California Consumer Privacy Act Disclosure

This California Consumer Privacy Act (“CCPA”) Disclosure supplements the information contained in the Eastern Bank Privacy Policy (Eastern Bank, collectively with its subsidiaries and affiliates, “Eastern,” “we,” or “us”) and applies solely to California residents. This notice is provided pursuant to the CCPA.

Under the CCPA ‘Personal Information’ is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked directly or indirectly with a particular California resident. The CCPA does not apply to certain information, such as information subject to the Gramm-Leach-Bliley Act (“GLBA”).

The specific personal information that we collect, use, and disclose relating to a California resident covered by the CCPA will vary based on our relationship or interaction with that individual.


Collection of Personal Information

In the past twelve months (12) we may have collected for our business purposes the following categories of personal information:

  • Identifiers, such as name, e-mail address, or other similar identifiers;
  • Personal information categories listed in the California Customer Records statute (Cal. Civ. Code §1798.80(e), such as address or telephone number (some personal information included in this category may overlap with other categories);
  • Characteristics of protected classifications under California or federal law, such as sex and marital status;
  • Commercial information, such as records of personal property or purchase history;
  • Geolocation data, such as device location or Internet Protocol (IP) location;
  • Professional or employment-related information, such as current or past work history;

Personal information does not include:

  • Publicly available information from government records
  • Deidentified or aggregated consumer information
  • Other information excluded from CCPA’s scope, such as:
    • Personal information covered by certain specific privacy laws, including the Fair Credit Reporting Act (FCRA) and GLBA.
    • Exemptions for personal information obtained through employment or through business-to-business transactions.

We may obtain the categories of information listed above from the following categories of sources:

  • Directly or indirectly from individuals, our customers, consumers, or their representatives;
  • From service providers and vendors;
  • From our affiliates;
  • Public record sources.


Use of Personal Information For Business Purposes

We may use or disclose personal information we collect to operate, manage, and maintain our business, to provide our products and services, and to accomplish our business purposes and objectives, including the following:

  • Performing services, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services;
  • Undertaking activities to verify or maintain the quality of a service or product that is controlled by us, and to improve, upgrade, or enhance the service or product that is controlled by us;
  • Undertaking internal research for technological development and demonstration;
  • Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity and prosecuting those responsible for that activity;
  • Debugging to identify and repair errors that impair existing intended functionality;
  • Auditing related to a current interaction and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying position and quality of ad impressions, and auditing compliance with this specification and other standards;
  • Short-term, transient use, provided that the personal information is not disclosed to a third party and is not used to build a profile or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction;
  • Complying with laws and regulations and to comply with other legal process and law enforcement requirements (including any internal policy based on or reflecting legal or regulatory guidance).


Sharing of Personal Information

We may disclose your personal information only for a business purpose to the following categories of third parties:

  • Our affiliates;
  • Service providers and vendors;
  • Government agencies as required by laws and regulations.

In the preceding twelve (12) months, we may have disclosed the following categories of personal information to one or more of the categories of third parties listed above for a business purpose:

  • Identifiers;
  • Personal information categories listed in the California Customer Records statute (Cal. Civ. Code §1798.80(e));
  • Characteristics of protected classifications under California or federal law;
  • Commercial information; 
  • Geolocation data;
  • Professional or employment-related information.

In the past twelve (12) months, we have not “sold” personal information subject to the CCPA. For purposes of this Disclosure, “sold” means the disclosure of personal information to a third-party for monetary or other valuable consideration.


Rights Under the CCPA

The CCPA provides California residents with certain rights regarding their personal information. California residents have the right to:

  • Request that we disclose to you certain information about Eastern’s collection and use of your personal information over the past twelve (12) months, including:
    • The categories of personal information about you that we collected;
    • The categories of sources from which the personal information was collected;
    • The purpose for collecting personal information about you;
    • The categories of third parties with whom we shared personal information about you and, if applicable, the categories of personal information that were disclosed; and
    • The specific pieces of information of personal information we collected about you.
  • Request we delete personal information we collected from you, unless the CCPA recognizes an exemption.
  • Be free from unlawful discrimination for exercising your rights under the CCPA.

Upon receipt of a request from you, we will provide acknowledgement within 10 business days and advise you how long we expect it to take to respond if we are able to verify your identity. Additional information may be required to verify your identity if you request specific pieces of personal information. An authorized agent may submit a request on behalf of another person. In those situations, we may require proof of authorization and verification of identity directly from the person for whom you are submitting a request. Each request must provide sufficient information that allows us to reasonably verify that you are the person about whom we collected personal information. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or if we cannot verify that you have authority to make the request on behalf of another individual. In addition, we will not process your request where an exception under the CCPA applies. We will advise you in our response if we are not able to process your request. Please note that, in response to a request, we will not provide social security numbers, driver’s license numbers, other government issued identification numbers, financial account numbers, health care or medical identification numbers, account passwords, security questions and answers, or any specific pieces of information if the disclosure presents the possibility of unauthorized access that could result in identity theft or fraud or unreasonable risk to data or systems and network security.

We aim to respond to a verified request within 45 days of its receipt, as required under the CCPA. If we require additional time (up to an additional 45 days), we will inform you of the extension in writing and explain the reason for the delay.

You may only make a request for access to personal information twice within a twelve (12) month period. We will not charge a fee to you or your authorized representative to process your request unless it is duplicative, repetitive, or manifestly burdensome. If it is determined that a fee is warranted, we will disclose the amount of the fee to you prior to processing your request.

We reserve the right to amend this privacy notice at our discretion and at any time.


Exercising Your Rights

If you are a California resident and would like to exercise the rights described above, please submit a verifiable request by:

If you have any questions or comments about this notice or the ways in which we collect and use your personal information, you may contact us at:

  • E-mail: [email protected]
  • Mail: Eastern Bank
            195 Market Street
            EP 5-10
            Lynn, MA 01901
            Attn: Legal Department

Date of last revision: January, 2024