This California Consumer Privacy Act Disclosure (“Disclosure”) explains how Discover Financial Services and its subsidiaries* (collectively, “Discover”, “our”, “us” or “we”) collect, use, and disclose, share, and retain Personal Information subject to the California Consumer Privacy Act as amended by the California Privacy Rights Act of 2020 (the “CCPA”).
This Disclosure applies solely to California residents and covers both online and offline practices (e.g., phone and in-person).
* Discover Bank, DFS Services LLC, PULSE Network LLC, Diners Club International, Ltd., the Discover Global Network, Pulse EFT Association, Inc., DFS Corporate Services LLC, DFS International Incorporated, Discover Products Inc., The Student Loan Corporation, and their affiliates and subsidiaries, including companies related by common ownership or control with a Discover or DFS name and financial companies such as GTC Insurance Agency, Inc.
What is Personal Information?
Under the CCPA, "Personal Information" is information that identifies, relates to, describes, or could reasonably be linked with a particular California resident or household. The CCPA, however, does not apply to certain information, such as information subject to the Gramm-Leach-Bliley Act ("GLBA"). As a result, this Disclosure does not apply, for example, with respect to information that we collect about California residents who apply for or obtain our financial products and services for personal, family, or household purposes (“GLBA Consumers”).
For more information about how we collect, disclose, and secure information relating to our GLBA Consumers, please refer to our Consumer Privacy Statements. If you have an account relationship with us, you are also able to access important account, transaction, and other information by logging in to your secure account at Discover.com.
Our Information Practices Regarding Personal Information
We collect, use, disclose, and retain Personal Information relating to California residents in a variety of contexts, as described below. For example, we collect Personal Information relating to California residents for marketing purposes and from individuals who apply for employment with us or are our employees, vendors, contractors, or similar personnel. The specific Personal Information that we collect, use, disclose, and retain relating to a California resident, will depend on our specific relationship or interaction with that individual.
In the past 12 months, we have collected the following categories of Personal Information relating to California residents:
(1) Personal identifiers, such as name and mailing address;
(2) Personal Information, as defined in the California Customer Records statute, such as contact information and financial information;
(3) Characteristics of protected classifications under California or federal law, such as age, citizenship, and marital status;
(4) Commercial information, such as transaction and account information;
(5) Internet or electronic network activity information, such as browsing history and interactions with our website;
(6) Geolocation data, such as device location and certain device information;
(7) Biometric data, such as faceprint or a voiceprint;
(8) Sensory data, such as call recordings, audio, electronic, visual, and similar information;
(9) Professional or employment-related information, such as current employment information or employment history;
(10) Education information, such as school and date of graduation;
(11) Inferences drawn from any of the Personal Information listed above to create a profile about, for example, an individual's preferences and characteristics; and
(12) Sensitive Personal Information, such as certain government identifiers (e.g., social security number, driver’s license number, state identification card number, passport number; account access credentials or biometric information for the purposes of uniquely identifying a California resident. For employees, former employees, or applicants, examples of Sensitive Personal Information may also include racial or ethnic origin, religious or philosophical beliefs, or union membership, health information, or sex life or sexual orientation.
We may keep Personal Information as long as necessary or relevant for the practices described in this Disclosure or as otherwise required by law. Actual retention periods vary depending on product and service. We use the following to determine retention periods: Personal Information that is needed to provide our products and services as described in this Disclosure, for auditing purposes, to troubleshoot problems or assist with investigations, to enforce our policies and to comply with legal requirements. Laws and regulations require all financial institutions to obtain, verify, and record information that identifies each person for whom we open or have established an account. It is the policy of Discover that our records reflect our customer’s name, physical address, date of birth, and identification number. With respect to records such as customer applications, account statements, and payments on the account, Discover generally retains those records for a minimum of seven years.
In the past 12 months, we have collected the categories of Personal Information set forth above from the following categories of sources:
(1) Directly from you;
(2) Discover affiliates and subsidiaries;
(3) Online and mobile app services, including cookies, pixel tags, beacons, and software development kits;
(4) Consumer reporting agencies;
(5) Data analytics providers;
(6) Government entities, including federal, state, or local government(s), or other public sources;
(7) Third parties such as social networks and advertising networks;
(8) Businesses or Nonbusinesses that you have authorized or directed to disclose your information to us; and
(9) Service providers or contractors, with whom we have a contractual relationship to perform services on our behalf, or that you have authorized or directed to disclose your information with including data brokers as defined under California law.
We may collect Personal Information to operate, manage, and maintain our business, to provide our products and services, for our employment and vendor management purposes, and to accomplish our business purposes and objectives. For example, we use the Personal Information we collect to:
(1) Personalize, develop, market, advertise, and provide our products and services (including analytic services);
(2) Provide customer service;
(3) Process payments or transactions, provide financing, or fulfill orders;
(4) Help to ensure security and integrity;
(5) Conduct research and data analysis;
(6) Perform identity verification;
(7) Maintain our systems, infrastructure, and facilities including debugging to identify and repair errors that impair existing intended functionality;
(8) Maintain and service accounts;
(9) Conduct risk and security control and monitoring;
(10) Perform audit functions, including auditing interactions with consumers;
(11) Maintain and enhance a product or service;
(12) Verify and provide employment benefits and administration (e.g., employment eligibility, payroll, and performance management); and
(13) Conduct other internal functions, such as investigations or research for technology development, comply with legal obligations, maintain business records, and exercise and defend legal claims and rights.
We do not use or disclose Sensitive Personal Information for purposes other than as specified in CCPA.
In the past 12 months, we have disclosed the following categories of Personal Information relating to California residents to the following categories for our business purposes, as indicated:
(1) Personal identifiers, such as name and mailing address, Personal Information, as defined in the California Customer Records statute, such as contact information and financial information, and Professional or employment-related information, such as current employment information or employment history, have been disclosed to Discover affiliates and subsidiaries, service providers, regulatory agencies, law enforcement, and other government entities, consumer reporting agencies, social networks/advertising networks, and data analytics providers;
(2) Characteristics of protected classifications under California or federal law, such as age, citizenship, and marital status, and Education information such as school and date of graduation, have been disclosed to Discover affiliates and subsidiaries, service providers, regulatory agencies, law enforcement, and other government entities, consumer reporting agencies, and data analytics providers;
(3) Commercial information, such as transaction and account information, has been disclosed to Discover affiliates and subsidiaries, service providers, and regulatory agencies, law enforcement, and other government entities;
(4) Internet or electronic network activity information, such as browsing history and interactions with our website, has been disclosed to Discover affiliates and subsidiaries, service providers, and consumer reporting agencies, social networks/advertising networks, and data analytics providers;
(5) Geolocation data, such as device location and certain device information, has been disclosed to Discover affiliates and subsidiaries, service providers, and data analytics providers;
(6) Sensory data, such as call recordings, has been disclosed to Discover affiliates and subsidiaries, service providers, regulatory agencies, law enforcement, and other government entities, and social networks;
(7) Inferences drawn from any of the Personal Information listed above has been disclosed to Discover affiliates and subsidiaries; and
(8) Sensitive Personal Information such as certain government identifiers (e.g., social security number, driver’s license number, state identification card number, passport number); account access credentials; or processing of biometric information for the purposes of uniquely identifying a California resident has been disclosed to service providers, regulatory agencies, law enforcement and other government entities, and consumer reporting agencies. For employees, former employees or applicants, examples of Sensitive Personal Information may also include racial or ethnic origin, religious or philosophical beliefs, or union membership, health information, or sex life or sexual orientation has been disclosed to service providers, regulatory agencies, law enforcement and other government entities.
Additionally, we have disclosed Personal Information to Business or Nonbusiness third parties based upon the consent or at the direction of a California resident to disclose the information.
In the past 12 months, based upon our actual knowledge, we have not “sold” Personal Information or Sensitive Personal Information relating to California residents (including minors under 16 years of age) nor have we “shared" Personal Information with third parties for targeted advertising purposes. For purposes of this Disclosure, “sold” means the disclosure of Personal Information to a business or third party for monetary or other valuable consideration. For purposes of this Disclosure, “share” means sharing a consumer’s Personal Information with a third party for cross-contextual behavioral advertising for monetary or other valuable consideration or for the benefit of a business in which no money is exchanged.
Your Rights Under the CCPA
If you are a California resident, you may have certain rights over the Personal Information we have about you. You may request the following:
- The categories of Personal Information that we collected about you and the categories of sources from which we collected such information;
- The business or commercial purposes for collecting Personal Information about you;
- The categories of third parties to whom we disclosed such Personal Information (if applicable);
- The categories of Personal Information that we disclosed for a business purpose, and for each category identified, the categories of third parties to whom we disclosed that category of Personal Information (if applicable);
- Access to specific pieces of Personal Information we collected about you;
- Deletion of Personal Information that we collected from you;
- Correction of Personal Information that may be inaccurate; and
- Limitations regarding the use of your Sensitive Personal Information
In some instances, we may decline to honor your request where an exception applies, such as where the disclosure of Personal Information would adversely affect the rights and freedoms of another consumer, where the Personal Information that we maintain about you is not subject to CCPA requirements, or where the Personal Information is a trade secret. We may also decline to honor your request if we cannot verify your identity or confirm that the Personal Information that we maintain relates to you, or if we cannot verify that you have the authority to make a request on behalf of another individual.
The CCPA also sets forth exceptions for when a business is not required to delete Personal Information, including but not limited to, where it is reasonably necessary to maintain Personal Information to provide a good or service that you requested, comply with a legal obligation, or to help ensure security and integrity. As you would reasonably expect, the Sensitive Personal Information we collect, use, and disclose is done so to provide goods and services you requested, thus we cannot limit the use of your Sensitive Personal Information.
Furthermore, we may decline the request to correct Personal Information depending on the nature of the Personal Information, the accuracy of the request, how the information was obtained and the business purposes for which the information was collected, maintained, or used.
Nonetheless, you have the right to be free from unlawful discrimination for exercising your rights under the CCPA.