The California Consumer Privacy Act (CCPA) FAQs
General information
What does CCPA require JPMorgan Chase to do?
The California Consumer Privacy Act (CCPA) of 2018 (including changes made to the CCPA by the California Privacy Rights Act, or “CPRA”) gives eligible California residents several rights regarding their personal information, and requires JPMorgan Chase to create ways for California residents to exercise these rights and to have them fulfilled. These rights include:
- The right to “notice,” which means the right to be informed about the collection, disclosure, and sale and (for cross-contextual behavioral advertising purposes only) “sharing” of their personal information, including: the personal information collected; the categories of personal information disclosed, shared or sold; the categories of sources of personal information and categories of third parties to whom that information is sold, shared or disclosed; the purpose of collecting, sharing or selling personal information; and a description of the consumer’s rights.
- The right to access (one of two rights to know): the right to request the specific pieces of personal information JPMorgan Chase has collected about them; the categories of personal information JPMorgan Chase collected; the sources used to collect the personal information; the business or commercial purposes for collecting that information; and the categories of third parties with whom we share their personal information.
- The right to data portability (one of two rights to know): the right to obtain copies of their personal information in a readily usable format that will allow them to transmit the information from one entity to another.
- The right to delete: the right to request that JPMorgan Chase delete the personal information that we collected from them.
- The right to correct: the right, in certain circumstances, to correct inaccurate personal information we collected about you; and
- The right to opt-out of sale or sharing: You may request that businesses stop sharing your personal information (“opt-out”) for cross-contextual behavioral advertising purposes, including via a user-enabled global privacy control
- Please note, JPMorgan Chase does not offer an opt-out from the sale of personal information because it does not sell personal information as defined by the CCPA (and has not done so in the last 12 months).
- Right to limit use and disclosure of sensitive personal information: You can request that businesses only use your sensitive personal information (for example, your social security number, financial account information, your precise geolocation data) for limited purposes.
- Please note, JPMorgan Chase does not offer consumers a right to limit use and disclosure of sensitive personal information because it does not use or disclose sensitive personal information in such a manner as to require provision of the right (specifically, for purposes of inferring characteristics about a consumer).
- Right to Equal Service and Price: the right not to be discriminated against for exercising any of these rights.
Please review the California Consumer Privacy Act (CCPA) Disclosure and Notice at Collection for additional details.
Does the CCPA apply to me?
The CCPA applies to you if you're a California resident and aren't excluded based on your existing relationship with us. Please note that the rights provided under CCPA do not apply to personal information we may have about you if the personal information is covered by other federal and state privacy laws, including the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA) and certain other laws.
I’m a current or former JPMorgan Chase customer; can I exercise rights under the CCPA?
Customers include individuals with current retail (retail means personal or household) relationships with us as well as those who applied for, but were denied or otherwise didn't get, financial products or services offered by JPMorgan Chase. The CCPA does not apply to personal information collected, processed, or disclosed in connection with our retail customer or consumer relationships. For this reason, JPMorgan Chase does not process requests from current or former consumers or customers. However, if you are a current customer, you can access much of the personal information we have about you by signing into your account online.
Can I still submit a CCPA request if I’m not a customer?
Yes, if you're a California resident you can send us a CCPA request. The CCPA doesn't require you to be a JPMorgan Chase customer to make a request, but we will ask you to clarify your relationship with JPMorgan Chase as part of the CCPA request process.
The Employment and Workforce Related Privacy Notice addresses our practices for current or former workforce members and job applicants who are California residents.
I'm not in California but I do have a residence there. Can I still submit a request?
Yes, you can send in a request if you use your California address when completing your CCPA request. Please note that if this isn't an address you regularly use, it may be harder for us to verify your identity or match personal information we have about you with your request.
Submitting your CCPA request
How do I send in a CCPA request?
CCPA requests can be submitted online by going to either chase.com/ccparequest or jpmorgan.com/ccparequest. To make a CCPA request by phone, call us at the CCPA Privacy Call Center toll free number 1-800-573-7138 between 7 AM – 10 PM EST.
What information is needed from me to send a CCPA request?
We will need to verify your identity to protect your personal information, as well as that of others, before fulfilling certain types of requests you make under the CCPA. To complete this verification process when this is the case, you'll need to provide us with your name, address, phone number, email, date of birth, and the last 4 digits of your Social Security number. We require this information to ensure that the person making a CCPA request is authorized to do so.
If this request is regarding a business relationship, additional information may be needed to complete your request. Please see the section in this FAQ on “…Can I make another request (follow-up request)?” below.
What happens after I send in a CCPA request?
Once we receive your request with all required information provided, you'll be given a reference number as confirmation that your request was received. We'll send you a response within 45 days of your initial submission date.
Can I send a request on behalf of someone else (spouse, mother, father, etc.)?
Yes, you can submit a request on behalf of someone else (as an authorized agent) if the person you are submitting a CCPA request on behalf of completes and signs the CCPA Authorization form. A link to this document is included on the website within the CCPA request process, or you can download it by using the link below. Please make sure that the name you use when completing the authorization form exactly matches the name you use on the CCPA request that you send in.
Download CCPA Authorization Form (PDF)
Will I receive confirmation that I’ve submitted a CCPA request?
Yes, you’ll receive a confirmation with a CCPA reference number once you submit your request. If you made your CCPA request online, you’ll see your reference number once you select “Send request.” If you made your CCPA request over the phone, we’ll provide your reference number at the end of your call. Your reference number will also be included with your CCPA response.
What personal information of mine will you keep as a result of my CCPA request?
We'll retain your name, address, email and phone number as required evidence that we received your request and acted on it.
Receiving your CCPA response
How long does it take to receive my CCPA response?
You can expect to hear from us within 45 days from when you submitted your CCPA initial request. In some rare cases, we made need additional time to process your request fully, and in those instances, your first response will be a notification that your full CCPA response will be delayed for up to an additional 45 days (up to a total of 90 days from the date you submitted your initial CCPA request).
How do I receive my CCPA Response?
When you submit your CCPA request, you can let us know how you’d prefer to receive your request: electronically (digital delivery) or by U.S. mail (physical delivery).
If you choose digital delivery and you don't have an existing digital profile with JPMorgan Chase, you'll need to create a CCPA privacy profile. The CCPA privacy profile is a secure option available to users who don't bank with JPMorgan Chase, but who still want to receive their CCPA response electronically. With a CCPA privacy profile, you can easily send in future or follow-up requests and receive your responses by a secure and verified method. Creating a profile won't create an account with us and will not indicate that you’d like to receive any goods or services from us. After requesting a CCPA privacy profile, you'll receive instructions on how to create your username and password. These instructions will expire after 60 days. Please complete your CCPA privacy profile as soon as you receive your instructions to ensure a smooth and seamless delivery of your CCPA response.
I selected electronic delivery, how do I access my CCPA Response?
To access your response digitally, do the following once you’ve set up your CCPA privacy profile (additional information on the CCPA privacy profile provided above):
- Use the links provided in your CCPA response notification e-mail or visit chase.com/ccparequest or jpmorgan.com/ccparequest and choose “Manage My Request”
- For the safety and security of your personal information, you'll be asked to verify yourself. Please choose the sign-in method that applies to you: “I have an online profile with JPMorgan Chase” or “I created a privacy profile”.
- Once you’ve signed in, choose “See the response to my CCPA request”. This will take you to your CCPA response. You'll have the ability to download your CCPA response documents and save them to your personal device.
I didn’t get what I expected in my CCPA response; can I make another request (follow-up request)?
If you received your response to a CCPA request and you don't believe that it's complete, or have questions about your response, you can send a follow-up request online at chase.com/ccparequest or jpmorgan.com/ccparequest. You should include in your follow-up request the reason(s) why you believe the initial CCPA response was incomplete. Please note that we do not retain personal information indefinitely, so we may no longer have your information at the time you request it.
If your original request relates to a business relationship, please provide the business name, address, email, and names of products or primary contacts at JPMorgan Chase, in your follow-up request.
Why was my CCPA request denied or declined?
When you receive a CCPA response from us, if your request was denied or declined, we will provide context (specific to your request) on why your CCPA request was denied or declined.
There are several reasons why your request could have been denied or declined, including the following:
- If you are not a California resident, you are not covered by the CCPA.
- If you are an existing JPMorgan Chase customer, your personal information is subject to regulatory requirements provided under other federal and state privacy laws, as noted in the “Am I covered under the CCPA” and “I’m a current or former JPMorgan Chase customer; can I exercise rights under the CCPA?” sections above. Additionally, as a current customer, you have access to your personal information through your online profile. We also provide you with annual privacy notices containing details about the personal information we collect.
- If we previously collected your personal information, but we no longer have that information at the time of your request.
If you disagree with the denial or decline reason stated in your CCPA response, you can send a follow-up request online at chase.com/ccparequest or jpmorgan.com/ccparequest and explain why you disagree with the denial or decline decision reason. Please note that we do not retain personal information indefinitely, so we may no longer have your information at the time you request it.
Additionally, please note that you may only make two (2) verifiable CCPA requests under the “Right to Know” (consisting of the right to access and portability) per calendar year. As such, we encourage you to follow up with us on your original CCPA response if you disagree with the content or disposition of the response.
I don't understand the response to my CCPA request. How can I ask questions?
You can send in a follow-up request to clarify questions from your original CCPA request and/or response. Prior to sending a request for clarification, we ask that you review this list of FAQs, as they may address your questions.
I sent in a request to access my personal information, now I'd like to request to delete it; how do I do that?
You can submit another CCPA request using the instructions above and ask that your personal information be deleted.
I’d like to delete my personal information; will I receive a copy of the personal information that'll be deleted?
No, not automatically. If you’d like to know what personal information may be deleted as a result of your CCPA deletion request, you must first submit an access request to obtain a copy of personal information we have collected and maintain about you.
I’d like to modify my personal information, how do I do that?
Follow the instructions on chase.com/ccparequest for submitting a CCPA request to modify your personal information. Please provide as much detail as you can in the description text regarding the personal information you are requesting to modify.
Please note, if you are a JPMorgan Chase customer, the best way to modify your personal information is via our web and/or mobile apps, calling the number on the back of your card or statement or reaching out to your banker.
Additionally, please note that if you are not a JPMorgan Chase customer and are not covered by any other exemption under the CCPA, we may delete your personal information, rather than correcting it.
My CCPA response stated that you were unable to verify my identity; what does that mean?
We may not have been able to verify your identity for several reasons, including if the information you provided for verification didn't match what we have on file, or we didn't have enough information on you in our documentation, systems, and/or data to make a match.
Protecting your personal information
How does JPMorgan Chase keep my information safe?
We use reasonable physical, electronic, and procedural safeguards that comply with federal standards to protect and limit access to your personal information. This includes device, data, and system safeguards, and secured files and buildings. For more details about how we protect your personal information please follow the links below:
chase.com/privacy
jpmorgan.com/privacy
Please note that when you use an unsecure channel or method to send us personal information electronically, you may be jeopardizing the security of your personal information. We strongly recommend that you don't use unsecure channels to communicate any personal information to us, and particularly sensitive information (such as your Social Security number).
Where are your privacy policies?
Your privacy is important to us and we take our responsibility to protect the privacy and confidentiality of your information, including personal information, very seriously. To learn more about our privacy practices please go to:
chase.com/privacy
jpmorgan.com/privacy
Our online privacy policies explain how we collect, share, use, and protect information when you visit or use our online services. Other privacy principles or policies could apply depending on how you interact with us, the financial products or services you have with us, or the jurisdiction in which we are doing business with you.
To access our CCPA Disclosure and Notice at Collection please visit chase.com/digital/resources/privacy-security/privacy/ca-consumer-privacy-act or https://www.jpmorgan.com/disclosures/ca-consumer-privacy-act.