EY US State Law Privacy Statement
13 December 2023
Introduction
Ernst & Young LLP and its affiliated US entities (“EY US,” “we,” “us” or “our”) are part of the global organization of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity.
This addendum to the ey.com Privacy Statement applies with respect to California, Colorado, Connecticut, Utah, and Virginia residents, and explains the categories of personal data that we collect from you and how we collect and use personal data that is subject to consumer privacy laws in California, Colorado, Connecticut, Utah and Virginia.
It further describes the rights that residents of California, Colorado, Connecticut, Utah and Virginia (“residents,” “consumers” or “you”) have with respect to their personal data. This addendum should be read together with the ey.com Privacy Statement, and in case of any conflict, the terms of this addendum regarding personal data subject to your state’s law will prevail. For purposes of this addendum, the term “personal data” includes all “personal data” or “personal information” and the term “sensitive personal data” includes all “sensitive personal information” or “sensitive data” as defined in the applicable US state consumer privacy law (i.e., California, Colorado, Connecticut, Utah or Virginia). The terms “advertising” and “marketing” are used interchangeably.
Sources of personal data, purposes for collecting, processing, and disclosing personal data, and categories of personal data collected, processed, and disclosed
We collect and process personal data for a variety of business or commercial purposes. The ey.com Privacy Statement describes in greater detail the specific pieces of personal data that we collect or process, the purposes for collecting and processing personal data, the categories of sources from which we collect personal data, and the categories of third parties to whom we disclose or may disclose personal data.
Categories of personal data we collect or process:
We collect or process (or may have collected or processed in the preceding 12 months) the following categories of personal data from or about consumers. Please note that the following list represents categories of personal data across all California, Colorado, Connecticut, Utah and Virginia consumers whose personal data we may have collected or received and does not necessarily represent information we have collected specifically about you. Please also note that the definitions of “personal data” or “personal information” under your state’s consumer privacy laws are subject to certain exceptions and may not include information that is publicly available or that has been aggregated or deidentified in accordance with the laws.
- Identifiers. Information under this category includes name, postal address, email address, internet protocol address, driver’s license number, and other similar identifiers.
- Certain protected classifications. Information under this category may include race, color, national origin, marital status, religion or creed or other similar information that is generally protected under state or federal law.
- Commercial information. Information under this category includes records of personal property, products or services purchased, or other consumer history or tendencies.
- Biometric information. Information under this category includes measurements or technical analysis of human body characteristics, such as fingerprints or a retina image, which are used to authenticate an individual so that they can access an EY site.
- Internet or network activity. Information under this category includes information that relates to browsing or search history, or information regarding visitors’ interaction with an internet website.
- Geolocation data. Information under this category relates to physical location of an internet- connected device.
- Sensory information. Information under this category can include audio, electronic, visual, thermal, olfactory, or other similar sensory information.
- Professional or employment-related information. Information under this category includes employment history.
- Education information. Information under this category is non-public education information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g, 34 C.F.R. Part 99).
- Financial information. Information under this category includes an individual’s personal credit card number, debit card number, bank account number, bank personal identification number (PIN), credit or financial statements, and other information relating to an individual’s personal finances.
- Medical or health information. Information under this category includes medical history, including symptoms, diagnoses, procedures, outcomes, health insurance information, and lab results.
Sensitive personal data
Some of the personal data we collect might be considered “sensitive,” such as protected classifications (e.g., race, color, national origin, citizenship/immigration status, sexual orientation, religion or creed or other similar information), medical information, health insurance information, biometric information when processed for the purpose of uniquely identifying a consumer, and geolocation data. Under California law, sensitive personal information also includes Social Security number, passport number, trade union membership, and driver’s license number.
Purposes for collecting and processing personal data:
We may collect and process (or may have collected and processed in the preceding 12 months) all of the categories of personal data listed above for various business purposes:
- Performing professional services for our clients
- Undertaking activities to verify or maintain the quality or safety of our services, and to improve, upgrade, or enhance our services
- Undertaking internal research for technological development and demonstration
- Auditing related to interactions with consumers in connection with the professional services EY US provides
- Detecting security incidents; protecting against malicious, deceptive, fraudulent or illegal activity; and taking appropriate action as a result of any such detected activity
- Debugging to identify and repair errors that impair existing intended functionality
- Short-term, transient uses where the personal data is not disclosed to a third party and is not used to build a profile about you or otherwise alter your experience outside the relevant interaction
Purposes for disclosing personal data and categories of third parties to whom we disclose or may disclose personal data:
We may disclose (or may have disclosed in the preceding 12 months) the categories of personal data listed above to third parties for a business purpose listed above. In addition, we may disclose (or may have disclosed in the preceding 12 months) your personal data to the following categories of third parties: EY US clients; other EY member firms; affiliates and subsidiaries; vendors and suppliers that provide services on our behalf; professional services organizations such as law firms, tax advisors and auditors; and other third parties such as advisors, insurers, joint marketing partners, business partners, ad networks, internet service providers, data analytics providers, operating systems and platforms, providers of identity and credit verification services, regulatory and other professional bodies, and government authorities.
Sales of personal data, targeted advertising, and profiling
We may disclose information about your browsing activity to certain third parties (such as online advertising services) via automated technologies on ey.com (e.g., third-party cookies) in exchange for non-monetary consideration. Depending on your state’s consumer privacy laws, this may be considered a “sale” or “share” of data. We may use your data for targeted advertising and profiling. EY US’s profiling activities do not produce legal or similarly significant effects such as denial of employment opportunities, or other effects as defined under applicable state law. Any information regarding your browsing activities that EY US discloses or uses for targeted advertising or profiling will not include sensitive personal data.
We may disclose the categories of personal data listed below to improve the performance of ey.com, to enhance your browsing experience, to provide you a more personalized browsing experience and to improve our advertising efforts. You can view a full listing of the third-party cookies we use and opt out of their use via the ey.com Cookie Settings page here. Please note that if you are accessing ey.com across multiple devices or platforms or if you clear your browser settings, you may have to opt out again.
We may disclose (or may have disclosed in the preceding 12 months) the following categories of personal data in connection with such third-party cookies, including for targeted advertising or profiling purposes:
- Identifiers. This includes ey.com visitors’ internet protocol (IP) addresses.
- Internet or network activity. This includes information about visitors’ interaction with ey.com, including information about the visitor’s web browser, page location, referrer and person using the website; cookie-specific data such as cookie ID and the cookie; and button and field data, such as any buttons clicked by site visitors, the labels of those buttons, any pages visited as a result of the button clicks, and the names of any website fields filled in by visitors.
Global Privacy Control
You may opt out of the targeted advertising, “sharing” and “selling” described above by sending certain browser-enabled opt-out signals. Specifically, if we detect that you have enabled the Global Privacy Control signal in your browser, we will automatically disable marketing/ targeting cookies. You may learn more about how to set the Global Privacy Control here: https://globalprivacycontrol.org/.
Data retention
EY US’s records, including personal data, are retained based on regulatory, legal and business requirements and obligations, including applicable professional standards. EY US preserves all documents, including personal data, that are relevant to any actual or reasonably anticipated claim, litigation, investigation, subpoena or other government proceeding.
De-identified data
We may create, collect, maintain, and use de-identified data to analyze and improve our and our clients’ products and services. EY US will not attempt to re-identify you if your personal data has been de-identified, aggregated or otherwise rendered anonymous in such a way that you are no longer reasonably identifiable. This information will be treated as non-personal data and is not subject to the terms of this Privacy Statement.
Your legal rights
Under certain circumstances, depending on your state of residence, you may have rights in relation to your personal data. More detail is listed in the Appendix below.
- California (Effective January 1, 2023)
- Colorado (Effective July 1, 2023)
- Connecticut (Effective July 1, 2023)
- Utah (Effective December 31, 2023)
- Virginia (Effective January 1, 2023)
Exercising your rights in relation to personal data
Except as described otherwise, if you would like to exercise any of the rights you may have with respect to personal data under your state’s consumer privacy law as listed above, please contact us by either:
- Submitting a request through this form.
- Contacting us at +1 866 608 0644
As part of processing some of your requests, we require you to provide certain personal data about you to verify your identity in accordance with legal requirements. This information includes your first and last name, email address, physical address, telephone number and description of relationship to EY US, but may also include additional information based on the nature of your request and your relationship with us.
Additionally, you may designate an authorized agent to make a request on your behalf. To comply with your request, we will require the personal data referenced above to be used for identity verification purposes, as well as the name, email address and telephone number of your authorized agent.
After we verify your identity and the validity of your request, we will take the following action free of charge:
- In the case of an access request, we will provide you any required personal data in a manner that is readily usable and portable, when technically feasible, consistent with the requirements of your state consumer privacy law.
- In the case of a correction or deletion request, we will correct or delete personal data that we have collected about you (requests for deletion and correction are subject to our right to maintain your personal data for specific purposes permitted under your state consumer privacy law).
- In the case of requests to opt out of the sale of your personal data, we will cease any sale of your personal data subject to any exceptions under your state consumer privacy law.
- In the case of requests to opt out of the use of your personal data for targeted advertising, we will cease any use of your personal data for targeted advertising subject to any exceptions under your state consumer privacy law.
We will endeavor to comply with your verified request within 45 days (or a shorter period, if required), but may extend that period when reasonably necessary, in which case we will notify you.
Contact for more information
If you have any questions regarding the processing of your personal data, please contact the EY Data Protection team.
Appendix: Legal rights under each US State Privacy Law.
You have the right to exercise any of the rights listed below for your state of residence (and any other rights under your state law) without discrimination by us:
California (effective January 1, 2023)
Under the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020 (CPRA), which goes into effect January 1, 2023) (CCPA), California residents have the following rights around EY US’s collection, use, and disclosure of their personal data. For purposes of exercising the rights in this section, the listed terms are defined as follows:
Definitions
- Cross-context behavioral advertising means the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across different companies’ websites and/or platforms.
- Profiling means any form of automated processing of personal information, to evaluate a consumer’s personal aspects, in particular to analyze or predict aspects about that consumer’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
- Selling means selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating personal information for monetary or other valuable consideration.
- Share, shared, sharing means sharing, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally a consumer’s personal information for cross-context behavioral advertising, even if no money is exchanged.
Rights
- Right of access and data portability. You may have the right to request that we provide you a copy of the personal data EY US has collected about you. In addition, you may have the right to request that we disclose to you information about our collection and use of your personal data in the preceding 12 months, including: (a) the categories and specific pieces of personal data we collect; (b) the categories of sources from which we collect personal data; (c) the business or commercial purpose for which we collect, sell or share personal data; (d) the categories of third parties to whom we disclose personal data; and (e) the categories of personal data disclosed for a business purpose or sold to third parties and the categories of third parties to whom such personal data was sold or disclosed. Please note that you may only make an access request to us for your personal data up to two times in any 12-month period.
- Right to deletion. You may have the right to request that we delete certain personal data that we have collected about you. The foregoing is subject to our right to maintain your personal data for specific purposes permitted under the CCPA. If we are unable to comply with any such request, we will notify you.
- Right to correction. You may have the right to request that we correct inaccuracies in the personal data we have collected about you.
- Right to limit the use and disclosure of sensitive personal data. The CCPA grants you the right to instruct a business to limit its use or disclosure of your sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by you in your request for those goods or services and to perform certain activities permitted by the CCPA. Please note that EY US does not use or disclose sensitive personal data for any purposes other than those necessary to provide the relevant services or as permitted by the CCPA.
- Right to opt-out. You may have the right to request that your personal data not be sold to or shared (as such terms are defined above) with third parties.
Colorado (effective July 1, 2023)
Under the Colorado Privacy Act, which goes into effect July 1, 2023, Colorado residents have the following rights around EY US’s collection, use, and disclosure of their personal data. For purposes of exercising the rights in this section, the listed terms are defined as follows:
Definitions:
- Profiling means any form of automated processing to evaluate, analyze or predict personal aspects related to a person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
- Sale, Sell, or Sold means the exchange of personal data for monetary or other valuable consideration by a controller to a third party.
- Targeted advertising means displaying to a consumer an advertisement that is selected based on personal data obtained or inferred over time from the consumer’s activities across nonaffiliated websites, applications, or online services to predict consumer preferences or interests.
Rights
- Right of access. You may have the right to confirm whether EY US is processing your personal data and to access your personal data.
- Right of data portability. You may have the right to request that we provide you a copy of your personal data.
- Right to correction. You may have the right to request that we correct inaccuracies in the personal data we have collected about you.
- Right to deletion. You may have the right to request that we delete certain personal data that we have collected about you. The foregoing is subject to our right to maintain your personal data for specific purposes permitted under applicable state law. If we are unable to comply with any such request, we will notify you.
- Right to opt out. You may have the right to request that your personal data not be sold to third parties or used for targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.
Connecticut (effective July 1, 2023)
Under the Connecticut Personal Data Privacy and Online Monitoring Act, which goes into effect July 1, 2023, Connecticut residents have the following rights around EY US’s collection, use, and disclosure of their personal data. For purposes of exercising the rights in this section, the listed terms are defined as follows:
Definitions
- Profiling means any form of automated processing to evaluate, analyze or predict personal aspects related to a person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
- Sale of personal data means the exchange of personal data for monetary or other valuable consideration.
- Targeted advertising means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated internet web sites or online applications to predict such consumer’s preferences or interests.
Rights
- Right of access. You may have the right to confirm whether EY US is processing your personal data and to access your personal data.
- Right of data portability. You may have to the right to request that we provide you a copy of your personal data.
- Right to correction. You may have the right to request that we correct inaccuracies in the personal data we have collected about you.
- Right to deletion. You may have the right to request that we delete certain personal data that we have collected about you. The foregoing is subject to our right to maintain your personal data for specific purposes permitted under applicable state law. If we are unable to comply with any such request, we will notify you.
- Right to opt out. You may have the right to request that your personal data not be sold to third parties or used for targeted advertising or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning you.
- Appeal. You may have the right to appeal EY US’s denial of any of the above-listed rights. You may do so by responding to the message in which EY has communicated its denial and indicating you would like to appeal that denial.
Utah (effective December 31, 2023)
Under the Utah Consumer Privacy Act, which goes into effect December 31, 2023, Utah residents have the following rights around EY US’s collection, use and disclosure of their personal data. For purposes of exercising the rights in this section, the listed terms are defined as follows:
Definition
- Sale, Sell or Sold means the exchange of personal data for monetary consideration by a controller to a third party.
- Targeted advertising means displaying an advertisement to a consumer where the advertisement is selected based on personal data obtained from the consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests.
Rights
- Right of access. You may have the right to confirm whether EY US is processing your personal data and to access your personal data.
- Right of data portability. You may have the right to request that we provide you a copy of the personal data that you previously provided to EY US.
- Right to deletion. You may have the right to request that we delete your personal data that you provided to EY US. The foregoing is subject to our right to maintain your personal data for specific purposes permitted under applicable state law. If we are unable to comply with any such request, we will notify you.
- Right to opt-out. You may have the right to request that your personal data not be sold to third parties or used for targeted advertising. Additionally, you may have the right to request that EY US not process your sensitive personal data.
Virginia (effective January 1, 2023)
Under the Virginia Consumer Data Protection Act, which went into effect January 1, 2023, Virginia residents have the following rights around EY US’s collection, use and disclosure of their personal data. For purposes of exercising the rights in this section, the listed terms are defined as follows:
Definitions
- Profiling means any form of automated processing to evaluate, analyze or predict personal aspects related to a person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
- Sale of personal data means the exchange of personal data for monetary consideration.
- Targeted advertising means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across non-affiliated websites or online applications to predict such consumer’s preferences or interests.
Rights
- Right of access. You may have the right to confirm whether EY US is processing your personal data and to access your personal data.
- Right of data portability. You may have the right to request that we provide you a copy of the personal data that you previously provided to EY US.
- Right to correction. You may have the right to request that we correct inaccuracies in the personal data we have collected about you.
- Right to deletion. You may have the right to request that we delete certain personal data that we have collected about you. The foregoing is subject to our right to maintain your personal data for specific purposes permitted under applicable state law. If we are unable to comply with any such request, we will notify you.
- Right to opt-out. You may have the right to request that your personal data not be sold to third parties or used for targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.
- Appeal. You may have the right to appeal EY US’s denial of any of the above-listed rights. You may do so by following the procedures set forth in the “Exercising your rights in relation to personal data” section above and/or by responding to the message in which EY US has communicated its denial and indicating you would like to appeal that denial.