TIAA privacy notice for TIAA employees residing in California

This TIAA California Employee Privacy Notice (this "Notice") is for TIAA employees residing in California and is made available pursuant to the California Consumer Privacy Act and its implementing regulations, as subsequently amended by the California Privacy Rights Act (collectively, the "CCPA"). TIAA, in this Notice, refers to Teachers Insurance and Annuity Association of American and its subsidiaries and affiliates, including but not limited to TIAA Trust, N.A., Nuveen Services, LLC, and CAM HR Resources LLC (collectively, "TIAA" or the "TIAA Companies"). Capitalized terms used but not defined in this Notice shall have the meanings set forth in the CCPA.

If you are a TIAA employee residing in California, please review this Notice carefully, as it applies to the personal information we collect about you solely in your capacity as a TIAA employee and as a participant in TIAA employment benefits other than health care and retirement.  Please refer to the HIPAA Privacy Notice on the HR Services homepage for data practices relating to your health care benefits, and to the TIAA Privacy Notice at TIAA.org for data practices relating to your TIAA retirement account. We encourage you to read those notices together with this Notice to have a full description of our online and offline information practices.

Please refer to the notices and requests for your consent for a background check that you received when you initially applied for a job at TIAA to refresh your recollection on our information practices relating to your information as a job applicant.

Under the CCPA, personal information includes information that identifies and describes who you are; as well as information that relates to, is capable of being associated with, or could reasonably be linked to you, one of your devices and/or a member of your household. In this Notice, we refer to the personal information subject to the CCPA as "Employee Personal Information."

Your rights under the CCPA

If you are a California resident, you have the following rights with respect to your Employee Personal Information:

  • Receive information on our privacy and information practices, including why we collect Employee Personal Information about you, from whom, for what purposes, and with whom we share or "sell" it. This information is contained in the chart below. You are also entitled to know how long we expect to retain your Employee Personal Information. Our retention period for Employee Personal Information is generally the duration of your employment and ten years thereafter, and can be extended under some circumstances, such as anticipated or ongoing litigation or regulatory activities.
  • Request access to Employee Personal Information that we have collected about you in the twelve months prior to your request. Please note that we are not required to disclose any Employee Personal Information that may compromise the security of your account(s) or put you at risk of identity theft; for example, we will not disclose to you your specific Social Security Number if we have collected it.
  • Request the deletion of your Employee Personal Information, if we use it outside our business purposes (which are explained below).
  • Request the correction of your Employee Personal Information.
  • Limit the use of your sensitive Employee Personal Information if we use it outside our business purposes.  We may collect sensitive Employee Personal Information that you voluntarily provide to us for self-identification purposes including: race, gender identity/expression, sexual orientation, military status.  We also collect your age, date of birth, government issued identification numbers (such as Social Security or Driver's License); we use this information to administer payroll and benefits, and to comply with our obligations as your employer. All of these use cases are considered to be "business purposes" under CCPA. Therefore, the right to limit our use of your sensitive Employee Personal Information is not available at this time
  • Opt-out of certain automated decision-making. Until the California regulators define automated decision making, we are not yet able to offer this right to you. We do not use automated decision-making in a way that will materially impact your legal rights or discriminate against you.
  • Receive information whether we "sell or share" your Employee Personal Information with vendors that provide cross-context digital advertising or cannot assure us that your Employee Personal Information is used only to deliver services we have hired them to provide us.  You are also entitled to opt-out of any such "sale or sharing." We do not sell or share with anyone any of your Employee Personal Information.
  • Not be discriminated against for exercising these rights.

Our business purposes

Certain activities we perform require the use of your Employee Personal Information and/or your sensitive Employee Personal Information. Under the CCPA, you may not request that we (i) delete it; (ii) limit our use of your Employee Personal Information or sensitive Employee Personal Information; or (iii) limit our sharing with our service providers when our activities fall within our "business purposes".

We require our service providers to contractually agree to use your personal and sensitive Employee Personal Information only to render us the services we have hired them to perform, to protect it with technical, administrative and physical measures appropriate to its sensitivity, not to use it for their own purposes or collect further Employee Personal Information with respect to it, to tell us if they cannot comply with such requirements, and to allow us to make sure that they are complying with their obligations.

The activities constituting our "business purposes" are:

  • Maintaining our employment relationship with you, including paying your salary, administering your benefits, and complying with our obligations as your employer.
  • Completing a transaction for which the Employee Personal Information was collected, providing a product or service requested by you, taking actions reasonably anticipated within the context of our ongoing employment relationship with you, or otherwise performing our contract(s) with you.
  • Preventing, detecting, and investigating security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, or prosecuting those responsible for such activities.
  • Debugging products to identify and repair errors that impair existing intended functionality.
  • Short-transient use relating to our current business interaction with you.
  • Exercising free speech, ensuring the right of other consumers to exercise their free speech rights, or exercising another right provided for by law.
  • Enabling solely internal uses that are reasonably aligned with your expectations based on your relationship with us.
  • Complying with a legal obligation, including our records retention obligations, to answer subpoenas or requests from regulators.

Making other internal and lawful uses of that information that are compatible with the context in which you provided it.

Category and Sources of Personal Information

Contact Information

We collect this type of information from:

  • You, when you apply for employment with us, set up your employee profile, or otherwise provide us with such information for employment-related use

Examples of Types of Data Elements:

  • Full name, title, preferred form of address
  • Mailing address
  • Residential address
  • Email address
  • Telephone number
  • Mobile number

Purpose for Collecting and Disclosing the Employee Personal Information:
We use this type of information:

  • To identify you and stay in touch with you in the course of our employment relationship
  • When you agree to participate in media campaigns highlighting corporate news, we may disclose a message or video including your name, title, voice, and image.
  • For our business purposes

Categories of Third Parties to whom this type of Employee Personal Information is Disclosed for a Business Purpose:
We may disclose this type of information to other TIAA Companies, for their business purposes, and to service providers since they have agreed to use your information solely to render services to us and protect it.

Categories of Third Parties with whom this type of Employee Personal Information is Sold or Shared:
We do not sell this information for money or share this personal information with third parties for cross-context behavioral advertising or other activities from which you are entitled to opt-out.

Government-issued Identification Numbers

We collect this type of information from:

  • You

Examples of Types of Data Elements:

  • A government issued identifier, such as a Social Security or Driver's License Number

Purpose for Collecting and Disclosing the Employee Personal Information:
We use this type of information:

  • To identify you
  • For authentication
  • For security and risk management, fraud prevention and similar purposes
  • For our business purposes

Categories of Third Parties to whom this type of Employee Personal Information is Disclosed for a Business Purpose:
We may disclose this type of information to our service providers and to other TIAA Companies for our business purposes.

Categories of Third Parties with whom this type of Employee Personal Information is Sold or Shared:
We do not sell this information for money or share this personal information with third parties for cross-context behavioral advertising or other activities from which you are entitled to opt-out.

Network Access Information

We collect this type of information from:

  • You, when you establish an account or change your password in an online portal that you need pursuant to your employment

Examples of Types of Data Elements:
Data elements in this category include:

  • Usernames and passwords
  • Account recovery information

Purpose for Collecting and Disclosing the Employee Personal Information:
We use this type of information:

  • To identify and authenticate you
  • To permit you to access the online portals that you need pursuant to your employment
  • For security and similar purposes

Categories of Third Parties to whom this type of Employee Personal Information is Disclosed for a Business Purpose:
We may disclose this type of information to service providers that we have hired for IT services and for our business purposes.

Categories of Third Parties with whom this type of Employee Personal Information is Sold or Shared:
We do not sell this information for money or share this personal information with third parties for cross-context behavioral advertising or other activities from which you are entitled to opt-out.

Online & Technical Information

We collect this type of information from:

  • You and from your connected devices when you interact with our websites and mobile applications. For example, when you visit our websites, our server logs record your IP address and other information.
  • Through digital tracking technologies such as cookies, pixels, and beacons,

We also associate information with you using unique identifiers collected from your devices or browsers.

Examples of Types of Data Elements:
Employee Personal Information collected by our use of digital tracking technology on our websites is information that, on its own, might not identify you; however, when such information is combined with other information about you, it may be possible to identify you or your household.  In the context of digital tracking technology, such information may include:

  • your identifiers, including your cookie identifier, Internet Protocol address, hashed email address, device identifier, mobile ad identifier, and similar online and unique personal identifiers
  • your geolocation data
  • your internet or other electronic network activity information, such as the time you spent on the website, your navigation throughout the site, and other information regarding your interaction with an internet website, application, or advertisement)

Purpose for Collecting and Disclosing the Employee Personal Information:
We use this type of information:

  • To make our websites and applications usable by enabling basic functions, like page loading, account sign-in, and filling out forms
  • To monitor traffic and activity
  • To maintain security, enable fraud detection, and provide trouble-shooting and support
  • To facilitate an action initiated by you, such as setting or detecting your privacy settings
  • To authenticate and remember usernames upon login
  • To establish and maintain a logged-in connection while you are in the secure section(s) of our website
  • To enable us to personalize your web experience by remembering your online preferences including, but not limited to, your preferred language, web layout, or location settings
  • To detect your browser and device capabilities for displaying website content
  • To measure the level of engagement with the TIAA HR Portal in the TIAA Intranet
  • To deliver content to you as an employee
  • For our business purposes

Categories of Third Parties to whom this type of Employee Personal Information is Disclosed for a Business Purpose:
We may disclose this type of information to:

  • TIAA Companies
  • Service providers
  • Third parties who assist with our information technology and security programs, including companies such as network security services who retain information on malware threats detected
  • Third parties who assist with fraud prevention, detection, and mitigation
  • Third party network advertising companies
  • Other third parties as required by law

Categories of Third Parties with whom this type of Employee Personal Information is Sold or Shared:
We do not sell this information for money or share this personal information with third parties for cross-context behavioral advertising or other activities from which you are entitled to opt-out.

Biometric Information

We collect this type of information from:

  • You

Examples of Types of Data Elements:

  • Depending on your job function, we may collect biometric information such as fingerprints and faceprints

Purpose for Collecting and Disclosing the Employee Personal Information:
We use this information to comply with regulatory requirements related to your employment with us.

Categories of Third Parties to whom this type of Employee Personal Information is Disclosed for a Business Purpose:
We may share your Employee Personal Information with vendors who have agreed to use it only to render contracted services to us and keep it confidential.

Categories of Third Parties with whom this type of Employee Personal Information is Sold or Shared:
We do not sell this information for money or share this personal information with third parties for cross-context behavioral advertising or other activities from which you are entitled to opt-out.

Background, Professional, and Employment Information

We collect this type of information from:

  • You
  • Third party service providers who are able to verify your background, professional and employment information.

Examples of Types of Information/Data Elements:

  • Information about your educational and professional background
  • Personal characteristics
  • Performance related information including skills, interests, competencies, certifications, and achievements
  • For employees in certain roles, investigative consumer reports

Purpose for Collecting and Disclosing the Employee Personal Information:
We use this information to comply with employment laws, and federal and regulatory requirements. Additionally, we use this information in Workday to enhance your employment experience:

  • To provide learning recommendations that match your interests and development goals
  • To highlight short-term work opportunities that align with your interests and skills
  • To highlight open roles that align with your interests and skills
  • To help you build your network by recommending coworker connections 
  • To help match mentees with available mentors

Categories of Third Parties to whom this type of Employee Personal Information is Disclosed for a Business Purpose:
We may share your Employee Personal Information with vendors who have agreed to use it only to render contracted services to us and keep it confidential.

Categories of Third Parties with whom this type of Employee Personal Information is Sold or Shared:
We do not sell this information for money or share this personal information with third parties for cross-context behavioral advertising or other activities from which you are entitled to opt-out.

What to Expect When You Exercise an Available CCPA Right

Verification & Response Process

We take protecting your Employee Personal Information very seriously. When you make a request, we will first take steps to verify that it is really you who is making the request. Depending on the sensitivity of your Employee Personal Information, we may request that you provide us with additional documentation to verify your identity and may decline your request if we are unable to verify your identity.

Access to Employee Personal Information

Once we have verified your request, we will provide information from our records for the preceding 12 months, including the business purpose for our collection. We will also direct our service providers to do the same if they are holding your Employee Personal Information. Please note, we may decline your request if we are unable to verify your identity. We also decline to provide you with any of your Employee Personal Information that may put you at risk of ID theft or create a security risk. For example, we would not disclose to you a specific government-issued ID number.

Deletion of Employee Personal Information

If you are a current employee, a CCPA deletion right is not applicable to your personal information at TIAA. Should your employment with us end, we will maintain your personal information to comply with our legal and records retention obligations, as permitted by the CCPA.

Appointing a designated agent

CCPA allows you to exercise your rights through a designated agent. Please submit to us at our address below a duly notarized California power of attorney appointing the individual whom you have designated to act on your behalf for this purpose. We will verify your identity and the identity of your attorney-in-fact.

TIAA
Privacy Fulfillment
P.O. Box 1259
Charlotte, NC 28201

Exercising rights and verifiable requests

To exercise the access and deletion rights described above, please submit a request by either:

  • Calling us at 877-554-1001 weekdays, 8 a.m. to 10 p.m. (ET); or
  • Visiting TIAA.org/public/support/privacy

You can also visit Workday through the HR Services portal on the TIAA Intranet to access the personal information TIAA has about you relating to your employment at TIAA and log in to TIAA.orgOpens in a new window for information we have related to your retirement plan.

You can access the personal information collected with respect to other employment benefits through the providers that you have chosen.

Correction of inaccurate Employee Personal Information

  • To correct or update your Employee Personal Information please visit the TIAA Intranet, access Workday, Ask HR (HR Services), or call our National Contact Center at 800-842-2776 weekdays, 8 a.m. to 10 p.m. (ET).

To provide a "verifiable request" you must provide enough information that allows us to reasonably confirm and verify you are the person about whom TIAA collected Employee Personal Information or you are the attorney-in-fact of a CA resident.

Questions

If you have any questions about this Notice or the ways in which TIAA collects and uses your Employee Personal Information, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at 877-554-1001.

Non-Discrimination

TIAA will not discriminate against you for exercising any of your CCPA rights as described in this Notice. Unless permitted by the CCPA, we will not:

  • Deny you goods or services;
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
  • Provide you a different level or quality of goods or services; or
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Changes to this privacy notice

We reserve the right to amend this Notice at our discretion and at any time. When we make substantive changes to this Notice, we will inform you through a notice on our website.

April 2023