Due Diligence: Third Party Data Vendors

Post on 01-Mar-2020


Page 1: Due Diligence: Third Party Data Vendors · Third Party Data •Third-party data is generated by another company, on other platforms, and is often aggregated from online or offline

Due Diligence: Third Party Data Vendors


First Party Data

• First-party data is YOUR data, collected from your own audience and customers. This can include data from:

  • Behaviors, actions or interests demonstrated across your website(s);

  • CRM data;

  • subscription data;

  • social data that you have rights to;

  • or cross-platform data from mobile web or apps.

• High Value

• High Quality

• Safe


Third Party Data

• Third-party data is generated by another company, on other platforms, and is often aggregated from online or offline sources.

• There are many companies out there that sell third-party data, and it is accessible through many different avenues.

• It is much higher-risk than first-party data because you lack control over the privacy and data collection practices behind it.


Special Challenges for 3rd Party Data

• Industry Norms are deficient and outdated.

• Historical reliance on contracts is not sufficient for mitigating risk.

  • Reduce liability

  • Reputational risk?

  • Risk of getting dragged into litigation?

  • Must VALIDATE what is being represented and warranted in the contract.

• Vendor Risk Tolerance vs. Your Risk Tolerance

• Credentialing the data, not just the vendor.

• Laws and self-regulatory guidelines are often behind the curve.


4 Steps: Vendor & Data Due Diligence

1. Credential the Vendor

2. Credential the Data

3. Permission the Data

4. Ongoing Due Diligence


Credentialing the Vendor

• Assess the Risk: Classify the vendor based on level of risk.

  • Type of data, company size, reputation, memberships, sophistication, understanding of privacy concerns, years in business, etc.

• Conduct due diligence to verify incorporation, memberships, complaints, open litigation, etc.

• Conduct a security assessment on the data delivery method.

• Identify the sub-vendors/data sources


Credentialing the Data

• Risk-based approach based on the type of data and data collection.

• First, understand the data’s origin: government or public records, publicly available data, self-reported data, data from consumer-facing commercial entities, etc.

• Is the vendor a collector or an aggregator?

• Licensing Rights - Investigate whether the vendor has the legal and contractual rights to transfer the data for its intended purpose.

  • Where applicable (data aggregators), request redacted contract terms demonstrating rights to license the data or create derivative products.


Credentialing the Data

Second, you must understand the privacy, legal, self-regulatory, and corporate burdens that must be met based on the type of data and method of data collection.

1. Privacy: Is notice and choice required? Is it sufficient?

2. Legal: Do any industry-specific laws apply?

  • HIPAA, GLBA, FCRA, public records laws, etc.?

3. Self-Regulatory: Do any specific self-regs apply?

4. Corporate: Do any internal corporate policies or best practices apply?

  • Corporate ethics

  • Risk tolerance considerations: legal, reputational

  • Specific corporate policies


Credentialing the Data

Third, once you know the burdens that must be met, validate that they have been met.

• Validate the vendor’s representations.

• Contracts are NOT enough!

• Can you trust the vendor’s representations? NO! (trust me)

• Difficult task for data aggregators.

• Consider the “consumer experience.”

• Privacy and licensing permissions follow the data.


Credentialing the Data

• Fourth, permission the data for use based on what you’ve learned.

• Privacy permissions and licensing rights follow the data.

• Conduct periodic assessment of permissions.


The Contract

The data licensing agreement (contract) should reflect what you’ve learned.

Reps and warranties about the data and data collection.

Permitted uses of the data.


Ongoing Due Diligence

• Perform ongoing due diligence for the vendor, the data, and your use of the data.

  • Annual re-certification

  • Due diligence at contract amendment and renewal

  • Internal audit of data use


Best Practices: Credentialing Questionnaire

• To start the due diligence process, develop a questionnaire to gather information about the vendor, the data, and the data’s collection.

• Saves time and identifies key issues and questions to be addressed.


Best Practices: Credentialing Questionnaire

Information about the VENDOR

1. Company name, address, website, contact person, etc.

2. State of incorporation.

3. Number of years in business.

4. Company size.

5. Corporate memberships and associations (e.g., IAPP, DAA, NAI, DMA, etc.).

6. A copy of the vendor’s consumer-facing privacy notice.

7. Has the company been part of a government inquiry or investigation in the last 12 months?

8. Pending litigation?

9. Consumer Affairs complaints?


Best Practices: Credentialing Questionnaire

Information about the DATA

1. A detailed description of the data/file.

2. A complete list of the data elements.

3. Is the vendor the original collector of the data or a data aggregator?

4. The original points of collection and the method of collection for the data.

5. In what country(ies) is the data collected and stored?

6. A copy of or link to every privacy policy (governing the collection, use, and transfer of the data) under which the data has been collected.


Best Practices: Credentialing Questionnaire

Information about the DATA (continued)

7. If data is collected online, a complete list of URLs (conduct a due diligence review of those URLs).

8. Notice: If the data is about individuals, is a privacy policy made available at the point of collection that includes information about the collection, transfer, and use of the individual’s information? Can those privacy policies be provided for review?

9. Choice: If the data is about individuals, do you (or the data collector) provide a mechanism by which the individual can exercise choice to “opt-out” or prevent transfer of their data to third parties?

10. Does the data contain any information on children/minors? If so, under 18? Under 13?


Best Practices: Annual Data Re-Certification

• Approved vendors should be contractually required to complete an “Annual Data Re-Certification” to ensure that the data collection methods of the data partner have not substantially changed and still meet all applicable requirements.

• Questions should be similar to the certification questionnaire and reviewed for changes.
