EY US State Law Privacy Statement

29 July 2024

Introduction

Ernst & Young LLP and its affiliated US entities (EY US, we, us, or our) are part of the global organization of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity.

This addendum to the ey.com Privacy Statement applies with respect to California, Colorado, Connecticut, Oregon, Texas, Utah, and Virginia residents and explains the categories of personal data that we collect from you and how we collect and use personal data that is subject to consumer privacy laws in California, Colorado, Connecticut, Oregon, Texas, Utah, and Virginia.

It further describes the rights that residents of California, Colorado, Connecticut, Oregon, Texas, Utah, and Virginia (residents, consumers, or you) have with respect to their personal data. This addendum should be read together with the ey.com Privacy Statement, and in case of any conflict, the terms of this addendum regarding personal data subject to your state’s law will prevail. For purposes of this addendum, the term “personal data” includes all “personal data” or “personal information” and the term “sensitive personal data” includes all “sensitive personal information” or “sensitive data” as defined in the applicable US state consumer privacy law (i.e., California, Colorado, Connecticut, Oregon, Texas, Utah, or Virginia). The terms “advertising” and “marketing” are used interchangeably.  

Sources of personal data; purposes for collecting, processing, and disclosing personal data; and categories of personal data collected, processed, and disclosed

We collect and process personal data for a variety of business or commercial purposes. The ey.com Privacy Statement describes in greater detail the specific pieces of personal data that we collect or process, the purposes for collecting and processing personal data, the categories of sources from which we collect personal data, and the categories of third parties to whom we disclose or may disclose personal data.

Categories of personal data we collect or process:

We collect or process (or may have collected or processed in the preceding 12 months) the following categories of personal data from or about consumers. Please note that the following list represents categories of personal data across all California, Colorado, Connecticut, Oregon, Texas, Utah, and Virginia consumers whose personal data we may have collected or received and does not necessarily represent information we have collected specifically about you. Please also note that the definitions of “personal data” or “personal information” under your state’s consumer privacy laws are subject to certain exceptions and may not include information that is publicly available or that has been aggregated or de-identified in accordance with the laws.  

• Identifiers. Information under this category includes name, postal address, email address, internet protocol (IP) address, driver’s license number, and other similar identifiers.
• Certain protected classifications. Information under this category may include race, color, national origin, marital status, religion or creed, or other similar information that is generally protected under state or federal law.
• Commercial information. Information under this category includes records of personal property, products or services purchased, or other consumer history or tendencies.
• Biometric information. Information under this category includes measurements or technical analysis of human body characteristics, such as fingerprints or a retina image, that are used to authenticate an individual so that they can access an EY site.
• Internet or network activity. Information under this category includes information that relates to browsing or search history, or information regarding visitors’ interaction with an internet website.
• Geolocation data. Information under this category relates to the physical location of an internet-connected device.
• Sensory information. Information under this category can include audio, electronic, visual, thermal, olfactory, or other similar sensory information.
• Professional or employment-related information. Information under this category includes employment history.
• Education information. Information under this category is nonpublic education information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g, 34 C.F.R. Part 99).
• Financial information. Information under this category includes an individual’s personal credit card number, debit card number, bank account number, bank personal identification number (PIN), credit or financial statements, and other information relating to an individual’s personal finances.
• Medical or health information. Information under this category includes medical history, including symptoms, diagnoses, procedures, outcomes, health insurance information, and lab results.

Sensitive personal data

Some of the personal data we collect might be considered “sensitive,” such as protected classifications (e.g., race, color, national origin, citizenship/immigration status, sexual orientation, religion or creed, or other similar information), medical information, health insurance information, biometric information when processed for the purpose of uniquely identifying a consumer, and geolocation data. Under California law, sensitive personal information also includes Social Security number, passport number, trade union membership, and driver’s license number. Under Oregon law, sensitive personal information also includes an individual’s status as transgender or nonbinary and status as a victim of crime.

Purposes for collecting and processing personal data:

We may collect and process (or may have collected and processed in the preceding 12 months) all of the categories of personal data listed above for various business purposes:

• Performing professional services for our clients
• Undertaking activities to verify or maintain the quality or safety of our services and to improve, upgrade, or enhance our services
• Undertaking internal research for technological development and demonstration
• Auditing related to interactions with consumers in connection with the professional services EY US provides
• Detecting security incidents; protecting against malicious, deceptive, fraudulent, or illegal activity; and taking appropriate action as a result of any such detected activity
• Debugging to identify and repair errors that impair existing intended functionality
• Short-term, transient uses where the personal data is not disclosed to a third party and is not used to build a profile about you or otherwise alter your experience outside the relevant interaction

Purposes for disclosing personal data and categories of third parties to whom we disclose or may disclose personal data:

We may disclose (or may have disclosed in the preceding 12 months) the categories of personal data listed above to third parties for a business purpose listed above. In addition, we may disclose (or may have disclosed in the preceding 12 months) your personal data to the following categories of third parties: EY US clients; other EY member firms; affiliates and subsidiaries; vendors and suppliers that provide services on our behalf; professional services organizations, such as law firms, tax advisors, and auditors; and other third parties, such as advisors, insurers, joint marketing partners, business partners, ad networks, internet service providers, data analytics providers, operating systems and platforms, providers of identity and credit verification services, regulatory and other professional bodies, and government authorities.

Sales of personal data, targeted advertising, and profiling:

We may disclose information about your browsing activity to certain third parties (such as online advertising services) via automated technologies on ey.com (e.g., third-party cookies) in exchange for nonmonetary consideration. Depending on your state’s consumer privacy laws, this may be considered a “sale” or “share” of data. We may use your data for targeted advertising and profiling. EY US’s profiling activities do not produce legal or similarly significant effects, such as denial of employment opportunities, or other effects as defined under applicable state law. Any information regarding your browsing activities that EY US discloses or uses for targeted advertising or profiling will not include sensitive personal data. 

We may disclose the categories of personal data listed below to improve the performance of ey.com, to enhance your browsing experience, to provide you a more personalized browsing experience, and to improve our advertising efforts. You can view a full listing of the third-party cookies we use and opt out of their use via the ey.com Cookie policy page here. Please note that if you are accessing ey.com across multiple devices or platforms or if you clear your browser settings, you may have to opt out again.

We may disclose (or may have disclosed in the preceding 12 months) the following categories of personal data in connection with such third-party cookies, including for targeted advertising or profiling purposes:

• Identifiers. This includes ey.com visitors’ IP addresses.
• Internet or network activity. This includes information about visitors’ interaction with ey.com, including information about the visitor’s web browser, page location, referrer, and person using the website; cookie-specific data, such as cookie ID and the cookie; and button and field data, such as any buttons clicked by site visitors, the labels of those buttons, any pages visited as a result of the button clicks, and the names of any website fields filled in by visitors.

We may also disclose email addresses of contacts in our CRM system with third parties for the purpose of delivering targeted advertising on those third parties’ platforms, where such contacts have agreed to our Privacy Statement covering such use of data. Contacts in our CRM systems may opt out of such targeted advertising by managing their preferences here.

We do not sell or share for cross-context behavioral advertising any of the personal data collected through EY Virtual Meetings to third-parties, as defined by the California Consumer Privacy Act (CCPA).

Global Privacy Control

You may opt out of the targeted advertising, “sharing,” and “selling” described above by sending certain browser-enabled opt-out signals. Specifically, if we detect that you have enabled the Global Privacy Control signal in your browser, we will automatically disable marketing/targeting cookies. You may learn more about how to set the Global Privacy Control here: https://globalprivacycontrol.org/. 

Data retention

EY US’s records, including personal data, are retained based on regulatory, legal and business requirements and obligations, including applicable professional standards. EY US preserves all documents, including personal data, that are relevant to any actual or reasonably anticipated claim, litigation, investigation, subpoena, or other government proceeding.

De-identified data

We may create, collect, maintain, and use de-identified data to analyze and improve our and our clients’ products and services. EY US will not attempt to reidentify you if your personal data has been de-identified, aggregated, or otherwise rendered anonymous in such a way that you are no longer reasonably identifiable. This information will be treated as nonpersonal data and is not subject to the terms of this Privacy Statement.

Your legal rights

Under certain circumstances, depending on your state of residence, you may have rights in relation to your personal data. More detail is listed in the Appendix below.

• California (effective January 1, 2023)
• Colorado (effective July 1, 2023)
• Connecticut (effective July 1, 2023)
• Oregon (effective July 1, 2024)
• Texas (effective July 1, 2024)
• Utah (effective December 31, 2023)
• Virginia (effective January 1, 2023)

Exercising your rights in relation to personal data

Except as described otherwise, if you would like to exercise any of the rights you may have with respect to personal data under your state’s consumer privacy law as listed above, please contact us by either: 

• Submitting a request through this form
• Contacting us at +1 866 608 0644 

As part of processing some of your requests, we require you to provide certain personal data about you to verify your identity in accordance with legal requirements. This information includes your first and last name, email address, physical address, telephone number, and description of relationship to EY US, but may also include additional information based on the nature of your request and your relationship with us.

Additionally, you may designate an authorized agent to make a request on your behalf. To comply with your request, we will require the personal data referenced above to be used for identity verification purposes, as well as the name, email address, and telephone number of your authorized agent.

After we verify your identity and the validity of your request, we will take the following action free of charge:

• In the case of an access request, we will provide you any required personal data in a manner that is readily usable and portable, when technically feasible, consistent with the requirements of your state consumer privacy law. 
• In the case of a correction or deletion request, we will correct or delete personal data that we have collected about you (requests for deletion and correction are subject to our right to maintain your personal data for specific purposes permitted under your state consumer privacy law). 
• In the case of requests to opt out of the sale of your personal data, we will cease any sale of your personal data subject to any exceptions under your state consumer privacy law.
• In the case of requests to opt out of the use of your personal data for targeted advertising, we will cease any use of your personal data for targeted advertising subject to any exceptions under your state consumer privacy law. 

We will endeavor to comply with your verified request within 45 days (or a shorter period, if required) but may extend that period when reasonably necessary, in which case we will notify you.

Contact for more information

If you have any questions regarding the processing of your personal data, please contact the EY Data Protection team.

Appendix: Legal rights under each US state privacy law

You have the right to exercise any of the rights listed below for your state of residence (and any other rights under your state law) without discrimination by us: