CES Institutions Privacy Notice
Effective August 1, 2025
I. Overview.
Brigham Young University (“BYU”), Brigham Young University–Hawaii (“BYU–Hawaii”), Brigham Young University–Idaho (“BYU–Idaho”), and Ensign College (“EC”), all Utah non-profit corporations, are higher education institutions of the Church Educational System affiliated with The Church of Jesus Christ of Latter-day Saints, a Utah corporation sole (the “Church”). These four institutions (the “CES Institutions”) are committed to safeguarding the privacy of your personal data, which may include sensitive personal data. This Privacy Notice (“Notice”) outlines how the CES Institutions collect and process your personal data.
II. Who we are and how to contact us.
In this Notice “CES Institutions,” “we,” “us,” and “our” refer to the above-mentioned institutions which offer educational services, goods, programs, activities, events, and other services across various campuses and platforms. Depending on who you are or how you interact with us, your personal data is processed by different entities of the CES Institutions and/or for different purposes. In Annex 1, you will find the list of CES Institutions acting as data controllers responsible for processing your personal data. Contact information for each institution’s Data Privacy Officer is provided. You may contact the applicable Data Privacy Officer if you have questions, concerns, or to exercise your rights as described below.
III. What personal data do we collect?
There are many ways that you may interact with CES Institutions, which will affect what personal data we collect and how we use it. The types of personal data that we collect depends on the extent to which you either provide personal data directly to CES Institutions, or you use or participate in CES Institutions’ programs, activities, events, or you are a consumer of CES Institutions’ goods or other services. In general, you will know what personal data you provide to CES Institutions because you or others acting on your behalf voluntarily provide it. For a more detailed overview of the personal data we process, the purposes for its collection, and from whom we collect the personal data, please refer to Annex 2.
We also collect certain information automatically. When you visit any of our websites or use our online services, we may automatically collect information sent by your web browser, cookies, web beacons, or similar technologies (“automatically collected data”). Cookies are files placed on your computer, which help evaluate usage patterns, recall user preferences, and tailor user content. Web beacons are objects embedded in a web page to monitor user behavior. You may take steps to browse our sites anonymously, or opt-out, by changing your browser settings. However, doing so may limit your ability to use certain features of our sites.
Automatically collected data may include but is not limited to your internet protocol (IP) address, operating system, browser information, date and time of access, any referring web page you were visiting before you came to our site, your search queries, navigation, and other activities and interactions on our sites or online services.
We may collect and use this automatically collected data for the purpose of administering and improving our sites and online services; contacting you to provide information that may be of interest to you; personalizing content for you; advertising our goods and services; and complying with applicable law.
We also may receive some data from third-party sources. These may include other companies providing services to us or publicly available sources of information (such as when you engage with our content on social media networks or websites).
We may also collect sensitive personal data in limited circumstances and for limited purposes such as an interactive process regarding requested accommodations, arrangements for accommodations, to prepare for potential health emergencies, to provide requested health services, to facilitate background checks, or to protect academic integrity. Sensitive personal data we may collect and process may include, but is not limited to, certain financial data, biometric data, information about ethnicity or religious affiliation, and health data. We process sensitive personal data only when we have explicit consent or in exceptional circumstances and where we have a legal basis to do so.
IV. What is our legal basis for processing your personal data?
We use your personal data under the following legal bases, as permitted by applicable law:
- To carry out our legitimate interests as private institutions of higher education.
- To perform contractual or other obligations that we have toward you.
- To comply with a legal obligation.
- Based on your consent, when required by applicable law.
V. Sharing and transferring your personal data.
To ensure the adequacy of protection of personal data that we transfer or disclose across CES Institutions, to the Church, or to our third-party vendors, contractors, and service providers, CES Institutions impose appropriate contractual obligations on these entities as required by applicable law. Additionally, when we share your personal data as outlined below, we take the necessary steps to ensure that recipients have implemented reasonable security mechanisms to protect your personal data.
A. We may share your personal data within the Church Educational System.
Your personal data may be accessed within CES Institutions and our affiliate programs and organizations. This means that we may share your personal data across the CES Institutions and subsidiary or other supporting entities, as well as with our sponsoring institution, the Church, and its affiliates. Access will always be controlled on a need-to-know basis and only provided where it is necessary to provide you with requested services or to allow us to perform any necessary or legitimate functions (including for educational, administrative, operational, management, supervisory or analytical purposes). Any education records shared will be handled in accordance with each CES Institution’s Access to Records Policy and Procedures and in full compliance with applicable privacy laws, including the Family Educational Rights and Privacy Act. You may consult the list of CES Institutions that may receive your data in Annex 1 and a list of data processing purposes and categories in Annex 2.
B. We may share your personal data with our trusted third-party suppliers who may process it on our behalf.
CES Institutions may provide your personal data to third-party vendors, contractors, service providers, and other agents who assist CES Institutions with our day-to-day operations (for example, payment processing, maintenance, security, data analysis, hosting, advertising, and surveys). In such instances, the third-party vendors, contractors, service providers, and other agents will be required to protect personal data from unauthorized disclosure, additional processing, and transfer (including for marketing purposes), in accordance with this Notice and applicable laws.
C. We may also disclose your personal data to other third parties.
We may access and disclose your personal data if we have a good-faith belief that doing so is required by subpoena or other judicial or administrative order or otherwise required by law. Additionally, we may disclose your personal data and other information as required by law or to exercise or defend legal rights; to take precautions against liability; to protect the rights, property, or safety of any individual, or of the general public; to maintain and protect the security and integrity of our services or infrastructure; to protect you, others, ourselves, or our services from fraudulent, abusive, or unlawful uses; to investigate and defend ourselves against third-party allegations, demands, or claims; to assist government law enforcement agencies; for archiving purposes in the public interest, historical research, and statistical purposes.
D. We do not sell your personal data.
CES Institutions do not sell, rent, or lend your personal data to any third parties for their use in direct marketing, advertising, or promotion of their products or services. Nonetheless, CES Institutions may disclose personal data with our affiliates and the Church and its affiliates for the purposes of fulfilling the mission of the Church or CES Institutions, subject to applicable law and in accordance with the privacy notices of those institutions.
CES Institutions may also disclose your personal data as requested by you, in accordance with CES Institutions’ policy and applicable law.
VI. International transfers.
By using and participating in CES Institutions’ services, you understand and agree that we may transfer personal data to other jurisdictions as necessary for the purposes described in this Notice, including to jurisdictions that may not provide the same level of data protection as the jurisdiction in which your personal data was originally collected. For instance, we may transfer your data to the United States because our main CES Institutions’ campuses are located there.
If we transfer your personal data to other countries or jurisdictions, we will protect that data as described in this Notice and in accordance with applicable law. Where required under applicable law, we will put in place binding contractual obligations with the data recipient to safeguard your data protection rights.
Please contact the applicable data privacy officer (as outlined in Annex 1) if you have any questions with respect to the safeguards we have put in place to protect your personal data when transferred.
VII. Where do we store your personal data?
We may store your personal data in data centers located in the United States, cloud storage solutions, or on the premises at CES Institutions. Where required under applicable law, we will put in place binding contractual obligations with any cloud storage provider(s) to safeguard your data protection rights.
VIII. How do we protect your personal data?
CES Institutions implement appropriate technical and organizational security measures to protect your personal data, and we implement a level of security appropriate to the risks presented by the processing and the nature of the data to be protected. We regularly review our security procedures and consider appropriate new security technology and methods. While CES Institutions strive to protect your personal data, we cannot ensure or warrant the security of such information. Therefore, please use caution and best practices (e.g., strong passwords) when submitting personal data online.
IX. How long do we keep your personal data?
CES Institutions strive to retain collected personal data only for the period of time reasonably necessary to fulfill purposes identified below and to comply with US federal and state law. When personal data is no longer reasonably necessary to fulfill such purposes, we destroy such information, unless there are proper historical reasons not to do so or legal requirements preventing us from doing so.
X. What are your rights regarding your personal data?
We endeavor to maintain the integrity of your personal data and rely on you to ensure your personal data is complete, accurate, and up to date. For personal data submitted through an online account or registration, you may verify, correct, and (if legally required or appropriate) remove your personal data through your own account or registration, if applicable. For all other personal data, you may contact us here to exercise these and other applicable statutory rights such as data access, rectification, restriction of processing, revocation of consent, and erasure, which may be subject to limitations. You also have the right to lodge a complaint with a supervisory authority. If you experience problems with accessing, correcting, or updating your personal data, you may contact us as is outlined in Annex 1. The provisions of this section may be applied by parents on behalf of their child whose information is in our possession.
The Family Education Rights and Privacy Act (“FERPA”), which is a US federal law designed to protect the privacy of, and limit access to, student education records, affects how certain personal data may be used or shared by CES Institutions, and may provide you with additional rights. Similar student data laws in some states and other jurisdictions may also be applicable. More information about FERPA is provided by each institution of higher education and may be informative to you as you seek to understand your rights under similar laws:
XI. Your obligations.
A. What happens if you post personal data for others to view?
CES Institutions’ websites or online services may provide chat rooms, forums, message boards, or news groups for their users. Any personal data that is disclosed in these areas may become public, and therefore, you should exercise caution when deciding to disclose your personal data in such places. Also, CES Institutions may log such information and reference it for the purposes described herein.
B. What about the privacy practices of third-party websites?
CES Institutions are not responsible for the privacy practices or content of any third-party sites, including those to which CES Institutions’ websites link and those that link to CES Institutions’ websites. For your own protection, you should review the policies of other sites to ensure they meet your personal privacy expectations.
XII. How do CES Institutions protect children’s online privacy?
CES Institutions do not knowingly collect information from children under the age of 13 through our sites or online services without parental consent. Any of our sites or services that collect personal data of children under the age of 13 may do so only with the prior express and informed consent of the child’s parent or guardian, and in compliance with applicable law. We likewise seek consent as appropriate from parents or guardians of all minors with whom we interact. Minors (those under the age of 18, or as otherwise defined where they live) should ask their parents or guardians for permission before interacting with or sending any personal data to anyone over the internet, and we encourage parents to teach their children about safe internet use practices.
XIII. Video surveillance.
CES Institutions utilize video surveillance technology in public locations on campus for safety and security purposes. Additionally, we may utilize video surveillance technology in designated secure facilities, such as restricted-access labs or productions studios, where heightened protection is deemed necessary. Surveillance is not conducted in areas where individuals have a reasonable expectation of privacy. Any video recordings that are maintained and directly relate to a student will be handled in accordance with FERPA or any similar student data laws that apply.
XIV. Biometric data.
We may collect and use data that may be deemed as biometric data—such as physical characteristics or fingerprints—for purposes including identity verification, background checks, secure access, academic integrity, and fraud prevention, but only with your explicit, informed consent where required by law. This data will be retained only as long as necessary to fulfill the purpose, comply with legal obligations, or for no longer than 3 years after the individual’s last interaction with the institution, unless otherwise allowable under applicable law. We implement heightened security measures to protect biometric information. Biometric data may be shared with trusted service providers solely to support these purposes and under strict confidentiality obligations. You have the right to request the deletion of your biometric data at any time. For more information on our data processing activities, consult Annex 2.
XV. Artificial intelligence.
CES Institutions may use artificial intelligence (AI) systems and technologies, including chatbots and language models, to enhance our services and provide you with personalized experiences. AI technologies may be employed to analyze your data, assist with security, support academic integrity, assist hiring personnel, assist instructors in providing academic feedback and grading, and provide personalized support based on your interactions and preferences. Institution guidelines require AI outputs that impact individuals be reviewed by qualified personnel. Any personal data collected and/or processed during interactions with our AI systems is handled with care and in accordance with the data handling practices outlined in this Notice and relevant data protection laws.
XVI. SMS communications.
If you provide your phone number and consent, we may send you SMS messages for notifications, service updates, or marketing communications. You can opt out at any time. We use trusted service providers to deliver these messages and may share your phone number with them solely for this purpose. Where required by law, we will seek to obtain your explicit consent before sending marketing messages.
In the instance of third-party telephony platforms, the CES Institutions do not share SMS consent or phone numbers to the third parties for the third parties’ own purposes.
XVII. Changes to the Privacy Notice.
We regularly review this Notice and may change, modify, add, or remove portions as needed. If we change this Notice in ways that affect how we use your personal data, we will provide such notice in a communication to you, when you log into an online service, or on this page. We also will update the most recent revision date at the top of this Notice. We encourage you to check this Notice from time to time to keep up to date on any changes.
XVIII. Annex.
A. Annex 1- List of CES Institutions responsible for processing your personal data.
TABLE 1- Lists the legal entities that comprise the CES Institutions as defined in this Notice and their contact information.
| Data Controllers | Email or Web Address | Mail | Phone Number |
| Brigham Young University | privacy@byu.edu | BYU Data Privacy Officer 6822 HBLL Provo, UT 84602 USA | 801-422-1670 |
| Brigham Young University–Hawaii | privacy@byuh.edu | BYU–Hawaii Data Privacy Officer 55-220 Kulanui St #1891 Laie, HI 96762 USA | 801-422-1670 |
| Brigham Young University–Idaho | privacy@byui.edu | BYU–Idaho Privacy Officer 525 S. Center St. Rexburg, ID 83460 USA | 801-422-1670 |
| Ensign College | privacy@ensign.edu | EC Data Privacy Officer 95 North 300 West Salt Lake City, UT 84101 USA | 801-422-1670 |
TABLE 2- Outlines the relevant CES Institution responsible for processing your personal data.
Depending on your interactions with us and/or the involved institution, one or more CES Institution might be responsible for processing your personal data.
Where a field designates more than one data controller, this means that more than one CES Institution is processing data related to that activity (or supporting the processing of that data) and the data controller responsible will be the entity that you have a primary relationship with (e.g. you are a current student or alumni of that institution).
To establish which CES Institution is the data controller responsible for your personal data, you need to determine and apply the following to the Table below:
1) With which CES Institution do you have a primary relationship, and
2) In which categories of data subjects do you belong (additional detail for each of these categories is available in Annex 2).
a. Prospective Students
b. Enrolled Students
c. Alumni and Donors
d. Customers
e. Individuals Involved in Research or Studies
f. Job Applicants
If you do not belong in one of the categories listed above (for instance because you do not have any, or no longer have, a relationship with us) then BYU will strive to address your privacy inquiry.
| Institution | Prospective Students | Enrolled Students | Alumni and Donors | Customers | Individuals Involved in Research or Studies | Job Applicants |
| Brigham Young University | As joint controllers: · BYU | As an independent data controller: · BYU | As an independent data controller: · BYU | As joint controllers: · BYU | As an independent data controller: · BYU | As joint controllers: · BYU |
| Brigham Young University–Hawaii | As joint controllers: · BYU | As an independent data controller: · BYU–Hawaii | As joint controllers: · BYU | As joint controllers: · BYU | As an independent data controller: · BYU–Hawaii | As joint controllers: · BYU |
| Brigham Young University–Idaho | As joint controllers: · BYU | As an independent data controller: · BYU–Idaho | As joint controllers: · BYU | As joint controllers: · BYU | As an independent data controller: · BYU–Idaho | As joint controllers: · BYU |
| Ensign College | As joint controllers: · BYU | As an independent data controller: · EC | As joint controllers: · BYU | As joint controllers: · BYU | As an independent data controller: · EC | As joint controllers: · BYU |
B. Annex 2- List of personal data processing activities.
| Categories of Data Subject | Personal Data that We May Collect and Use | Purpose for Collection and Use | From Whom Personal Data Is Collected |
| Prospective Students and Applicants | Name; contact details (address, phone, email); date and place of birth; demographic information (gender, race, ethnicity, national origin, languages spoken); philosophical or religious affiliation and beliefs; commitment to abide by CES Institutions’ policy; academic and employment performance and histories; criminal histories; identification numbers issued by the government, CES Institutions, and other Church affiliates; photographs and video and/or audio recordings; physical characteristics; accommodation and disability information; emergency contact information; parental, guardian, and other family information; citizenship and immigration status; credit card, bank account, tax, insurance, and other financial information; health and well-being information; information contained in resumes, reference letters, or ecclesiastical endorsements; and other information from your interactions with CES Institutions, including through your applications, your academic performance, participation in student organizations, and our other student services. | We may collect and use personal data for the purpose of (1) processing applications for admission, scholarships, or financial aid; (2) student enrollment or course registration; (3) processing financial transactions and conducting credit checks; (4) complying with legal obligations; (5) contacting you to provide information that may be of interest to you; (6) administering courses, programs, activities, events, or other services to you; (7) promoting your safety and welfare; and (8) complying with applicable law. | We may obtain your personal data from you or from third parties who provide information about you, such as parents, references, associates, ecclesiastical leaders, high school counselors, other educational institutions, organizations with which you are affiliated, and testing, application, or background check services. |
| Admitted and Enrolled Students, and Other Learners | Name; contact details (address, phone, email); date and place of birth; demographic information (gender, race, ethnicity, national origin, languages spoken); philosophical or religious affiliation and beliefs; commitment to abide by CES Institutions’ policy; academic and employment performance and histories; criminal histories; identification numbers issued by the government, CES Institutions, and other Church affiliates; photographs and video and/or audio recordings; physical characteristics; accommodation and disability information; emergency contact information; parental, guardian, and other family information; citizenship and immigration status; credit card, bank account, tax, insurance, and other financial information; health and well-being information; information contained in resumes, reference letters, or ecclesiastical endorsements; and other information from your interactions with CES Institutions, including through your applications, your academic performance, participation in student organizations, and our other student services. | We may collect and use personal data for the purpose of (1) processing applications for admission, scholarships, or financial aid; (2) student enrollment or course registration; (3) processing financial transactions and conducting credit checks; (4) complying with legal obligations; (5) contacting you to provide information that may be of interest to you; (6) administering courses, programs, activities, events, or other services to you; (7) monitoring for academic integrity during online academic exams; (8) promoting your safety and welfare; (8) identity verification, fraud prevention, and secure access; and (9) complying with applicable law. | We may obtain your personal data from you or from third parties who provide information about you, such as parents, references, associates, ecclesiastical leaders, high school counselors, other educational institutions, organizations with which you are affiliated, and testing, application, or background check services. |
| Alumni and Donors | Name; contact details (address, phone, email); date of birth; demographic information; philosophical or religious affiliation and beliefs; educational and employment history; identification numbers issued by the government, CES Institutions, and other Church affiliates; photographs; affiliations with clubs and other organizations; personal interests and activities; family information; financial, donation, and tax information; and other information about your interactions with CES Institutions, including from when you were a student (see above), or from surveys or other alumni and donor services. | We may collect and use personal data for the purpose of (1) alumni surveys and other outreach efforts; (2) contacting you about donations to CES Institutions; (3) administering programs, activities, events, and services to you; and (4) complying with applicable law. | We may collect this personal data from you or third parties who provide information about alumni or potential donors. Please note that while CES Institutions may use your personal data to contact you about a donation, all donations to CES Institutions are handled by Philanthropies, and you should also review the Philanthropies’ Privacy Notice. |
| Consumers of CES Institutions’ Goods or Services; Visitors to CES Institutions’ or its Websites; and Participants or Attendees in CES Institutions’ Programs, Events, and Activities. | For consumers of our goods or services, including but not limited to customers in our campus stores, participants in our events and camps, we may collect: name; contact details (address, phone, email); and credit card or other payment information. For those participating in or attending programs, events, or activities, we may also collect date of birth; demographic information; photographs and video and/or audio recordings; financial and insurance information; accommodation and disability information; family information; commitment to abide by CES Institutions policy; and emergency contact information. For youth programs, we may also collect parental, guardian, and other family information. For health or counseling services, we may also collect information about physical or mental health. For athletics and performing arts programs, we may also collect physical characteristics and performance information. In the course of visiting CES Institutions’ campuses or its websites or other online services, or participating in a program, event, activity, or other service, you may be asked to provide additional information, which will be used to administer or provide the program, event, activity, good, or service to you, such as user settings, preferences, permissions, and notifications. | We may collect and use personal data for the purpose of: (1) administering or providing programs, events, activities, goods, or services to you; (2) contacting you about your participation in such programs, events, activities or services; (3) contacting you to provide you information that may be of interest to you; (4) processing purchases or orders; (5) administering and improving CES Institutions’ websites and services; (6) promoting your safety and welfare; (7) complying with applicable law. | We may collect this personal data directly from you or from those with whom you interact in connection with CES Institutions’ programs, events, activities, or sales. |
| Individuals Involved in Research or Studies | We may collect information from or about you for purposes of research or studies. As applicable, CES Institutions comply with the principles and guidelines concerning research, including the Belmont Report and the US “Common Rule.” If required by law or otherwise appropriate, we will provide you with a description of the research and the information collected about you in connection with the research. | We may collect and use personal data for the purpose of (1) conducting research or studies involving you; or (2) analyzing, studying, publishing, or following up on research or studies in which you were involved. | We may obtain your personal data from you or from third-party researchers, or as part of research collaboration with federal, state, or local governmental authorities. |
| Job Applicants | Name; contact details (address, phone, email); date and place of birth; demographic information (gender, race, ethnicity, national origin, languages spoken); philosophical or religious affiliation and beliefs; commitment to abide by CES Institutions’ policies; academic and employment performance and histories; criminal histories; fingerprints; identification numbers issued by the government, CES Institutions, and other Church affiliates; photographs and video and/or audio recordings; physical characteristics; accommodation and disability information; emergency contact information; parental, guardian, and other family information; citizenship and immigration status; credit card, bank account, tax, insurance, and other financial information; health and well-being information; information contained in resumes, reference letters, or ecclesiastical endorsements; and other information from your interactions with CES Institutions including through your applications, your academic performance, participation in student organizations, and our other student services. | We may collect information from or about you for the purpose of (1) completing or processing your application, including the various stages of the recruitment process (2) communicating with you and providing you with services related to your application (3) fulfilling required verifications, such as identity verification, background check, and fraud prevention. | We may obtain your personal data from you or from third parties who provide information about you, such as references, associates, ecclesiastical leaders, previous employers, other educational institutions, organizations with which you are affiliated, and testing, application, or background check services. |