Privacy Statement

CRA International, Inc. and each of its affiliates and subsidiaries (collectively, "CRA") is committed to meeting all of our obligations to our clients and visitors worldwide to protect their data and to collect, use, and disclose it for authorized purposes only. CRA is equally committed to abiding by all applicable domestic, national, and international privacy laws. Like most businesses providing services to clients, CRA may acquire personally identifiable information (also known as personal data) of its clients and their employees, and of its other visitors. In general, data collected, used, or disclosed by CRA is processed by CRA on behalf of and as directed by our clients. When CRA does process personally identifiable information on its own behalf, CRA conforms to recognized privacy principles and practices, including notice, choice, consent and control, fairness and integrity, as provided by applicable industry and international legal standards.


As an economics, finance, and business consulting firm that works with businesses, law firms, accounting firms, and governments in providing a wide range of services ("Services"), CRA not only is committed to the privacy of its clients but is equally committed to the privacy of those who visit our Websites. Our Privacy Notice applies to all CRA activities, including the production of our Websites. Both our Privacy Notice and our long-established business principles commit us to keeping your personal information appropriately protected.

For the purposes of applicable data protection law, CRA International, Inc. is the controller of any personal data collected from you on CRA’s websites. If your personal data is collected in the course of CRA providing its Services to a client, the data controller will be the CRA entity that has been engaged to provide those Services.

Information we collect

Every computer connected to the Internet has a domain name and a set of numbers that serve as that computer's "Internet protocol" (IP) address. When a visitor requests a page from one of our Websites, our Web servers automatically recognize that visitor's domain name and IP address. The domain name and IP address reveal nothing personal about you other than the IP address from which you have accessed our Website.

From time to time, we examine our traffic in aggregate to help us improve our Websites, to maintain quality of the service, and to provide general statistics regarding use of the Websites. Under no circumstances do we sell, rent, or give your e-mail address to a third party for the purpose of that party sending you "spam mail" or otherwise using your email address in any way not directly associated with CRA providing its Services to you.

Our Websites collect and store client and Website user information. This information may include names, company names, addresses, telephone numbers, facsimile numbers and email addresses. In addition, CRA may ask employees of clients for Website addresses, service interests, credit-related information with respect to service retention, and other information.

We routinely collect personal data – which may relate to employees, customers, or other third parties – from our clients in the course of providing our Services to them. This personal data will be requested by CRA only where it is reasonably required in order to provide our Services, in accordance with our terms of engagement.

If you represent one of CRA's clients or prospective clients, we may collect and keep your business contact information in a variety of ways, including through face-to-face meetings, public directories or networking sites, and other professional encounters.


A cookie is a text file that is placed on your computer’s hard drive or other electronic storage device by a Web page server. We use cookies to obtain some of the information that is collected automatically as described above. Cookies cannot be used to run programs or deliver viruses to your computer. Cookies are uniquely assigned to you and can be read only by a Web server in the CRA domain that issued the cookie to you. One of the primary purposes of cookies is to provide a convenience feature to save you time by telling the Web server that you have returned to a specific page. Cookies can be deleted from your system at any time. You also have the ability to accept or decline cookies and most Web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. If you choose to decline cookies, you may not be able to fully experience the interactive features of the Websites you visit.

For more information about cookies including how to set your Web browser to reject cookies please go to

By continuing to use our Websites, you agree to our use of cookies in accordance with this Privacy Notice.

Different types of cookies are used for different purposes on our Website. These are known as strictly necessary cookies, performance cookies, and functionality cookies. Some cookies may be provided by an external third party to provide additional functionality to our Website, and these are described below.

  • Strictly necessary cookies
    These are cookies that are essential to fulfill an action requested by you, such as identifying you as being logged in. If you prevent these cookies by adjusting your browser settings we cannot guarantee how our Website will perform during your visit.
  • Performance cookies
    These are cookies used to improve our Website, for example for analytics that let us see how our Website is being used and where to make improvements. These cookies are used to collect information about how visitors use our Website. The information is collected in an anonymous form and includes the number of visitors, where visitors have come from to the Websites and the pages they visited.
  • Functionality cookies
    These cookies enhance the performance and functionality of our Website, often as a result of something you are doing as a user. For instance, we may personalize our content for you or remember your preferences.

Use of personal information

When processing personal information, CRA adheres to applicable domestic, national, and international data privacy laws. The personal information we collect is used for the purposes below.

Where relevant under applicable law, all processing (i.e., use and storage) of your personal information will be justified by a "condition" for processing. In the majority of cases, processing will be justified on the basis that:

  • you have consented to the processing;
  • the processing is necessary to perform a contract with you or take steps to enter into a contract;
  • the processing is necessary for us to comply with a relevant legal obligation; or
  • the processing is in our legitimate commercial interests, subject to your interests and fundamental rights.

We use the personal information we collect to:

  • deliver our Services to our clients;
  • help us maintain the quality of our Website and the Services we offer generally;
  • operate and customize our Website to users' needs;
  • enable you to subscribe to and receive CRA's news services and other additional CRA Services, and enable CRA to deliver to you those Services that you have requested;
  • correspond with users to resolve their queries or complaints;
  • market our Services to our clients;
  • manage client relationships; and
  • comply with applicable laws and regulations.

Our Website uses cookies to:

  • help our clients and visitors personalize their online experience; and
  • identify users and track trends among clients and other users who visit our Websites.

Our Website may request your email or mailing address for the purpose of providing you with further information, administering online registrations to courses and similar events run by CRA, or in association with other organizations such as universities

CRA also makes every effort to keep personal information up-to-date and we welcome our clients and visitors to access and update this personal information. Except for disclosure amongst the members of CRA and its subsidiaries, CRA does not sell lists, accept advertising, or generate any third-party revenue from the data that is generated on this Website.

Disclosure of personal information

CRA does not disclose personal information to third parties except where we may make this information available (i) to outside contractors working on client-specific projects bound by written obligations of confidentiality and non-disclosure; or (ii) to outside mailing houses bound by written obligations of confidentiality and non-disclosure, working under CRA's direction to provide CRA mailings to our clients.

In relation to both internal transfers and the use of service providers, if personal information is transferred outside your local jurisdiction (e.g., the European Economic Area, “EEA”), we will take steps, where required by applicable law, to ensure that the information receives the same level of protection as if it remained within your local jurisdiction. CRA is accountable for the onward transfer of personal information to third-party service providers or agents who assist us in providing services. We maintain contracts with these third parties in compliance with our obligations under the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework (described below) and other obligations. We accept liability under the Privacy Shield Principles if any of these parties fail to process the personal information transferred in a manner consistent with our Privacy Shield obligations, unless we demonstrate that we are not responsible for the event giving rise to the damage. For internal transfers, we have put in place an Intra Group Data Transfer Agreement which protects customer data transferred between global CRA entities. For EU residents, you may have a right to details of the mechanisms under which your data is transferred outside of the EEA.

In addition, CRA recognizes standard domestic and international legal and public policy exceptions to non-disclosure. Important exceptions to the general rule of non-disclosure without permission have been codified internationally in such privacy laws as the 1995 EU Privacy Directive (and from 25 May 2018, the General Data Protection Regulation (EU) 2016/679), Title V of the US Financial Services Modernization Act in 1999, Canada's Personal Information Protection Act (C-6), and Australia's Privacy Act 1988. As such, CRA may therefore collect, use, and disclose personal information necessary for the establishment, exercise, or defense of legal claims, as required by law, or where the collection, use, and disclosure is necessary for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment, or the management of health care services. For example, CRA may maintain such data in our system for a client using CRA to store or process health insurance records for the purposes of the coordination of insurance benefits, in conformity with applicable national privacy and security requirements. As provided by applicable US federal law (or applicable local laws), CRA may also disclose personal information without the consent of the individual to protect the confidentiality or security of the firm's records pertaining to the customer, the service or product, or the transaction to protect against or prevent actual or potential fraud, for institutional risk control, for the enforcement of contractual obligations, to resolve client disputes or injuries, and for various other purposes provided by law. Please also be aware that CRA may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.

Marketing communication

Where lawful to do so, we may communicate with you to tell you about our products and Services. If you do not wish us to use personal information about you in order to inform you about Services and courses provided by CRA, news on industry developments, or other corporate and industry-related announcements, please contact us using the information in the "Contact Information" section at the bottom of this page. You can also use the <Unsubscribe> link provided in our emails

Security of your personal information

CRA uses data storage and security techniques to protect your personal information from unauthorized access, use, or disclosure, unauthorized modification or unlawful destruction or accidental loss. CRA secures personally identifiable information on computer servers in a controlled, secure environment, protected from unauthorized access, use or disclosure. Personal information gathered through our Website is transmitted only within the CRA domain and it is protected through the use of encryption and/or other means. However, it is important to remember that no Website can be 100% secure and we cannot be responsible for unauthorized or unintended access that is beyond our control.

Retention of your information

We apply a general rule of keeping personal information only for as long as required to fulfil the purposes for which it was collected. However, in some circumstances we may retain personal information for longer periods of time, for instance where we are required to do so in accordance with legal, tax and accounting requirements. In specific circumstances we may also retain your personal information for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges.

External links

Please note that the Website may contain links to third party sites and if you link to a third party site from CRA, any information you provide to that site and any use of that information by the third party are not under the control of CRA and are not subject to this Privacy Notice. You should consult the privacy policies of each site you visit. This Privacy Notice applies solely to personal information collected by our Websites.

Your rights

Subject to applicable law, you may have some or all of the following rights in respect of your personal information:

  • the right to access your own personal data subject to certain limitations, such as where the legitimate rights of other persons would be infringed or where the burden or expense of providing access would be disproportionate;
  • to obtain a copy of your personal information together with information about how and on what basis that personal information is processed;
  • to rectify inaccurate personal information (including the right to have incomplete personal information completed);
  • to erase your personal information (in limited circumstances, where it is no longer necessary in relation to the purposes for which it was collected or processed);
  • to restrict processing of your personal information where:
    • the accuracy of the personal information is contested
    • we no longer require the personal information but it is still required for the establishment, exercise or defence of a legal claim;
  • to challenge processing which we have justified on the basis of a legitimate interest (as opposed to your consent, or to perform a contract with you);
  • to prevent us from sending you direct marketing;
  • to withdraw your consent to our processing of your personal information (where that processing is based on your consent);
  • to object to decisions that are based solely on automated processing or profiling; and
  • to obtain, or see a copy of the appropriate safeguards under which your personal information is transferred to a third country or international organization.

In relation to all of these rights, please contact us using the details given below. Please note that we may request proof of identity, and we reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive. We will endeavor to respond to your requests within all applicable timeframes.

Changes to this statement

CRA will occasionally update this Privacy Notice to reflect company and user feedback. CRA encourages you to periodically review this Privacy Notice to be informed of how CRA is protecting your information.

Privacy Shield Certification 

CRA complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information transferred from European Union and Switzerland to the United States, respectively. CRA has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. CRA is committed to subjecting such personal data to the Frameworks to the extent that we have received it in reliance on the Frameworks, including the Frameworks’ Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit The Federal Trade Commission has jurisdiction over CRA’s compliance with the Privacy Shield.

Contact and Enforcement

CRA welcomes your comments regarding this Privacy Notice. If you have any questions relating to this privacy statement, believe that CRA has not adhered to this Privacy Notice, wish to exercise any of your rights, or if you have any suggestions or problems, please contact us at:

Charles River Associates
Privacy and Compliance
200 Clarendon Street
Boston, MA 02116-5092
United States

We will use all reasonable efforts to promptly determine and remedy any problems reported to us. CRA has a practice of responding to individuals within forty-five (45) days of an inquiry or complaint.

CRA has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the JAMS Privacy Shield Program. If you do not receive timely acknowledgement of your complaint, or if your complaint is not satisfactorily addressed, please visit for more information and to file a complaint.

You also may have the option to select binding arbitration under the Privacy Shield Panel for the resolution of your complaint under certain circumstances. For further information, please see