
Privacy at Columbia Banking System, Inc.

LAST UPDATED: January 2024

Privacy Notice for California Residents


This PRIVACY NOTICE FOR CALIFORNIA RESIDENTS is provided by Columbia Banking System, Inc. (“COLB”) and its subsidiaries, and affiliates (collectively, “Columbia”, “we”, “us” or “our”) to provide additional information about our processing of personal information subject to the California Consumer Privacy Act (“CCPA”). Except as otherwise specified, “residents” or “you” when used throughout this notice refers to any individual residing in California, including those acting as a job applicant, employee, independent contractor, owner, director, or officer of Columbia and those we interact with in our business-to-business relationships. This notice explains how we collect, use, disclose, and otherwise process information that relates to you (“personal information”). If you have a disability that prevents or limits your ability to access this notice, please contact us at 1-833-427-5227 (however, for employees, contact HR); we will work with you to provide this notice in an alternative format.


Your Rights

Subject to certain limitations, California residents have the following rights regarding their personal information:

  • the right to know what personal information we have collected about you, including the categories of personal information, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information (as may be applicable), the categories of third parties to whom we disclose personal information, and the specific pieces of personal information we have collected about you
  • the right to request deletion of your personal information that we collected
  • the right to request the correction of your inaccurate personal information we may maintain
  • the right to request that we limit the use and/or disclosure of your sensitive personal information, except for the purposes that you would reasonably expect are necessary to provide our services and products, and as otherwise authorized by law. We only use sensitive personal information for these purposes. Because our use and disclosure of sensitive personal information is already limited in accordance with applicable law, you do not need to take any further action to limit the disclosure or use of your sensitive personal information. Please note that we do not collect or use your sensitive personal information for the purpose of inferring characteristics about you.
  • the right not to be discriminated against for exercising any of these rights.
  • The right to opt-out of the “Selling” or “Sharing” of your personal information. We, our service providers, and third parties engaged on our behalf may use cookies, pixel tags, or similar tracking technologies (collectively, “Collection Technologies”) to gather personal information when you use, access, or otherwise interact with our websites, mobile applications, or other digital properties. While we do not disclose your personal information in exchange for money, our use of these collection technologies may be considered a “Sale” or “Sharing” under California Law. As noted above, California residents have the right to opt out of such selling/sharing activity. For more information about our use of collection technologies, please visit our Digital and Mobile Privacy Notice.

Personal Information We Collect

We may have collected your personal information in the preceding 12 months. The California Consumer Privacy Act (CCPA), however, does not apply to certain information, such as information subject to the Gramm-Leach-Bliley Act (“GLBA”). The personal information we may have collected depends on our relationship to you. Please see below for examples of types that may have been collected:

Categories of personal information | Representative Data Elements | Do we collect?

Identifiers

  • Real name
  • Postal address
  • Unique identifier or unique personal identifier
  • Social Security number
  • Passport number
  • Driver’s license number
  • Telephone number
  • Email address

Yes

Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))

  • Name
  • Signature
  • Physical characteristics or description
  • State or government issued identification card number
  • Insurance policy number
  • Employment information and history
  • Bank account number
  • Credit or Debit Card Number
  • Other financial information
  • Medical Information
  • Health insurance information

Yes

Protected classification characteristics under California or federal law

  • Date of birth/age
  • Gender, including gender identity
  • Military or veteran status
  • Marital status
  • Race
  • Ethnicity or National Origin
  • Religion
  • Disability 

Yes

Commercial information

  • Records of personal property
  • Products or services purchased, obtained, or considered
  • Other purchasing or consuming histories or tendencies

Yes

Biometric Information

  • Fingerprints 
  • Faceprints or face imagery
  • Voiceprints and/or voice recordings that can be extracted

Yes

Internet or other similar network activity

  • Browsing history
  • Search history
  • Information regarding interaction with a website, application, or advertisement

Yes

Device Information

 

*Note: Some information included in this category may overlap with other categories.

  • Device identifier or identifying information, characteristics, or settings about the device you use to access our online services
  • IP Address
  • Information in cookies, pixel tags or from collection technologies 
  • Mobile ad identifiers 
  • Mobile device information (with permission, such as location, contacts, camera)

Yes

Geolocation data

  • Physical Location
  • Movements
  • Precise geolocation

 Yes

Sensory data

  • Audio
  • Visual
  • Electronic

 For example, in the employment context, this may include:

  • Information captured from video, audio, monitoring or surveillance systems
  • Employee photographs

Note: These data types are typically collected during phone and in-person interactions for security and training purposes.

Yes

Professional / Employment Information

  • Current or past job history or performance evaluation

For example, in the employment context, this may include:

  • Personnel records, including salary/wage information, occupation, and disciplinary notices and actions
  • Job application and resume
  • Employment contracts or independent contractor agreements
  • Information from background checks
  • Employment offer detail
  • Other information you provide during screening and recruitment
  • Records of involvement in company-sponsored events or community involvement as an employee
Note: Some information included in this category may overlap with other categories and may apply to all employees and their dependents, beneficiaries, and emergency contacts.

Yes

Non-public education information (per the Family Educational Rights and Privacy Act)

  • Education records, such as, enrollment, grades, transcripts, student schedules
  • Student financial information, including tuition costs and reimbursement

Yes

Inferences drawn from other personal information


  • Inferences based on information about an individual to create a summary about, for example, an individual’s preferences and characteristics

Note: Inferences are not performed based on any sensitive personal information collected

Yes

Sensitive Personal Information

  • Government identifiers (Social security, driver’s license, state identification card, or passport number)
  • Complete account access credentials (usernames, account numbers or card numbers, combined with any security or access code, password, or credential required for allowing access to an account)
  • Precise geolocation
  • Racial or ethnic origin, Religious or philosophical beliefs, or Union Membership
  • Biometric information when used for the purpose of uniquely identifying a consumer
  • Personal information collected and analyzed concerning your health, including, for employees, certain medical conditions. For example, in the employment context, this may include:
    • Employee benefit plan information, including dependents and beneficiaries
    • Emergency contact information
    • Employee leave information related to benefits (vacation), family and medical leave, or other disability leave
  • Personal information collected and analyzed concerning your sex life or sexual orientation


Note: Some information included in this category may overlap with other categories.

Yes


Sources of Personal Information

We obtain the categories of personal information listed above from the following sources:

  • Directly from you – For example, from documents that you provide us related to the product(s) or service(s) for which you engage or use us or purchase from us, including when you apply for employment or during the course of your employment.
  • Indirectly from you – For example, through information we collect from you while providing business services or interactions, including human resource services.
  • Directly and indirectly from activity on our websites (www.umpquabank.com and www.finpac.com) – For example, from submissions through our website portal or website usage details collected automatically through our use of Collection Technologies. 
  • From third parties, outside companies or organizations that interact with us in connection with the services we perform and products we provide or other business relationships. For example, we may collect employment related information from credit bureaus, former employers, schools, or references to process and evaluate applications for positions with the Bank or for other administrative purposes. 

Purposes for Collection and Use of Personal Information

The purposes for which we collect and use each category of personal information and sensitive personal information depend on, among other things, our relationship or interaction with specific CA residents. We may use the personal information we collect for the following business or commercial purposes:

Purpose for Collection and Use | Example
Provide and manage products and services
  • Establish your account(s) and/or preferences, process transactions for our products and services including checking accounts, credit cards, loans, investment accounts, as well as additional products for businesses such as commercial financing and payment services.
  • Support the ongoing management and maintenance of our products and services including to provide account statements, online banking access, online services, customer service, payments and collections, and account notifications.
  • To respond to your inquiries and fulfill your requests.
  • To provide important information regarding the products or services for which you apply or may be interested in applying for, or in which you are already enrolled, changes to terms, conditions, and policies and/or other administrative information.
  • To allow you to apply for products or services (for example, to prequalify for a mortgage, apply for a credit card, or to open an account) and evaluate your eligibility for such products or services.


Provide and manage human resource services for hiring and performance
  • Talent planning and recruitment
  • Hiring practices, such as processing applications, pre-employment screening, onboarding, employment agreements and establishing your employee account(s) and/or preferences
  • Support employee training, education, and development
  • Employee performance management
Support employment benefits administration
  • Provide benefits to employees, including dependents and beneficiaries, including healthcare or medical, retirement, insurance, and other benefit plans
  • Support benefit claims processing
Support our everyday human resource operations, including to meet risk, legal, and compliance requirements
  • Manage pay and compensation activities
  • Administer employee performance management and corrective actions.
  • Perform accounting, monitoring, and reporting
  • Comply with policies, procedures, and contractual obligations, including compliance requirements such as reporting
  • Enable information security and anti-fraud operations and verify your identity
  • Support audit and investigations, complete legal requests and demands, as well as exercise and defend legal claims
  • Enable the use of service providers, third parties and contractors for business purposes
Support our everyday operations, including to meet risk, legal, and compliance requirements
  • Perform accounting, monitoring, and reporting.
  • Enable information security and anti-fraud operations, verify your identity, as well as credit, underwriting, and due diligence.
  • Support audit and investigations, legal requests and demands, as well as exercise and defend legal claims.
  • Enable the use of service providers for business purposes.
  • Manage our business relationships.
  • Comply with policies, procedures, and contractual obligations.
  • Verify or enforce our terms of use or other applicable policies.
  • For purposes of compliance, fraud prevention, technical support, and safety, including emergency response and protecting the security of account and personal information.
  • Collect information through our social media pages and other online interactions with you to assist in verifying your identity and account status. We may combine this online information with information collected from offline sources or information we already have.
  • Defend or protect us, you, our client, or third parties, from harm or in legal proceedings.
  • Respond to court orders, lawsuits, subpoenas, and government requests.
Manage, improve, and develop our business
  • Personalize, develop, as well as improve our products and services.
  • Support customer relationship management.
  • To personalize your experience on our websites and enhance websites.
  • To allow you to participate in surveys and other forms of market research, sweepstakes, contests, and similar promotions and to administer these activities. Some of these activities have additional rules, which may contain additional information about how Personal Information is used and shared.
  • Conduct research and analysis, including to drive innovation in recruiting, retention, and employee management
  • Support employee relationship management
Research and Analytical Purposes
  • Understand how you use our websites, mobile applications, and other digital properties (collectively, the “Sites”).
  • The methods and devices you use to access our Sites.
  • Make improvements to our Sites.
  • Conduct research and analysis, identify usage trends, determine effectiveness of promotional campaigns, and to drive product and services innovation.
Marketing and Advertising Purposes
  • Send you marketing and advertising communications about our products and services, tailored to your interests or more general in nature.
Provide and manage digital and mobile products and services
  • Information stored on your device, such as location, camera, contacts, or other features you are enrolled in to enrich and simplify your own user experience and improve our services, as well as provide additional security to protect your account.

Please note:

  • We only use and disclose sensitive personal information to third parties, service providers, and contractors for the business purposes outlined in this notice and have ensured the purposes are what you would reasonably expect are necessary to provide our products and services, including to provide those individuals acting in the employment context with human resource services. We do not collect or use your sensitive personal information for the purpose of inferring characteristics about you.
  • We may also use data that we collect on an aggregate or anonymous basis (such that it does not identify any individual customers) for various business purposes, where permissible under applicable laws and regulations.


Retention of Personal Information

We retain your personal information, including sensitive personal information, for the period necessary to fulfill the purposes outlined in this Privacy Notice unless a longer retention period is required or permitted by law. Please note that in many situations we must retain all, or a portion, of your personal information to comply with our legal obligations, resolve disputes, enforce our agreements, to protect against fraudulent, deceptive, or illegal activity, or for another one of our business purposes.

Information Disclosure

The information below lists the categories of recipients we may disclose personal information to for our business or commercial purposes:

Affiliates. We may disclose your personal information with our subsidiaries and affiliates for purposes consistent with this Privacy Notice.  This includes affiliated websites and businesses to bring you improved service across our family of products and services, when permissible under relevant laws and regulations; we do not disclose information about your credit worthiness to affiliates.

Service Providers and Contractors. We may disclose personal information with third-party service providers and contractors subject to appropriate confidentiality and use restrictions, as part of providing products and services, completing transactions, supporting everyday operations or business management and development.  This includes disclosing personal information to support human resource activities and workforce management, such as employee training and development, recruiting, employment eligibility, onboarding, compensation analysis, payroll, and other transactions involving employees and to employee benefits service providers including companies who provide healthcare, retirement, insurance or other benefits plans.

Advertising or Analytics Providers. As mentioned above, we may use personal information in support of our: (1) advertising and marketing efforts, including to serve interest-based advertisements across the Internet; and track and categorize your activity, interests and device(s) used over time on our websites and applications, and on third-party websites and mobile applications; and (2) research and analytics efforts, including to better understand your use of our websites and applications to improve those technologies and optimize your experience and interactions. To do this, we may disclose your information with certain third-party advertising or analytics providers (collectively, “Analytics and Advertising Providers”) through our use of Collection Technologies. These Analytics and Advertising Providers may use Collection Technologies on our digital properties to collect and store information about you and your use of our websites, applications, and other digital properties.

Representatives of California Residents. We may disclose personal information with companies or individuals that represent California residents, such as accountants, financial advisors, or individuals with power of attorney.

For Routine or Required Reporting. We may disclose personal information for routine or required reporting, including to consumer reporting agencies or other third parties.

Professional Advisors. We may disclose your personal information to professional advisors, such as lawyers, auditors, and insurers, where necessary in the course of the professional services that they render to us.

Business Partners. We may disclose personal information to our business partners, such as those companies with which we offer co-branded services, products, or programs.

For Risk, Legal, and Compliance. We may disclose your personal information to third parties, including regulators, government agencies, and law enforcement, for the risk, legal, and compliance purposes described in the section above.

Business Transfers. We may transfer or disclose some or all of our business or assets, including your personal information, in connection with a business transaction (or potential business transaction) such as a corporate divestiture, merger, consolidation, acquisition, reorganization or sale of assets, or in the event of bankruptcy or dissolution.

Your Consent or Instruction. We may disclose your personal information in situations where we have your consent or instruction to do so.

The table below identifies: (1) the categories of personal information we may have disclosed in the preceding 12 months for our business or commercial purposes; and (2) the categories of recipients, including third parties, to whom we have disclosed such information. Please note, the table below contains shorter descriptions of the recipients. The full descriptions are described above within the “Information Disclosure” section. We may also disclose any of the categories of personal information listed below: (1) for risk, legal, or compliance purposes; (2) to our Professional Advisors; (3) because of a business transfer (or potential business transfer); or (4) based on your consent or instruction.



Category of Personal Information or (*) Sensitive Personal Information | Category of recipients to whom we disclose personal information

Identifiers

  • Affiliates, Service Providers and Contractors 
  • Representatives of CA residents, Professional Advisors, Business Partners
  • In connection with performing routine or required reporting
  • For Risk, Legal and Compliance

Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))

  • Service Providers and Contractors 
  • Representatives of CA residents, Professional Advisors, Business Partners
  • In connection with performing routine or required reporting
  • For Risk, Legal and Compliance

Protected classification characteristics under California or federal law

  • Service Providers and Contractors 
  • Representatives of CA residents, Professional Advisors, Business Partners
  • In connection with performing routine or required reporting
  • For Risk, Legal and Compliance

Commercial Information

  • Service Providers and Contractors 
  • Representatives of CA residents, Professional Advisors, Business Partners
  • In connection with performing routine or required reporting
  • For Risk, Legal and Compliance

Biometric Information

  • Service Providers and Contractors 

Internet or other similar network activity

  • Service Providers and Contractors 
  • Advertising or Analytics Providers
  • For Risk, Legal and Compliance

Device Information

  • Advertising or Analytics Providers

Geolocation Data

  • Service Providers and Contractors 

Sensory Data

  • Service Providers and Contractors 

Professional or employment related information

  • Service Providers and Contractors 
  • Representatives of CA residents
  • For Risk, Legal and Compliance

Non-public education information (per the Family Educational Rights and Privacy Act)

  • Service Providers and Contractors 

Inferences drawn from other personal information

  • Service Providers and Contractors 

(*Sensitive Category) 

  • Government identifiers (Social Security, driver’s license, state identification card, or passport number)
  • Complete account access credentials (usernames, account numbers or card numbers, combined with any security or access code, password, or credential required for allowing access to an account) 
  • Precise geolocation
  • Racial or ethnic origin, religious or philosophical beliefs, or union membership
  • Biometric information when used for the purpose of uniquely identifying a consumer
  • Personal information collected and analyzed concerning your health 
  • Personal information collected and analyzed concerning your sex life or sexual orientation
Note: Some employee information included in this category may overlap with other categories.
  • Service Providers and Contractors 
  • Representatives of CA residents, Professional Advisors, Business Partners
  • In connection with performing routine or required reporting
  • For Risk, Legal and Compliance

Please note: 

  • We only use and disclose sensitive personal information to third parties, service providers, and contractors for the business purposes outlined in this notice. The business purposes are what you would reasonably expect are necessary to provide our products and services, including to provide those individuals acting in the employment context with human resource services. We do not collect or use your sensitive personal information for the purpose of inferring characteristics about you.
  • We may disclose anonymous or aggregated information with third parties to help deliver products, services, and content that are tailored to the users of our online services and for other purposes.
  • The categories of personal information we may sell, or share through Collection Technologies, include Internet or other similar network activity, Device Information, and Unique identifiers. The business purposes for selling or sharing are to:
    • Support our everyday operations, including to meet risk, legal, and compliance requirements
    • Manage, improve, and develop our business
    • Research and Analytical Purposes 
    • Marketing and Advertising Purposes
    • Provide and manage digital and mobile products and services

Exercising Your Rights

To exercise your rights to access, deletion, and correction, please submit a verifiable consumer request to us by either:

Once a request to access, delete, or correct has been submitted, we will attempt to verify that you are the consumer the request applies to. We do that by taking the identifying information you provide (e.g., name, email address, account-related information) and using a combination of the information we have on file and our identity verification engine. We attempt to match a minimum of three of the data points you submitted. If we are unable to verify your request with the materials you provided, we may reach out to you for additional information. 

Only you or a person authorized to act on your behalf may make a valid consumer request related to your personal information. An authorized agent can submit a request by clicking here. You may also make a verifiable consumer request on behalf of your minor child. 

You may only submit a verifiable consumer request twice within a 12-month period. The verifiable request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative; and,
  • Describe your request with enough detail that allows us to properly understand, evaluate, and respond to it.

Additional information regarding your right to correct inaccurate information: You may be able to review or update certain account information by logging in and accessing your online account(s).  If you cannot change the incorrect information online, or you prefer to request changes offline, please use the Contact Us option on our site, call or write to us using the contact information listed on your account statements, records, or other account materials, or submit a verifiable consumer request to us on our website.  You can also speak to one of our branch representatives, your financial advisor, or your digital banking representative.

You can exercise your right to opt-out of the “sale” or “sharing” of your personal information by either:

  1. Modifying Your Cookie Preferences. When you first visit our website, you will be presented with a banner which offers you a choice about whether to accept or reject our use of cookies and similar tracking technologies, the use of which may constitute a “sale” or “share” of personal information under applicable law. If you wish to amend your choices, select Manage My Cookie Preferences. Please note that your request to opt-out of sale/sharing will be linked to your browser identifier only. If you use a different computer or Internet browser to access our sites, you will need to renew your cookie management choices.
  2. Global Privacy Control. You may exercise your opt-out right by broadcasting an opt-out preference signal, such as the Global Privacy Control (GPC) (on the browsers and/or browser extensions that support such a signal). Please note that your request to opt-out of sale/sharing will be linked to your browser identifier only. If you use a different computer or Internet browser to access our sites, you will need to renew your opt-out request. 

For more information on how we use Collection Technologies, please visit our Digital and Mobile Privacy Notice.

We do not knowingly sell or share the personal information of consumers under 16 years of age. 


For Financial Pacific California customers:

If you wish to opt out of our affiliate sharing, please email privacy@finpac.com or call us at 1-833-427-5227. Please provide the name, email, phone number, and/or mailing address at which you do not wish to receive marketing communications.

Request Responses

Privacy and data protection laws, other than the CCPA, apply to much of the personal information that we collect, use, and disclose. When these laws apply, personal information may be exempt from, or outside the scope of, the CCPA, including with respect to access and deletion requests. As a result, in some instances, we may decline all or part of an access request or deletion request related to this personal information.

Linking to Third-Party Websites

Columbia Banking System, Inc. may provide links to websites that are owned or operated by other companies ("third-party websites").  When you use a link online to visit a third-party website, you will be subject to that website’s privacy and security practices, which may differ from ours. You should familiarize yourself with the privacy policy, terms of use and security practices of the linked third-party website before providing any information on that website.

Children’s Online Privacy Protection Act (COPPA)

The Federal Trade Commission adopted a regulation (16 CFR 312) to implement the Children's Online Privacy Protection Act (COPPA), which governs the collection and use and/or disclosure of personal information from and about children on the internet.

We do not operate a website or online service directed to children that collects or maintains personal information about children under the age of 13 or operate a general audience website or online service and knowingly collect or maintain personal information online from a child under the age of 13.  

For more information about the Children’s Online Privacy Protection Act (COPPA), visit the FTC website: www.ftc.gov

Security

We use reasonable physical, electronic, and procedural safeguards that comply with federal standards to protect and limit access to personal information.  This includes device safeguards and secured files and buildings.  

Please note that information you send to us electronically may not be secure when it is transmitted to us.  We recommend that you do not use unsecure channels to communicate sensitive or confidential information (such as your SSN) to us.

Changes to Our Privacy Notice

We reserve the right to amend this privacy notice at our discretion and at any time. When we make changes to this privacy notice, we will notify you by appropriate means, such as email, through a notice on our website homepage or by posting a revised policy on this page with a new “Last Updated” date. If no ad-hoc changes are warranted, this privacy notice will be reviewed annually.

Contact Information

If you have any questions or comments about this notice, our Privacy Statement,  Digital and Mobile Privacy Notice, the ways in which we collect and use your personal information, your choices and rights regarding such use, or wish to exercise your rights, please do not hesitate to contact us at:

Phone: 1-833-427-5227

Website: http://www.umpquabank.com/privacy