Effective Date: July 20, 2022
PRIVACY POLICY
Welcome to www.acord.org (the “Site”), a website provided by ACORD Corporation, a not-for profit, Delaware corporation (“ACORD”) that enables the success of the global insurance industry by leveraging the flow of data and information across all insurance stakeholders through relevant and timely data standards. ACORD respects your privacy, and this policy covers ACORD’s handling, use and disclosure of information collected from you through the Site, your use of software products licensed from ACORD (“Software”) or other sources in the ordinary course of ACORD’s business.
1) Acceptance
You should review this policy carefully, and be sure you understand it, prior to using the Site or any Software, or otherwise providing any information to ACORD. If you do not agree to this policy, you should not use, and should immediately terminate your use of, the Site or such Software, as applicable, and not otherwise provide any information to ACORD. ACORD will update this policy as ACORD adjusts its procedures in relation to your information. Please return to this page if you use the Site or the Software to check whether this policy has been updated. The effective date of the policy is noted above.
2) Definitions
In this policy:
(a) “Analytical Information” means information obtained through the use of cookies (or other code) and server log files (including, but not limited to, (i) your search terms, (ii) your computer’s access date and time, browser, connection speed, Internet protocol address, Internet service provider, language, location, manufacturer, visit details, and operating system, and (iii) whether or not you opened email messages or other electronic communications from ACORD, and if you did, the times they were opened);
(b) “Collected Information” means all (i) Personal Information (including, but not limited to, name, e-mail address, physical address, phone number, photographs, credit card processing information, human resource data from employees and independent contractors of ACORD, and insurance information relating to third-party individuals provided by clients of ACORD), and (ii) Analytical Information;
(c) “Personal Information” means all information collected by ACORD, whether electronically or manually, through (i) the Site, (ii) any Software, (iii) e-mail messages and other electronic communications that you may send to ACORD, and (iv) other sources in the ordinary course of ACORD’s business, that relates to an individual and that identifies, or can be used in conjunction with other information to reasonably identify, such individual;
(d) “Sensitive Information” means all Personal Information of an individual that reveals (i) racial or ethnic origin, (ii) political opinions, religious or philosophical beliefs, (iii) trade union membership, (iv) genetic data, (v) biometric data; (vi) physical or mental health data or (vii) the sex life or sexual orientation of such individual; and
(e) “Privacy Shield Information” means all Personal Information processed by ACORD concerning individuals in the European Economic Area (“EEA”), the United Kingdom or Switzerland that is covered by Privacy Shield. For more information concerning Privacy Shield, please visit https://www.privacyshield.gov/.
3) Collected Information
Collected Information is obtained from you by the following means: (i) you provide it to us voluntarily, like when you sign up as staff members of an ACORD member at https://www.acord.org/membership-participation/participate/join, (ii) we obtain it automatically through the Site as set forth in this policy or through use of the Software, (iii) we obtain it through third parties in the ordinary course of our business, such as through ACORD members or customers, or (iv) we obtain it through other legal means. Regardless of the method used to obtain Collected Information, ACORD will collect and retain Personal Information only to an extent that is necessary and relevant to the purposes for which was collected and for ACORD's other legitimate business purposes (including, but not limited to, marketing). You are responsible for obtaining any approvals, authorizations, consents and permissions that are required in connection with your providing ACORD with any information (including, but not limited to, any information relating to a third party).
4) Choice
You may refuse to provide any information to ACORD at any time by terminating your use of the Site and all Software. You may also, in certain circumstances, request deletion of or otherwise limit processing of your Personal Information by contacting ACORD as set forth in Section 17. If you refuse to provide any information when requested to do so by ACORD, the Site or any Software, you may not be able to access, or otherwise enjoy the benefits of, certain services from ACORD, features of the Site or functionality of such Software. For example, membership benefits are only available from ACORD to individuals that sign up as staff members of ACORD member.
5) Electronic Communications
ACORD may, in compliance with applicable laws and regulations, send you e-mail messages and other electronic communications (i) in connection with your use of the Site or any Software, (ii) in the ordinary course of business, or (iii) for any other legitimate business purpose (including, but not limited to, marketing). You can unsubscribe from such e-mail messages or other electronic communications at any time by contacting ACORD as set forth in Section 17 or by following the directions contained in such e-mail messages or other electronic communications.
6) Analytical Information
When you access the Site or use any Software, ACORD may collect Analytical Information. For more information about our use of cookies via the Site, and to exercise the choices available to you concerning our use of cookies, please visit: https://www.acord.org/privacy-policy/cookie-policy. Your browser may also provide you with the ability to not accept cookies, as well as the ability to delete already-existing cookies. If you refuse, or delete previously existing, cookies, you may not be able to enjoy some features of the Site or functionality of any Software.
ACORD may also utilize third party tracking software or utilities, such as Google Analytics. This analytics data collected by Google is not tied to any personally identifiable data. This helps us analyze data and improve our Site, as well as tailor it to client needs. For more information about Google Analytics, visit: https://policies.google.com/technologies/partner-sites. You can opt out of Google’s collection and processing of data generated by your use of our website by going to: https://tools.google.com/dlpage/gaoptout.
ACORD does not respond to web browser “do not track” signals or other similar mechanisms.
Analytical Information will only be used by ACORD (i) to record your use of the Site or any Software, (ii) to diagnose problems with the Site or any Software, (iii) to improve the Site or any Software and make the Site or such Software, as applicable, more useful to you and other users, and (iv) for other legitimate business purposes of ACORD (including, but not limited to, marketing). ACORD will collect Analytical Information either directly or through third parties acting on its behalf.
7) Sensitive Information
ACORD will only process Sensitive Information, also known as “special categories of personal data,” as allowed by law, which includes situations where you have given your explicit consent, where such processing is necessary in the field of employment, social security, or social protection law, or where such processing is necessary for the establishment, exercise or defense of legal claims. Other allowable bases for the processing of Sensitive Information may apply under applicable law.
8) Location of Processing and Transfers
All electronic Personal Information is processed by ACORD on servers residing at ACORD’s place of business in Pearl River, New York, Little Falls, New Jersey, London, England and on servers residing at off-site data centers in the United States and other locations. ACORD may transfer Collected Information to a third-party processor, such as an IT services provider or others that support ACORD in its ordinary course operations, as further described in Section 11 below.
9) Privacy Shield
Some of the information collected by ACORD may relate to individuals located in the EEA, United Kingdom or Switzerland. The EEA and Switzerland have adopted requirements for the protection of such information, and in order to satisfy such requirements, ACORD has (i) agreed to comply with the E.U.-U.S. Privacy Shield Framework Principles, including the Supplemental Principles, designed by the U.S. Department of Commerce and the European Commission, and the Swiss-U.S. Privacy Shield Framework Principles, including the Supplemental Principles, designed by the U.S. Department of Commerce and Swiss Administration, regarding the collection, use, and retention of personal data transferred from the EEA, the United Kingdom and/or Switzerland, as applicable, to the United States in reliance on Privacy Shield and (ii) elected to self-certify under the E.U.-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework administered by the U.S. Department of Commerce (the “Privacy Shield”). In particular, ACORD has agreed, with respect to all Privacy Shield Information, to adhere to the Privacy Shield’s principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access and recourse, enforcement and liability. For purposes of enforcing compliance with the Privacy Shield, ACORD is subject to the investigatory and enforcement authority of the U.S. Federal Trade Commission, which can impose sanctions consisting of administrative orders and civil penalties. ACORD is listed at https://www.privacyshield.gov/list as having certified its compliance with the Privacy Shield. For more information regarding the Privacy Shield, please see the U.S. Department of Commerce’s website at http://privacyshield.gov.
ACORD also utilizes Standard Contractual Clauses to provide sufficient safeguards concerning data protection for personal data to be transferred outside of the EEA, United Kingdom or Switzerland.
Currently, the status of the Privacy Shield is in flux due to, among other things, the July 16, 2020 decision by the Court of Justice of the European Union (CJEU) in Data Protection Commissioner v. Facebook Ireland Ltd, Maximillian Schrems, Case No. C-311/18 [2020] (Grand Ct.) (Ir.) (Schrems II), invalidating the EU-U.S. Privacy Shield as an approved data transfer framework. ACORD continues to adhere to Privacy Shield principles but does not rely on Privacy Shield exclusively for third country data transfers, and will enter into Standard Contractual Clauses where necessary. Where appropriate, we will rely on the direct collection of personal data from individuals for transfer of personal data outside the EEA, U.K., or Switzerland.
10) Protection
ACORD will use commercially reasonable efforts to protect Collected Information, including Personal Information, from loss, misuse and unauthorized access, alteration, destruction and disclosure. Certain Personal Information posted by you on the Site may be accessible to the general public, and ACORD is not responsible for protecting such Personal Information from loss, misuse or unauthorized access, alteration, destruction or disclosure. For example, if you participate in a public forum on the Site, any information disclosed by you when doing so may be available to the general public. Also, since no transmission of information over the Internet or electronic storage of information is completely secure, it is possible that Collected Information could be lost, misused or accessed, altered, destroyed or disclosed without authorization, even though ACORD uses such reasonable efforts. In providing information to ACORD, you must assume the risk that Collected Information could be lost, misused or accessed, altered, destroyed or disclosed without authorization.
11) Use and Transfer of Collected Information
All Collected Information may be used by ACORD for any legitimate business purpose (including, but not limited to, marketing). If ACORD expressly states that any Collected Information will only be used for a specific purpose, ACORD will only use such Collected Information for such purpose, unless you subsequently consent to its being used for another purpose.
Any Collected Information obtained by ACORD, whether or not for a specific purpose, may be disclosed to third parties retained by ACORD (including, but not limited to, any distributors, sub-contractors or vendors of ACORD) for any purposes for which ACORD could use such Collected Information, except that, in the case of Privacy Shield Information only, (i) such third party’s right to use Privacy Shield Information is limited to such purposes, (ii) such third party is obligated to provide at least the same level of privacy protection as is required by the Privacy Shield, (iii) ACORD will take commercially reasonable and appropriate steps to verify that such third party effectively processes Privacy Shield Information in a manner consistent with ACORD’s obligations under the Privacy Shield, (iv) such third party is required to notify ACORD if such third party makes a determination that it can no longer meet its obligation to provide the same level of privacy protection as required under the Privacy Shield, (v) upon such notice, ACORD will take commercially reasonable and appropriate steps to stop and remediate unauthorized processing of Privacy Shield Information, and (vi) upon the request of the U.S. Department of Commerce (or its designee), ACORD must provide a summary or representative copy of the relevant privacy provisions of its agreements with such third party. In the event that ACORD transfers Collected Information to a third party it remains liable consistent with applicable law if the third party processes Collected Information in a manner inconsistent with the Privacy Shield Principles, unless ACORD is not responsible for the event giving rise to the damage.
ACORD may also at any time, in its sole discretion, disclose and use any Collected Information (including, but not limited to, a computer’s Internet protocol addresses), whether or not you furnished such Collected Information for a specific purpose, to (i) comply with, or as permitted by, any applicable law or government request, (ii) cooperate with law enforcement, and other third parties, in investigating a claim of fraud, illegal activity or infringement of intellectual property rights, (iii) protect the rights, property or legitimate business interests of ACORD or a third party, or (iv) transfer such Collected Information to a third party purchasing all, or substantially all, of ACORD’s assets.
ACORD does not and will not sell your personal information. ACORD does not and will not sell the personal information of a California resident it has actual knowledge is under the age of 16.
12) Third-Party Sites
The Site and any Software may contain links to, or be accessible from, websites provided by third parties (individually a “Third-Party Site”). Your use of a Third-Party Site will be subject to its terms of use and other provisions, and you are responsible for complying with such terms and other provisions. This policy does not cover the privacy policies or practices of any Third-Party Site, and ACORD is not responsible for any information you submit to, or otherwise collected by, any Third-Party Site. You should consult each Third-Party Site for its privacy policy or practice before submitting any information to, or otherwise using, such Third-Party Site.
13) Data Rights
Subject to applicable law, you may have the right to request and obtain information about, or copies of, your Personal Information that we process, where we obtained your information, the business or commercial purpose for collecting your information, and the third parties with whom your information is shared. Lastly, you may, in certain circumstances, ask us to correct or delete Personal Information concerning you, depending on the situation and applicable laws.
All of our processing is in support of our business. Where we process your data based upon your consent, you may withdraw consent if you wish to do so.
Residents of California have the following rights with respect to their Personal Information, in certain circumstances:
• The right to know the categories and specific pieces of Personal Information we have collected about you in the past 12 months, the sources from which the Personal Information was collected, and the business purpose for collecting such information;
• The right to know whether and how we sell or disclose your Personal Information, to whom we sell or disclose your Personal Information, and the business purpose for selling or disclosing your Personal Information;
• The right to request a copy of the specific pieces of Personal Information we have collected about you in the past 12 months;
• The right to request that we not sell your Personal Information;
• The right to request that we delete the Personal Information that we have collected from you, in certain circumstances; and
• The right not to receive discriminatory treatment for the exercise of your privacy rights.
You may inquire about these rights by contacting us as laid out in Section 17. Currently, the majority of Personal Information that ACORD collects is not subject to the rights noted above, but it may be in the future. If that occurs, we will provide you appropriate notice in a revised Privacy Policy.
Upon receipt of a request to exercise your rights, we may request additional information in order to verify your identity. To the extent possible, we will utilize information already in our possession to verify your identity. Any information you provide in connection with such verification will be deleted as soon as practicable following your request.
You may designate an authorized agent to make a request on your behalf. If you submit a request through an authorized agent, we may require that the authorized agent provide proof that the authorized agent has been authorized by you to act on your behalf and may still require you to verify your identity in accordance with the above.
In relation to California residents, ACORD may function as a service provider to its customers, and follows the express written and contractual instructions of its customers in relation to Personal Information. If a consumer wishes to make a request in relation to data that ACORD processes as a service provider, it should contact ACORD’s customer directly.
The chart below summarizes our practices in relation to your personal information over the preceding 12 months.
Category of Information Collected | Source of Information | Purpose for Collection | Third Parties to whom Information is Disclosed |
Identifiers, such as real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name or other similar identifiers. | You, your company, and/or your use of the Site, as well as ACORD customers. | To contact you; provide you your company, or other ACORD customers, with goods, services, or information you or your company request; or to make our products and services better. To provide services to ACORD customers. | We may disclose your information to service providers, such as cloud computing providers, to allow ACORD to conduct its business. In our role as a service provider, we may disclose Personal Information as required by ACORD customers. |
Other identifiers such as signature, telephone number, credit card number, or debit card number. | You, your company, and/or your use of the Site, as well as ACORD customers. | See above. | See above. |
Commercial information, including records of products or services purchased, obtained or considered. | You, your company, and/or your use of the Site. | See above. | See above. |
Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding your interaction with the Site, an application, or advertisement. | You, your company, and/or your use of the Site. | See above. | See above. |
Inferences we draw from any of the information identified above to create a profile about you reflecting your preferences. | You, your company, and/or your use of the Site. | See above. | See above. |
14) Children
We do not knowingly collect or sell information from children under the age of 16. Our Site and Software is not directed at persons under the age of 16 and should not be used by them. In no event should children under the age of 16 provide any Personal Information through our Site or Software. In our role as service provider we may obtain information regarding children under the age of 16; such information is only used pursuant to ACORD’s contract as a service provider and is not sold or used for marketing purposes. More information about the Children’s Privacy Protection Act (COPPA) and how it protects children who use the Internet may be found at www.ftc.gov. If a parent or guardian of a child who is under 16 years of age informs ACORD that the child’s Personal Information has been submitted to ACORD through the Site or Software without the parent’s or guardian's consent, ACORD will use commercially reasonable efforts to remove such information from the Site and ACORD’s servers at the parent’s or guardian's request. To request the removal of Personal Information of a child under 16 years of age, the parent or guardian should contact ACORD as set forth in Section 17, and provide information necessary to ACORD to assist it in identifying the information to be removed.
15) Independent Recourse Mechanism
If you have a complaint that relates to any Privacy Shield Information, ACORD offers an independent recourse mechanism to resolve your complaint that you may use in lieu of the process described in Section 16. The independent recourse mechanism offered by ACORD is more fully described at https://www.privacyshield.gov/article?id=7-RECOURSE-ENFORCEMENT-AND-LIABILITY. In order to access the independent recourse mechanism, you must file a complaint with the International Centre for Dispute Resolution of the American Arbitration Association (“ICDR”), and after receiving your complaint, ICDR will resolve the dispute between you and ACORD by following the ICDR Dispute Resolution Procedures located at http://go.adr.org/privacyshield.html. All fees of ICDR in connection with your use of its independent recourse mechanism described in this Section will be paid by ACORD.
If all other options available to you for resolving a complaint are unsuccessful, and upon satisfaction of certain other conditions, you can lodge your complaint with the Privacy Shield Panel, which is an “arbitration mechanism” of three neutral arbitrators. Any decision of the Privacy Shield Panel is binding and enforceable in courts of the United States.
With respect to human resources data that is Privacy Shield Information and that is used in the context of the employment relationship, ACORD will, as applicable, cooperate with, and comply with the advice given by, the applicable data protection authorities.
16) Revisions
ACORD may revise this policy from time to time by posting the revised policy on the Site. Any such revision will take effect immediately upon such posting, and will apply to all Collected Information obtained by ACORD after such posting. We encourage you to periodically check this policy on the Site for revisions.
17) Contacting ACORD
If you have any questions or comments, desire additional information regarding ACORD’s handling of any Collected Information, or would like to submit a request to access or delete your Personal Information, please promptly contact:
ACORD Corporation
Attn: General Counsel
150 Clove Road, 11th Floor
Little Falls, New Jersey 07424
United States of America
Telephone: (800) 444-3341 (Toll Free)
Email: legalwork@acord.org