California privacy notice

This notice is applicable to California residents only.

For the main TIAA privacy notice, click here.

For TIAA Trust’s privacy notice click hereOpens pdf.

This California Privacy Notice (California Notice) is for California residents only, pursuant to the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA), and supplements information contained in the (i) TIAA Privacy Notice provided by TIAA and its affiliated “TIAA Companies” using the TIAA brand or sharing a common corporate identity and the (ii) TIAA Trust, N.A. Privacy Notice provided by TIAA Trust, N.A., to the extent you have a relationship with any of these entities. 

Please review this California Notice carefully, as it applies to the collection, use and sharing of the personal information (as defined by the CCPA) we may collect about you in connection with: 

(i) a business relationship you may have with TIAA or a TIAA Company (in which case you are referred to as a “Business Client”); or

(ii) if you do not yet have a relationship with TIAA or the TIAA Companies, introducing you to our financial products and services for personal or household use (in which case you are referred to as a “Prospect”). 

Specifically, CCPA exempts the personal information collected by TIAA Companies once you apply for, access or purchase a financial product or service for your direct personal or household use and/or used to deepen our financial relationship with you; our collection, use and sharing of such personal information is instead subject to the TIAA Privacy Notice and the TIAA Trust N.A. Privacy NoticeOpens pdf for TIAA Trust, N.A. Customers (each referred to hereafter as a “Privacy Notice”).  

If TIAA is administering an employment benefit plan offered by your current and/or former employer(s), we request that you direct any CCPA-related questions you may have to the employer.  

As used in this California Notice and as defined in the CCPA, personal information includes information that relates to, is capable of being associated with, or could reasonably be linked to you, one of your devices and/or a member of your household, that is not in furtherance of your current relationship with TIAA or a TIAA Company. Personal information also includes “sensitive personal information,” which is further described below.

Your rights under the CCPA

If you are a California resident, you have the following rights with respect to your personal information:

  • Receive information on our privacy and information practices, including why we collect personal information about you, from whom, for what purposes, and with whom we share or “sell” it. This information is contained in the chart below. You are also entitled to know how long we expect to retain your personal information. Our retention periods vary, and we use the following criteria to determine them: (i) if you are a Prospect, usually three years; if you are a Business Client, the time during which our business relationship with you continues. In addition, we comply with our internal retention requirement, which is generally seven years, which can be extended under some circumstances, such as anticipated or ongoing litigation or regulatory activities.
  • Request access to personal information that we have collected about you in the twelve months prior to your request. Please note that we are not required to disclose any personal information that may compromise the security of your account(s) or put you at risk of identity theft; for example, we will not disclose to you your specific Social Security Number if we have collected it.
  • Request the deletion of your personal information, if we use it outside our business purposes (which are explained below).
  • Request the correction of your personal information.
  • Limit the use of your sensitive personal information, if we use it outside our business purposes. We do not collect sensitive personal information from you, with the exception of a government-issued identification number (such as a Social Security or a Driver’s License Number) if you are a Business Client. We do use this information to authenticate you, which is considered to be a “business purpose” under CCPA. Therefore, the right to limit our use of your sensitive personal information is not available at this time.
  • Opt-out of certain automated decision-making. Until the California regulators define automated decision making, we are not yet able to offer this right to you. We do not use automated decision-making in a way that will materially impact your legal rights or discriminate against you.
  • Receive information whether we “sell or share” your personal information with vendors that provide cross-context digital advertising or cannot assure us that your personal information is used only to deliver services we have hired them to provide us.    You are also entitled to opt-out of any such “sale or sharing.”

    > We do not sell to anyone any of your personal information for money.   

    > Personal information collected by our use of digital tracking technology is information that, on its own, might not identify you; however, when such information is combined with other information about you, it may be possible to identify you or your household.

    > Digital tracking technology may be deployed by us or our service providers on our behalf, for analytics, marketing, and interest-based advertising services. We may, and our service providers may also, rely on other third parties to deliver to you our interest-based advertising on websites and platforms that you may visit while online. TIAA and its service providers do not share your personal information with these third parties to enable interest-based advertising. Regardless, we recognize that the use of third-party providers for certain marketing activities may be considered a “sale” or “sharing” under the CCPA. By visiting our digital preference management center [link], you have the ability to review a current list of digital tracking technology that we allow on our sites and opt out of the digital activities that could constitute sales/sharing of your personal information. Please note that your opt-out preferences will be stored in cookies and that if you clear your cookie cache or access our site from another device, we may not have the ability to identify you for the purpose of applying your opt-out choices, and you may need to opt out again.

    > Our website also detects the Global Privacy Control signal from a number of common browsers, and we will automatically opt you out of interest-based advertising if we detect that you have enabled this signal. To learn more about the Global Privacy Control, please visit globalprivacycontrol.org.  
  • Not be discriminated against for exercising these rights.

Our business purposes

Certain activities we perform require the use of your personal information and/or your sensitive personal information.   Under the California Privacy Rights Act, you may not request that we (i) delete it; (ii) limit our use of your personal information or sensitive personal information; or (iii) limit our sharing it with our service providers when our activities fall within our "business purposes".   

We require our service providers to contractually agree to use your personal and sensitive personal information only to render us the services we have hired them to perform, to protect it with technical, administrative and physical measures appropriate to its sensitivity, not to use it for their own purposes, collect further personal information with respect to it, and to tell us if they cannot comply with such requirements and to allow us to make sure that they are complying with their obligations.  

The activities constituting our “business purposes” are:

  • Completing a transaction for which the personal information was collected, providing a product or service requested by you, taking actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise performing our contract(s) with you.
  • If you are a Business Client and the entity that you represent has hired us, performing the contracted services we were hired to perform, including granting you access to the information your employer has authorized you to access from us.
  • Preventing, detecting and investigating security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, or prosecuting those responsible for such activities.
  • Debugging products to identify and repair errors that impair existing intended functionality.
  • Short-transient use relating to our current business interaction with you.
  • Exercising free speech, ensuring the right of other consumers to exercise their free speech rights, or exercising another right provided for by law.
  • Enabling solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us. This includes performing analytics to improve the products and services we provide you, creating internal reports for our management, and providing information to auditors.
  • Complying with a legal obligation, including our records retention obligations, to answer subpoenas or requests from our regulators.
  • Making other internal and lawful uses of that information that are compatible with the context in which you provided it.
  • Information that helps us match you to our products and services, such as information about your interests and activities, including your purchases;
  • Inferences or insights we may draw from such information.

Personal Information of Minors

Our products and services are not geared to minors, and we do not knowingly collect Personal Information of minors under sixteen years of age outside your existing relationship with us (e.g. beneficiary information).

Category and Sources of Personal Information

Contact Information

We collect this type of information from:

  • You, when you contact us via the internet, in person, by phone or online communities that you may have agreed to join
  • Your employer, if you are a Business Client such as a plan sponsor, plan administrator or your role includes administering employment benefits or your employer has a business relationship with TIAA or a TIAA Company.
  • A client that we have in common, if you are a Business Client such as a third party administrator or agent hired by a plan, an investment advisor hired by a plan, an individual investor or a global investor.
  • A third party services, such as LinkedIn, trade shows and conferences,

Examples of Types of Data Elements:

  • Full name, title, preferred form of address 
  • Mailing address
  • Residential address
  • Email address
  • Telephone number
  • Mobile number

Purpose for Collecting and Disclosing the Personal Information: 
We use this type of information to identify you and stay in touch with you, including: 

  • To communicate with you and to maintain our business relationship and provide customer service
  • To send marketing communications, contests/sweepstakes and other invitations
  • To personalize our communications
  • For our business purposes

Categories of Third Parties to whom this type of Personal Information is Disclosed for a Business Purpose. 

We may disclose this type of information to other TIAA Companies for their business purposes and to:

  • Service providers, since they have agreed to use your information solely to render services to us and protect it.  This may include social media companies that have agreed to such conditions, such as Facebook and Google.

Categories of Third Parties with whom this type of Personal Information is Sold or Shared.

We do not sell this information for money or share this personal information with third parties for cross-context behavioral advertising or other activities from which you are entitled to opt-out.  

Government-issued Identification Numbers 

We collect this type of information from: You

Examples of Types of Data Elements:
We may collect from you:

  • A government issued identifier, such as a Social Security or Driver’s License Number

Purpose for Collecting and Disclosing the Personal Information
We use this type of information:

  • To identify you
  • For authentication
  • For security and risk management, fraud prevention and similar purposes  
  • For our business purposes

Categories of Third Parties to whom this type of Personal Information is Disclosed for a Business Purpose:

We may disclose this type of information to our service providers and to other TIAA Companies for our business purposes.

Categories of Third Parties with whom this type of Personal Information is Sold or Shared.

We do not sell this information for money or share this personal information with third parties for cross-context behavioral advertising or other activities from which you are entitled to opt-out.  

Account Access Information  

We collect this type of information from:

  • You, when establish an account or change your password in an online portal that you need pursuant to our business relationship

Examples of Types of Data Elements:
Data elements in this category include:

  • Usernames and passwords
  • Account recovery information

Purpose for Collecting and Disclosing the Personal Information
We use this type of information:

  • To identify and authenticate you
  • To permit you to access the online portals that you need pursuant to your relationship with us
  • For security and similar purposes

Categories of Third Parties to whom this type of Personal Information is Disclosed for a Business Purpose

We may disclose this type of information to service providers that we have hired for IT services and for our business purposes.

Categories of Third Parties with whom this type of Personal Information is Sold or Shared.

We do not sell this information for money or share this personal information with third parties for cross-context behavioral advertising or other activities from which you are entitled to opt-out.

Relationship Information

We collect this type of information from:

  • You
  • Your employer, if you are a Business Client
  • Third parties that provide access to information you make publicly available, such as social media.

We may also infer information about you based on information that you have given us and your past interactions with us and other companies.

Examples of Types of Data Elements:
Data elements in this category include:

  • Personal characteristic and preferences, such as your age range, marital and family status, shopping preferences, languages spoken
  • Data from social media profiles, such as Facebook, Twitter, LinkedIn and similar platforms
  • Education information
  • Professional information
  • Hobbies and interests

Purpose for Collecting and Disclosing the Personal Information:
We use this type of information:

  • To identify prospective customers
  • For our business purposes

Categories of Third Parties with whom this type of Personal Information is Sold or Shared.

We do not sell this information for money or share this personal information with third parties for cross-context behavioral advertising or other activities from which you are entitled to opt-out.  

Online & Technical Information

We use digital tracking technology on our websites and in our marketing campaigns including, but not limited to, pixels, beacons, and cookies to collect from your computer or other connected device information about you, your internet and website activity, and your preferences. We collect this type of information from:

  • You and from your connected devices when you interact with our websites, online content, and mobile applications.  For example, when you visit our websites, our server logs record your IP address and other information.  
  • Through digital tracking technologies such as cookies, pixels, and beacons,

We also associate information with you using unique identifiers collected from your devices or browsers.

Examples of Types of Data Elements:

Personal information collected by our use of digital tracking technology is information that, on its own, might not identify you; however, when such information is combined with other information about you, it may be possible to identify you or your household.  In the context of digital tracking technology, such information may include: 

  • your identifiers, including your cookie identifier, Internet Protocol address, hashed email address, device identifier, mobile ad identifier, and similar online and unique personal identifiers;
  • your geolocation data; and
  • your internet or other electronic network activity information, such as the time you spent on the website, your navigation throughout the site, and other information regarding your interaction with an internet website, application, or advertisement).

Purpose for Collecting and Disclosing the Personal Information:
We use this type of information:

  • To make our website usable by enabling basic functions, like page loading, account sign-in, and filling out forms;
  • To monitor website traffic and activity;
  • To maintain security, enable fraud detection, and provide trouble-shooting and support;
  • To facilitate an action initiated by you, such as setting or detecting your privacy settings;
  • To establish and maintain a logged-in connection while you are in the secure section(s) of our website. For example, when you visit your account, perform transactions, update contact information or perform other activity a "cookie" allows you to navigate from page to page in a secure fashion without having to repeatedly log in;
  • To enable us to personalize your web experience by remembering your online preferences including, but not limited to, your preferred language, web layout, or location settings;
  • To detect your browser and device capabilities for displaying website content;
  • To understand how you interact with our marketing content and use our website, including in some instances identifying the marketing channel through which you have accessed our site; and
  • To track your visit across our websites and to serve you targeted advertising and content we think will interest you while you are on our site or visiting non-TIAA sites (“interest-based advertising”).
  • For our business purposes

Categories of Third Parties to whom this type of Personal Information is Disclosed for a Business Purpose:
We may disclose this type of information to:

  • TIAA Companies,
  • service providers
  • Third parties who assist with fraud prevention, detection and mitigation
  • Third party network advertising companies 
  • Other third parties as required by law

Categories of Third Parties with whom this type of Personal Information is Sold or Shared

Our use of third-party providers for certain marketing activities may be considered a “sale” or “sharing” under the CCPA and you are entitled to opt-out of such activities.

To visit our digital preference management center to review a current list of digital tracking technology that we allow on our sites and to opt out of sales/sharing of your personal information, please click below.

Do Not Sell or Share My Personal Information

Please note that your opt-out preferences will be stored in cookies and that if you clear your cookie cache or access our site from another device, we may not have the ability to identify you for the purpose of applying your opt-out choices, and you may need to opt out again.

Our website also detects the Global Privacy Control signal, and we will automatically opt you out of interest-based advertising if we detect that you have enabled this signal.  To learn more about the Global Privacy Control, please visit globalprivacycontrol.org.

What to Expect When You Exercise an Available CCPA Right

Verification & Response Process

We take protecting your Personal Information very seriously. When you make a request, we will first take steps to verify that it is really you who is making the request. Depending on the sensitivity of your Personal Information, we may request that you provide us with additional documentation to verify your identity and may decline your request if we are unable to verify your identity.

Access to Personal Information

Once we have verified your request, we will provide information from our records for the preceding 12 months, including the business purpose for our collection. We will also direct our service providers to do the same if they are holding your Personal Information. Please note, we may decline your request if we are unable to verify your identity.   We also decline to provide you with any of your personal information that may put you at risk of ID theft or create a security risk.   For example, we would not disclose to you a specific government-issued ID number.

Deletion of Personal Information

Once we have verified your request, we will delete your personal information from our records, and will also direct our service providers to do the same, unless retaining the information is necessary for us or our service providers to conduct our business purposes, as more fully described above.

Appointing a designated agent

CCPA allows you to exercise your rights through a designated agent. Please submit to us at our address below a duly notarized California power of attorney appointing the individual whom you have designated to act on your behalf for this purpose. We will verify your identity and the identity of your attorney-in-fact.

TIAA
Privacy Fulfillment
P.O. Box 1259
Charlotte, NC 28201

Exercising rights and verifiable requests

To exercise the access and deletion rights described above, please submit a request by either:

  • Calling us at 877-554-1001 weekdays, 8 a.m. to 10 p.m. (ET); or
  • Visiting TIAA.org/public/support/privacy 

Correction of inaccurate Personal Information

  • To correct or update your personal information please visit your online account or call our National Contact Center at 800-842-2252 weekdays, 8 a.m. to 10 p.m. (ET).
  • Participants in their employer sponsored retirement plan may also visit your institution / employer’s HR Department to correct inaccurate personal information.

To provide a “verifiable request” you must provide enough information that allows us to reasonably confirm and verify you are the person about whom TIAA collected personal information or you are the attorney-in-fact of a CA resident.

Questions

If you have any questions about this California Notice, TIAA’s Privacy Notice, the ways in which TIAA collects and uses your personal information, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at 877-554-1001.

Non-Discrimination

TIAA will not discriminate against you for exercising any of your CCPA rights as described in this California Notice. Unless permitted by the CCPA, we will not:

  • Deny you goods or services;
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
  • Provide you a different level or quality of goods or services; or
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services. 

Changes to this privacy notice

We reserve the right to amend this California Notice at our discretion and at any time. When we make substantive changes to this California Notice, we will inform you through a notice on our website.

January 2024

Do Not Sell / Do Not Share My Personal Information

Our website also detects the Global Privacy Control signal, and we will automatically opt you out of interest-based advertising if we detect that you have enabled this signal. To learn more about the Global Privacy Control, please visit globalprivacycontrol.org.

As described in this California Notice, our use of third-party providers for certain digital marketing activities may be considered a “sale” or “sharing” under the CCPA.  To visit our digital preference management center to review a current list of digital tracking technology that we allow on our sites and to opt out of sales/sharing of your personal information, please click below.

Do not sell or share my personal information

Please note that opt-outs made through tiaa.org will only apply to digital tracking technology utilized on tiaa.org sites. Similarly, opt-outs made through tiaabank.com will only apply to digital tracking technology utilized on tiaabank.com sites. Depending on your relationship with TIAA, please navigate to the “Do Not Sell or Share My Personal Information” link in the footer of the appropriate tiaa.org or tiaabank.com website to ensure that you have properly exercised your opt-out rights. Your opt-out preferences will be stored in cookies and that if you clear your cookie cache or access our site from another device, we may not have the ability to identify you for the purpose of applying your opt-out choices, and you may need to opt out again.

Accessing, deleting or correcting data for California residents

These options are only applicable if you are a resident of California. If you are not a resident of California, these provisions do not apply to you (return to the main TIAA privacy page). 

If you have multiple accounts with TIAA, please explore each option as needed.

The retirement plans and other benefits you may participate in are sponsored by your current and/or former employer(s). They may or may not be exempt under CCPA. Please direct any questions you may have about your CCPA rights relating to your employment benefits administered through TIAA to your current or former employer(s), as applicable.

TIAA may have collected personal information about you if you have applied for or opened a retail financial account with us. Such personal information is specifically exempt from access, deletion and correction requests under CCPA because it is governed under the Gramm-Leach-Bliley Act. Please review the TIAA Privacy Notice at TIAA.org for more information as to how your personal information is collected, used and shared.

TIAA Trust may have collected personal information about you if you have applied for or opened a retail financial account with us. Such personal information is specifically exempt from access, deletion and correction requests under CCPA because it is governed under the Gramm-Leach-Bliley Act. Please review the TIAA Trust Privacy Notice at TIAA.org for more information as to how your personal information is collected, used and shared.

TIAA-CREF Life Insurance Company may have collected personal information about you if you have applied for or purchased a retail financial product from us. Such personal information is specifically exempt from access, deletion and correction requests under CCPA because it is governed under the Gramm-Leach-Bliley Act. Please review the TIAA Privacy Notice at TIAA.org for more information as to how your personal information is collected, used and shared.

Services may have collected personal information about you if you have applied for or opened a retail financial account with us. At this time, such personal information is specifically exempt from access, deletion and correction requests under CCPA because it is governed under the Gramm-Leach-Bliley Act. Please review the TIAA Privacy Notice at TIAA.org for more information.

TIAA-CREF Mutual Funds may have collected personal information about you if you have applied for or purchased mutual funds directly from them. Such personal information is specifically exempt from access, deletion and correction requests under CCPA because it is governed under the Gramm-Leach-Bliley Act. Please review the TIAA Privacy Notice at TIAA.org for more information as to how your personal information is collected, used and shared.

TIAA collects personal information as part of the application for employment process. Please review the TIAA Privacy Notice For TIAA Applicants Residing In California above for more information as to how your personal information is collected, used, and shared in connection with our application process.

Access: Please access the applicant portal through WorkdayOpens in a new window to view the specific pieces of personal information we have collected about you.

Delete: The personal information we have collected about applicants for employment with TIAA or a TIAA affiliate, including TIAA Bank and Nuveen, is retained for business purposes as permitted by the CCPA, including to comply with our legal obligations and record retention requirements. If our legal and records retention obligations with respect to your specific personal information have expired, we have either deleted your information or it remains archived without further use on our part or the ability to reasonably access it.

Correct: You can correct the personal information that TIAA has related to your application for employment by logging into the applicant portal through WorkdayOpens in a new window and making any necessary corrections.

TIAA collects personal information about employees solely in their capacity as an employee of TIAA or a TIAA affiliate and as a participant in TIAA employment benefits other than health care and retirement. We use the personal information we have collected about you to maintain our employment relationship, including but not limited to paying your salary, administering your benefits, and complying with our obligations as your employer. For more information as to how your personal information is collected, used, and shared in connection with your employment, please review the TIAA Privacy Notice For TIAA Applicants Residing In California.

Access:

Current employees: You can visit Workday through the HR Services portal on the TIAA Intranet to access the personal information TIAA has about you relating to your employment at TIAA.

Former employees: You may visit WorkdayOpens in a new window to access the personal information TIAA has about you relating to your employment at TIAA.

Current and former employees: You may also log in to TIAA.org for information we have related to your retirement plan. You can access the personal information collected with respect to other employment benefits through the other benefit providers you have chosen.

Delete: Should your employment with us end, we will maintain your personal information to comply with our legal and records retention obligations, as permitted by the CCPA. If you are a current employee, a CCPA deletion right is not applicable to your personal information at TIAA. If you are a former employee and our legal and records retention obligations with respect to your specific personal information have expired, we have either deleted your information or it remains archived without further use on our part or the ability to reasonably access it.

Correct:

Current employees: Please visit the TIAA Intranet and / or Ask HR (HR Services) to request correction to the personal information TIAA has about you related to your employment.

Former employees: Please call our National Contact Center at 800-842-2776 (weekdays 8am – 10 pm ET) to request correction to the personal information that TIAA has about you related to your prior employment.

We collect personal information about independent contractors through your employer.  Please contact your employer directly with respect to your CCPA access, deletion and correction rights.

We collect personal information about you if you conduct business with TIAA or a TIAA affiliate on behalf of the business entity you represent. This includes: (i) with respect to TIAA, plan sponsors and administrators, third party administrators, third party financial advisors to the plans or individuals and financial consultants; (ii) with respect to Nuveen, global investors and financial consultants; and (iii) with respect to TIAA Bank, business contacts relating to vendor equipment financing, business banking, commercial real estate financing and specialty and lender financing.

If you don't have a relationship with TIAA or a TIAA affiliate, we may have collected personal information about you for the purpose of making you aware of our financial products and services.

Access: If you would like to make a CCPA access request, please note that (i) we will verify your identity to make sure that applicable personal information is only disclosed to you or your authorized representative; (ii) we may need to take the 45-day initial and renewal periods permitted under the CCPA to reply to you and (iii) only personal information disclosable under the CCPA, if any, will be made available to you.
Proceed with your request

Delete: If you would like to make a CCPA deletion request, please note that (i) we will verify your identity to make sure that applicable personal information pertaining only to you is deleted; (ii) we may need to take the 45-day initial and renewal periods permitted under the CCPA to confirm such deletion and (iii) only personal information that is not permitted by the CCPA retained for a business purpose, including to comply with our legal obligations, will be deleted.
Proceed with your request 

Correct: Please call TIAA at 800-842-2776 (weekdays 8am – 10 pm ET) to correct your personal information.