Online Privacy Statement

ICF International, Inc. and its affiliates, subsidiaries, trusted business partners or alliances, agents, subcontractors, third-party vendors or newly acquired companies (also referred to below as "we", "us" and "our") is a privacy conscious organization and strongly committed to respecting, protecting and processing personal data responsibly in compliance with applicable data protection laws and this Privacy Statement.

This Privacy Statement and its sub-pages describe our general privacy and data processing practices, where we collect personal data gathered (1) through use of our websites or mobile apps that post, display or link to this Privacy Statement (“Sites”), (2) through downloadable applications accessed from mobile devices with respect to which this Privacy Statement is posted or linked ("Mobile Apps"), (3) from individuals who engage regarding our or our clients services or individuals within our clients’, business partners’, suppliers’ and other organizations with which we have or contemplate a business relationship (“Services”), or (4) by any other mode of interacting with you relating to our communications, such as online or offline newsletters and magazines (“Communication”) as referenced in this Privacy Statement.

This Privacy Statement also explains the choices and rights individuals have regarding their personal data. We also have implemented global policies, along with standards and procedures, as part of our Global Data Protection & ePrivacy Program for our consistent handling, sharing and protecting personal data. Some of our other websites may include additional or different privacy statements, and if a different privacy statement applies, we will disclose this to you.

This Privacy Statement covers the following areas:


1. Information collection 9. Children's privacy protection
2. Information sources 10. California residents' special notices
3. Purpose, legal basis and use 11. European Economic Area and Canadian residents’ special notices
4. Information recipients 12. Retention
5. International information transfers 13. Personal data accuracy, privacy and security
6. Direct marketing 14. Your rights and choices
7. Cookies, beacons, tags and other technologies 15. Notification of our privacy statement changes
8. Third party websites and links 16. Privacy questions and how to contact us

1. Information collection

1.1  We may collect information, including personal data, that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with our existing or potential employees, clients, client constituents or customers, business contacts, strategic alliances, suppliers, shareholders and Site users. 

1.2  Generally, we collect the below-mentioned information and personal data categories. If the data we collect are not listed in this Privacy Statement, we will give individuals, when required by law, appropriate notice of which other data will be collected and how they will be used. 


Category Examples Collected

Information and personal data collected directly
We may collect—directly from you—personal data about you such as your:

A. Identifiers
  • contact details such as name, address, telephone number, fax number, e-mail address, country of residence, etc.
  • signatures.
  • contact preferences and interests.
  • dietary restrictions, accommodations and other event-related preferences requested when participating in our events.
  • social media account profile pictures, profile information, username, birthday and any information or content you have permitted a social media network to share with us.
  • provided postings on blogs, forums, wikis and other social media applications and services.
  • photographs and videos submitted by you or taken at one of our conferences or similar events.
  • reviews about our tools or services.
  • details you share when contacting us, including through emails or recordings of telephone calls with prior notice.
  • shared details or information concerning another individual. If you provide us with personal data of another person (for instance, a potential employee/referral), you are responsible for ensuring that such person is made aware of the information contained in this Privacy Statement and represent that the person has given you his/her documented authority or consent for sharing the information with us and permitting us to use the information in accordance with this Privacy Statement.
Yes
B. Professional or employment-related information
  • current or past job history or performance evaluations.
  • education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.
Yes
C. Commercial information
  • records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
  • company name, company size and sector; company individuals’ contact names and job titles; postal address; telephone and fax numbers; and e-mail addresses.
  • financial information about clients, vendors and end users from third parties in certain circumstances to enable ICF to assess related risks.
Yes
D. Personal information inferences
  • profiles reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Yes
E. Sensitive, special treatment or protected characteristics We do not usually seek to collect the below sensitive personal data through this Site or from users. We will obtain your explicit consent before we collect, use or otherwise process the below sensitive personal data in accordance with applicable data protection and ePrivacy regulatory requirements.
  • General Race or ethnic origin, religious or philosophical or similar beliefs, trade union membership, political opinions, physical, medical or health conditions, biometric or genetic data, or sexual life or sexual orientation, or actual or suspected criminal convictions, offenses or activities
  • California Age, race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).
  • European Economic Area Race or ethnicity, political opinions, religion or beliefs, trade- union membership, physical or mental health or sex life
Maybe

Automatically-collected information
In some instances, we and our trusted services providers use cookies, web beacons, log files, pixel tags, local storage objects and other tracking technologies to automatically collect certain types of information such as your

F. Computer, network or Internet activity
  • computer, operating system, IP address, browser type and language, general location information, domain name, a date/time/access stamp, Internet service provider ("ISP"), referring/exit URLs, clickstream data, and other information about pages you view and resources you access or download, including but not limited to, the links clicked, traffic data, weblogs and other communication data, features used, size of files uploaded, streamed or deleted, and similar device and usage information when users access or use the services or visit our Site for system administration, to filter traffic, to look up user domains and to report on statistics. Please see the “Cookies, beacons, tags and other technologies”, section 7 or our Cookie Policy for more information.
Yes
G. Geolocation
  • physical location or movements.
Yes
H. Cookies or similar activity
  • cookies (small text files stored in a user's browser), beacons (electronic images that allow us to count users who have accessed particular content and to access certain cookies), and tags through the Site and through cookies and other tracking technology and use the same technologies for marketing purposes (including Customer Relationship Management (CRM) Databases, Targeted E-mail & Combining and Analyzing Personal Data) to provide individuals with a personalized online experience. Please see the below “Cookies, beacons, tags and other technologies”, section 7 or our Cookie Policy for more information.
Yes
I. Mobile information
  • mobile device, including your device model/type, operating system, browser type, unique device identifier, IP address, phone number, network carrier, location, and the way you are using the mobile application.

Please see the below “Cookies, beacons and other technologies”, section 7 or our Cookie Policy for more information.

Yes
Other sources – collected information:
J. Social network information
  • When you use a social network login to access our services, you will share certain personal data from your social media account with us, for example, your name, email address, photo, list of social media contacts, and any other information that may be or you make accessible to us when you connect your social media account to your services account. The specific information transferred depends on your security settings and the privacy policy of your social media network.
Yes
K. Joint marketing information
  • When joint marketing partners share personal data or other information with us.
Yes
L. Publicly available information
  • Publicly available data bases information.
Yes

1.3  Except for certain information that is required by law, your decision to provide any personal data to us is voluntary. You will therefore not be subject to adverse consequences if you do not wish to provide us with your personal data. However, please note that if you do not provide certain information, we may not be able to accomplish some or all of the purposes outlined in this Privacy Statement, and you may not be able to use certain tools and systems which require the use of such personal data.

1.4  Personal data excludes: publicly available information from government records, deidentified or aggregated information, and automated non-identifiable data that cannot be linked back to an individual.

Back to top

2. Information sources

2.1  Personal data may be collected either directly from you or indirectly from certain third parties (e.g., affiliates, public authorities, public websites and social media, suppliers and vendors) when you:

  • a. access our Services.
  • b. provide personal data by filling in Site forms (e.g., registering an online account, subscribing to Services, newsletters and alerts, registering for a conference or requesting further information).
  • c. submit our online forms or communicate with us on email.
  • d. submit reviews or participate in surveys.
  • e. upload or post any comments or other content to our Sites, on social media, or blogs.
  • f. interact with us on social media.
  • g. sign up for our mailing lists, register for events we host or sponsor, submit information as part of certain online Services, or otherwise provide us information through the Sites.
  • h. participate in a prize promotion or contest, or related event.
  • i. use the Site for online career resources.
  • j. are an individual employee or constituent of our clients and other companies with which we have an existing business relationship.
  • k. have information on public sources, including, for example, content made public at social media websites.

Back to top

3. Purposes, legal basis and use

3.1  We may use, sell or disclose the personal data we collect only where one or more of the below outlined principal legal grounds and specific business purpose justifications exist.


Our Processing Purposes Our Legal Basis
Consent. Where you have consented in a documented manner to our processing of your personal data.
Managing our contractual relationship with you. To fulfill your request for orders, support or Services under an existing or potential contract with you; facilitate you conducting business with us or perform a transaction with you; contact employees of our clients, partners and suppliers. For example, where a transaction involves our suppliers or strategic alliances, this may include sharing information with other parts of ICF, ICF's business partners or alliances, clients, financial institutions and postal or government authorities involved in fulfillment (subject to any confidentiality obligations that may exist). It also may be used to administer and develop our relationship with you.
Facilitating communication with you to provide you with information or Services requested by you. Facilitating communication with you to provide you with information or Services requested by you.
General business management and operations. To ensure the proper functioning of our business operations and administration of our general business, accounting, record-keeping and legal functions.
Monitoring your use of our systems (including monitoring the use of our Site and any apps and tools you use). To monitor user activities on our systems to ensure users are complying with applicable laws and regulations, and aren’t performing activities that would negatively affect our reputation.
Social media environment. To enable online sharing and collaboration among members who have registered to use them; protect our and/or our client assets and our brand on social media; understand sentiment, intent, mood and market trends and our stakeholders’ needs to improve our Services through key-word searches, conversation stream monitoring and analysis; and gain insights in conversation trends over a specified period, but not to identifying an individual.
Protecting or improving the security and functioning of our Site, networks and information. To ensure that you receive an excellent user experience and/or maintaining the safety, security, and integrity of our Site, Services, information, tools, systems, databases and other technology assets and business.
Audit the downloading of information or documents from our Site. To get to know our Site visitors’ preferences better and improve services accordingly.
Analytics and improving our Sites. To better understand how users access and use our Sites and Services, and for research analytical purposes to evaluate our Services; ensure the proper functioning our business operations; improve our Services, business operations, develop services and features; and provide a better user experience.
Anonymous and de-identified information. To assess, improve and develop our business, products and services, and for similar research and analytics purposes.
Historical, statistical or scientific research and development. To analyze personal data in order to better understand historical, statistical or scientific trends subject to appropriate data protection safeguards.
Online account registration or administration. To administer online accounts as part of a contract, authenticate your account and keep it - and our services – secure; enable certain account features; customize your view of the Site or tailor or personalize information you receive from us; register you for a service or program; or help prevent spam, fraud, and abuse.
Marketing communications. To keep you informed about our Services, updates, offers, events, programs, products, tools, and solutions by post, email, SMS, phone and fax; develop aggregate analysis and business intelligence and, where required by law, we will ask for your consent at the time we collect your data to conduct any of these types of marketing. We will provide an option to unsubscribe or opt-out of further communication on any electronic marketing communication sent to you or you may opt out by contacting us as set out below in section 14.
Event, conference or similar communications (unless you objected against such processing). Facilitate your participation in your requested private or public forum, event or conference.
Contest or prize administration. To fulfill or meet the reason you provided information as part of your participation in prize promotions, contests and other promotional offers that we administrate.
Content creation / production activities. To use your personal data for video, TV, film, marketing, advertising or other related content creation, production and distribution activities where you are involved with our content / production activities based on prior consent and model releases.
Recruitment. To ensure that we recruit appropriate employees, send relevant information about careers and opportunities, and analyze the effectiveness of our recruitment efforts and resources in connection with a job application or inquiry. More information about how we may use your data during the recruitment process will be provided as part of the recruitment process.
Managing our employment contract or relationship with you. To initiate or take steps at the request of our employees before entering into a contract; ensure contract execution; and assess performance of, or terminating an employment contract to which our employees are a party.
Automated Processing of Employee Data. Where automatic processing concerns our employment relationship, or automation of the evaluation of Sensitive Personal Data is part of personnel selection, in compliance with legal requirements and established corporate protocols.
Vital interests. To protect the vital interests of any natural person or ensure proper communication and emergency handling within our organization.
Complying with legal obligations. To comply or fulfill our legal obligations (e.g., law or legal proceedings, employment, labor, tax or similar legal requirements).
Law enforcement requests and harm prevention. To comply with a law, regulation, legal process, order of a court or by any rule of law or governmental request; protect the safety of any person; protect property or the rights or property of those who use our services; prevent or detect crime; apprehend or prosecute offenders. However, nothing in this Privacy Statement is intended to limit any legal defenses or objections that you may have to a third party’s, including a government’s, request to disclose your personal data.
Protect our legal rights and prevent misuse. To protect the Sites and our business operations; to enforce our Terms of Use; to prevent and detect fraud, unauthorized activities and access, and other misuse; establish, exercise or defend legal claims; where we believe necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety or legal rights of any person or third party; or violations of our Terms of Use or this Privacy Statement.
Investor Relations. To provide shareholders with necessary or useful services with respect to their investment, such as record keeping, processed trades and mailing information; and send shareholders company relevant information such as invitations to the annual general meeting, annual reports, proxy statements or other information about the company.
Affiliates and Change of Ownership. To facilitate merger, acquisition, reorganization, sale of assets or similar function.

3.2  Where the above table states that we rely on our legitimate interests for a given purpose, it is our understanding that our legitimate interests are not overridden by your interests, rights or freedoms, given (i) the transparency we provide on our data processing activities, (ii) our data protection by design and default approach, (iii) our routine data protection reviews, and (iv) the rights you have in relation to our data processing activities.

3.3  We will process your personal data for the above referenced purposes based on your prior consent, to the extent such consent is mandatory under applicable laws.

3.4  To the extent you are asked to click on/check "I accept", "I agree" or similar buttons/checkboxes/functionalities in relation to a privacy statement, we will consider this step as you providing your consent for us to process your personal data, only in the countries where such consent is required by regulations. In all other countries, such action will be considered as a mere acknowledgement. The legal basis of the processing of your personal data will not be your consent but any other above applicable legal basis.

3.5  We will not collect or use additional personal data categories we collect for materially different, unrelated, or incompatible purposes without providing you notice or, as applicable, your consent; unless it is required or authorized by law, or it is in your own or another person’s vital interest (e.g. in case of a medical emergency) to do so.

Back to top

4. Data recipients

4.1  Personal data collected in the course of our activities, including in connection with some client services, as well as on the Sites may be shared with:

  • a. our subsidiaries or affiliates, clients and strategic alliances on a need-to-know and authorized basis.
  • b. our trusted suppliers or service providers, professional advisors or other third parties on a need-to-know and authorized basis that is necessary for the purposes for which such access is granted and in connection with an existing or potential corporate or commercial transaction. For example, to provide services related to the Sites, our business activities, including in connection with some client services, in the manner agreed upon in our client services agreements, or supporting our interactions with you, including, for example, processing recruitment materials, administering surveys or contests, or communicating with you. When disclosing personal data to third parties, we take into account third parties’ data handling processes, and require these third parties to maintain privacy and security processes designed to ensure that their personal data processing activities are consistent with this Privacy Statement and safeguards the confidentiality, availability and integrity of personal data they process on our behalf.
  • c. with prospective or actual purchasers, or sellers on a need-to-know and authorized basis in the event of a sale, merger, joint venture, reorganization, assignment or other transfer or disposition of all or any portion of our business. It also is our practice to require appropriate protection for personal data under each commercial transaction.
  • d. with government agencies pursuant to a judicial proceeding, court order, or legal process.

4.2  We may make certain non-personal data available to third parties for various purposes, including for business or marketing purposes or to assist third parties in understanding our users’ interest, habits, and usage patterns for certain programs, content, services, advertisements, promotions, and functionality available through the Service. We will not intentionally disclose (and will take reasonable steps to prevent the unauthorized or accidental disclosure of) your personal data you to any third parties for their own direct marketing use.

Back to top

5. International transfers

5.1  As a global organization offering a wide range of Services, with business processes, management structures and technical systems that cross borders, some of our disclosures may involve the transfer of personal data to countries or regions where the local law may grant you fewer rights than you have in your own country. We have designed this Privacy Statement and our practices to provide a globally consistent level of protection for personal data all over the world. This means that before we transfer personal data to those areas, we will take the necessary steps to ensure that your personal data will be given adequate protection as required by applicable data protection, the below section 11.2 (“EEA and Switzerland special notices”) and our Global Data Protection & ePrivacy Program.

Back to top

6. Direct marketing

6.1  As noted, we may send periodic promotional emails to you, and where required by law, we will obtain your consent to do so. You may opt out of such communications at any time by following the opt-out instructions contained in the email or the instructions in the below section 14. If you opt out of receiving emails about recommendations or other information we think may interest you, we may still send you emails about your account or any Services you have requested or received from us.

Back to top

7. Cookies, beacons, tags and other technologies

7.1  We use cookies, web beacons and other technologies on our Sites in order to collect the information described above in “Automatically-collected Information” under above section 1.2, and also to remember your settings and for authentication.

  • a. Cookies. Cookies are alphanumeric identifiers that we transfer to your computer's hard drive through your web browser for record-keeping purposes. Some cookies allow us to make it easier for you to navigate our Site, while others are used to enable a faster log-in process or to allow us to track your activities while using our Site. Most web browsers automatically accept cookies, but, if you prefer, you can edit your browser options to block them in the future. The Help portion of the toolbar on most browsers will tell you how to prevent your computer from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether.
  • b. Clear GIFs, pixel tags and other technologies. Clear GIFs are tiny graphics with a unique identifier, similar in function to cookies. In contrast to cookies, which are stored on your computer's hard drive, clear GIFs are embedded invisibly on web pages. We may use clear GIFs (also referred to as web beacons, web bugs or pixel tags), in connection with our services to, among other things, track the activities of users of our services, help us manage content, and compile statistics about usage of our services. We and our third party service providers also use clear GIFs in HTML emails to our customers, to help us track email response rates, to identify when our emails are viewed, and to track whether our emails are forwarded.
  • c. Log files. Most browsers collect certain information, such as your IP address, device type, screen resolution, operating system version, and Internet browser type and version. This information is gathered automatically and stored in log files.
  • d. Third party analytics. We also use automated devices and applications, such as Google Analytics (more info here) to evaluate the use of our services. We use these tools to gather non-personal data about users to help us improve our services and user experiences. These analytics providers may use cookies and other technologies to perform their services, and may combine the information they collect about you on our Sites with other information they have collected for their own purposes. This Policy does not cover such uses of data by third parties.
  • e. Do-not-track signals. Our Site does not respond to do-not-track signals. For more information about do-not-track signals, please click here. You may, however, disable certain tracking as discussed above (e.g., by disabling cookies) and as set out in our Cookie Policy.

7.2  You can manage the use of cookies through your browser. You may still use our Site if you reject cookies, but it may limit your ability to use some areas of our Site or otherwise diminish your experience of the Site. You can learn more about cookies at our Cookie Policy.

Back to top

8. Third party websites and links

8.1  Our Sites may contain links or embed third-party applications to third party websites that are governed by their own terms and privacy statements. We may provide links to these third party sites for your convenience and informational purposes only. For example, these links may allow you to interact with sites on which you may have accounts (such as Facebook and other social media sites) or join communities on sites that allow you to login, post content, or join communities from our Sites.

8.2  Third-party apps and websites have their own privacy statements and disclosures, which we encourage you to read before interacting with such third-party websites or providing information on or through them. If you follow a link to any of those third party websites, please note that we do not accept any responsibility or liability for the their policies, or processing of your personal data. ICF is not responsible for the content, accuracy of, or cookies set by any third-party linked site that is not operated by or on behalf of ICF or for any other links contained in such third-party sites. The inclusion of any link to a website not owned by ICF is not an endorsement by ICF of the site or its contents or accuracy and does not suggest that the opinions expressed on a third-party site are representative of the views or opinions of ICF.

8.3  ICF assumes no responsibility or liability for any links to our Sites from another party's website. You may post a link to any portion of the Site without prior written permission. However, any such links must not use framing techniques or in any way represent the Site or its content as being connected with another organization. In addition, you may not use any meta tags or hidden text in your website that incorporate the ICF name or the names of any ICF affiliate, subsidiary, business, program, or service.

Back to top

9. Children’s privacy protection

9.1  ICF is committed to protecting children's privacy online.

9.2  Our Sites are not intentionally designed for or directed at children under the age of 13 in the U.S and 16 in California or EEA, and requires no such information be submitted to us. ICF will not knowingly or intentionally collect, store, use, or share, personal data of children anyone children under the age of 13 in the U.S and 16 in in California or EEA without prior documented parental or guardian consent.

9.3  If you are under the age of 13 in the U.S and 16 in California or EEA, please do not provide any personal data, even if prompted by the Site to do so. If you are under the age of 13 in the U.S and 16 in California or EEA and you believe you have provided personal data to us, please ask your parent(s) or guardian(s) to notify us and we will delete all such personal data.

9.4  If we become aware that we have inadvertently received personal data from a user under the age of 13 in the U.S and 16 in California or EEA, we will delete these data from our records.

Back to top

10. California residents’ special notices

In addition to the information provided in this Privacy Statement, the below information applies if you are a California resident.

10.1  Disclosures of California Residents’ Personal Information for a Business Purpose. In the preceding twelve (12) months, we have disclosed the following categories of Personal Information for a business purpose:


Categories Disclosed
A. Identifiers Yes
B. Personal information categories listed in the California Customer Records Statute (available here) Yes
C. Protected legal characteristics Yes
D. Commercial information Yes
E. Biometric information No
F. Internet activity Yes
G. Geolocation data Yes
H. Audio, electronic, visual, thermal, olfactory, or similar information Yes
I. Employment information Yes
J. Education information Yes
K. Inferences about personal preferences and attributes drawn from profiling (e.g. via cookies) Yes

10.2  Sales of Personal Information. In the preceding twelve (12) months, we have sold the following categories of Personal Information:


Categories Disclosed
A. Identifiers Yes
B. Personal information categories listed in the California Customer Records Statute (available here) Yes
C. Protected legal characteristics Yes
D. Commercial information Yes
E. Biometric information No
F. Internet activity Yes
G. Geolocation data Yes
H. Audio, electronic, visual, thermal, olfactory, or similar information Yes
I. Employment information Yes
J. Education information Yes
K. Inferences about personal preferences and attributes drawn from profiling (e.g. via cookies) Yes

10.3  Information excluded from the CCPA's scope, like:

  • a. health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
  • b. personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver's Privacy Protection Act of 1994.

Back to top

11. EEA and Switzerland residents’ special notices

In addition to the information provided in this Privacy Statement, the below information applies if you are located in the EEA or Switzerland.

11.1  In addition to the information provided in this Privacy Statement, where we transfer personal data from inside the European Economic Area (EEA) to outside the EEA, we are be required to take specific measures to safeguard the relevant personal data.

11.2  Unless you are otherwise notified, any transfers of your personal data from within the European Economic Area (EEA) to third parties outside the EEA will be based on applicable data protection legislation, an adequacy decision (see the full list here http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm), or are governed by the model contractual clauses approved by the EU Commission, or similar contractual clauses in other jurisdictions to provide appropriate safeguards and an adequate level of protection for personal data. This includes transfers to suppliers or other third parties. You can request a copy of the EU model contractual clauses here. Any other non-EEA related transfers of your personal data will take place in accordance with the appropriate international data transfer mechanisms and standards.

11.3  Please contact us as set out below in section 16 if you would like to see a copy of the specific safeguards applied to the export of your personal data or to obtain a copy of our Data Protection Policy.

11.4  For data subject access requests (DSAR), we kindly ask you to download our DSAR Intake Form, fill in the required details and email it to: dataprotection@icf.com

Back to top

12. Retention

12.1  We retain relevant personal data as long as necessary to meet the criteria outlined in above section 1.2.

12.2  We retain personal data about unsuccessful candidates/applicants for 12 months following submission in the U.S., Canada, and Brazil, and for 6 months in Europe and Asia.

Back to top

13. Personal data accuracy, privacy and security

13.1  We intend to maintain personal data accuracy, completeness, current status, and security. In the event of changes in your personal data, you may inform us to make sure that our information is up-to-date.

13.2  We implement commercially reasonable physical, administrative and technical safeguards to help us protect the confidentiality, security, and integrity of your personal data and prevent the loss, misuse, unauthorized access, unauthorized interception, or information alteration. For example, ICF takes appropriate measures to make sure that the personal data you provide is stored on computer servers in controlled, secure environments.

13.3  All of our partners, employees, consultants, workers and data processors (i.e., those who process your personal data on our behalf, for the purposes listed above), who have access to, and are associated with the processing of personal data, are obliged to respect the confidentiality of such personal data.

13.4  Your choice to disclose personal data in an email submission or online form is voluntary. Unfortunately, no data transmission over the Internet is 100% secure. While we strive to protect your personal data, we cannot ensure or warranty the security of any such personal data or fully ensure that your private communications and other personal data will not be inadvertently disclosed to third parties by ICF or its business partners, agents, subcontractors, or other third-party vendors. Although we take commercially reasonable precautions to maintain the security of our Sites and servers, third parties may unlawfully intercept or access transmissions or private communications.

Back to top

14. Your rights and choices

14.1  California Residents.

  • a. California residents have the below additional specific rights regarding their personal data. This section describes California residents’ California Consumer Privacy Act (CCPA) rights and explains how to exercise those rights.

  • Categories Rights
    Access to Specific Information and Data Portability. You have the right to request that we disclose certain information to you about our collection and use of your personal data over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:
    • a. The categories of personal data we collected about you.
    • b. Our business or commercial purpose for collecting that personal data.
    • c. The categories of third parties with whom we share that personal data.
    • d. The specific pieces of personal data we collected about you (also called a data portability request).
    Deletion Request. You have the right to request that we delete any of your personal data we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal data from our records, unless an exception applies.

  • b. We may deny your deletion request if any of the below exceptions require that we retain the information for us or our service providers to:
    • Complete the transaction for which we collected the personal data, provide Services that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
    • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
    • Debug products to identify and repair errors that impair existing intended functionality.
    • Exercise free speech, ensure the right of another individuals to exercise their free speech rights, or exercise another right provided for by law.
    • Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 seq.).
    • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
    • Enable solely internal uses that are reasonably aligned with individual’s expectations based on your relationship with us.
    • Comply with a legal obligation.
    • Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

14.2  EEA and Switzerland residents

  • a. Individuals located in the EEA and Switzerland have the below additional specific rights regarding their personal data. This section describes your rights and explains how to exercise those rights.

Categories Rights
Access. If you ask us, we will confirm whether we are processing your personal data and, if necessary, provide you with a copy of that personal data (along with certain other details). If you require additional copies, we may need to charge a reasonable fee.
Correction (rectification). If the personal data we hold about you is inaccurate or incomplete, you are entitled to request to have it corrected. If you are entitled to have information corrected and if we have shared your personal data with others, we will let them know about the rectification where possible. If you ask us, we will also tell you, where possible and lawful to do so, with whom we have shared your personal data so that you can contact them directly.
Erasure. You can ask us to delete or remove your personal data in some circumstances, such as where we no longer need it or if you withdraw your consent (where applicable). If you are entitled to erasure and if we have shared your personal data with others, we will let them know about the erasure where possible. If you ask us, we will also tell you, where it is possible and lawful for us to do so, with whom we have shared your personal data with so that you can contact them directly.
Restrict (block) Processing. You can ask us to restrict the processing of your personal data in certain circumstances, such as where you contest the accuracy of that personal data or you object to us. If you are entitled to restriction and if we have shared your personal data with others, we will let them know about the restriction where it is possible for us to do so. If you ask us, we will also tell you, where it is possible and lawful for us to do so, with whom we have shared your personal data so that you can contact them directly.
Data Portability. You have the right, in certain circumstances, to receive a copy of personal data we've obtain from you in a structured, commonly used and machine readable format, and to reuse it elsewhere or to ask us to transfer this to a third party of your choice.
Automated Decision-making and Profiling. You have the right not to be subject to a decision when it's based on automatic processing, including profiling, if it produces a legal effect or similarly significantly affects you, unless such profiling is necessary for entering into, or the performance of, a contract between you and us.
Withdraw Consent. If we rely on your consent (or explicit consent) as our legal basis for processing your personal data, you have the right to withdraw that consent at any time.
Lodge a complaint with the Supervisory Authority. If you have a concern about any aspect of our privacy practices, including the way we've handled your personal data, you can report it to the relevant supervisory authority.

14.3  Exercising Access, Data Portability, and Deletion Rights

  • a. General. You may, at any time, exercise your right to decline to supply certain information while using our Sites. Please bear in mind that you, however, may not be able to access certain content or participate in some features on our Sites. If you tell us that you do not want us to use your information to make further contact with you beyond fulfilling your request, we will respect your wishes.
  • b. Marketing. You may, at any time, exercise your right to prevent us from sharing marketing materials with you by checking certain boxes on our forms, utilizing the unsubscribe or opt-opt mechanisms in the emails we send you, indicating so when we call you, or use the Contact Us form on our Sites. For best results, please forward a copy of the mailing you received from ICF. In such cases, we will retain minimum personal data to note that you opted out in order to avoid contacting you again.
  • c. Newsletters, messages and mailings. If you have subscribed to one or more of our newsletters or receive information from ICF via email or postal mail and would like to modify or cancel these mailings, please follow the instructions in the mailing, send an email to dataprotection@icf.com, or use the Contact Us form on our Sites. For best results, please forward a copy of the mailing you received from ICF. In such cases, we will retain minimum personal data to note that you opted out in order to avoid contacting you again.
  • d. Cookies. If you want to remove existing cookies from your device, you can implement those steps by using your browser options. If you want to block future cookies being placed on your device, you can change your browser settings to do this. When you review your browser settings or options, you can identify the ICF cookies in the name. Unless you have adjusted your browser settings to block cookies, our system will issue cookies as soon as you visit our Sites or click a link in a targeted email we have sent you, even if you have previously deleted our cookies. Please bear in mind that deleting and blocking cookies will have an impact on your user experience as parts of the Site may no longer work. For more information on managing cookies, see www.allaboutcookies.org/manage-cookies.
  • e. Data Subject Access Requests. You may exercise your rights to access, data portability, and deletion rights by downloading our data subject access request (DSAR) Intake Form , filling in the required details and emailing it to: dataprotection@icf.com.

  • Residents  Individuals located in EEA and Switzerland
    A. California residents registered with the California Secretary of State or those California residents authorized to act on California residents’ behalf may make a verifiable DSAR related to California residents’ personal data. Individuals located in EEA or Switzerland authorized or those who act on their behalf may make a verifiable DSAR related to EEA or Switzerland individuals’ personal data.
    B. California residents registered with the California Secretary of State or those California residents authorized to act on California residents’ behalf may request that we not sell their personal data by clicking the below “Do Not Sell My Personal Data” button. However, selecting this option may prevent you from receiving Services, receiving program or similar updates, or accessing certain Site features. You have the right to request that we delete any of your personal data we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal data from our records, unless an exception applies. However, selecting this option may prevent you from receiving Services, receiving program or similar updates, or accessing certain Site features.
    C. California residents may only make a verifiable DSAR for access or data portability twice within a 12-month period.
    D. California residents may make a verifiable DSAR on behalf of your minor child. EEA and Switzerland residents may make a verifiable DSAR on behalf of your minor child.
    E. Response Timing and Format. We endeavor to respond to a verifiable consumer request within:
    45 days of its receipt for California residents. Any disclosures we provide will only cover the 12-month period preceding the verifiable DSAR receipt for California residents 30 days for individuals located in EEA or Switzerland. Any disclosures we provide will cover appropriate time frames under applicable EEA or Switzerland regulatory requirements.
    If we require more time to respond to either California residents or individuals located in EEA or Switzerland DSARs, we will inform you of the reason and extension period in writing before required response time. If you have an account with us, we will deliver our written response to the registered email associated with the account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. The response also we provide will explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal data that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
    F. DSAR Fees
    We do not charge California or other residents a fee to process or respond to verifiable DSAR unless it is excessive, repetitive, or manifestly unfounded. We do not charge individuals located in EEA or Switzerland a fee to process or respond to verifiable DSAR unless it is excessive or manifestly unfounded to warrant a “reasonable fee” to cover our administrative costs of complying with the request
    If we determine that a DSAR warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing the DSAR.
    G. Verified DSAR. We cannot respond to California, EEA or Switzerland DSARs or provide related personal data if we cannot verify your identity or authority to make the request and confirm the personal data relates to you. Making a verifiable DSAR does not require you to create an account with us. We will only use personal data provided in a verifiable DSAR to verify the requestor’s identity or authority to make the request.
    H. Non-Discrimination. We will not discriminate against any individual for exercising any of their respective DSAR rights. Unless permitted by law, we will not deny you use of our Services or provide you a different level or quality of Services.

  • f. Legitimate Interest or Legal Obligation Exceptions. Please note that some of the above rights may be limited where we have an overriding legitimate interest or legal obligation to continue to process the personal data, or where the personal data may be exempt from disclosure due to applicable law.

Back to top

15. Notification of our privacy statement changes

15.1  We may make changes to this Privacy Statement from time to time, to reflect changes in our practices. We also may make changes as required to comply with changes in applicable law or regulatory requirements. Where we materially change this Policy, we will take steps to notify you (such as by posting a notice on the Site or via email), and where required by applicable law to obtain your consent.

Back to top

16. Privacy questions and how to contact us

16.1  Please click Contact Us or share by writing to the below contact information if you:

  • a. have questions about this Privacy Statement, how we process or protect your personal data.
  • b. have questions regarding exercising your personal data rights under, as example, the DSAR as outlined in the above sections 14.3.
  • c. like a copy of the full version of our data protection policy.
  • d. wish to make a complaint about our use of your personal data.
  • e. have questions or concerns about this Privacy Statement or our Sites and email marketing practices, please use any of the above contact means.
Back to top

ATTN: Data Protection Manager
ICF
9300 Lee Highway
Fairfax, VA 22031-1207 USA

E-mail:dataprotection@icf.com

Please note that no permission is granted for you to use ICF's logo, icons, or content. You must obtain our prior written permission to post additional graphic or textual material along with your link to our Sites.