OC Register: Top Workplaces 2018, 2019
blue arc over top left corner of photo

California Consumer Privacy Act


California Consumer Privacy Act - Consumer Privacy Policy For California Residents

Effective January 1, 2020

Pacific Mercantile Bank (Bank) and Pacific Mercantile Bancorp (collectively, “Bank,” “we,” or “us”) have adopted this Consumer Privacy Policy for California Residents (“California Privacy Policy”) to comply with the California Consumer Privacy Act of 2018 (“CCPA”). Your privacy is important to us. This California Privacy Policy explains how we collect, use, and disclose personal information relating to California residents covered by the CCPA. This California Privacy Policy is provided pursuant to, and terms described within are consistent with, those terms as defined by the CCPA and its implementing regulations under California Civil Code Section 1798.100 et seq. This notice supplements the information contained in the Bank’s Online Privacy Policy Statement and the Privacy Notice pursuant to the federal Gramm-Leach-Bliley-Act. This California Privacy Policy information collected, processed or disclosed pursuant to the federal Gramm-Leach-Bliley-Act or the California Financial Information Privacy Act.

Introduction

Pacific Mercantile Bank collects Personal Information (“PI”), as defined by the CCPA, that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California consumer or household. The specific Personal Information that we collect, use, and disclose relating to a California resident covered by the CCPA will vary based on our relationship or interaction with that individual. For example, this Disclosure does not apply with respect to information that we collect about California residents who apply for or obtain our financial products and services for personal, family, or household purposes.

Notice of Collection, Use and Sharing of Personal Information

We may collect the following categories of PI from you and about you and use these categories of personal information for certain business or commercial purpose(s) as described in our Privacy Policies as well as for CCPA. We may have collected and used your personal information during the twelve (12) month period prior to the effective date of this California Privacy Policy. The Bank may also disclose your personal information to a third party/service provider for a business purpose. When we disclose personal information for a business purpose, we enter into a contract with a service provider that describes the purpose and requires the service provider to both keep that personal information confidential and prohibits the service provider from retaining, using, or disclosing the information for any purpose other than the specific purpose of performing the services specified in the contract for the Bank.

For each category of personal information collected during the preceding twelve (12) months, we describe in the below table: a) the categories of sources from which we have obtained the personal information; b) the business purpose(s); and, c) the categories of third party/service providers with whom we have shared the information.

Categories of Sources From
Whom We Collected PI
Purposes Categories of Third Parties to Whom We Disclosed PI
Identifiers: Real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
  • Directly from you
  • From your devices, such as when you visit our website, online and mobile applications
  • Other individuals such as authorized agents or family members
  • Vendors who provide services on our behalf
  • Government entities and other publicly-available sources
  • Consumer Reporting Agencies
  • Performing services including maintaining or servicing accounts; providing customer service, processing or fulfilling orders and transactions; verifying customer information; processing payments, providing analytics services; or providing similar services
  • Auditing related to a current interaction with you and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance
  • Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity
  • Debugging to identify and repair errors that impair existing intended functionality
  • Undertaking internal research for technological development and demonstration
  • Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by us
  • Our affiliate
  • Vendors who provide services on our behalf
  • Professional services organizations, such as auditors and law firms
  • Our business partners
  • Internet service providers
  • Data analytics providers
  • Government entities
  • Operating Systems and platforms
  • Consumer data resellers
Personal information listed in the California Customer Records statute - CA Civil Code §1798.80(e): Information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information
  • Directly from you
  • From your devices, such as when you visit our website, online and mobile applications
  • Other individuals such as authorized agents or family members
  • Vendors who provide services on our behalf
  • Government entities and other publicly-available sources
  • Consumer reporting agencies
  • Performing services including maintaining or servicing accounts; providing customer service, processing or fulfilling orders and transactions; verifying customer information; processing payments, providing analytics services; or providing similar services
  • Auditing related to a current interaction with you and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance
  • Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity
  • Debugging to identify and repair errors that impair existing intended functionality
  • Undertaking internal research for technological development and demonstration
  • Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by us
  • Our affiliate
  • Vendors who provide services on our behalf
  • Professional services organizations, such as auditors and law firms
  • Our business partners
  • Government entities
  • Operating Systems and platforms
  • Consumer data resellers
Protected classifications under California or federal law: Citizenship, Sexual orientation, Gender identity and gender expression, Race, Color, Ancestry, National origin, Religion, Sex (including pregnancy, childbirth, and related medical conditions), Medical conditions, AIDS/HIV, Disability: physical or mental, Age (40 and older), Genetic information, Marital Status, Military or Veteran status, Political affiliations or activities
  • Directly from you
  • Other individuals such as authorized agents or family members
  • Vendors who provide services on our behalf
  • Government entities and other publicly-available sources
  • Consumer reporting agencies
  • Performing services including maintaining or servicing accounts; providing customer service, processing or fulfilling orders and transactions; verifying customer information; processing payments, providing analytics services; or providing similar services
  • Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity
  • Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by us
  • Our affiliate
  • Vendors who provide services on our behalf
  • Professional services organizations, such as auditors and law firms
  • Our business partners
  • Government entities
Commercial Information: Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
  • Directly from you
  • From your devices, such as when you visit our website, online and mobile applications
  • Other individuals such as authorized agents or family members
  • Vendors who provide services on our behalf
  • Government entities and other publicly-available sources
  • Consumer reporting agencies
  • Performing services including maintaining or servicing accounts; providing customer service, processing or fulfilling orders and transactions; verifying customer information; processing payments, providing analytics services; or providing similar services
  • Auditing related to a current interaction with you and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance
  • Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity
  • Debugging to identify and repair errors that impair existing intended functionality
  • Undertaking internal research for technological development and demonstration
  • Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by us
  • Our affiliate
  • Vendors who provide services on our behalf
  • Professional services organizations, such as auditors and law firms
  • Our business partners
  • Internet service providers
  • Data analytics providers
  • Government entities
  • Operating Systems and platforms
  • Consumer data resellers
Biometric information: Physiological, biological or behavioral characteristics, including an individual’s deoxyribonucleic acid (DNA), used singly or in combination with each other or with other identifying data, to establish individual identity, including: iris imagery, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information
  • Directly from you
  • From your devices, such as when you visit our website, online and mobile applications
  • Vendors who provide services on our behalf
  • Performing services including maintaining or servicing accounts; providing customer service, processing or fulfilling orders and transactions; verifying customer information; processing payments, providing analytics services; or providing similar services
  • Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity
  • Debugging to identify and repair errors that impair existing intended functionality
  • Undertaking internal research for technological development and demonstration
  • Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by us
  • Our affiliate
  • Vendors who provide services on our behalf
  • Professional services organizations, such as auditors and law firms
  • Our business partners
  • Internet service providers
  • Data analytics providers
  • Government entities
  • Operating Systems and platforms
  • Consumer data resellers
Internet or electronic network activity: Browsing history, search history, and information on a consumer’s interaction with website, application, or advertisement
  • Directly from you
  • From your devices, such as when you visit our website, online and mobile applications
  • Vendors who provide services on our behalf
  • Performing services including maintaining or servicing accounts; providing customer service, processing or fulfilling orders and transactions; verifying customer information; processing payments, providing analytics services; or providing similar services
  • Auditing related to a current interaction with you and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance
  • Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity
  • Debugging to identify and repair errors that impair existing intended functionality
  • Undertaking internal research for technological development and demonstration
  • Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by us
  • Our affiliate
  • Vendors who provide services on our behalf
  • Our business partners
  • Internet service providers
  • Data analytics providers
  • Government entities
  • Operating Systems and platforms
  • Consumer data resellers
Geolocation: Physical location or movement, generally
  • Directly from you
  • From your devices, such as when you visit our website, online and mobile applications
  • Vendors who provide services on our behalf
  • Performing services including maintaining or servicing accounts; providing customer service, processing or fulfilling orders and transactions; verifying customer information; processing payments, providing analytics services; or providing similar services
  • Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity
  • Debugging to identify and repair errors that impair existing intended functionality
  • Undertaking internal research for technological development and demonstration
  • Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by us
  • Our affiliate
  • Vendors who provide services on our behalf
  • Our business partners
  • Internet service providers
  • Data analytics providers
  • Government entities
  • Operating Systems and platforms
  • Consumer data resellers
Sensory data: Sensory data: Audio, electronic, visual, thermal, olfactory, or similar information
  • Directly from you
  • Other individuals such as authorized agents or family members
  • Vendors who provide services on our behalf
  • Performing services including maintaining or servicing accounts; providing customer service, processing or fulfilling orders and transactions; verifying customer information; processing payments, providing analytics services; or providing similar services
  • Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity
  • Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by us
  • Our affiliate
  • Vendors who provide services on our behalf
  • Professional services organizations, such as auditors and law firms
  • Our business partners
  • Government entities
Professional or employment-related information: Current or past employment history
  • Directly from you
  • Other individuals such as authorized agents or family members
  • Vendors who provide services on our behalf
  • Government entities and other publicly-available sources
  • Consumer reporting agencies
  • Performing services including maintaining or servicing accounts; providing customer service, processing or fulfilling orders and transactions; verifying customer information; processing payments, providing analytics services; or providing similar services
  • Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity
  • Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by us
  • Our affiliate
  • Vendors who provide services on our behalf
  • Professional services organizations, such as auditors and law firms
  • Our business partners
  • Government entities
Non-public education Information (defined in Family Educational Rights and Privacy Act - 20 USC §1232g, 34 CFR Part 99): Education records directly related to a student and maintained by an educational agency/institution or by a party acting on their behalf.
  • Directly from you
  • From your devices, such as when you visit our website, online and mobile applications
  • Other individuals such as authorized agents or family members
  • Vendors who provide services on our behalf
  • Government entities and other publicly-available sources
  • Performing services including maintaining or servicing accounts; providing customer service, processing or fulfilling orders and transactions; verifying customer information; processing payments, providing analytics services; or providing similar services
  • Our affiliate
  • Vendors who provide services on our behalf
  • Professional services organizations, such as auditors and law firms
  • Our business partners
  • Government entities
Inferences drawn from other personal information: Profile created reflecting behaviors, preferences, characteristics, attitudes, abilities, aptitudes, psychological trends, predispositions, intelligence, etc.
  • From your devices, such as when you visit our website, online and mobile applications
  • Vendors who provide services on our behalf
  • Performing services including maintaining or servicing accounts; providing customer service, processing or fulfilling orders and transactions; verifying customer information; processing payments, providing analytics services; or providing similar services
  • Auditing related to a current interaction with you and concurrent transactions and auditing compliance
  • Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity
  • Debugging to identify and repair errors that impair existing intended functionality
  • Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by us
  • Our affiliate
  • Vendors who provide services on our behalf
  • Professional services organizations, such as auditors and law firms
  • Our business partners
  • Internet service providers
  • Data analytics providers
  • Government entities
  • Operating Systems and platforms
  • Consumer data resellers

In the past twelve (12) months, we have not sold any personal information subject to the CCPA, including personal information of minors under the age of 16. In addition, the Bank will not sell any personal information subject to the CCPA. For purposes of this disclosure, “sold” means the disclosure of personal information to a third party for monetary or other valuable consideration.

Consumer Rights and Notices

Consumer Access to Personal Information

If you are a California resident, you have the right to request, twice in a twelve (12) month period, that we disclose to you free of charge certain information about our collection and use of your personal information over the past twelve (12) month period:

  • The categories of personal information we collected about you.
  • The categories of sources for the personal information we collected about you.
  • Our business or commercial purpose for collecting or selling personal information.
  • The categories of third parties with whom we share that personal information.
  • The specific pieces of personal information we collected about you.

The Bank will disclose to you the information specified above once we have received and confirmed your verifiable consumer request. Additionally, the Bank must associate the information provided by you in the verifiable consumer request to any personal information previously collected by us about you and identify by category or categories the personal information collected about you in the preceding twelve (12) months by reference to categories enumerated in California Civil Code Section 1798.130(c) that most closely describes the personal information collected.

Consumer Disclosures of Personal Information Sold or Disclosed for Business Purpose

If we sold or disclosed your personal information for a business purpose, you have the right to request that we will disclose to you in two separate lists the following:

  • Sales, identifying the personal information categories that each category of recipient purchased; and,
  • Disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained

The Bank will disclose to you the information specified above once we have received and confirmed your verifiable consumer request. Additionally, the Bank must identify you and associate the information you provided in the verifiable consumer request to any personal information previously collected by us about you and identify by category or categories your personal information that we sold in the preceding twelve (12) months by reference to the categories enumerated in California Civil Code Section 1798.130(c) that most closely describe the personal information, and provide the categories of third parties to whom your personal information was sold in the preceding twelve (12) months by reference to the same enumerated categories.

Consumer Rights to Deletion of Personal Information

If you are a California resident, you have the right to request that we delete certain personal information we have collected from you and retained. Once we have received and confirmed your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.

We may deny your deletion request if retaining the information is necessary for us or our service providers to:

  • Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
  • Debug to identify and repair errors that impair existing intended functionality.
  • Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
  • Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
  • To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
  • Comply with a legal obligation.
  • Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information

How to Submit a Request

If you are a California resident, you may submit a request for access, disclosures of personal information sold or disclosed for a business purpose, or deletion by:

  1. Clicking on the “Submit a Request” at the bottom of the page, completing and printing the form, and returning the completed form to us by mail:
    Pacific Mercantile Bank
    Attn: Compliance Department
    949 South Coast Drive, Suite 300
    Costa Mesa, CA 92626
  2. Calling us toll-free at 1-877-450-2265 (Request Bank’s Compliance Department)

We will acknowledge receipt of your request and advise you how long we expect it will take to respond if we are able to verify your identity. To help protect your privacy and maintain security, we will take steps to verify your identity before granting you access to your personal information or complying with your request. Requests for specific pieces of personal information will require additional information to verify your identity. Additionally, if you ask us to provide you with specific pieces of information, we will require you to sign a declaration under penalty of perjury that you are the consumer whose personal information is subject to the request.

In some instances, we may not be able to honor your request. For example, we will not honor your request if we cannot verify your identity or if we cannot verify that you have the authority to make a request on behalf of another individual. Additionally, we will not honor your request where an exception applies, such as where the disclosure of Personal Information would adversely affect the rights and freedoms of another consumer or where the Personal Information that we maintain about you is not subject to the CCPA’s access or deletion rights.

We will advise you in our response if we are not able to honor your request. We will not provide social security numbers, driver’s license numbers or government issued identification numbers, financial account numbers, health care or medical identification numbers, account passwords or security questions and answers, or any specific pieces of information if the disclosure presents the possibility of unauthorized access that could result in identity theft or fraud or unreasonable risk to data or systems and network security.

We will work to process all verified requests within 45 days pursuant to the CCPA. If we need an extension for up to an additional 45 days in order to process your request, we will provide you with an explanation for the delay.

To the extent permitted by applicable law, we may charge a reasonable fee to comply with your request.

Authorized agent

If you submit a request on behalf of another person, we may require proof of authorization and verification of identity directly from the person for whom you are submitting a request.

Consumer Right to Equal Services and Price

The Bank will not discriminate against you for exercising any of your rights under the CCPA, including, but not limited to:

  • Denying you goods or services
  • Charging you different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties.
  • Providing you a different level or quality of goods or services.
  • Suggesting that you will receive a different price or rate for goods or services or a different level or quality of goods or services.

Changes to Our Privacy Notice

We reserve the right to amend this California Privacy Policy at our discretion and at any time. When we do, we will post the revised policy on our website. This California Privacy Policy is effective on January 1, 2020.

Questions or Concerns

You may contact us with questions or concerns about this Disclosure and our practices by writing us at:

Pacific Mercantile Bank
Attn: Compliance Department
949 South Coast Drive, Suite 300
Costa Mesa, CA 92626