Important Information for California Residents

Effective date: December 29, 2019

Visa is providing this supplemental privacy notice to give California residents the additional information required by the California Consumer Privacy Act (the “CCPA”) and other California laws.

At Visa, we are committed to protecting the privacy and security of all the personal information that is entrusted to us. Visa has a Global Privacy Program to help ensure your information is handled properly, and your personal information is protected. It also reflects the requirements of the privacy laws in all the countries and states where Visa operates. Our Global Privacy Notice describes our privacy and security practices in detail.

In the United States, the payment transaction information that Visa collects when it operates its payment networks is regulated by existing federal financial privacy laws. The CCPA recognizes that such financial information is already protected by federal privacy law, so the CCPA does not apply to this information. Visa’s privacy program reflects the sensitivity of the financial and other information we handle. If you have questions about how we handle your Visa payment card data, please visit Additional Privacy Information and review the section on Card Transaction Data.

Beyond financial information, Visa does collect certain information that is subject to the CCPA. The CCPA applies (1) to our marketing data, which we collect when consumers sign up for marketing from Visa, attend Visa-sponsored events, or interact with our websites and apps, and (2) to information collected from individuals who use Visa (formerly Visa Checkout) and other Visa Solutions secure checkout services. This supplemental privacy notice explains our practices for this CCPA-covered information.

As a global payments technology company, Visa fulfills many roles. When we act as a service provider for Visa card issuers and merchants, we only collect and use personal information as authorized by our contracts with our clients. If you have questions about how these companies handle your personal information, or wish to exercise your rights, please contact them directly. For example, if you have signed up for cash-back or loyalty offers with your financial institution or a merchant, please contact that company for more information.

The CCPA provides California residents with specific privacy rights, including the right to receive a privacy notice, the right to know what information we have collected about you during the past 12 months and the right to know what categories of personal information we have shared with third parties. CCPA gives California residents the right to opt-out of having their personal information sold¹. CCPA also gives California residents the right to request deletion of their personal information.

For information that Visa collects subject to the CCPA, this notice describes the categories of information that we collect from California residents generally, the sources of the information, the purposes for which we use the information, and the categories of third parties to whom we disclose the information for business purposes. Visa does not sell personal information.

As described below, Visa may share personal information with its Affiliates² and service providers. We may also disclose personal information to third parties for business purposes as permitted by CCPA, such as to our auditors, for compliance or security, or in connection with mergers and acquisitions.

We may also share personal information with third parties based on your consent, such as if you enroll in a co-branded marketing program or if you explicitly accept our use of third-party advertising cookies, as described in our Cookie Notice.

¹ Personal information of children under 16 cannot be sold without affirmative consent. Visa does not sell children’s information.
² Visa's Affiliates are companies that are directly or indirectly controlled by Visa U.S.A. Inc. or its parent company Visa Inc. through ownership—for example, Visa International Service Association, Visa Worldwide Pte. Limited, Visa Canada Corporation, Visa International Servicios de Pago España, S.R.L., Visa Europe Limited, Visa do Brasil Empreendimentos Ltda.

If you are a California resident, you may exercise your rights or authorize another person to act on your behalf by:

Visiting our Privacy Rights Page
Calling Visa at 1-844-909-1620
Email us: [email protected]
Please do not include sensitive information, such as your account number, in emails.
Mailing us a letter:
Visa Global Privacy Office
900 Metro Center Blvd.
Foster City, CA, 94404

Please note that we will need to verify your identity before we can fulfill your CCPA-related request. The information that we maintain is subject to CCPA generally consists of marketing information, we will generally verify your identity using your email address. We will respond to requests using the email address that is associated with the information we maintain.

If you would like to designate an agent, please send an email from your own email address to [email protected] indicating the name and email address of your agent. We will respond to that’s person’s requests using both your email address and the agent’s email address.

Please understand that your rights are subject to some limitations:

For security reasons and to prevent unauthorized disclosure of personal information, cardholders should contact their payment card issuers to access their Card Transaction Data. This helps ensure that access to the information is only provided to the authorized individuals, subject to the issuer’s verification processes.
CCPA provides that service providers should refer access and deletion requests to the companies with whom the individual has the direct relationship. In many cases, we act as a service provider for card issuers and merchants, including rewards networks. If you have questions about how your issuer or a rewards network handles your personal information, please check the privacy notices provided by these companies and contact them directly for assistance with your relevant privacy requests.
CCPA also prohibits companies from including certain elements of sensitive personal information, such as payment card number, in their access reports, even if you have provided those data elements to use for marketing.
If you request that we delete your personal information, we will do so except in those situations where our retention is required for our internal business purposes or otherwise permitted by CCPA (such as for fraud prevention or legal compliance). In these situations, we will retain your information in accordance with our records retention program and securely delete it at the end of the retention period.

Visa collects personal information in order to deliver offers and promotions and to enable loyalty programs. While we cannot calculate the precise value of your information to us, our offers and incentives generally reflect the value of the relationships that we have with the individuals who participate in the program.

We will not discriminate against you if you exercise your rights under CCPA. However, if you ask us to delete your information, you will not be able to receive additional offers or promotions for which the deleted information was needed for program participation. Any offers or promotions sent to you previously will continue to be honored according to their original terms.

Contact Information

Category and Sources of Personal Information

We collect this type of information from you when you voluntarily give it to us. For example, you may:

Sign up for offers, marketing programs, or co-branded promotions
Enter a sweepstakes or contest
Attend a Visa-sponsored event
Enroll in a Visa secure checkout solution (such as Visa)

Representative Data Elements

Data elements in this category include:

Name
Username
Mailing address
Email address
Telephone number
Mobile number

Purpose for Collecting and Sharing the PI

We use this type of information to identify you and communicate with you, including:

To send transactional messages (such as confirmations)
To send marketing communications, surveys, and invitations
To personalize our communications and provide customer service
For our Everyday Business Purposes ³

Categories of Third Parties to whom this type of Personal Information is Disclosed for a Business Purpose

We may disclose this type of information to our Affiliates and to:

Service Providers, including to social media companies that use the data only to identify which of our customers use their platforms so that we can deliver ads to you on the platform
Third parties who deliver our communications, such as the postal service and couriers
Third parties who assist us with address hygiene and fulfillment
Other third parties as required by law

Government-issued Identification Numbers

Category and Sources of Personal Information

We collect this type of information from you when you voluntarily give it to us. For example, you may:

Attend a Visa-sponsored event that requires us to collect your passport data
Win a contest prize that requires us to collect your Social Security number for tax reporting

Representative Data Elements

Data elements in this category include:

Social security number
Driver’s license number
Passport number

Purpose for Collecting and Sharing the PI

We use this type of information:

To identify you
To maintain the integrity of our records
For security and risk management, fraud prevention, and similar purposes
For our Everyday Business Purposes

Categories of Third Parties to whom this type of Personal Information is Disclosed for a Business Purpose

We may disclose this type of information to our Affiliates and Service Providers and to:

Our lawyers, auditors, consultants
Other third parties as required by law

Biometric Identifiers

Category and Sources of Personal Information

We collect this type of information from you when you enroll in a biometric identity program or biometric payment solution.

Representative Data Elements

Data elements in this category include:

Biometric identifier

Purpose for Collecting and Sharing the PI

We use this type of information:

To identify and authenticate you
For security and similar purposes

Categories of Third Parties to whom this type of Personal Information is Disclosed for a Business Purpose

We may disclose this type of information to our Affiliates and Service Providers and to:

Third parties who assist with our information technology and security programs
Third parties who assist with fraud prevention, detection and mitigation
Our lawyers, auditors and consultants
Other third parties as required by law

Relationship Information

Category and Sources of Personal Information

We collect this type of information from:

You
Third parties that provide access to information you make publicly available, such as social media
Third parties that provide information that helps us understand our customers, including data aggregators and public records providers.

We may also infer information about you based on information that you have given us and your past interactions with us and other companies.

Representative Data Elements

Data elements in this category include:

Personal characteristics and preferences, such as your age range, marital and family status, shopping preferences
Loyalty and rewards program data
Household demographic data, including census data
Data from social media profiles
Hobbies and interests
Propensity scores obtained from third parties (such as likelihood that you may be interested in certain purchases or experiencing life events)

Purpose for Collecting and Sharing the PI

We use this type of information:

To better understand you and to understand our customers generally
To design products, services and programs that delight our customers, including loyalty programs
To identify prospective customers
For internal business purposes, such as quality control, training and analytics
For our Everyday Business Purposes

Categories of Third Parties to whom this type of Personal Information is Disclosed for a Business Purpose

We may disclose this type of information to our Affiliates and Service Providers and to:

Third parties with whom we have joint marketing and similar arrangements
Our lawyers, auditors and consultants
Other third parties as required by law

Transaction and Interaction Information

Category and Sources of Personal Information

We collect this type of information from:

You
Third parties that process transactions for us

Representative Data Elements

Data elements in this category include:

Records collected in connection with use of a secure checkout solution (such as Visa)
Rewards program account information, qualification data, and related records
Records related to use of our websites and apps
Non-biometric data collected for consumer authentication (passwords, account security questions)
Customer service records
Visitor logs

Purpose for Collecting and Sharing the PI

We use this type of information:

To fulfill our business relationship with you, including customer service
For recordkeeping and compliance, including dispute resolution
For internal business purposes, such as finance, quality control, training, reporting and analytics
For risk management, fraud prevention and similar purposes
For our Everyday Business Purposes

Categories of Third Parties to whom this type of Personal Information is Disclosed for a Business Purpose

We may disclose this type of information to our Affiliates and Service Providers and to:

Third parties with whom we have joint marketing and similar arrangements
Third parties as needed to complete the transaction, including delivery companies, agents and manufacturers
Our lawyers, auditors and consultants
Customers, in connection with their audits of Visa
Other third parties as required by law

Inferred and Derived Information

Category and Sources of Personal Information

We create inferred and derived data elements by analyzing our relationship and transactional information.

Representative Data Elements

Data elements in this category include:

Propensities, attributes and/or scores generated by internal analytics programs and used for marketing
Propensities, attributes and/or scores generated by internal analytics programs and used for information security and fraud purposes

Purpose for Collecting and Sharing the PI

We combine inferred data with other relationship information and use this type of information:

To better understand you and to understand our customers generally
To design products, services and programs that delight our customers, including loyalty programs
To identify prospective customers
For internal business purposes, such as quality control, training and analytics
For our Everyday Business Purposes

Categories of Third Parties to whom this type of Personal Information is Disclosed for a Business Purpose

We may disclose this type of information to our Affiliates and Service Providers and to:

Third parties with whom we have joint marketing arrangements
Our lawyers, auditors and consultants
Other third parties as required by law

Online & Technical Information

Category and Sources of Personal Information

We collect this type of information from:

You and from your computer or devices when you interact with our platforms, websites and applications. For example, when you visit our websites, our server logs record your IP address and other information.
Automatically, via technologies such as cookies, web beacons, when you visit our website or other websites.
Third parties, including computer security services and advertising partners.

We also associate information with you using unique identifiers collected from your devices or browsers.

Representative Data Elements

Data elements in this category include:

IP Address
Device identifiers and characteristics
Advertising ID
Web Server Logs
First Party Cookies
Third Party Cookies
Web beacons, clear gifs and pixel tags
Server log records
Activity log records

Purpose for Collecting and Sharing the PI

We use this type of information:

For system administration, technology management, including optimizing our websites and applications
For information security and cybersecurity purposes, including detecting threats
For recordkeeping, including logs and records that maintained as part of Transaction Information
To better understand our customers and prospective customers and to enhance our Relationship Information, including by associating you with different devices and browsers that they may use
For online targeting and advertising purposes
For our Everyday Business Purposes

Categories of Third Parties to whom this type of Personal Information is Disclosed for a Business Purpose

We may disclose this type of information to our Affiliates and Service Providers including to companies’ search engines that use the data collected by cookies and similar means to help us with our online advertising programs, and to:

Third parties who assist with our information technology and security programs, including companies such as network security services who retain information on malware threats detected
Third parties who assist with fraud prevention, detection and mitigation
Third party network advertising partners
Our lawyers, auditors and consultants
Other third parties as required by law

We also disclose this information with your consent, if you explicitly allow us to place third party advertising cookies. To learn more and review your cookie settings, please read our Cookie Notice.

Audio Visual Information

Category and Sources of Personal Information

We collect this type of information from:

You
Automatically, such as when we record calls to our call center and use CCTV cameras in our facilities
Third parties that provide access to information you make publicly available, such as social media

Representative Data Elements

Data elements in this category include:

Photographs
Video images
CCTV recordings
Call center recordings and call monitoring records
Voicemails

Purpose for Collecting and Sharing the PI

We use this type of information:

For internal business purposes, such as call recordings used for training, coaching or quality control
For relationship purposes, such as use of photos and videos for social media purposes
For premises security purposes and loss prevention
For our Everyday Business Purposes

Categories of Third Parties to whom this type of Personal Information is Disclosed for a Business Purpose

We may disclose this type of information to our Affiliates and Service Providers and to:

Third parties who assist with our information technology and security programs, and our loss prevention programs
Our lawyers, auditors and consultants
Other third parties as required by law

Financial Information

Category and Sources of Personal Information

We collect this type of information from you, if you enroll in card-link offer programs from Visa or a co-promotion partner or enroll in a Visa secure checkout solution (such as Visa)

Representative Data Elements

Data elements in this category include:

Payment card information

Purpose for Collecting and Sharing the PI

We use this type of information:

To enable your transactions
To provide offers and promotions you requested, including calculating rewards earned and for related account purposes
For recordkeeping and compliance, including dispute resolution
For internal business purposes, such as finance, audits, training, reporting and analytics
For risk management, fraud prevention and similar purposes
For our Everyday Business Purposes

Categories of Third Parties to whom this type of Personal Information is Disclosed for a Business Purpose

We may disclose this type of information to our Affiliates and Service Providers and to:

Payment processors, financial institutions and others as needed to complete the transactions and for authentication, security and fraud prevention
Our lawyers, auditors and consultants
Customers, in connection with their audits of Visa
Other third parties as required by law

Geolocation Data

Category and Sources of Personal Information

We collect this type of information automatically from your mobile device if you opt-in to allow us to collect it.

Representative Data Elements

Data elements in this category include:

Precise location and GPS information

Purpose for Collecting and Sharing the PI

We use this type of information:

To provide the information, products or services requested
For information security and fraud prevention
For our Everyday Business Purposes

Categories of Third Parties to whom this type of Personal Information is Disclosed for a Business Purpose

We may disclose this type of information to our Affiliates and Service Providers and to:

Third parties who assist with our information technology and security programs
Third parties who assist with fraud prevention, detection and mitigation
Our lawyers, auditors and consultants
Other third parties as required by law

Compliance Data

Category and Sources of Personal Information

We collect this type of information from:

You
Third parties, including companies that help us conduct internal investigations
Third parties, such as consumer reporting agencies and data aggregators who conduct background screening for us

Representative Data Elements

Data elements in this category include:

Compliance program data, such as records maintained to demonstrate compliance with CCPA and other applicable laws
Records related to consumer preferences, such as your opt-ins and opt-outs of marketing programs
Records related to CCPA rights requests

Purpose for Collecting and Sharing the PI

We use this type of information:

To comply with and demonstrate compliance with applicable laws
For legal matters, including litigation and regulatory matters, including for use in connection with civil, criminal, administrative, or arbitral proceedings, or before regulatory or self-regulatory bodies, including service of process, investigations in anticipation of litigation, execution or enforcement of judgments and orders
For internal business purposes, such as risk management, audit, internal investigations, reporting, and analytics
For our Everyday Business Purposes

Categories of Third Parties to whom this type of Personal Information is Disclosed for a Business Purpose

We may disclose this type of information to our Affiliates and Service Providers and to:

Our lawyers, auditors and consultants
Marketing partners, in connection with their audits of Visa
Other third parties (including government agencies, courts and opposing law firms, consultants, process servers and parties to litigation) in connection with legal matters

³ Everyday Business Purposes encompasses the Business Purposes (as defined in the CCPA) and following related purposes for which personal information may be used:

To provide the information, product or service requested by the individual or as reasonably expected given the context in which with the personal information was collected (such as customer credentialing, providing customer service, personalization and preference management, providing product updates, bug fixes or recalls, and dispute resolution);
For identity and credential management, including identity verification and authentication, and system and technology administration;
To protect the security and integrity of systems, networks, applications and data, including detecting, analyzing and resolving security threats, and collaborating with cybersecurity centers, consortia and law enforcement about imminent threats;
For fraud detection and prevention;
For legal and regulatory compliance, including all uses and disclosures of personal information that are required by law or reasonably needed for compliance with company policies and procedures, such as: anti-money laundering programs, security and incident response programs, intellectual property protection programs, and corporate ethics and compliance hotlines;
For corporate audit, analysis and reporting;
To enforce our contracts and to protect against injury, theft, legal liability, fraud or abuse, and to protect people or property, including physical security programs;
To de-identify the data or create aggregated datasets, such as for consolidating reporting, research or analytics;
To make back-up copies for business continuity and disaster recovery purposes; and
For corporate governance, including mergers, acquisitions and divestitures.

The CCPA requires certain businesses to compile and disclose information each year regarding their compliance with the CCPA for the previous twelve-month period. Visa has elected to provide a report for the period of January 1, 2021 - December 31, 2021.

CCPA Reporting requirements and totals.

Total CCPA Requests Received	424
Number of Unverified Request Received^*	41
Verifiable CCPA Requests Received from Consumers by Category
Number of Requests to Know Received	191
Number of Requests to Know Fulfilled	191
Number of Requests to Know Denied	0
Number of Requests to Delete Received	177
Number of Requests to Delete Fulfilled	177
Number of Requests to Delete Denied^**	0
Number of Do Not Sell Requests Received	56
Number of Do Not Sell Requests Granted in Fulfilled^***	N/A
Average Number of Days for Visa to Respond to Verifiable Requests	29

^* Requests which could not be validated due to insufficient location information or individuals failed to verify their identity in the OneTrust tool. These requests are not included in the totals above.
^** Data retained in accordance with CCPA.
^*** Visa does not sell Personal Information.