Where is ACL data technically stored?
The exact details may depend on the filesystem, but conceptually, yes, the ACLs are metadata stored in the file inodes just like traditional permissions, dates, etc.
Since the size of ACLs can vary, they may end up being stored in separate blocks. However the details only matter if you're designing a filesystem or programming a filesystem driver.
Take a look at the Extended Attributes section of this paper, titled: POSIX Access Control Lists on Linux.
excerpt
ACLs are pieces of information of variable length that are associated with file system objects. Dedicated strategies for storing ACLs on file systems might be devised, as Solaris does on the UFS file system [13]. Each inode on a UFS file system has a field called i_shadow. If an inode has an ACL, this field points to a shadow inode. On the file system, shadow inodes are used like regular files. Each shadow inode stores an ACL in its data blocks. Multiple files with the same ACL may point to the same shadow inode.
Because other kernel and user space extensions in addition to ACLs benefit from being able to associate pieces of information with files, Linux and most other UNIX-like operating systems implement a more general mechanism called Extended Attributes (EAs). On these systems, ACLs are implemented as EAs.
After the Extended Attributes section it get's into the specifics of how the various file systems, ext2/ext3, JFS, etc. implement EA.
For Ext4:
https://ext4.wiki.kernel.org/index.php/Ext4_Disk_Layout#Extended_Attributes
"Extended attributes (xattrs) are typically stored in a separate data block on the disk and referenced from inodes via inode.i_file_acl*."