Privacy Policy

1. Introduction

The Responsible Online Commerce Coalition (ROCC) is a non-profit company registered in Washington DC. We take the protection of your personal data seriously. We are committed to safeguarding the privacy of the personal data that we receive from you during the course of our business relationship and that collected from visitors to our website. We have implemented appropriate technological and organisational measures to protect the personal data that we process. This Privacy Policy sets out our privacy practices and your rights.

2. Data protection laws

Our use of your personal data is subject to the law (including but not limited to the European Union (“EU”) General Data Protection Regulation 2016/679 (“GDPR”), the GDPR as incorporated into the law the United Kingdom by virtue of the European Union (Withdrawal) Act 2018 (i.e., the “UK GDPR”), and other relevant UK and EU legislation). Unless otherwise indicated, references in this Privacy Policy to the GDPR include the UK GDPR.

In this Privacy Policy, the terms “personal data”, “controller”, “processor”, “data subject”, “consent”, “recipient”, “third party”, “processing” and “profiling” have the meanings given to them in the GDPR.

3. Contact details of controllers

For the purposes of data protection law, the controllers for the processing of personal data under this Privacy Policy are:

The Responsible Online Commerce Coalition

4725 Wisconsin Ave, NW

Suite 200

Washington, D.C. 20016



4. What personal data we collect and why we collect it

4.1 Members and mailing list

We use your personal data (and any related information) primarily to provide our services to you. This includes personal data you provide to us when you are introduced to us, in person, by telephone, email, or via social media or our website. This may include information that can be used to identify you or that we can link to you, including your name, contact information, job title and any associated organisation and other information which we may use to identify you in relation to our services. This information may fall into the following categories:

  • We may process information contained in any enquiry that you submit to us indicating your interest in our services, including the contacts of your enquiry and any contact details. We process such data for the purposes of responding to your enquiry and updating you in relation to our services where appropriate, unless you indicate that you no longer wish to hear from us.
  • Where we enter into a contract to provide services to you or for the provision of third-party services to the ROCC, we may process personal data for the purposes of that contact and our related business services. This may include personal information contained within contract related correspondence, data provided for the purposes of the contract and/or transactional data and bank account information for the purposes of supplying and receiving services, making payments and record-keeping. We may also keep a record of contact details of individuals at your business or working on behalf of your business whom we may contact in order to carry out our activities. 
  • We will also need to process your personal data for the administration of our relationship with you including (but not limited to) billing, record keeping and where necessary debt collection. In this regard, we act as a separate data controller in our own right.  
  • We may obtain information about you from other public sources or by introduction by third parties which we may use to help us update and analyse our records, identify potential new members and for compliance and regulatory checks.
  • We may use your personal data to send you updates (by email, text, telephone or post) about legal developments that might be of interest to you and/or information about our services, including exclusive offers, promotions or new services or products. You have the right to opt out of receiving promotional communications at any time by contacting the ROCC team member. We may also record telephone calls and monitor emails for training, regulatory and compliance purposes.

4.2 Individuals involved in or connected with the ROCC’s activities

In the course of our activities, we may collect personal data about individuals employed by prospective members or other non-members. We may obtain this personal data directly from the individual, from third parties or public sources. 

The types of personal data we collect may differ depending on what is necessary for and relevant to a particular matter. However, the types of personal data we will collect generally are as follows: names, addresses, contact details and job/business details. 

4.3 Sensitive information

As a general matter, we do not collect sensitive information from you and ask that you do not provide such information to us. Sensitive information includes data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.

4.4 Cookies

Our website uses cookies, which are small data files stored on your hard drive or device. Cookies help us to distinguish you from other users and to see how you interact with our website. The information provided to us by the cookies helps us enhance your experience on the website. 

You may disable our cookies by turning them off in your Internet browser. Your Internet browser will contain instructions in how to do this.

5. How and why we share your personal information with third parties

5.1 Courts, law enforcement authorities and regulators 

We may have to disclose some information to third parties, including courts, law enforcement authorities, regulators, attorneys and other authorities. We accept correspondence, memberships and data only on the understanding that we have your authority to do so when reasonable and necessary for the purposes of dealing with the functions of the coalition, or in addressing any issue or concern you or we may identify in your interest, or (in the context of our insurance arrangements) in our own interest, or if required by law. If we have any doubt as to whether you might object to the disclosure of any information, we will seek to obtain your consent before doing so unless disclosure is required by our regulators, insurers, professional advisers or as a matter of law.  

5.2 Third party service providers 

We also use third party service providers to help us deliver efficient and cost-effective services. We may share your personal data with these third parties in the following circumstances:

  • We may share your personal data with our employees as well as other legal specialists, barristers, consultants and experts engaged on a confidential basis where required for the provision of our services, internal administration, billing, compliance and reporting, promoting our events and services and other business purposes; 
  • Where we provide services to you, we may share your personal data with third-party providers for the purposes of our services;
  • We may share your personal data with third party providers who host the services on which our data is stored, our IT and marketing consultants and other suppliers of business and administrative services including debt recovery;
  • We may share your personal data with third party providers that help us with money laundering and other compliance and reference checks and for other fraud and crime prevention purposes;
  • We may share your personal data with our insurers and professional advisors as is necessary for the purposes of obtaining and maintaining insurance coverage, obtaining professional advice, managing legal disputes and maintaining accounts records and financial audits; and
  • We may also disclose your contact details on a confidential basis to third parties for the purposes of collecting feedback on our services and to improve and promote our services.

These third parties may include “cloud” service providers for document/information hosting, sharing, transfer, analysis, processing or storage.

Any information which we share with third party providers will be pursuant to contractual arrangements which we put in place which require that the data is processed only in accordance with our instructions for specified purposes and applicable law.

We also reserve the right to disclose any information which we hold where necessary: a) to appropriate courts, law enforcement authorities, governmental, legislative or regulatory authorities, if required to do so by law or regulation or by any governmental or law enforcement agency; and b) in order to protect the vital interests of the data subject or of any other individual.

6. Storage and safety of your data

We follow strict security procedures to ensure that your personal data is safely stored and used, and to try to prevent unauthorized access to it. In this regard, access to your data is authorized only for those who have a business need for such access. 

Data you provide to us is stored on servers located in the UK, the EEA, and the U.S. We will keep your data stored on our systems for as long as it takes to provide the services to you and not store your data for longer than is reasonably necessary or as required by law or by our regulator, or to assert or defend against legal claims.

7. Transferring your personal data abroad

As we work as a joined team across jurisdictions, we may sometimes transfer personal data between them where necessary to provide our services. We may transfer personal data from the UK and the EEA to the U.S., and vice versa, as well as outside of the UK, the EEA, and the U.S., for example to receive local legal advice from foreign law firms as well as other legal specialists, consultants and experts engaged in the functions of the coalition. 

We protect your personal data overseas through the following measures:

  • We always make any personal data transfers in compliance with the data privacy laws of your home country.
  • We ensure that any overseas third party to which your personal data is disclosed to:
    • only uses that personal data for the purposes for which it was disclosed; 
    • undertakes the necessary technical and organisational measures which are reasonable in the circumstances to secure that personal data; 
    • deletes that personal data when it is no longer required; and 
    • processes your personal data in accordance with this Privacy Policy and the local data privacy laws.

8. How long we will retain personal data

Any personal data will be deleted when it is no longer reasonably required for the purposes for which you provided your consent or you withdraw your consent and we are not otherwise legally permitted to continue storing your data. 

Where necessary, we will retain your personal data where it may be required to assert or defend any legal claims or otherwise asserts its rights or those of third parties until the end of the relevant retention period or until any claims have been resolved. We will also retain personal data where necessary to comply with our legal obligations, regulatory requirements and reporting obligations. We may also hold data in backup systems which are put in place to maintain the integrity of our IT systems for the minimum retention periods. 

9. Your rights

Your rights in relation to your personal data are as follows:

  • You have the right to request access to and a copy of any personal data about you which we hold. 
  • You have the right to request information about whether your personal data has been transferred outside the EU or UK and any safeguards relating to this transfer.
  • You have the right to ask us to correct any incorrect or incomplete personal data we may hold about you. 
  • Under certain circumstances, you have the right to ask us to delete any personal data we hold about you.
  • Under certain circumstances, you have the right to limit the way we use your personal data by asking us not to process your personal data for certain purposes.
  • Under certain circumstances, you have the right to object to us processing your personal data for certain purposes.
  • Under certain circumstances, you have the right to request a copy of your personal data.
  • Where you have provided consent to the collection, processing and transfer of your personal data for a specific purpose, and we are collecting, processing and transferring your data on the basis of that consent, you have the right to withdraw your consent for that specific processing at any time. 

To make a request pursuant to these rights, please contact the ROCC team members. 
We keep the Privacy Policy under regular review.