Collection of Personal Information
In addition to the basic personal information such as name, address, email address, phone number, and other contact details, DarkMath may also collect data related to clients' interactions with our services. We collect information through various methods, including direct submissions from our clients, automated means such as communication protocols, and ethical aggregation from trusted third-party data providers, data compilers, and public sources.
Use of Personal Information
Personal information collected is primarily used to provide and improve our wholesale data services. This includes customer support, enhancing user experience, developing new services, and conducting market research. Additionally, we may use personal information for internal business processes such as audits, fraud monitoring, and compliance with legal obligations.
Data Products & Third-Party Data and Usage
DarkMath processes PII-based consumer data. This data is leveraged by our proprietary vectorization engine and AI models to unify fragmented customer identities into a single, resilient 'Golden Record,' which is then licensed to our clients for their own marketing, analytics, and fraud prevention efforts.
This PI data includes: Identifiers (Name, Postal Address, Phone Number, Email Address, IP Addresses, HEMs), Commercial Information, Internet/Network Activity, Geolocation Data, Inferences drawn from other data, and Sensitive Personal Information (as defined by state law, such as precise geolocation, where legally permitted).
As a data marketing provider, we comply with all industry policies, guidelines, principles, and ethical practices for data collection, processing, and protection. Our services are not directed at children, and you may not utilize our data solutions if you are under 18. We do not knowingly collect, disclose, or use data for marketing purposes for anyone under the age of 16, as defined by CCPA/CPRA, and we adhere to all relevant provisions of the Children’s Online Privacy Protection Act (COPPA).
DarkMath shares Personal Information (PI) and Sensitive Personal Information (SPI) with our clients and partners to provide our services, which includes licensing our Identity Resolution and Audience Generation products.
Some state laws, such as the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), define "sale" to include sharing, disclosing, or making personal information available for monetary or other valuable consideration, which includes providing data for cross-context behavioral advertising.
You have the right to opt out of this sale or sharing. To exercise this right, you must visit our dedicated
Your Privacy Choices page
.
Companies Providing Services to DarkMath
We share information with third-party vendors, consultants, and other service providers that are providing business services to DarkMath. For example, we may share information about you with a third-party service provider that creates reports or other products ordered by users, sends out emails, serves ads on a third-party platform, or monitors or analyzes data. Such companies will have access to personal information only as necessary to carry out their work and are prohibited from using it for independent purposes.
How We Share Information
DarkMath receives data from, and handles data on behalf of, a variety of consumer-facing companies, applications and services, and data compilers. We also may obtain data through public sources, such as census data and other public records. Some of the data we receive and use is Personal Information (PII) data.
International Data Transfers
Personal information may be transferred to, and processed in, countries other than the country in which you reside. These countries may have data protection laws that differ from your country's laws. We take appropriate safeguards to ensure that your personal information remains protected in accordance with this privacy policy.
Your Rights and Control Over Personal Data
Individuals whose personal information we process have various rights, including the right to access, correct, delete, object to processing, and request data portability. Furthermore, you have the right to opt-out of the sale or sharing of your data, and
to opt-out of processing for targeted advertising and certain profiling activities.
To exercise any of these rights, you must visit our dedicated Your Privacy Choices page. bla
Cookie Usage
DarkMath does not currently use cookies or any similar tracking technologies on our website. We respect your privacy and are committed to transparency in our data practices. As we do not employ cookies, we do not collect or store any information through this method. However, please note that our privacy practices may change over time. If we decide to implement cookies or other tracking technologies in the future, we will update this policy accordingly and inform our users of any changes.
Opt-OutAs part of our commitment to privacy, we provide mechanisms for individuals to opt out of receiving marketing communications. This can be done by visiting our
Your Privacy Choices page or by contacting us directly.
Changes to Our Privacy Policy
We reserve the right to modify this privacy policy at any time. Changes will be posted on our website with an updated revision date. We encourage individuals to regularly review our privacy policy to stay informed about how we are protecting their personal information.
Questions Or Concerns
For any questions or concerns regarding our privacy practices, please email at
admin@darkmath.ai.
California Resident Privacy Rights
Under the California Consumer Privacy Act (CCPA), California residents have certain rights regarding their personal information. These rights include: - The categories of personal information we’ve collected, and the categories of sources where we got the information
- The business purposes for which we’ve shared their personal information
- The categories of third parties with whom we’ve shared their personal information
- Access to the specific pieces of personal information we’ve collected and to request deletion of that personal information, subject to certain exceptions
- The right to opt out of the sale of their personal information
- The right to not be discriminated against for exercising their CCPA privacy rights
- The right to correct inaccurate personal information
“Sensitive” Data is defined under California state law as:
- Social security, driver’s license, state identification card, or passport numbers
- An account login, financial account, debit card, or credit card number in combination with any required security codes
- Precise geo-location
- Racial and ethnic origins, religious or philosophical beliefs, union memberships
- Contents of mail, email, and text messages to unintended recipients
- Genetic data
- Biometric information if use to uniquely identify a person
- Personal health information
- Personal information related to a person’s personal life or sexual orientation
For purposes of these rights, “sold” and “business purpose” have the meanings given in the CCPA. If you submit an opt-out request, you will not be opted out from transactions that the CCPA does not deem to be sales. In addition, please note that the CCPA does not require us to delete personal information that we need to maintain for certain purposes.
Colorado Resident Privacy Rights
Under Colorado’s Consumer Privacy Act, (effective as of July 1, 2023), Colorado residents have certain rights regarding their personal information. This includes:
- Access to the specific pieces of personal information we’ve collected, and to request deletion of that personal information
- The right to opt out of the sale of their personal information
- The right to opt-out of targeted advertising
- The right to request correction of inaccurate personal information and to request to limit disclosure or use of your sensitive personal information
“Sensitive” Data is defined under Colorado state law as:
- Racial or ethnic origin
- Religious beliefs
- Sexual orientation
- Citizenship or immigration status
- Biometric or genetic data
- Information regarding an individual’s medical history, mental or physical health condition, medical treatment, or diagnosis
- Personal data from a known child
Connecticut Resident Privacy Rights
Under Connecticut’s Data Privacy Act, (effective as of July 1, 2023), Connecticut residents have certain rights regarding their personal information. This includes:
- Access the specific pieces of their personal information we’ve collected and to request deletion of that personal information
- The right to opt out of the sale of their personal information
- The right to opt-out of targeted advertising
- The right to request correction of inaccurate personal information and to request to limit disclosure or use of your sensitive personal information
“Sensitive” Data is defined under Connecticut state law as:
- Racial or ethnic origin
- Religious beliefs
- Sexual orientation
- Citizenship or immigration status
- Biometric or genetic data
- Information regarding an individual’s medical history, mental or physical health condition, medical treatment, or diagnosis
- Personal data from a known child
- Precise geolocation at a radius of 1,750 feet or less
Delaware Personal Data Privacy Act
The Delaware Personal Data Privacy Act (effective January 1, 2025) is a state-level legislative measure aimed at protecting the personal data of Delaware residents. It sets forth various requirements and obligations for businesses that handle personal data. Here are some key aspects of the DPDPA:
Scope and Applicability
The act applies to businesses operating in Delaware or targeting Delaware residents, handling a specified amount of personal data. It covers businesses that control or process the personal data of 10,000 or more consumers annually or derive more than 50% of their gross revenue from the sale of personal data. It covers businesses that control or process the personal data of 10,000 or more consumers annually or derive more than 50% of their gross revenue from the sale of personal data.
Consumer Rights
- Right to Access: Consumers can request access to their personal data held by a business.
- Right to Correction: Consumers can request corrections to inaccurate personal data.
- Right to Deletion: Consumers can request the deletion of their personal data.
- Right to Data Portability: Consumers can request a copy of their personal data in a portable format.
- Right to Opt-Out: Consumers can opt out of the sale of their personal data, targeted advertising, and profiling.
Business Obligations
- Data Minimization: Businesses must limit the collection of personal data to what is necessary for the purposes disclosed to consumers.
- Data Security: Businesses are required to implement reasonable security measures to protect personal data.
- Data Processing Agreements: When transferring data to third parties, businesses must ensure that data processing agreements are in place to protect personal data.
- Privacy Notices: Businesses must provide clear and transparent information about their data collection, use, and sharing practices.
Enforcement
The Delaware Attorney General has the authority to enforce the DPDPA. Penalties for non-compliance can include fines and other legal actions.
Exemptions
Certain types of data and entities are exempt from the act, such as data subject to federal regulations like HIPAA or Gramm-Leach-Bliley Act, and certain small businesses.
Indiana Consumer Data Protection Act
The Indiana Consumer Data Protection Act (effective January 1, 2026) is a state-level legislative measure designed to protect the personal data of Indiana residents. It outlines various rights for consumers and imposes specific obligations on businesses that collect, process, or sell personal data. Here are some key aspects of the ICDPA:
Scope and Applicability
The act applies to entities conducting business in Indiana or targeting Indiana residents. It primarily affects businesses that process personal data of 100,000 or more consumers annually or derive over 50% of their gross revenue from the sale of personal data.
Consumer Rights
- Right to Access: Consumers can request access to their personal data held by a business.
- Right to Correction: Consumers can request corrections to inaccurate personal data.
- Right to Deletion: Consumers can request the deletion of their personal data.
- Right to Data Portability: Consumers can request a copy of their personal data in a portable format.
- Right to Opt-Out: Consumers can opt out of the sale of their personal data, targeted advertising, and profiling.
Business Obligations
- Data Minimization: Businesses must limit data collection to what is necessary for the purposes disclosed to consumers.
- Data Security: Businesses are required to implement reasonable security measures to protect personal data.
- Data Processing Agreements: Businesses must ensure data processing agreements are in place when transferring data to third parties.
- Privacy Notices: Businesses must provide clear and transparent information about their data collection, use, and sharing practices.
Enforcement
The Indiana Attorney General has the authority to enforce the ICDPA. Penalties for non-compliance can include fines and other legal actions.
Iowa Consumer Data Protection Act
The Iowa Consumer Data Protection Act (effective January 1, 2025) is a legislative measure designed to protect the personal data of Iowa residents. Similar to data protection laws in other states, the ICDPA grants specific rights to consumers and imposes various obligations on businesses that handle personal data. Here are the key aspects of the ICDPA:
Scope and Applicability
The ICDPA applies to entities conducting business in Iowa or targeting Iowa residents. It primarily affects businesses that control or process personal data of 100,000 or more consumers annually, or control or process personal data of 25,000 or more consumers and derive over 50% of their gross revenue from the sale of personal data.
Consumer Rights
- Right to Access: Consumers can request access to their personal data held by a business.
- Right to Correction: Consumers can request corrections to inaccurate personal data.
- Right to Deletion: Consumers can request the deletion of their personal data.
- Right to Data Portability: Consumers can request a copy of their personal data in a portable format.
- Right to Opt-Out: Consumers can opt out of the sale of their personal data, targeted advertising, and profiling.
Business Obligations
- Data Minimization: Businesses must limit data collection to what is necessary for the purposes disclosed to consumers.
- Data Security: Businesses are required to implement reasonable security measures to protect personal data.
- Data Processing Agreements: Businesses must ensure data processing agreements are in place when transferring data to third parties.
- Privacy Notices: Businesses must provide clear and transparent information about their data collection, use, and sharing practices.
Enforcement
The Iowa Attorney General has the authority to enforce the ICDPA. Penalties for non-compliance can include fines and other legal actions.
Exemptions
Certain types of data and entities are exempt from the act, such as data subject to federal regulations like HIPAA or the Gramm-Leach-Bliley Act, and certain small businesses.
Kentucky Consumer Data Protection Act
The Kentucky Consumer Data Protection Act (KCDPA) is a state-level legislative measure designed to protect the personal data of Kentucky residents. It outlines various rights for consumers and imposes specific obligations on businesses that collect, process, or sell personal data. Here are some key aspects of the KCDPA:
Scope and Applicability
The KCDPA applies to entities conducting business in Kentucky or targeting Kentucky residents. It primarily affects businesses that control or process personal data of 25,000 or more consumers annually, or derive over 50% of their gross revenue from the sale of personal data.
Consumer Rights
- Right to Access: Consumers can request access to their personal data held by a business.
- Right to Correction: Consumers can request corrections to inaccurate personal data.
- Right to Deletion: Consumers can request the deletion of their personal data.
- Right to Data Portability: Consumers can request a copy of their personal data in a portable format.
- Right to Opt-Out: Consumers can opt out of the sale of their personal data, targeted advertising, and profiling.
Business Obligations
- Data Minimization: Businesses must limit data collection to what is necessary for the purposes disclosed to consumers.
- Data Security: Businesses are required to implement reasonable security measures to protect personal data.
- Data Processing Agreements: Businesses must ensure data processing agreements are in place when transferring data to third parties.
- Privacy Notices: Businesses must provide clear and transparent information about their data collection, use, and sharing practices.
Enforcement
The Kentucky Attorney General has the authority to enforce the KCDPA. Penalties for non-compliance can include fines and other legal actions.
Exemptions
Certain types of data and entities are exempt from the act, such as data subject to federal regulations like HIPAA or the Gramm-Leach-Bliley Act, and certain small businesses.
Minnesota Consumer Data Protection Act
The Minnesota Consumer Data Protection Act (MCDPA) is a state-level legislative measure designed to protect the personal data of Minnesota residents. It outlines various rights for consumers and imposes specific obligations on businesses that handle personal data. Here are some key aspects of the MCDPA:
Scope and Applicability
The MCDPA applies to entities conducting business in Minnesota or targeting Minnesota residents. It primarily affects businesses that control or process personal data of 100,000 or more consumers annually, or derive 25% or more of their gross revenue from the sale of personal data while processing data for at least 25,000 consumers.
Consumer Rights
- Right to Access: Consumers can confirm whether a business is processing their personal data and obtain a copy of that data.
- Right to Correction: Consumers can request corrections to inaccurate personal data.
- Right to Deletion: Consumers can request the deletion of their personal data.
- Right to Data Portability: Consumers can request a copy of their personal data in a portable and readily usable format.
- Right to Opt-Out: Consumers can opt out of the sale of their personal data, targeted advertising, and profiling that produces legal or similarly significant effects.
- Right to Question Profiling: A unique right for consumers to question profiling and be informed of the reasons for the profiling decision.
Business Obligations
- Data Minimization: Businesses must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes disclosed.
- Data Security: Businesses are required to implement reasonable security measures to protect personal data.
- Consent for Sensitive Data: Businesses cannot process a consumer's sensitive data (e.g., racial or ethnic origin, religious beliefs, health diagnosis, sexual orientation) without first obtaining the consumer's consent.
- Data Protection Assessments: Businesses must conduct data protection assessments for processing activities that present a heightened risk of harm to consumers, such as targeted advertising, data sales, or profiling.
- Privacy Notices: Businesses must provide clear and transparent information about their data collection, use, and sharing practices.
Enforcement
The Minnesota Attorney General has the authority to enforce the MCDPA. Penalties for non-compliance can include fines and other legal actions. The act does not provide a private right of action for consumers.
Montana Consumer Data Protection Act
The Montana Consumer Data Protection Act (MCDPA) is a state-level legislative measure designed to protect the personal data of Montana residents. It outlines various rights for consumers and imposes specific obligations on businesses that handle personal data. Here are some key aspects of the MCDPA:
Scope and Applicability
The MCDPA applies to entities conducting business in Montana or targeting Montana residents. It primarily affects businesses that control or process personal data of 50,000 or more consumers annually, or derive over 25% of their gross revenue from the sale of personal data.
Consumer Rights
- Right to Access: Consumers can request access to their personal data held by a business.
- Right to Correction: Consumers can request corrections to inaccurate personal data.
- Right to Deletion: Consumers can request the deletion of their personal data.
- Right to Data Portability: Consumers can request a copy of their personal data in a portable format.
- Right to Opt-Out: Consumers can opt out of the sale of their personal data, targeted advertising, and profiling.
Business Obligations
- Data Minimization: Businesses must limit data collection to what is necessary for the purposes disclosed to consumers.
- Data Security: Businesses are required to implement reasonable security measures to protect personal data.
- Data Processing Agreements: Businesses must ensure data processing agreements are in place when transferring data to third parties.
- Privacy Notices: Businesses must provide clear and transparent information about their data collection, use, and sharing practices.
Enforcement
The Montana Attorney General has authority to enforce the MCDPA. Penalties for non-compliance can include fines and other legal actions.
Exemptions
Certain types of data and entities are exempt from the act, such as data subject to federal regulations like HIPAA or the Gramm-Leach-Bliley Act, and certain small businesses. The MCDPA aims to enhance consumer privacy protections and ensure that businesses adhere to responsible data management practices. By providing consumers with more control over their personal data and demanding greater transparency from businesses, the act reflects a growing movement towards comprehensive state-level data privacy legislation in the United States.
Nebraska Consumer Data Protection Act
The Nebraska Data Protection Act (effective January 1, 2025) is a state-level legislative measure designed to protect the personal data of Nebraska residents. It outlines various rights for consumers and imposes specific obligations on businesses that handle personal data. Here are some key aspects of the NCDPA:
Scope and Applicability
The NDPA applies to entities conducting business in Nebraska or targeting Nebraska residents. It primarily affects businesses that control or process personal data of 50,000 or more consumers annually, or derive over 25% of their gross revenue from the sale of personal data.
Consumer Rights
- Right to Access: Consumers can request access to their personal data held by a business.
- Right to Correction: Consumers can request corrections to inaccurate personal data.
- Right to Deletion: Consumers can request the deletion of their personal data.
- Right to Data Portability: Consumers can request a copy of their personal data in a portable format.
- Right to Opt-Out: Consumers can opt out of the sale of their personal data, targeted advertising, and profiling.
Business Obligations
- Data Minimization: Businesses must limit data collection to what is necessary for the purposes disclosed to consumers.
- Data Security: Businesses are required to implement reasonable security measures to protect personal data.
- Data Processing Agreements: Businesses must ensure data processing agreements are in place when transferring data to third parties.
- Privacy Notices: Businesses must provide clear and transparent information about their data collection, use, and sharing practices.
Enforcement
The Nebraska Attorney General has the authority to enforce the NDPA. Penalties for non-compliance can include fines and other legal actions.
Exemptions
Certain types of data and entities are exempt from the act, such as data subject to federal regulations like HIPAA or the Gramm-Leach-Bliley Act, and certain small businesses.
New Hampshire Data Privacy and Security Act
The New Hampshire Data Privacy and Security Act (effective January 1, 2025) is a state-level legislative measure designed to protect the personal data of New Hampshire residents. It outlines various rights for consumers and imposes specific obligations on businesses that handle personal data. Here are some key aspects of the NHDPPA:
Scope and Applicability
The NHDPPA applies to entities conducting business in New Hampshire or targeting New Hampshire residents. It primarily affects businesses that control or process personal data of 50,000 or more consumers annually, or derive over 25% of their gross revenue from the sale of personal data.
Consumer Rights
- Right to Access: Consumers can request access to their personal data held by a business.
- Right to Correction: Consumers can request corrections to inaccurate personal data.
- Right to Deletion: Consumers can request the deletion of their personal data.
- Right to Data Portability: Consumers can request a copy of their personal data in a portable format.
- Right to Opt-Out: Consumers can opt out of the sale of their personal data, targeted advertising, and profiling.
Business Obligations
- Data Minimization: Businesses must limit data collection to what is necessary for the purposes disclosed to consumers.
- Data Security: Businesses are required to implement reasonable security measures to protect personal data.
- Data Processing Agreements: Businesses must ensure data processing agreements are in place when transferring data to third parties.
- Privacy Notices: Businesses must provide clear and transparent information about their data collection, use, and sharing practices.
Enforcement
The New Hampshire Attorney General has the authority to enforce the NHDPPA. Penalties for non-compliance can include fines and other legal actions.
Exemptions
Certain types of data and entities are exempt from the act, such as data subject to federal regulations like HIPAA or the Gramm-Leach-Bliley Act, and certain small businesses.
New Jersey Data Protection Act
The New Jersey Data Protection Act (effective January 15, 2025) is a state-level legislative measure designed to protect the personal data of New Jersey residents. It outlines various rights for consumers and imposes specific obligations on businesses that handle personal data. Here are some key aspects of the NJDPA:
Consumer Rights under the NJDPA
- Right to Know: Consumers can confirm whether a business is processing their personal data and access details about the categories of data collected, the purpose of processing, and any third-party disclosures.
- Right to Correction: Consumers have the right to request correction of inaccurate personal data.
- Right to Deletion: Consumers can request deletion of their personal data, with some exceptions for businesses with legal obligations to retain data.
- Right to Portability: Consumers can obtain a copy of their personal data in a transferable format that allows them to move it to another business.
- Right to Opt-Out: Consumers can opt-out of the processing of their personal data for: Targeted advertising. Sale of personal data (except for consumers under 18, where opt-in is required).Profiling in furtherance of automated decisions that produce legal or similar effects concerning them.
Business Obligations under the NJDPA
- Applicability: The NJDPA applies to businesses that meet at least one of the following criteria: Control or process personal data of at least 100,000 consumers annually (increased from 50,000 after July 1, 2027).Derive over 50% of their gross revenue from the sale of personal data and process the data of at least 25,000 consumers annually.
- Privacy Notice: Businesses must provide a clear and comprehensive privacy notice explaining: The categories of personal data collected. The purposes for processing the data. Consumers’ rights under NJDPA and how to exercise them. The categories of third parties with whom data is shared. How consumers can opt-out of the sale of personal data and targeted advertising (starting July 15, 2025, universal opt-out mechanisms must be recognized).
Enforcement
The New Jersey Attorney General’s Office is responsible for enforcing the NJDPA. The Attorney General can investigate violations, issue civil penalties, and seek injunctive relief. Consumers can also file private lawsuits for certain violations.
Additional Notes
The NJDPA exempts certain data from its scope, including public data and data covered by other specific privacy laws (e.g., HIPAA).The NJDPA prohibits discrimination against consumers for exercising their rights under the law. Businesses have a duty to respond to consumer requests within a reasonable timeframe (generally 45 days).
Oregon Consumer Privacy Act
The Oregon Consumer Privacy Act (effective July 1, 2024) is a state-level legislative measure designed to protect the personal data of Oregon residents. It outlines various rights for consumers and imposes specific obligations on businesses that handle personal data. Here are some key aspects of the OCPA:
Consumer Rights under the OCPA
- Right to Access: Consumers can confirm whether a business is processing their personal data and request details about the categories of data collected, the purpose of processing, and any third-party disclosures.
- Right to Correction: Consumers have the right to request correction of inaccurate personal data.
- Right to Deletion: Consumers can request deletion of their personal data, including data they provided directly, data obtained from other sources, and derived data.
- Right to Data Portability: Consumers can obtain a copy of their personal data in a transferable format that allows them to easily move it to another business.
- Right to Opt-Out: Consumers can opt-out of the sale of their personal data and targeted advertising. Additionally, they have the right to opt-in for the processing of “sensitive data” such as social security numbers, passport numbers, or data revealing race, religion, or sexual orientation.
Business Obligations under the OCPA
- Applicability: The OCPA applies to businesses that control or process the personal data of at least 25,000 Oregon residents annually, or derive over 50% of their gross revenue from the sale of personal data and process the data of at least 10,000 Oregon residents annually.
- Privacy Notice: Businesses must provide a clear and comprehensive privacy notice explaining the categories of personal data collected, the purposes for processing, how consumers can exercise their rights, and the categories of third parties with whom data is shared.
- Data Minimization: Businesses can only collect personal data that is reasonably necessary for the disclosed purposes.
- Reasonable Security: Businesses must implement reasonable security measures to protect personal data from unauthorized access, disclosure, or use.
- Data Processing Assessments: For activities that present a heightened risk of harm to consumers, such as targeted advertising, sale of data, or profiling for automated decisions, businesses must conduct data privacy assessments to identify and mitigate risks.
- Consumer Requests: Businesses must establish a mechanism for consumers to submit requests to exercise their rights and respond to requests within a reasonable timeframe (generally within 45 days).
Enforcement
The Oregon Attorney General’s office is responsible for enforcing the OCPA. Consumers can file complaints with the Attorney General if they believe a business has violated their rights.
Additional Notes
The OCPA exempts certain data from its scope, including public data, de-identified data, and data covered by other specific privacy laws (e.g., HIPAA).The OCPA allows businesses to charge a reasonable fee for data portability requests if they exceed a certain frequency.
Tennessee Information Protection Act
The Tennessee Information Protection Act (effective July 1, 2025) grants Tennessee residents control over their personal data and places obligations on businesses that handle this data. Here’s a comprehensive look at TIPA’s key provisions:
Consumer Rights under the TIPA
- Access, Correction, and Deletion: Consumers have the right to: Confirm whether a business is processing their personal information. Access a copy of their personal information. Request correction of any inaccuracies in their data. Request deletion of their personal information, subject to certain exceptions.
- Data Portability: Consumers can obtain their personal information in a usable and portable format to transfer it to another business.
- Opt-Out Rights: Consumers have the right to opt-out of: The sale of their personal information. Targeted advertising based on their personal information. Profiling that results in automated decisions that have a significant impact on them.
Business Obligations under the TIPA
- Applicability: TIPA applies to businesses that meet at least one of the following criteria: Control or process personal information of at least 175,000 consumers in a year and have over $25 million in gross revenue. Control or process personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal data.
- Privacy Notice: Businesses must provide a clear and comprehensive privacy notice explaining: The categories of personal information collected. The purposes for processing the data. Consumers’ rights under TIPA and how to exercise them. The categories of third parties with whom data is shared.
- Reasonable Security: Businesses must implement reasonable security measures to protect personal data from unauthorized access, disclosure, or use.
- Data Minimization: Businesses can only collect personal data that is reasonably necessary for the disclosed purposes.
- Contracts with Processors: Businesses must have written contracts with any third-party processors that handle personal data on their behalf. These contracts must ensure the processors comply with TIPA’s requirements.
Enforcement
The Tennessee Attorney General’s office is responsible for enforcing TIPA. While consumers cannot directly sue businesses under TIPA, the Attorney General can take legal action against businesses for violations.
Exceptions and Additional Notes
TIPA exempts certain data from its scope, including public data and data covered by other specific privacy laws (e.g., HIPAA).TIPA offers a unique “affirmative defense” provision. Businesses that create and comply with a written privacy policy that aligns with the National Institute of Standards and Technology (NIST) Privacy Framework or other documented standards designed to safeguard consumer privacy may have a defense against TIPA violations.Businesses are exempt from certain provisions if they are already subject to and comply with stricter federal privacy laws. Notably, TIPA exempts all insurance companies licensed under Tennessee law.
Texas Resident Privacy Rights
Texas is the latest state to pass new resident privacy protection laws. Known as the Texas Data Privacy and Security Act, (effective March 1, 2024), Texas residents will have certain rights regarding their personal information. This includes:
- Access the specific pieces of their personal information we’ve collected and to request deletion of that personal information
- Confirm that the data controller is processing their data
- Correct inaccuracies in their personal data
- Delete their personal data
- Obtain a copy of their data in a portable and readily usable format
- Opt out of having their data processed for the purpose of targeted advertising, the sale of their data, or profiling that produces a legal or significant effect on the consumer
Sensitive Data“Sensitive” Data is defined under Texas state law as:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
- Genetic or biometric data
- Children’s data
- Precise geolocation data
The entity maintaining this website is a data broker under Texas law. To conduct business in Texas, a data broker must register with the Texas Secretary of State (Texas SOS). Information about data broker registrants is available on the Texas SOS website.
Utah Resident Privacy Rights
Under Utah’s Consumer Privacy Act, (effective as of December 31, 2023), Utah residents have certain rights regarding their personal information. This includes:
- Access the specific pieces of their personal information we’ve collected and to request deletion of that personal information
- The right to opt out of the sale of their personal information
- The right to opt-out of targeted advertising
- The right to request correction of inaccurate personal information and to request to limit disclosure or use of your sensitive personal information
Sensitive Data
“Sensitive” Data is defined under Utah state law as:
- Racial or ethnic origin
- Religious beliefs
- Sexual orientation
- Citizenship or immigration status
- Biometric or genetic data
- Information regarding an individual’s medical history, mental or physical health condition, medical treatment, or diagnosis
- Personal data from a known child
- Precise geolocation at a radius of 1,750 feet or less
Virginia Resident Privacy Rights
Under Virginia’s Consumer Data Protection Act, (effective as of January 1, 2023), Virginia residents have certain rights regarding their personal information. This includes:
- Access the specific pieces of their personal information we’ve collected and to request deletion of that personal information
- The right to opt out of the sale of their personal information
- The right to opt-out of targeted advertising
- The right to request correction of inaccurate personal information and to request to limit disclosure or use of your sensitive personal information
Sensitive Data
“Sensitive” Data is defined under Virginia state law as:
- Racial or ethnic origin
- Religious beliefs
- Sexual orientation
- Citizenship or immigration status
- Biometric or genetic data
- Information regarding an individual’s medical history, mental or physical health condition, medical treatment, or diagnosis
- Personal data from a known child
- Precise geolocation at a radius of 1,750 feet or less
Vermont Data Broker Act
The Act relating to Data Brokers and Consumer Protection went into full effect on January 1, 2019. The Data Broker Act imposes specific registration, disclosure, and security requirements on data brokers. Additionally, the Data Broker Act prohibits any person or entity from fraudulently acquiring or using brokered personal information. The Data Broker Act defines the term ‘data broker’ as any business or unit of businesses that knowingly collects and sells, or licenses to third parties, ‘brokered personal information’ of a consumer (i.e.. a Vermont resident) with whom the business does not have a direct relationship. “Brokered personal information” includes any of the following data elements about a consumer, if categorized or organized for dissemination to third parties:
- Name
- Address
- Date or place of birth
- Mother’s maiden name
- Unique biometric data that can identify or authenticate a consumer (e.g. fingerprint, retina, or iris image)Name or address of a member of the consumer’s immediate family or household
- Social security number or other government-issued identification number
- Any other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable certainty
Data brokers must register with the Vermont Secretary of State annually and must provide certain information as part of that process. The purpose of the registration requirement is to provide consumers with factual information to help protect themselves from deception related to data broker activities.
