racial or ethnic origin. The CCPA provides consumers with an additional right to limit how businesses use sensitive personal information beyond what is necessary to provide the products or services you requested.

Because First American Bank only uses sensitive personal information for permitted purposes (such as providing the banking products and services you request, verifying your identity, preventing fraud, and complying with legal obligations), there is no need to exercise this additional limitation right. We explain the permitted purposes in more detail in the Sensitive Personal Information section below.

Categories of Personal Information We Collect

In the preceding 12 months, we have collected the following categories of non-sensitive personal information from or about California residents, depending on our relationship or interaction with you:

| Category | Examples | Purpose(s) for Collection | Shared for Cross-Context Behavioral Advertising | Sold | Other Disclosures |
| --- | --- | --- | --- | --- | --- |
| Identifiers | Name, alias, postal address, email address, phone number, IP address, device identifiers, online identifiers, account name | Providing and improving our products and services; complying with legal obligations; fraud prevention; marketing | Yes (IP address, device identifiers, and online identifiers only) | No | Processors, business partners, analytics providers |
| California Customer Records (Cal. Civ. Code § 1798.80(e)) | Name, signature, address, telephone number, bank account number, credit or debit card number, other financial information | Providing products and services; complying with legal obligations | No | No | Processors, business partners |
| Protected Classification Characteristics | Age, race, national origin, citizenship, marital status, sex, disability status, military or veteran status | Complying with legal obligations (e.g., fair lending, HMDA reporting) | No | No | Processors, business partners |
| Commercial Information | Records of products or services purchased, obtained, or considered; other purchasing or consuming histories | Providing and improving products and services; complying with legal obligations | No | No | Processors, business partners |
| Internet or Other Electronic Network Activity | Browsing history, search history, cookies, device identifiers, IP address, interaction with our website or advertisements | Providing and improving our services; website analytics; delivering relevant advertising | Yes | No | Processors, analytics and advertising partners |
| Geolocation Data | Imprecise physical location (e.g., city or ZIP code derived from IP address) | Providing personalized services; improving services; fraud prevention | Yes (imprecise location derived from IP address) | No | Processors, business partners |
| Sensory Information | Audio recordings (e.g., customer service calls), photographs, video surveillance at branches | Providing services; quality assurance; security | No | No | Processors |
| Professional or Employment-Related Information | Employer, occupation, employment history, salary | Complying with legal obligations (e.g., loan underwriting) | No | No | Processors, business partners |
| Inferences | Profiles reflecting preferences, characteristics, or behavior derived from the above categories, including interest profiles derived from browsing activity | Providing and improving products and services; marketing; delivering relevant advertising | Yes | No | Processors, analytics and advertising partners |

Categories of Sensitive Personal Information

In the preceding 12 months, we have collected the following categories of sensitive personal information from or about California residents:

| Category | Purpose(s) for Collection | Shared for Cross-Context Behavioral Advertising | Sold | Other Disclosures |
| --- | --- | --- | --- | --- |
| Government ID Data (Social Security number, driver’s license, passport number, or similar government ID) | Complying with legal obligations; verifying identity; fraud prevention | No | No | Processors, business partners (for identity verification and legal compliance) |
| Financial Account Credentials (account log-in, financial account, debit or credit card number in combination with required security code, password, or credentials) | Providing products and services; verifying identity | No | No | Processors, business partners (for account servicing and identity verification) |
| Sensitive Category Data (racial or ethnic origin, citizenship) | Complying with legal obligations (e.g., fair lending, HMDA reporting) | No | No | Not otherwise disclosed |
| Precise Geolocation Data (GPS coordinates from your device) | Improving services; providing location-based functionality | No | No | Processors (for customer service and debugging) |

We only use and disclose sensitive personal information for the following purposes permitted under the CCPA:

  • Performing services reasonably expected by an average consumer who requests those services (e.g., servicing your accounts, processing transactions, verifying your identity).
  • Detecting security incidents and protecting against malicious, deceptive, fraudulent, or illegal activity.
  • Ensuring physical safety.
  • Short-term, transient use, such as displaying non-personalized content during your current interaction with us.
  • Verifying or maintaining the quality or safety of our services.
  • Complying with legal and regulatory obligations.

Because we limit our use and disclosure of sensitive personal information to these permitted purposes, we do not offer a separate right to limit the use of sensitive personal information.

Sources of Personal Information

We obtain the categories of personal information listed above from the following categories of sources. In the preceding 12 months, we have collected personal information:

  • Directly from you, such as when you open an account, apply for a loan, contact us, visit a branch, or interact with our website or mobile application.
  • Indirectly from you, such as from your transactions and activity with us and through your interactions with our website.
  • From our business partners, service providers, and contractors.
  • From tracking technologies, including cookies, pixels, and similar technologies on our website (see “Cookies and Tracking Technologies” below).
  • From public sources, such as government databases and publicly available records.

How We Use Personal Information

We use personal information for the following business and commercial purposes:

  • Providing, managing, and servicing your accounts and the products and services you request from us.
  • Processing transactions, payments, and collections.
  • Verifying your identity and preventing fraud.
  • Complying with applicable laws, regulations, and legal processes.
  • Communicating with you about your accounts, our products and services, and offers that may interest you.
  • Operating, maintaining, analyzing, and improving our website and services.
  • Delivering advertising and marketing, including advertising based on your activity on our website and on third-party websites (see “Sharing of Personal Information for Cross-Context Behavioral Advertising” below).
  • Conducting research and data analysis to improve our products and services.
  • Maintaining the security of our systems, premises, and operations.
  • Exercising or defending legal claims.

We will not collect additional categories of personal information or use personal information for materially different, unrelated, or incompatible purposes without providing you notice.

Disclosure of Personal Information for Business Purposes
In the preceding 12 months, we have disclosed personal information to the following categories of recipients for our business purposes:
  • Processors (Service Providers and Contractors): Companies that process personal information on our behalf under written contracts that restrict their use of the information. Examples include payment processors, data analytics providers, customer service support providers, IT and cybersecurity service providers, and marketing service providers.
  • Business Partners: Companies with which we have a commercial relationship and that may assist in providing products or services, such as co-branded card partners or referral partners.
  • Analytics and Advertising Partners: Companies that help us analyze website traffic and deliver advertising (see “Sharing of Personal Information for Cross-Context Behavioral Advertising” and “Cookies and Tracking Technologies” below).
  • Legal and Regulatory Recipients: Government agencies, regulators, law enforcement, and courts, as required by applicable law, regulation, subpoena, or court order.
  • Transaction Parties: In connection with a merger, acquisition, divestiture, or other transfer of all or a portion of our business or assets.
We only make business purpose disclosures under written contracts that describe the purposes, require the recipient to keep the information confidential, and prohibit the recipient from using the information for any purpose other than performing the contract.

Sharing of Personal Information for Cross-Context Behavioral Advertising
We do not sell personal information for monetary consideration.

We may share certain personal information with third-party advertising and analytics partners for purposes of cross-context behavioral advertising, which, under the CCPA, generally refers to targeted advertising based on a consumer’s activity across different websites or services. When third-party cookies and tracking technologies on our website collect information about your browsing activity to deliver advertising tailored to your interests on other websites, this may constitute “sharing” under the CCPA.

In the preceding 12 months, we may have shared the following categories of personal information for cross-context behavioral advertising:
  • Identifiers (such as IP address, device identifiers, and online identifiers)
  • Internet or other electronic network activity information (such as browsing history and interaction with our website and advertisements)
  • Geolocation data (such as imprecise location derived from IP address)
  • Inferences (such as interest profiles derived from browsing activity)
We share this information with the following categories of third parties:
  • Third-party advertising technology providers
  • Third-party advertising partners, including social media platforms
  • Data analytics providers
We do not share sensitive personal information for cross-context behavioral advertising. We do not knowingly sell or share for targeted advertising the personal information of California residents under 16 years of age.

Cookies and Tracking Technologies
Our website uses cookies and similar tracking technologies to enable site functionality, analyze site usage, and deliver relevant advertising. We use OneTrust to manage cookie consent preferences on our website. You may adjust your cookie preferences at any time by selecting the Manage Cookies icon in the lower left corner of our website.

We categorize cookies on our website as follows:
  • Strictly Necessary Cookies: Required for the website to function and cannot be turned off. These include anti-forgery and bot management cookies.
  • Performance Cookies: Help us understand how visitors interact with our website by collecting analytics data (e.g., Google Analytics, Microsoft Clarity).
  • Functional Cookies: Enable additional website features and personalization (e.g., content management, video playback, and site analytics).
  • Targeting Cookies: Set by our advertising partners to build a profile of your interests and show you relevant advertisements on other websites. Our targeting cookie partners may include such companies as Google, Meta (Facebook and Instagram), LinkedIn, Microsoft Bing, StackAdapt, and Yahoo, among others. The current list of targeting cookie partners operating on our website, and details regarding their purposes and retention periods, are available through the Manage Cookies icon in the lower left corner of our website. For the avoidance of doubt, where there is any difference between this Notice and the Cookie Settings interface, the Cookie Settings interface will control with respect to cookies and similar tracking technologies.
For more information about the specific cookies on our website, please click the Manage Cookies icon in the lower left corner of our website to view and manage your cookie preferences.
For more information about our website data practices generally, please see our Online Privacy Policy.

How to Opt Out of Sharing for Cross-Context Behavioral Advertising
You may opt out of the sharing of your personal information for cross-context behavioral advertising through any of the following methods:
  1. Cookie Preference Center: Click “Manage Cookies” in the lower left corner of our website and adjust your targeting cookie preferences.
  2. Global Privacy Control (GPC): We honor opt-out preference signals sent through the GPC to the extent such signals are technically feasible and recognized by our website and consent‑management platform. Cookies and similar tracking technologies are used as the technical means by which we implement opt‑out preferences for interest‑based advertising and are managed through our cookie consent tool, which allows you to review and adjust your preferences. GPC is a browser-level setting that automatically communicates your opt-out preference to websites you visit. You can learn more and enable GPC at globalprivacycontrol.org.
  3. Device Settings: You may be able to opt out of interest-based advertising through the settings on your device (e.g., “Limit Ad Tracking” on iOS or “Opt Out of Ads Personalization” on Android).
These opt-out methods apply solely to the sharing of personal information for cross-context behavioral advertising. They do not disable cookies or other tracking technologies that are used for purposes such as website functionality, security, analytics, or fraud prevention.

Opt-out preferences are specific to the browser and device you are using. You may need to opt out separately on each browser and device. Even after opting out, you may still see advertisements from us; they will not be personalized based on information shared for cross-context behavioral advertising.

Retention of Personal Information

We retain personal information for as long as necessary to carry out the purposes for which it was collected, consistent with our record retention schedule and applicable legal and regulatory requirements. The factors we use to determine retention periods include: (i) the duration of our relationship with you; (ii) whether there is a legal or regulatory obligation that requires us to retain the information (including obligations under the Bank Secrecy Act, GLBA, FCRA, and other financial regulations); and (iii) whether retention is advisable in light of our legal position (such as applicable statutes of limitation, litigation holds, or regulatory investigations). Our retention and destruction practices are governed by First American Bank’s internal records retention schedule and information governance policies, which are designed to align with applicable banking, privacy, and data security laws.

Cookie and online tracking data are retained for varying periods depending on the type of cookie and its purpose. For more information, please click the Manage Cookies icon in the lower left corner of our website.
When personal information is no longer needed, we will delete, deidentify, or otherwise dispose of it in accordance with our record retention and destruction policies.

Your Rights Under the CCPA
If you are a California resident, you have the following rights regarding your personal information:
  • Right to Know: You may request that we disclose to you the categories of personal information we collected about you in the preceding 12 months, the sources, the purposes for collection, the categories of third parties to whom we disclosed or shared your information, and the specific pieces of personal information we collected about you.
  • Right to Delete: You may request that we delete personal information we collected from you, subject to certain exceptions.
  • Right to Correct: You may request that we correct inaccurate personal information we maintain about you.
  • Right to Opt Out of Sharing: You may opt out of the sharing of your personal information for cross-context behavioral advertising (see “How to Opt Out of Sharing for Cross-Context Behavioral Advertising” above).
  • Right to Non-Discrimination: We will not discriminate or retaliate against you for exercising any of your CCPA rights.

Exercising Your Rights
To exercise your right to know, delete, or correct, please submit a verifiable request to us by either: You may submit a request to know twice in any 12-month period. Please describe your request with sufficient detail so we can properly understand, evaluate, and respond to it.

Verification
To protect your privacy, we will verify your identity before responding to a request to know, delete, or correct. We will verify your identity by sending an email to your email address on file with a verification link. We may ask for additional information, including your first and last name, email address, phone number, account number (if applicable), and the type of product you have or have applied for with First American Bank. If you do not complete the verification process, we may be unable to process your request. Any information you provide to authenticate your identity will only be used to process your request.

Authorized Agents
You may designate an authorized agent to submit a request on your behalf. Your authorized agent may submit a request using the same methods described above. We may require verification of your authorized agent’s authority, in addition to verifying your identity.

Response Timing
We will confirm receipt of your request within 10 business days. We will respond to verifiable requests within 45 days of receipt (or 15 business days for opt-out requests). If we need additional time (up to another 45 days), we will inform you of the reason and the extension period in writing.

We do not charge a fee to process or respond to your verifiable request unless it is excessive, repetitive, or manifestly unfounded.

Children’s Data
We do not knowingly sell or share for targeted advertising the personal information of California residents under 16 years of age. We comply with the Children’s Online Privacy Protection Act (“COPPA”) with respect to personal information collected from children under the age of 13.

Changes to This Notice
We may update this Notice from time to time. When we do, we will post the revised Notice on our website with a new “Last Updated” date at the top of this page. Your continued use of our services after any changes constitutes your acceptance of the updated Notice. We encourage you to review this Notice periodically.

Contact Us
If you have any questions or concerns about this Notice or our privacy practices, please contact us at: fabprivacy@firstambank.com

Last updated: March 31, 2026