California Consumer Privacy Notice

This Privacy Notice describes the categories and uses of personal information M&T Bank and its Affiliates, including Wilmington Trust (sometimes referred to as “M&T Bank Corporation”) collect from consumers residing in the state of California. This Notice also describes the rights that residents of California may have under applicable law including the California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”). This Notice constitutes our Notice at Collection and our online California Privacy Notice.

Last Updated: December 6, 2023

This Privacy Notice may be amended or updated from time to time to reflect changes in our Personal Information processing activities, or changes in applicable law. When a change is made, we will post the updated version of this Privacy Notice to the following sites: mtb.com/ccpa or wilmingtontrust.com/privacy-security/privacy-notices. All changes will become effective as of the Last Updated date listed at the top of the Notice. We encourage you to regularly check these websites to review any changes which we may make, and to review our M&T Digital Privacy Notice or the Wilmington Trust Digital Privacy Notice, which covers our collection and use of information when you visit those websites.

To obtain a version of this notice in larger print, please call 1-800-724-2440.

Section 1: Categories of Personal Information We Currently Collect and Have Collected Within the Last 12 Months

Category

Examples

Purpose

Access Data 

Username, passwords, any required security or access code, or credentials, Personal Identification Number (PIN), tokens, and other authentication information, including security question response(s), which allow access to an account

We collect this information to help us identify and authenticate you, for fraud prevention and similar purposes.

Account Data 

Account number, mortgage number, credit card number, debit card number, insurance policy number

We collect this Personal Information to help us service your account.

Biometric Data 

Voiceprint, signature

We collect this information for authentication purposes prior to disclosing any information about your account.

Communications Data

The contextualized information, in digital or physical form, involved in an exchange between one or more parties, including call logs, call recordings, text or e-mail messages 

We collect communications data as needed to service your account and do business with you, and for fraud prevention and similar purposes.

Contact Details 

The information required to contact an individual or an organization, e.g., address, phone numbers, e-mail address

We collect contact details as needed to identify you, contact you and do business with you.

Demographic Data

Gender, ethnicity, nationality, place of birth, marital status, residency status, military/veteran status, education, professional or employment history/information

We collect demographic We collect demographic information as needed to identify you, contact you and do business with you.

Financial Information

Information for our financial review to service your account or from payments processing pertaining to executed transactions. For example, transaction date, transaction amount, product account transactions, purchasing history. Also, information such as tax documentation, income information, paystubs

We collect financial information in order to provide you the financial products and services you request.

Geolocation 

Precise geolocation, physical locations or movements, such as device location

We may collect geolocation data to perform the services or provide the goods reasonably expected by an average California resident who requests those goods or services. For example, a California resident's precise geolocation may be used by a mobile application that is providing them with directions on how to get to a specific location.

Government Issued Identification/Personal Identifiers

Information used to identify and verify relevant individuals. Examples include name, passport number information, state-issued drivers’ license (and physical characteristics and descriptions within those items), state issued number or ID numbers, Social Security Number/ Taxpayer Identification Number, Alien Registration Number

We collect this information to help us identify and authenticate you, for fraud prevention and similar purposes.

Health Data 

Information collected surrounding an individual's health, medical information, disability data, genetic information, health insurance information

We collect health data as needed to service your account and do business with you.

Legal / Court Data 

Legal/court case, docket numbers, personal property registration information

We collect legal / court data as needed to service your account and do business with you.

Name 

Individual's first, middle and last name

We collect this Personal Information as needed to identify you, contact you, and do business with you.

Online / Digital Data 

IP address, Web browsing history, Unique Device Identifier, Cookie data, Apps downloaded or used, geographic tracking, internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an internet website application, or advertisement information

We collect online and digital data to personalize our interactions with you and to administer and optimize our sites.

Sensitive Personal Data

Social Security Number, driver’s license, state identification card, state identification number, passport number, date of birth, gender identity, racial or ethnic origin, precise geolocation, biometric information, health information, and account log-in, financial account, debit card, or credit card numbers in combination with any required security or access code, password, or credentials which allow access to an account, citizenship or immigration status.

We collect sensitive personal data  with the intention of developing a complete and accurate “Know Your Customer” (KYC) profile in line with regulatory requirements, to identify you, contact you and do business with you.

We obtain the categories of Personal Information listed above from:

  • you or your authorized agents directly at account opening;
  • documents that you provide to us;
  • third parties that interact with us in connection with the services we perform (e.g., credit bureaus);
  • during account maintenance from you or your authorized agent on forms as required by law.
  • We may also obtain your Personal Information from advertising networks, internet service providers, data analytics providers, government entities, operating systems and platforms, and social networks.

We do not collect the following pieces of information on our consumers in scope for CCPA: commercial information, including products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies; sensory data; or inferences drawn from other Personal Information (personal preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes). We also do not collect or process sensitive personal information for the purpose of inferring characteristics about a consumer.

We retain your Personal Information for the life of your customer relationship with us. Once your customer relationship is terminated, we will continue to retain your Personal Information only for as long as it is needed for the purposes set forth in this Privacy Notice, and for no longer than the maximum time period allowable under applicable law and regulation.

 

Section 2: Disclosure of Personal Information

We use and disclose for our business purposes the categories of Personal Information, including Sensitive Personal Information, relating to California residents as cited in Section 1 of this Notice to operate, manage, and maintain our business, to provide our products and services, and to accomplish our business or commercial purposes, including the following:

  • Performing services, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services providing analytic services, facilitating event management and execution, managing our real estate portfolio, or providing similar services reasonably expected by the consumer who requests those services;
  • To prevent, detect and investigate security incidents that compromise the availability, authenticity, integrity or confidentiality of stored or transmitted personal information;
  • To resist malicious, deceptive, fraudulent, or illegal actions directed at the business and to prosecute those responsible for those actions;
  • Helping to ensure security and integrity to the extent the use of Personal Information is reasonably necessary and proportionate for these purposes;
  • For short-term, transient use such as locating a branch or ATM;
  • To ensure the physical safety of natural persons;
  • To verify or maintain the quality or safety of a product, service, and to improve, upgrade, or enhance the product or service;
  • Debugging to identify and repair errors that impair existing intended functionality;
  • Undertaking internal research for technological development and demonstration; and
  • Complying with laws and regulations and to comply with other legal process and law enforcement requirements (including any internal policy based on or reflecting legal or regulatory guidance, codes or opinions).

With respect to each category of Personal Information that we disclosed for a business purpose, the categories of persons or entities to whom we disclose that Personal Information are:

  • M&T Bank Affiliates;
  • Service Providers and Contractors who provide services such as website hosting, data analysis, payment processing, order fulfillment, information technology and related infrastructure, customer service, email delivery, auditing, marketing, marketing research activities, credit financing, event management, and real estate management;
  • Other Service Providers and Contractors who provide services such as payment, banking and communication infrastructure, storage, legal expertise, tax expertise, real estate expertise, appraisal expertise, notaries and auditors, who promote the bank and its financial services and products to customers and other prospective buyers;
  • Other Service Providers and Contractors who enable customers to conduct transactions online and via mobile devices, support mortgage and fulfillment services, vehicle loan processes and aggregators (at the direction of the customer);
  • Other persons or entities to whom we transfer Personal Information as an asset that is part of a merger, acquisition or other transaction in which such other person or entity assumes control of all or part of the business;
  • Government Agencies as required by laws and regulations; and
  • Other persons or entities with which you may use or direct us to intentionally interact or to which you may use or direct us to intentionally disclose your Personal Information.

We do not disclose Personal Information to any other categories of third parties.

M&T Bank Corporation does not sell or share your Personal Information, therefore any rights that may be afforded to you under CCPA related to the selling or sharing of your Personal Information do not apply. 

Section 3: Your Legal Rights

Subject to applicable law, you may have the right to exercise the following:

  • The right to request access to, or copies of, your Personal Information that we have collected, used, or disclosed for the previous 12 months.
  • The right to request deletion of your Personal Information that we process subject to certain exemptions.
  • The right to correct inaccurate Personal Information

Household Requests - We currently do not collect household data. If multiple members of the household make a right to access or right to deletion request, we will respond as if the requests are individual requests.

To exercise rights under the CCPA, you must be a current resident of State of California. Only you, your authorized agent (a person or business entity registered with the California Secretary of State to conduct business in that state), or a person or entity to whom you have granted Power of Attorney to act on your behalf, may make a verifiable consumer request related to your Personal Information. You may also make a verifiable consumer request on behalf of your minor child.

To exercise your access, correction or deletion rights:

We must verify your identity in order to process your request. We do this by verifying your name, address, and the last four digits of your Social Security Number, so please include this information in your request. We may reach out for additional information to complete this process.

Please also include your email address if you wish to receive your response via email, as well as the nature of your request (access to, correction or deletion of your data). We will acknowledge receipt of your request within ten days and will provide a response to your request within 45 days. 

Authorized Agent

You may appoint an Authorized Agent to submit a request on your behalf. In order to do so, you must provide the appropriate documentation to M&T Bank or Wilmington Trust (Power of Attorney or proof of filing with the Secretary of State). In order for your authorized agent to act on your behalf, they must supply the appropriate documentation and verify their identity at the time they place the requst.

Please note there are instances in which M&T Bank or Wilmington Trust is required to maintain, or otherwise is not required to delete, your Personal Information. For example, M&T Bank is not required to delete your information if it is being used:

  • To complete a transaction or provide a good or service requested by you;
  • To detect security incidents or protect against malicious, deceptive, fraudulent, or illegal activity;
  • To enable solely internal uses based on your relationship with us, such as a Do Not Solicit request;
  • To comply with a legal obligation, such as federal recordkeeping requirements; or
  • Internally, in a lawful manner that is compatible with the context in which you provided the information.

California Non-Discrimination

California prohibits businesses from discriminating against you for exercising any rights under the CCPA, including, but not limited to, by:

  • Denying you goods or services;
  • Charging you different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
  • Providing you a different level or quality of goods or services; or
  • Suggesting that you will receive a different price or rate for goods or services or a different level or quality of goods or services.

Consumer Rights Requests Metrics

M&T Bank, Wilmington Trust and M&T Bank’s subsidiaries have received five (5) access, correction, or deletion requests, and have denied five (5) requests, as of December 6, 2023.

Section 4: Defined Terms

Personal Information

Any information that can be used to identify an individual, directly or indirectly. Personal Information does not include:

  • publicly available information from government records;
  • deidentified or aggregated consumer information;
  • other information excluded from the CCPA's scope, such as:
    • health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data
    • Personal Information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver's Privacy Protection Act of 1994

Processing

​Operations, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion or destruction

California Resident

​An individual that resides in the State of California and whose personal income is taxed by the State of California

​Verifiable Consumer Request

​A request made by a consumer, on behalf of the consumer’s minor child, or by a natural person or a person registered with the California Secretary of State as a consumer’s authorized agent.

 

Questions about our Privacy Practices

If you have questions or concerns about our privacy notices or practices, please contact us at:

  • For customers of M&T Bank Corporation, call toll-free 1-800-724-2440.
  • For customers of Wilmington Trust, contact your relationship manager, or call toll-free 1-866-771-7777