ACA Group Global Privacy Notice
Effective January 3, 2014
Updated January 1, 2023
Foreside Financial Group, LLC and its subsidiaries (hereinafter referred to collectively as “ACA,” “we” or “us”) are committed to respecting your privacy. ACA has developed this Global Privacy Notice (this “Notice”) to advise you of the ways in which ACA collects, uses, shares and protects information you share with ACA, including through (a) ACA’s website, www.acaglobal.com; (b) ACA’s Software-as-a-Service (“SaaS”) products including ComplianceAlpha®; (c) ACA’s retention of you or your services as an employee, independent contractor, or vendor; (d) receipt of information from ACA clients or their employees; and (e) through any other website or application where this Notice is posted (each place information is shared individually, a “Site”). Any person accessing, browsing, or otherwise using a Site, either manually or via an automated device or program, is a “User” for purposes of this Notice.
This Notice also explains how we comply with applicable privacy statutes, rules, and regulations, potentially including, but not limited to: (a) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation, or “GDPR”); (b) the Data Protection Acts of the EEA Member States; (c) the GDPR as saved into UK law by virtue of section 3 of the UK's European Union (Withdrawal) Act 2018 (“UK GDPR”) and the UK Data Protection Act 2018; (d) Swiss Federal Act on Data Protection of June 19, 1992, and its corresponding ordinances (“Swiss DPA”); (e) California Consumer Privacy Act of 2018 (“CCPA”), including the California Privacy Rights Act (“CPRA”); (f) Brazilian Law 13,709/2018 (General Personal Data Protection Law, or “LGPD”); (g) other Data Protection Laws that may be applicable based on your location or residency; and (h) regulations or other laws that implement or amend (a)-(g).
This Notice sets forth how we handle personal information we collect via a Site (a) when individuals engage with us or use our products or services, including SaaS products or services (our “Services”); (b) in connection with providing Services to our clients; (c) as part of a current or former employment relationship; (d) from applicants for employment opportunities with us; (e) through use of our website; or (f) through any other interaction with a Site.
For the purposes of this Notice, “personal information” and “personal data” may be used interchangeably, and both mean information relating to or being capable of being associated with an identified or identifiable person, consumer, or household.
Your privacy rights may vary based on your location or your relationship to ACA. Certain sections of this Notice, as indicated and noted below, may or may not apply to you.
User Consent to Notice
By accessing, browsing, or using a Site, or following links through a Site for any reason, each User acknowledges that he or she has read, understands, agrees, and consents to the terms and conditions of this Notice. Each User consents to the collection, use, and disclosure of his or her information, including personal information, non-personal information, personal data, and anonymous browsing information (“Information”), pursuant to the terms of this Notice. If you do not consent to these terms and conditions, you should not access, browse, or use any Site or otherwise provide any Information to ACA.
Individuals Located in (as Residents) the European Union, European Economic Area, United Kingdom, and Switzerland
A. Cross-Border Data Transfers
We will transfer the personal data we collect about you to the United States, where our servers are located, and also may transfer your personal data to the United Kingdom in order to perform Services or as part of an employment policy or procedure. We will only transfer data for the purposes discussed in this Privacy Notice. The United States may not be deemed to provide the same level of data protection as your home country.
B. Rights of Access, Correction, Erasure, Restriction, Portability, and Objection
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes, including personal data provided to ACA in the course of your employment or engagement with us, if any. By law, you may have the right to request access to, correct, and erase the personal data that we hold about you, or object to the processing of your personal data under certain circumstances. Please note that U.S. regulations may prohibit us from erasing your personal data. You may also have the right to request that we transfer your personal data to another party. If you want to review, verify, correct, or request erasure of your personal data, object to the processing of your personal data, or request that we transfer a copy of your personal data to another party, please contact us at email@example.com. Any such communication must be in writing (email is sufficient). We may request specific information from you to help us confirm your identity and your right to access, and to provide you with the personal data that we hold about you or make your requested changes. Applicable law may allow or require us to refuse to provide you with access to some or all of the personal data that we hold about you, or we may have destroyed, erased, or made your personal data anonymous in accordance with our record retention obligations and practices. If we cannot provide you with access to your personal data, we will inform you of the reasons why, subject to any legal or regulatory restrictions.
Individuals Located in (as Residents) California
California Consumer Rights
The CCPA empowers California residents with the following rights:
Right to Know: Consumers have the right to know what personal information ACA collected about the consumer, including the categories of personal information, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, the categories of third parties to whom ACA discloses personal information, and the specific pieces of personal information ACA has collected about the consumer. ACA’s use of personal information is found within this Notice.
Right to Opt-Out: Consumers have the right to direct businesses to stop the sale or sharing of their personal information to third parties. ACA does not engage in the sale or sharing of personal information it holds.
Right to Limit the Use and Disclosure of Sensitive Information: Consumers have the right to request that ACA limit the use and disclosure of sensitive personal information. However, ACA only uses and discloses sensitive personal information for purposes which are necessary for providing products or services to consumers.
Right to Correct: The right to request that ACA rectify your Personal Data if it is inaccurate, outdated, or incomplete.
Right to Request Deletion: Consumers have the right to request deletion of personal information, but only where that information was collected from the consumer. There are exceptions to what ACA is obligated to delete including, but not limited to, detecting security incidents, exercising free speech, for legal claims, or for internal uses reasonably aligned with consumer expectations.
Right to Equal Services and Prices: ACA is prohibited from discriminating against consumers by denying goods or services, charging different prices for identical services, or providing a lower quality of goods or services.
Exercising your California Consumer Rights
To exercise any of your rights set forth in this Notice, please submit a request by sending an email to firstname.lastname@example.org or calling us at (833) 741-0222.
Information Collected by ACA
A. Personal Information/Personal Data
We may collect personal information directly from you, including through your use of a Site, when you contact us or request information from us, when you apply for an employment opportunity with us, when you engage us for Services, or as a result of your attendance at one of our conferences or digital marketing events. With respect to personal information or personal data collected directly by ACA, including through a Site, we may be the data controller responsible for your personal information or personal data. The information we collect directly from you typically consists of your contact information, including your name, address, business affiliation, business title, email address, and telephone number.
We only use, disclose, or otherwise process personal information or personal data when we have a lawful basis for doing so under applicable law, including fulfilling our contractual obligations, complying with legal obligations, protecting the vital interests of a person, furthering our legitimate interests as a company and employer, and otherwise for reasons you have consented to such processing. The categories of personal information collected and disclosed within the past 12 months can be found in the California Collection Notice.
For example, we use the personal information you provide directly to us to provide you with the information you requested (such as ACA blog posts or other informational materials) or to evaluate your application for employment. To the extent required by law, by providing personal information or personal data to us, you consent to our use of such personal information or personal data as explained herein.
We also may obtain personal information or personal data indirectly from or on behalf of our clients, in which case ACA would be considered a processor or sub-processor. We typically are retained by corporate entities, primarily in the financial services industry. In connection with providing Services pursuant to contracts with our corporate clients, we often obtain personal information or personal data of our clients’ customers, employees, agents, or other individuals that have supplied such information to our clients. The personal information and personal data collected varies based on the Services provided, but may include names, contact information, account numbers, and other similar financial data. With respect to personal information that we receive from or on behalf of our clients in connection with providing Services, our client is the data exporter and ACA acts as the data importer as a processor or sub-processor of such personal information.
B. Non-Individually Identifying Browsing Information
Users can browse a Site without revealing personal information or personal data. In this context, ACA’s servers may collect certain non-individually identifying (i.e., anonymous) browsing information, such as your Internet Protocol address, device screen size, device type (unique device identifiers), browser information, geographic location (country only), the preferred language used to display our website, your computer’s operating system, the name of the domain you used to access the Internet, the website you came from, and the website you visit next. This information is collected passively by using certain electronic technologies, such as cookies, web beacons, pixels, clear GIFs, or other technologies, examples of which are explained further in Section C below. Anonymous browsing information is not used, nor is it intended to be used, by ACA to personally identify an individual.
C. Passive Gathering of Information Electronically
ACA and any third parties that may advertise or provide other services on a Site may automatically and passively collect certain types of anonymous information whenever you use a Site or certain Site services or click on advertisements on a Site or in ACA’s periodicals. If ACA or such third parties collect this anonymous information, it will be done passively by using certain electronic technologies, such as cookies, web beacons, pixels, clear GIFs, and similar technologies as explained below.
How ACA Uses the Information
ACA uses Information collected from Users to respond to Users’ questions and/or comments, market, develop, or provide products, services or information to Users, process Users’ purchases, evaluate applications for employment with ACA, or provide related account status to the applicable User. Personal information, non-personal information, and anonymous browsing information may be used to gather broad demographic information used in marketing, promotion, analytics, or similar activities. This information may be aggregated to measure the number of visits, average time spent, page views and other statistics about Users of a Site. ACA also may use this Information to monitor Site performance and to make a Site easier and more convenient to use. ACA also may use Information collected from its Users to enforce its agreements with Users, prevent fraud and other prohibited or illegal activities, for other legally permissible purposes and generally to ensure that ACA complies with applicable law.
ACA utilizes cookies for certain of its Sites. This Cookie Notice provision provides you with clear and comprehensive information about the cookies we use and the purpose for using them.
Definition of “Cookies”: Cookies are small pieces of text used to store information on web browsers. Cookies are widely used to store and receive identifiers and other information on computers, phones, and other devices. We also use other technologies, including data we store on your web browser or device, identifiers associated with your device, and other software, including web beacons and pixel tags, for similar purposes.
- Browsing or session (essential) cookies: These cookies are strictly necessary to provide you with our websites and services and to enable essential features. If you disable these cookies, we will not be able to fulfill your requests.
- Performance and functionality cookies: These cookies collect information about how you use our websites and services and allow us to remember the choices you make while browsing. The information these cookies collect allows us to optimize our websites and make them easier for you to use, and it does not personally identify you.
- Analytics and customization cookies: These cookies collect information we use in aggregate form to help us understand how our websites, applications and services are being used and how effective our marketing campaigns are, and to help us customize our websites.
- Advertising (profiling) cookies: These cookies collect information about your browsing or shopping history and are used to make advertising messages more relevant to you. We may share this information with third parties to help create and deliver advertising personalized to you and your interests.
- Social networking cookies: These cookies are used to enable you to share pages and content on our websites and services through third-party social networking and other websites. These cookies may also be used for advertising purposes.
Cookies Placed by Third Parties: You may also encounter cookies on our Sites that are placed by third parties. This Cookie Notice does not apply to the cookies, applications, technologies, or websites that are owned and/or operated by third parties, or such third parties’ practices, even if they use or access our technology to store or collect information.
Changing Your Cookie Settings: Please note that internet browsers allow you to change your cookie settings. These settings are usually found in the 'options' or 'preferences' menu of your internet browser.
Opting out of Cookies: If you wish to withdraw your consent at any time, you will need to delete your cookies using your internet browser settings.
Do Not Track: Some browsers include the ability to transmit “Do Not Track” signals. We do not process or respond to “Do Not Track” signals. Instead, we adhere to the standards described in this Privacy and Cookie Notice.
ACA Sharing of Your Information
ACA will only share Information, including personal information, that it collects or receives with third parties under the following circumstances:
- ACA Lawful Basis: If ACA has a lawful basis to share Information, it may do so.
- ACA Agents Lawful Basis: ACA may utilize other companies and individuals to assist with ACA’s business, and such third parties have access to Information needed to perform their functions but may not use it for other purposes. Such third parties may include the following:
  - Sub-contractors we have engaged in connection with providing Services.
  - Our professional advisers, including our attorneys and accountants.
  - Our insurers and insurance brokers.
  - Third parties to which we outsource certain services to assist with operating our business, such as document shredding services, software providers, information storage providers and other related service providers.
  - Third parties to which our clients have directed us to share information in connection with our Services, such as our clients’ attorneys and accountants.
  - Third-party service providers or subprocessors that assist us with analytics.
  - Third-party postal or courier providers that assist us with delivering marketing and other documents to you.
- Aggregate Anonymous Information: ACA may provide to others the aggregate statistics about our Users’ Site activity for purposes of marketing, promotion, analytics, or similar activities. None of these statistics will identify Users personally. Once anonymized and aggregated, the information no longer qualifies as personal information/personal data.
- Protection of ACA or Others: ACA may disclose Information about our Users to others if ACA has a good faith belief that it is required or permitted to do so by law or legal process to respond to claims, to protect the rights, property or safety of ACA or others, or take action regarding illegal activities or suspected fraud, or in response to national security or law enforcement requests.
- Business Transfers: If ACA decides to sell all or part of its assets, ACA reserves the right to include Information among the assets transferred to the acquiring company.
- Affiliates: ACA may share Information among its affiliates.
- Conference and Digital Marketing Event Attendees: ACA may provide the names, titles, company names, addresses, phone information, and email addresses of conference, roundtable, and digital marketing event attendees to current, past, or prospective conference or roundtable attendees, exhibitors, sponsors, or co-sponsors.
We do not sell or share personal information with unaffiliated third parties, other than for the lawful reasons stated herein.
As described above, we may provide certain third parties (“Sub-Processors”) with your personal information for the sole purpose of providing Services. Our Sub-Processors process personal information for us at our direction. We conduct reasonably appropriate due diligence on our Sub-Processors and include in our contracts with our Sub-Processors provisions requiring them to keep the personal information confidential, to process the personal information in accordance with our written instructions, and to maintain reasonably appropriate information security systems, all in accordance with applicable privacy laws based on the individuals/data subjects/consumers. We may be liable for any unauthorized processing of personal information by our Sub-Processors.
We may appoint new Sub-Processors to assist us with providing Services and/or conducting our business. By using our Services or products, you consent to our use of Sub-Processors, a current list of which can be viewed here. Users may opt-in to update alerts for any change or addition to Sub-Processors at the top of the Sub-Processor list.
Where We Transfer Personal Information
ACA is primarily located in the United States and the United Kingdom. Your personal information could be stored in either or both jurisdictions. ACA also maintains offices in The Republic of Malta and the Republic of India, and a limited amount of your personal information could be shared with ACA employees in The Republic of Malta or the Republic of India if required to perform Services.
For transfers of personal information from the European Economic Area (EEA) to the United States (U.S.) or United Kingdom (UK), and for transfers from the UK to the U.S., we rely on the Standard Contractual Clauses (SCCs), as adopted by the European Commission on 4 June 2021, and as it may be amended or updated from time to time, a copy of which can be viewed here. This version includes a UK Addendum to comply with transfers from the United Kingdom. These SCCs are included as part of all service and product agreements where GDPR, or the UK GDPR, is applicable. If GDPR (or UK GDPR) does not apply to your ACA service or product agreement, then the SCCs will not apply.
Period of Retention
ACA retains personal information in compliance with our obligations under applicable law and any applicable internal policies. We may destroy personal information without notice or liability.
Confidentiality and Information Security
ACA is committed to keeping your personal information secure. We have taken reasonably designed steps to protect personal information from unauthorized access, use or disclosure. We also require our vendors to maintain reasonably appropriate information security policies and procedures and to maintain personal information confidentially.
Accessing, Changing, or Deleting Your Personal Information
ACA allows you to make a request to correct inaccuracies in, make other changes to, or delete your Information by contacting ACA at (301) 495-7850 or sending an email to: email@example.com. ACA will use commercially reasonable efforts to promptly accommodate such requests.
Please note that ACA may follow a different process in accommodating your request based on whether ACA collected the personal information from you directly, or from another entity (likely your employer) as part of ACA’s Services to an ACA client. If ACA is not the data controller for your personal information, it will assist in relaying your request to the data controller.
Users are responsible for the accuracy of the Information they provide to ACA. ACA will use reasonable efforts to maintain the accuracy and integrity of such Information based on the input received from Users.
Choices for Use or Sharing of Certain Information
ACA values your concerns about the privacy of your Information. Therefore, ACA offers you the opportunity to choose how certain of your Information is used by ACA.
Any emails sent by ACA that are subject to the U.S. CAN-SPAM Act will include an option to unsubscribe from further correspondence. Please note that even if you opt-out from receiving certain emails from ACA, you may continue to receive transactional and/or relationship messages, such as messages confirming a product purchase or your registration for an event.
As stated above, ACA may share names, titles, company names, addresses, phone information, and email addresses of conference and roundtable attendees with current, past, or prospective conference or roundtable attendees, exhibitors, sponsors, or co-sponsors. If you do not wish to receive further communications from these persons, you must contact them directly and make such a request. ACA is not responsible for how such third parties handle such Information.
We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than that for which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to firstname.lastname@example.org.
Linked Internet Websites
Each Site may provide hyperlinks, which are highlighted words or pictures within a hypertext document that, when clicked, take you to another place within the document, to another document altogether, or to other websites not controlled by ACA. These hyperlinked websites may contain privacy provisions that are different from those provided herein. ACA is not responsible for the collection, use, or disclosure of information collected through these websites, and ACA expressly disclaims any and all liability related to such collection, use, or disclosure.
Children’s Privacy Protection
No Site or Service is directed towards children under 13 years of age, and ACA does not knowingly collect any Information from children under 13 years of age through any Site or Service. If you are under 13 years of age, you are not permitted to submit any Information to ACA through any Site or Service. If ACA becomes aware that it has collected Information from children under 13 years of age, ACA will take commercially reasonable efforts to promptly purge such Information from its systems.
ACA wants you to feel confident using each Site; however, no system can be completely secure. Therefore, ACA makes no representations or warranties regarding the sufficiency of any Site’s security measures. ACA shall not be responsible for any damages, including without limitation consequential damages, resulting from a lapse in compliance with this Notice as a result of a security breach or technical malfunction. Certain information may be transmitted to you by email. Although it is illegal to intercept or disclose such messages under U.S. Federal law, such transmissions are not necessarily secure. In addition, Users’ communications through each Site are, in most cases, viewed only by you and anyone to whom you address your message. As the operator of each Site, ACA may need to review or monitor your electronic mail and other communications through each Site from time to time as may be required by law or as part of the Services. Therefore, you should not expect to have a right to privacy in any of your electronic communications through any Site.
In the event of a breach of the confidentiality or security of your personal information, ACA will notify you if reasonably possible and as reasonably necessary under applicable law so that you can take appropriate protective steps. ACA may notify you under such circumstances using the email address or addresses that it has on record for you.
Amendments to Privacy Notice
ACA may occasionally update this Notice, as noted by the “updated date” at the beginning of this Notice. ACA encourages you to periodically review this Notice to stay informed about its collection, use, and disclosure of your Information. Your continued use of any Site constitutes your agreement to this Notice and any updates.
Enforcement and Dispute Resolution
If you have any questions, complaints, or disputes regarding how ACA handles or protects your Information, please bring them to ACA’s attention. ACA commits to resolve complaints about your privacy and our collection or use of personal information. Individuals with inquiries or complaints regarding this Notice should first contact ACA (see “How to Contact ACA” below).
ACA retains sole and absolute discretion in resolving all questions relating to the administration, interpretation and application of this Notice, except as required by law or regulation. This authority includes construing the terms of this Notice, including any disputed or doubtful terms.
No Third-Party Rights
This Notice does not create rights enforceable by third parties.
How to Contact ACA
If you have any questions about this Notice, please
Call: (301) 495-7850
CCPA toll-free number: (833) 741-0222
Write: ACA Group
Attn: Legal Department – Privacy
909 Rose Avenue, Suite 950
North Bethesda, MD 20852
California Notice of Collection
This Notice of Collection for California Residents supplements the information contained in ACA’s Global Privacy Notice set forth above and applies solely to residents of the State of California (“California Notice”). We have adopted this California Notice in order to comply with the CCPA as amended and expanded by the CPRA.
This California Notice is intended to fulfill CCPA's objectives of providing California consumers with a comprehensive disclosure of the collection, sharing, disclosure, and sale of their personal information by particular businesses (as CCPA defines those terms), and of the rights that California consumers have regarding their personal information ("California Privacy Rights").
This California Notice specifically sets forth how we handle personal information we collect via a Site (a) when individuals engage with us or use our products or services, including SaaS products or services (our “Services”); (b) in connection with providing Services to our clients; (c) as part of a current or former employment relationship; (d) from applicants for employment opportunities with us; (e) through use of our website; or (f) through any other interaction with a Site.
ACA collects and processes the following types of Personal Information, as described in the table below. ACA does not sell or share your personal information.
|Category of Information||Examples||Collected||Purpose||Disclosed*|
|Identifiers||A real name, alias, postal address, unique personal identifier, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers.||Yes||Employee/Applicant Records; Provision of Services|| |
|Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).||A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories.||Yes||Employee/Applicant Records; Provision of Services|| |
|Protected classification characteristics under California or federal law.||Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).||Yes||Employee/Applicant Records||Yes|
|Commercial information.||Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.||Yes||Provision of Services||Yes|
|Biometric information.||Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.||No||N/A||No|
|Internet or other similar network activity.||Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement.||Yes||Lawful Basis||Yes|
|Geolocation data.||Physical location or movements.||No||N/A||No|
|Sensory data.||Audio, electronic, visual, thermal, olfactory, or similar information.||No||N/A||No|
|Professional or employment-related information.||Current or past job history||Yes||Employee/Applicant Records||Yes|
|Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).||Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.||No||N/A||No|
* For a legitimate interest or business purpose. ACA does not sell or share your personal information.
We also collect, or may collect, sensitive personal information, such as the following:
- Government Identifiers, such as Social Security Numbers and driver’s license numbers;
- Account log-in information (e.g., financial account or credit card numbers, potentially in combination with any required access codes or passwords);
- Racial or ethnic origin, religious or philosophical beliefs, or union membership; and
- Contents of postal mail, email, and/or text messages.
We do not use or disclose personal information for purposes other than those disclosed below.
We use the personal information you provide directly to us for a legitimate purpose and to:
• provide requested information;
• evaluate your application for employment;
• maintain employment records; and/or
• provide Services;
• other authorized and lawful legitimate purposes; and
• as otherwise provided in this Notice or by written agreement.
ACA retains personal information in compliance with our obligations under applicable law and any applicable internal policies. We may destroy personal information without notice or liability.