CCPA Frequently Asked Questions

The California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act (CPRA), created consumer privacy rights and business obligations with regard to the collection, sharing and sale of personal information (PI) of California consumers.

The CCPA was originally effective January 1, 2020, but was later amended by the CPRA resulting in an updated CCPA, which took effect on January 1, 2023.

You have rights under the CCPA if you are a California resident and the collection of your PI is not excluded based on your relationship with MidFirst Bank (MidFirst) or as otherwise provided by the CCPA.

Exclusions include:

• PI collected, processed or disclosed in conjunction with financial products used for personal and household purposes for both current and former customers, is excluded from CCPA but covered by our Privacy Notice, as required by the Gramm Leach Bliley Act (GLBA);
   
  • MidFirst Bank Privacy Notice
  • 1st Century Bank Privacy Notice
  • Vio Bank Privacy Notice 
     
• PI collected, processed or disclosed in compliance with Federal Laws and Regulations are excluded from CCPA when rights under the CCPA conflict with federal laws and regulations, but are treated consistently with those federal requirements; and
   
• PI collected, processed or disclosed subject to the Health Insurance Portability and Accountability Act (HIPAA), but are treated consistently with HIPAA requirements.

If you are a California resident, you have the following rights:
 

Right to Access – You may request the following information from MidFirst:

1. The categories of PI that we collect, use, disclose, sell and share as applicable;
2. The categories of sources from which PI is collected;
3. The business or commercial purpose for collecting, selling or sharing (if applicable) the PI;
4. The categories of third parties to whom we disclose PI; and
5. The specific pieces of PI that we have collected about you.

• Where do I find information about the categories of PI and sources?
  • You can find this information in our California Privacy Policy.

• Right to Receive – You may request to receive your PI in a portable format.
   
• Right to Delete – You may request that we delete your PI.
   
• Right to Correct – You may request that we correct inaccurate information we have about you.
   
• Protection against Discrimination – You have the right to be free from unlawful discrimination when you exercise your rights under the CCPA.
   
• Sale of PI – You have the right to tell a business that sells or shares your PI to third parties to stop selling or sharing your PI (e.g. opt-out).
  • Where is the link to opt-out on MidFirst’s website(s)?
    • You can manage your data sharing preferences via the Do Not Sell or Share My Personal Information link in the website footer. Note that your selection is specific to the device, website and browser you are using, and is deleted whenever you clear your browser’s cache.
       
• Right to Limit Use and Disclosure of Sensitive PI – If a business infers characteristics about a consumer from sensitive PI it has collected, you have the right to tell the business to limit the use of sensitive PI to what is necessary and reasonable to perform services or provide a product, and certain other specific uses. 
  • MidFirst collects and processes sensitive PI without the purpose of inferring characteristics about a consumer.

• Personal Information: Information that identifies you, relates to you or could be reasonably linked to you.  PI does not include publicly available information or lawfully obtained, truthful information that is a matter of public concern.  A list of specific personal identifiers can be found in the definitions section of the CCPA. 
   
• Sensitive Personal Information:
  • Social security, driver’s license, state identification card or passport number
  • Account log-in, financial account, debit card or credit card number in combination with any required security or access code, password or credentials allowing access to an account
  • Precise geolocation
  • Racial or ethnic origin, religious or philosophical beliefs, or union membership.
  • Contents of a consumer’s mail, email and text messages unless the business is the intended recipient of the communication
  • Genetic data
  • Processing of biometric information for the purpose of uniquely identifying a consumer
  • PI collected and analyzed concerning a consumer’s health
  • PI collected and analyzed concerning a consumer’s sex life or sexual orientation
  • Information that reveals a consumer's citizenship or immigration status
• Sensitive PI is also PI. As discussed above, a California resident has a right to limit the use of Sensitive PI only if it is used to draw inferences about the characteristics of the consumer.

Yes, you can submit an online request if you use your California address on the request form. You may also call the toll-free number 855.928.2146.  Note: if the address you submit is not an address you regularly use, it may be difficult for us to verify your identity or match the PI we have on file for you.

No. The CCPA does not require that you be a MidFirst customer to make a CCPA request. If you are a California resident, you can submit a CCPA request.

• Consumer-Related Relationships: Customers include persons that have a current or former relationship with MidFirst and include persons who applied for, but were denied or otherwise did not receive a consumer-related financial product or service offered by MidFirst.  MidFirst does not process requests from current or former customers who have or who applied for a consumer-related financial product or service as the PI collected and used in connection with that product or service is subject to the GLBA and the Fair Credit Reporting Act (FCRA).  Under the CCPA, information subject to the GLBA and the FCRA is exempt. 

• Business-Related Relationships: Customers whose PI is collected, processed or disclosed in connection with a business-related financial product or service offered by MidFirst may exercise their rights under the CCPA.

Yes.  However, we may not provide some or all of the PI when you make a CCPA request. Your PI may be exempt if it is subject certain privacy and data protection laws, including, but not limited to, HIPAA. 

To make a request to access, delete or correct your PI, click here, or call us toll free at 855.928.2146.

If you are a California resident, we will provide you with a communication acknowledging that we received your request and we will send you a response within 45 days.  If we determine we need more than 45 days to respond to your request, we will notify you.  We will send all communications to you via the method (email or postal mail) you chose during the submission process.

You may submit a maximum of two requests to access data collected by MidFirst in a 12-month period.

Yes.  If you are a California resident, you can authorize someone other than yourself (e.g. an agent) to make a CCPA request on your behalf.  This agent will need to provide your PI in the CCPA request form fields, and they will need to provide proof – such as a Power of Attorney – that you have authorized them to act on your behalf.  This proof is needed in order to ensure we secure and protect your PI.

You can reach us by telephone at 855.928.2146 or by submitting your questions to the email address on the MidFirst response.