California Privacy statement

01 January 2020


Ernst & Young LLP and its affiliated U.S. entities (“we,” “us,” or “our”) are part of the global organization of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity.

This addendum to the Privacy Statement explains the categories of personal data that we collect from you and how we collect and use personal data that is subject to the California Consumer Privacy Act of 2018 (the “CCPA”).  It further describes the rights that California residents have with respect to their personal data. This addendum should be read together with the Privacy Statement, and in case of any conflict the terms of this addendum will prevail as to personal data of California residents that is subject to the CCPA.  For purposes of this addendum, the term “personal data” includes all “personal information” as defined in the CCPA. 

Your legal rights

Under certain circumstances, California residents have the following rights in relation to their personal data:

  • Right of access and data portability: You may have the right to request that we disclose to you information about our collection and use of your personal data in the preceding 12 months, including: (a)  the categories and specific pieces of personal data we collect; (b) the categories of sources from which we collect or sell personal data; (c) the business or commercial purpose for which we collect personal data; (d) the categories of third parties with whom we share personal data; and (e) the categories of personal data disclosed for a business purpose or sold to third parties and the categories of third parties to whom such personal data was sold or disclosed. 
  • Right to deletion: You may request that we delete certain personal data that we have collected about you.  The foregoing is subject to our right to maintain your personal data for specific purposes permitted under CCPA.  If we are unable to comply with any such request, we will notify you. 
  • Right to opt-out: You may have the right to request that your personal data not be sold to third parties.
  • Right to non-discrimination: You have the right to exercise any of the rights listed above (and any other rights under CCPA) without discrimination by us.

Sources of, purposes for collecting, and categories of personal data collected and disclosed

We collect and process personal data for a variety of business or commercial purposes. The Privacy Statement describes in greater detail the specific pieces of personal data that we collect, the categories of sources from which we collect or sell personal data, and the categories of third parties with whom we share or may share personal data.

In the preceding twelve (12) months, we have collected the following categories of personal data from California residents. Please note that the following list represents categories of personal data across all California residents whose personal data we may have collected or received and does not necessarily represent information we have collected specifically about you. Please also note that the definition of “personal information” under CCPA is subject to certain exceptions as set forth therein and does not include information that is publicly available or has been aggregated or deidentified in accordance with CCPA. 

  • Identifiers: This includes information such as name, postal address, email address, internet protocol address, driver’s license number and other similar identifiers.
  • Personal information as defined by Cal. Civ. Code § 1798.80(e): The types of personal data in this category include several of the identifiers described above but also include, among other things, information such as insurance policy number, employment history, bank account number, credit card number, debit card number, medical information, or health insurance information.
  • Certain protected classifications: Information under this category may include race, color, national origin, marital status, religion or creed or other similar information that is generally protected under California or federal law.
  • Commercial information: Commercial information is information such as records of personal property, products or services purchased or other consumer history or tendencies.
  • Biometric information: Information under this category includes measurements or technical analysis of human body characteristics, such as fingerprints or a retina image, which are used to authenticate an individual so that they can access an EY site.   
  • Internet or network activity: The types of information in this category include information that relates to browsing or search history, or information regarding visitors’ interaction with an internet website.
  • Geolocation data: In general, geolocation data relates to information regarding the physical location of an internet-connected device.
  • Sensory information: Information under this category can include audio, electronic, visual, thermal, olfactory, or other similar sensory information.
  • Professional or employment-related information: This includes information such as job history.
  • Education information: Information under this category is non-public education information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g, 34 C.F.R. Part 99).

We may have collected and processed personal data for various business purposes in the preceding 12 months, including:

  • Auditing related to interactions with consumers in connection with the professional services EY provides.
  • Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and taking appropriate action as a result of any such detected activity.
  • Debugging to identify and repair errors that impair existing intended functionality.
  • Short-term, transient uses where the personal data is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the relevant interaction.
  • Performing professional services for our clients.
  • Undertaking internal research for technological development and demonstration.
  • Undertaking activities to verify or maintain the quality or safety of our services, and to improve, upgrade, or enhance our services.

In the preceding 12 months, we may have disclosed to third parties for a business purpose the categories of personal data listed above. In addition, we may have shared your personal data with the following categories of third parties: other EY member firms; affiliates and subsidiaries; vendors and suppliers that provide services on our behalf; professional services organizations such as law firms, tax advisors, and auditors; and other third parties such as advisors, insurers, joint marketing partners, business partners, ad networks, internet service providers, data analytics providers, operating systems and platforms, providers of identity and credit verification services, regulatory and other professional bodies, and government authorities. 

Sales of personal data

We do not sell your personal data for monetary consideration. We may allow certain third parties (such as online advertising services) to collect your browsing activity and certain other personal data via automated technologies on in exchange for non-monetary consideration.  We may share the categories of personal data listed below in order to improve the performance of, to enhance your browsing experience, to provide you a more personalized browsing experience, and to improve our advertising efforts. You can view a full listing of those third-party cookies and opt out of their use via the Cookie Settings page here.  Please note that to the extent you are accessing across multiple devices or platforms or if you clear your browser settings, you may have to opt out again. 

In the preceding 12 months we may have sold the following categories of personal data in connection with such third-party cookies:

  • Identifiers: This includes visitors’ internet protocol (“IP”) addresses.
  • Internet or network activity: This includes information about visitors’ interaction with, including information about the visitor’s web browser, page location, referrer, and person using the website; cookie-specific data such as cookie ID and the cookie; and button and field data, such as any buttons clicked by site visitors, the labels of those buttons, any pages visited as a result of the button clicks, and the names of any website fields filled in by visitors.

Exercising your rights in relation to personal data

If you would like to exercise any of the rights you may have with respect to personal data under the CCPA as listed above, please contact us by either:

  • Completing and submitting a request form here, or
  • Contacting us via our toll-free number at 1 866 608 0644.  

As part of processing your request, we require you to provide certain personal data about you in order to verify your identity in accordance with the CCPA requirements. This information includes your first and last name, email address, physical address, telephone number, and description of relationship to EY, but may also include additional information based on the nature of your request and your relationship with us.

Additionally, in accordance with your rights under the CCPA, you may designate an authorized agent to make a request on your behalf. In order to comply with your request, we will require the personal data referenced above to be used for identity verification purposes, as well as the name, email address, and telephone number of your authorized agent.

After we verify your identity and the validity of your request, we will take the following action free of charge:

  • In the case of an access request, provide you any required personal data covering the twelve (12)-month period preceding your request; and
  • In the case of a deletion request, delete personal data that we have collected about you, subject to our right to maintain your personal data for specific purposes permitted under CCPA. 

We will endeavor to comply with your verified request within forty-five (45) days, but may extend that period when reasonably necessary, in which case we will notify you.  Please note that you may only make an access request to us for your personal data up to two (2) times in any twelve (12) month period. 

Contact for more information

If you have any questions regarding the processing of your personal data, please contact the EY Data Protection team