Skip to Main Content

Privacy Policy

  1. Privacy Policy

Effective Date:  August 23, 2023

 

PRIVACY POLICY

Welcome to www.acord.org (the “Site”), a website provided by ACORD Corporation, a not-for-profit Delaware corporation that enables the success of the global insurance industry by leveraging the flow of data and information across all industry stakeholders through relevant and timely data standards (“ACORD”).  ACORD respects your privacy, and this policy covers ACORD’s handling, use and disclosure of information collected from you through the Site, your use of software products licensed or otherwise furnished from ACORD (“Software”) or other sources in the ordinary course of ACORD’s business.

 

1) Acceptance

You should review this policy carefully, and be sure you understand it, prior to using the Site or any Software, or otherwise providing any information to ACORD.  If you do not agree to this policy, you should not use, and should immediately terminate your use of, the Site or such Software, as applicable, and not otherwise provide any information to ACORD.  ACORD will update this policy as ACORD adjusts its procedures in relation to your information.  Please return to this page if you use the Site or the Software to check whether this policy has been updated.  The effective date of the policy is noted above.

 

2) Definitions

In this policy:

(a) “Analytical Information” means information obtained through the use of cookies (or other code) and server log files (including, but not limited to, (i) your search terms, (ii) your computer’s access date and time, browser, connection speed, Internet protocol address, Internet service provider, language, location, manufacturer, visit details, and operating system, and (iii) whether or not you opened email messages or other electronic communications from ACORD, and if you did, the times they were opened);

(b) “Collected Information” means all (i) Personal Information (including, but not limited to, name, e-mail address, physical address, phone number, photographs, credit card processing information, human resource data from employees and independent contractors of ACORD, and insurance information relating to third-party individuals provided by clients of ACORD), and (ii) Analytical Information;

(c) “Personal Information” means all information collected by ACORD, whether electronically or manually, through (i) the Site, (ii) any Software, (iii) e-mail messages and other electronic communications that you may send to ACORD, and (iv) other sources in the ordinary course of ACORD’s business, that relates to an individual and that identifies, or can be used in conjunction with other information to reasonably identify, such individual;

(e) “Sensitive Information” means all Personal Information of an individual that reveals (i) racial or ethnic origin, (ii) political opinions, religious or philosophical beliefs, (iii) trade union membership, (iv) genetic data, (v) biometric data; (vi) physical or mental health data or (vii) the sex life or sexual orientation of such individual; and

(f) “Privacy Framework Information” means all Personal Information processed by ACORD concerning individuals in the European Economic Area (“EEA”), the United Kingdom or Switzerland that is covered by the Data Privacy Framework.  For more information concerning the Data Privacy Framework, please visit https://www.dataprivacyframework.gov.

 

3) Collected Information

Collected Information is obtained from you by the following means:  (i) you provide it to us voluntarily, like when you sign up as staff members of an ACORD member or participant at https://www.acord.org/membership-participation/participate/join, (ii) we obtain it automatically through the Site as set forth in this policy or through use of the Software, (iii) we obtain it through third parties in the ordinary course of our business, such as through ACORD members or participants, or (iv) we obtain it through other legal means.  Regardless of the method used to obtain Collected Information, ACORD will collect and retain Personal Information only to an extent that is necessary and relevant to the purposes for which was collected and for ACORD's other legitimate business purposes (including, but not limited to, marketing).  You are responsible for obtaining any approvals, authorizations, consents and permissions that are required in connection with your providing ACORD with any information (including, but not limited to, any information relating to a third party).

 

4) Choice

You may refuse to provide any information to ACORD at any time by terminating your use of the Site and all Software.  You may also, in certain circumstances, request deletion of or otherwise limit processing of your Personal Information by contacting ACORD as set forth in Section 17.  If you refuse to provide any information when requested to do so by ACORD, the Site or any Software, you may not be able to access, or otherwise enjoy the benefits of, certain services from ACORD, features of the Site or functionality of such Software.  For example, membership benefits are only available from ACORD to individuals that sign up as staff members of an ACORD member or participant.

 

5) Electronic Communications

ACORD may, in compliance with applicable laws and regulations, send you e-mail messages and other electronic communications (i) in connection with your use of the Site or any Software, (ii) in the ordinary course of business, or (iii) for any other legitimate business purpose (including, but not limited to, marketing).  You can unsubscribe from such e-mail messages or other electronic communications at any time by contacting ACORD as set forth in Section 17 or by following the directions contained in such e-mail messages or other electronic communications.

 

6) Analytical Information

When you access the Site or use any Software, ACORD may collect Analytical Information.  For more information about our use of cookies via the Site, and to exercise the choices available to you concerning our use of cookies, please visit:  https://www.acord.org/privacy-policy/cookie-policy.  Your browser may also provide you with the ability to not accept cookies, as well as the ability to delete already-existing cookies.  If you refuse, or delete previously existing, cookies, you may not be able to enjoy some features of the Site or functionality of any Software.

ACORD may also utilize third party tracking software or utilities, such as Google Analytics. This analytics data collected by Google is not tied to any personally identifiable data. This helps us analyze data and improve our Site, as well as tailor it to client needs.  For more information about Google Analytics, visit: https://policies.google.com/technologies/partner-sites. You can opt out of Google’s collection and processing of data generated by your use of our website by going to:  https://tools.google.com/dlpage/gaoptout.

ACORD does not respond to web browser “do not track” signals or other similar mechanisms.

Analytical Information will only be used by ACORD (i) to record your use of the Site or any Software, (ii) to diagnose problems with the Site or any Software, (iii) to improve the Site or any Software and make the Site or such Software, as applicable, more useful to you and other users, and (iv) for other legitimate business purposes of ACORD (including, but not limited to, marketing).  ACORD will collect Analytical Information either directly or through third parties acting on its behalf.

 

7) Sensitive Information

ACORD will only process Sensitive Information, also known as “special categories of personal data,” as allowed by law, which includes situations where you have given your explicit consent, where such processing is necessary in the field of employment, social security, or social protection law, or where such processing is necessary for the establishment, exercise or defense of legal claims.  Other allowable bases for the processing of Sensitive Information may apply under applicable law.

 

8) Location of Processing and Transfers

All electronic Personal Information is processed by ACORD on servers residing at ACORD’s places of business in Little Falls, New Jersey and London, England, and on servers residing at off-site data centers in the United States, England and other locations.  ACORD may transfer Collected Information to a third-party processor, such as an IT services provider or others that support ACORD in its ordinary course operations, as further described in Section 11 below.  ACORD remains liable for the integrity of your Personal Information in the event of onward transfers to third parties, and ensures protection of Personal Information by way of appropriate contractual measures.

 

9) Privacy Framework

ACORD complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.  ACORD has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.  ACORD has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.  If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov.  

ACORD adheres to Data Privacy Framework principles but does not rely on these principles exclusively for third country data transfers, and will enter into Standard Contractual Clauses where necessary.  Where appropriate, we will rely on the direct collection of personal data from individuals for transfer of personal data outside the EEA, U.K., or Switzerland.

 

10) Protection

ACORD will use commercially reasonable efforts to protect Collected Information, including Personal Information, from loss, misuse and unauthorized access, alteration, destruction and disclosure.  Certain Personal Information posted by you on the Site may be accessible to the general public, and ACORD is not responsible for protecting such Personal Information from loss, misuse or unauthorized access, alteration, destruction or disclosure.  For example, if you participate in a public forum on the Site, any information disclosed by you when doing so may be available to the general public.  Also, since no transmission of information over the Internet or electronic storage of information is completely secure, it is possible that Collected Information could be lost, misused or accessed, altered, destroyed or disclosed without authorization, even though ACORD uses such reasonable efforts.  In providing information to ACORD, you must assume the risk that Collected Information could be lost, misused or accessed, altered, destroyed or disclosed without authorization.

 

11) Use and Transfer of Collected Information 

All Collected Information may be used by ACORD for any legitimate business purpose (including, but not limited to, marketing).  If ACORD expressly states that any Collected Information will only be used for a specific purpose, ACORD will only use such Collected Information for such purpose, unless you subsequently consent to its being used for another purpose.

Any Collected Information obtained by ACORD, whether or not for a specific purpose, may be disclosed to third parties retained by ACORD (including, but not limited to, any distributors, sub-contractors or vendors of ACORD) for any purposes for which ACORD could use such Collected Information, except that, in the case of Privacy Framework Information only, (i) such third party’s right to use Privacy Framework Information is limited to such purposes, (ii) such third party is obligated to provide at least the same level of privacy protection as is required by the Data Privacy Framework, (iii) ACORD will take commercially reasonable and appropriate steps to verify that such third party effectively processes Privacy Framework Information in a manner consistent with ACORD’s obligations under the Data Privacy Framework, (iv) such third party is required to notify ACORD if such third party makes a determination that it can no longer meet its obligation to provide the same level of privacy protection as required under the Data Privacy Framework, (v) upon such notice, ACORD will take commercially reasonable and appropriate steps to stop and remediate unauthorized processing of Privacy Framework Information, and (vi) upon the request of the U.S. Department of Commerce (or its designee), ACORD must provide a summary or representative copy of the relevant privacy provisions of its agreements with such third party. 

ACORD may also at any time, in its sole discretion, disclose and use any Collected Information (including, but not limited to, a computer’s Internet protocol addresses), whether or not you furnished such Collected Information for a specific purpose, to (i) comply with, or as permitted by, any applicable law or government request, (ii) cooperate with law enforcement, and other third parties, in investigating a claim of fraud, illegal activity or infringement of intellectual property rights, (iii) protect the rights, property or legitimate business interests of ACORD or a third party, or (iv) transfer such Collected Information to a third party purchasing all, or substantially all, of ACORD’s assets. 

ACORD does not and will not sell your Personal Information.  ACORD does not and will not sell the Personal Information of a California resident it has actual knowledge is under the age of 16.

 

12) Third-Party Sites

The Site and any Software may contain links to, or be accessible from, websites provided by third parties (individually a “Third-Party Site”).  Your use of a Third-Party Site will be subject to its terms of use and other provisions, and you are responsible for complying with such terms and other provisions.  This policy does not cover the privacy policies or practices of any Third-Party Site, and ACORD is not responsible for any information you submit to, or otherwise collected by, any Third-Party Site.  You should consult each Third-Party Site for its privacy policy or practice before submitting any information to, or otherwise using, such Third-Party Site.

 

13) Data Rights

US Data Rights

Depending on where you reside, you may have the following rights with respect to your Personal Information, in certain circumstances:

The right to know the categories and specific pieces of Personal Information we have collected about you in the last 12 months, the sources from which the Personal Information was collected, and the business purpose for collecting such information;

The right to know whether and how we sell or disclose your Personal Information, to whom we sell or disclose your Personal Information and the categories of Personal Information sold or disclosed, and the business purpose for selling or disclosing your Personal Information;

  • The right to request a copy of the specific pieces of Personal Information we have collected about you in the last 12 months;
  • The right to request that we not sell your Personal Information;
  • The right to request that we delete the Personal Information that we have collected from you, in certain circumstances;
  • The right to opt out of targeted advertising;
  • The right not to receive discriminatory treatment for the exercise of your privacy rights; and
  • The right to appeal denial of your request.

You may make a request to exercise these rights by contacting us at legalwork@acord.org.

Currently, some of the Personal Information that ACORD collects is not subject to the rights noted above.

Upon receipt of a request to exercise your rights, we may request additional information in order to verify your identity.  You may also be required to confirm your identity under relevant law or regulation.  To the extent possible, we will utilize information already in our possession to verify your identity.  Any information you provide in connection with such verification will be deleted as soon as practicable following your request and not used for any other purpose.

You may be able to designate an authorized agent to make a request on your behalf.  If you submit a request through an authorized agent, we may require that the authorized agent provide proof that the authorized agent has been authorized by you to act on your behalf, and we may still require you to verify your identity in accordance with the above and directly confirm that you provided the authorized agent with permission to submit the request.

We will respond to your request in the time frame required by law, which is usually between one month and 45 days, depending on where you reside.  We may extend the time to respond to your request for up to 90 days, or three months, in total.

You have the right to not be discriminated against for exercising any of your rights.  For example, ACORD will not deny you goods or services; charge different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; provide a different level or quality of goods or services to you; suggest that you will receive a different price or rate for goods or services or a different level or quality of goods or services.

California law permits consumers who are California residents to request and obtain from us once a year, free of charge, information about the Personal Information, if any, we disclosed to third parties for direct marketing purposes within the immediately preceding calendar year.  Currently, we do not disclose Personal Information in this way.

ACORD may function as a service provider to its members and participants, and follows the express written and contractual instructions of its members and participants in relation to Personal Information. If a consumer wishes to make a request in relation to data that ACORD processes as a service provider, it should contact ACORD’s member/participant directly.

The chart below summarizes our practices in relation to your Personal Information over the preceding 12 months.

Category of Information CollectedSource of InformationPurpose for CollectionThird Parties to whom Information is Disclosed
Identifiers, such as real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name or other similar identifiers.You, your company, and/or your use of the Site, as well as ACORD members/participants.To contact you; provide you your company, or other ACORD members/participants, with goods, services, or information you or your company request; or to make our products and services better. To provide services to ACORD members/participants. We may disclose your information to service providers, such as cloud computing providers, to allow ACORD to conduct its business. In our role as a service provider, we may disclose Personal Information as required by ACORD members/participants. 
Other identifiers such as signature, telephone number, credit card number, or debit card number.You, your company, and/or your use of the Site, as well as ACORD members/participants.See above.See above.
Commercial information, including records of products or services purchased, obtained or considered.You, your company, and/or your use of the Site.See above.See above.
Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding your interaction with the Site, an application, or advertisement.You, your company, and/or your use of the Site.See above.See above.
Inferences we draw from any of the information identified above to create a profile about you reflecting your preferences.You, your company, and/or your use of the Site.See above.See above.

 

We retain the categories of information identified above for as long as they are needed for a business purpose; for example, we retain contact information for current and former ACORD members/participants, so we can serve them better.

EU Data Rights

You may have the following statutory rights with regards to your Personal Data under the General Data Protection Regulation (“GDPR”) or U.K. GDPR:

  • you can request access to your Personal Information, including the provision of a copy of the Personal Information subject to processing;
  • you can ask us to update or correct any inadequate, incomplete or inaccurate data;
  • you can request erasure of your Personal Information;
  • you can restrict the processing of Personal Information;
  • where processing is based on our legitimate interests including profiling, you have the right to object to such processing;
  • where we process your Personal Information for direct marketing purposes, you have the right to object to such processing at any time;
  • where processing is based on your consent, you have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal; and
  • where processing is based on consent or on a contract, you have the right to data portability, meaning that you can ask us to provide your Personal Information in a structured, commonly used and machine-readable format for your use or transfer to another controller.

If you wish to exercise any of the rights described above or you have any questions or concerns about how we treat your Personal Information, please contact us via these methods:

If you believe that our processing of personal data concerning you is unlawful, you have the right to complain to the relevant supervisory authority.  Our supervisory authority is the UK Information Commissioner’s Office, which can be reached at https://ico.org.uk/. If you are a resident of the European Economic Area, you can contact the supervisory authority of your country. With respect to our U.S. operations, we are subject to the investigatory and enforcement powers of the Federal Trade Commission.

You may also have the right to invoke binding arbitration against us, by delivering notice and following the procedures and conditions set forth in Annex I of the Data Privacy Framework principles.  For more information, please visit https://www.dataprivacyframework.gov/s/.

 

14) Children

We do not knowingly collect or sell information from children under the age of 16.  Our Site and Software is not directed at persons under the age of 16 and should not be used by them.  In no event should children under the age of 16 provide any Personal Information through our Site or Software.  In our role as service provider we may obtain information regarding children under the age of 16; such information is only used pursuant to ACORD’s contract as a service provider and is not sold or used for marketing purposes.  More information about the Children’s Privacy Protection Act (COPPA) and how it protects children who use the Internet may be found at www.ftc.gov.  If a parent or guardian of a child who is under 16 years of age informs ACORD that the child’s Personal Information has been submitted to ACORD through the Site or Software without the parent’s or guardian's consent, ACORD will use commercially reasonable efforts to remove such information from the Site and ACORD’s servers at the parent’s or guardian's request.  To request the removal of Personal Information of a child under 16 years of age, the parent or guardian should contact ACORD as set forth in Section 17, and provide information necessary to ACORD to assist it in identifying the information to be removed.

 

15) Complaints, Independent Recourse Mechanism

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, ACORD commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, ACORD commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to ICDR/AAA, an alternative dispute resolution provider based in the United States.  If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.icdr.org/dpf for more information or to file a complaint.  The services of ICDR/AAA are provided at no cost to you.

 

16) Revisions

ACORD may revise this policy from time to time by posting the revised policy on the Site.  Any such revision will take effect immediately upon such posting, and will apply to all Collected Information obtained by ACORD after such posting.  We encourage you to periodically check this policy on the Site for revisions.

 

17) Contacting ACORD

If you have any questions or comments, desire additional information regarding ACORD’s handling of any Collected Information, or would like to submit a request to access or delete your Personal Information, please promptly contact:

ACORD Corporation
Attn: General Counsel
150 Clove Road, 11th Floor
Little Falls, NJ 07424
United States of America

legalwork@acord.org