North Carolina State Board of CPA Examiners Privacy Policy

Effective Date: April 1, 2026

Purpose

The North Carolina State Board of CPA Examiners (“the Board”) is committed to protecting the privacy and security of individuals who visit and interact with our website. This Privacy Policy explains how we collect, use, store, and protect information obtained through our website, in accordance with applicable North Carolina laws and public sector standards.

Information We Collect

We may collect the following types of information when you use our website:

Information You Voluntarily Provide

• Name, email address, phone number, and mailing address
• License or application information
• Information submitted through forms, applications, or email communications

Automatically Collected Information

• Internet Protocol (IP) address
• Browser type and operating system
• Date and time of access
• Pages visited and referring website addresses

This information is collected through standard web technologies such as cookies and server logs.

How We Use Information

The Board uses collected information to:

• Process applications, renewals, and payments
• Respond to inquiries and provide customer service
• Improve website functionality and user experience
• Maintain security and prevent unauthorized access
• Fulfill legal and regulatory obligations

Public Records and Disclosure

As a North Carolina state agency, the Board is subject to the North Carolina Public Records Law (N.C. Gen. Stat. § 132-1). Information submitted to the Board may be considered a public record and may be disclosed upon request, unless an exception applies.

Confidential or sensitive information (such as Social Security numbers) is protected as required by law and will not be disclosed except as permitted or required by law.

Cookies and Tracking Technologies

Our website may use cookies and similar technologies to enhance user experience and collect usage data. Cookies are small files stored on your device that help us understand how users interact with our website.

You may choose to disable cookies through your browser settings; however, some features of the website may not function properly.

Information Security

The Board implements reasonable administrative, technical, and physical safeguards to protect personal information against unauthorized access, disclosure, alteration, or destruction.

Despite these measures, no method of transmission over the Internet or electronic storage is completely secure.

Third-Party Services and Links

Our website may contain links to external websites or use third-party services (such as payment processors). The Board is not responsible for the privacy practices of these third parties.

Users are encouraged to review the privacy policies of any external websites they visit.

Children’s Privacy

This website is not intended for use by children under the age of 13. The Board does not knowingly collect personal information from children.

Your Rights and Choices

You may contact the Board to:

• Request access to information you have submitted
• Request corrections to inaccurate information
• Ask questions about how your information is used

Requests will be handled in accordance with applicable laws and regulations.

Accessibility

The Board is committed to ensuring that this Privacy Policy and our website are accessible to all users, including individuals with disabilities. If you need assistance accessing this information, please contact us using the information above.

Legal Authority and Additional North Carolina Requirements

This Privacy Policy is provided in accordance with applicable North Carolina laws and guidance for state agencies, including but not limited to:

• North Carolina Public Records Law (N.C. Gen. Stat. § 132-1)
• Identity Theft Protection Act (N.C. Gen. Stat. § 75-60 et seq.)
• North Carolina General Statutes governing occupational licensing boards

The Board limits the collection and use of personal information to that which is necessary to perform its statutory duties.

Data Retention

The Board retains information in accordance with records retention and disposition schedules issued by the North Carolina Department of Natural and Cultural Resources.

Information is retained only as long as necessary to fulfill administrative, legal, and regulatory requirements.

Payment Processing

If you make payments through the Board’s website, your payment information may be processed by a secure third-party payment processor. The Board does not store full credit card numbers or financial account information on its systems.

All payment transactions are encrypted and handled in accordance with applicable security standards.

Monitoring and Acceptable Use

The Board’s website may be monitored to ensure proper operation, verify the functioning of applicable security features, and detect unauthorized activity.

Unauthorized attempts to upload or change information, defeat security measures, or otherwise misuse the website are strictly prohibited and may be subject to legal action.

Information Technology (IT) Security Controls

The Board follows State of North Carolina information security standards and best practices to safeguard data and systems. Security measures include, but are not limited to:

• Access Controls: Role-based access and least-privilege principles are used to limit access to sensitive information.
• Authentication: Secure authentication methods are used for internal systems and user accounts, including multi-factor authentication where appropriate.
• Encryption: Sensitive data is encrypted in transit using industry-standard protocols (e.g., HTTPS/TLS). Encryption at rest is implemented where appropriate.
• Network Security: Firewalls, intrusion detection/prevention systems, and continuous monitoring tools are used to protect the network environment.
• System Maintenance: Systems are regularly updated and patched to address known vulnerabilities.
• Audit Logging: System activity is logged and periodically reviewed to detect unauthorized access or anomalies.

Third-Party Vendors and Service Providers

The Board may use third-party vendors to support website functionality, licensing systems, hosting, and payment processing. These vendors are required to:

• Comply with applicable state and federal data protection requirements
• Implement appropriate administrative, technical, and physical safeguards
• Limit use of data to authorized purposes only

The Board evaluates vendors through appropriate due diligence and contractual requirements.

Secure Online Transactions and Portals

Any online portals used for licensing, applications, or account management are protected using secure session management, authentication controls, and encrypted communications.

Users are responsible for maintaining the confidentiality of their login credentials and should notify the Board immediately of any suspected unauthorized account activity.

Email and Electronic Communication Security

While the Board takes steps to protect electronic communications, email is not always a secure method of communication. Users are encouraged not to send sensitive personal information (such as Social Security numbers or financial information) via unsecured email.

Security Breach Notification

In the event of a security breach involving personal information, the Board will provide notification in accordance with the North Carolina Identity Theft Protection Act and other applicable laws.

Incident Response

The Board maintains an incident response process to address potential cybersecurity events. This includes:

• Identification and containment of threats
• Investigation and mitigation of impacts
• Notification as required by law and state policy
• Coordination with appropriate state agencies and vendors

User Responsibilities

Users of the Board’s website are expected to:

• Use the website for lawful purposes only
• Protect their own devices and networks when accessing online services
• Avoid sharing login credentials

Failure to comply may result in restricted access and/or legal action.

Single Sign-On (SSO) and Identity Providers

The Board may offer Single Sign-On (SSO) functionality to allow users to access certain services using credentials from a trusted third-party identity provider (e.g., professional networking platforms or enterprise identity services).

When you choose to use SSO:

• You may be redirected to the third-party provider to authenticate your identity.
• The Board may receive limited information from the provider, such as your name, email address, and a unique identifier, as permitted by your account settings with that provider.
• The Board does not receive or store your third-party account password.

Use of SSO is voluntary. If you prefer, you may choose to use standard account registration and login methods (if available).

Users should review the privacy policies and terms of service of any third-party identity provider used for authentication, as those providers govern how their platforms collect and use your information.

The Board requires that any SSO providers used meet applicable security and data protection requirements and be approved in accordance with State of North Carolina IT governance standards.

Changes to This Policy

The Board may update this Privacy Policy periodically. Any changes will be posted on this page with an updated effective date.

Contact Information

If you have questions about this Privacy Policy or the Board’s data practices, please contact:

North Carolina State Board of CPA Examiners
1101 Oberlin Road, Suite 104
Raleigh, NC 27605
Phone: (919) 733-4222
Email: communications@nccpaboard.gov

This policy is intended to provide general information about the Board’s website privacy practices and does not create contractual rights.