EDAA Trust Seal

Epsilon Services Privacy Notice

Last Modified: May 18, 2022

I. Introduction

A. Welcome

Welcome to the Epsilon Privacy Notice (“Privacy Notice”). Epsilon Data Management, LLC, along with our affiliates, Conversant LLC and Citrus Ad International, Inc. (“we”, “our,” “us”, “Epsilon”), provide a variety of marketing data, consumer analytics, and marketing technologies services (“Services”). More information about our services can be found via the Products & Services tab of our website.

We respect consumer privacy and believe that data protection is essential to the growth and prosperity of the internet. A personalized experience, online and offline, can provide significant benefits to consumers if done properly. In accordance with these beliefs, Epsilon strives to create results for advertisers in revolutionary ways, without comprising consumers’ privacy. This Privacy Notice is created and maintained as part of our commitment to provide consumers with transparency and choice on how we process their personal data. We have taken steps to describe our personal data processing activities as clearly and easy-to-read as possible and encourage you to read the entire Privacy Notice.

B. Scope of this Privacy Notice

This Privacy Notice describes how Epsilon collects, uses, shares, and protects any personal data we process in connection with our Services. This Privacy Notice also explains the measures we take to safeguard your information and describes how you may contact us regarding our privacy practices. When we say “you” we are referring to individuals that interact with our Services, including the person reading this Privacy Notice.

This Privacy Notice applies only to Epsilon’s processing of information about you in connection with its Services as described below in Section I.B., as well as any other related services that refer or link to this Privacy Notice.

This Privacy Notice does not apply to the following activities:

  • Employment or Contractors. This Privacy Notice does not cover our processing of personal data in connection with employment by Epsilon or contractors that do business with Epsilon. If you are an employee or former employee of Epsilon, please contact your local Human Resources Office or the Data Protection Office for more information.
  • Epsilon’s Own Websites. If you are looking for information on how Epsilon collects and uses personal data in connection with visitors to our website (epsilon.com), which includes our clients, prospective clients, business-to-business contacts, please click here to view our Website Privacy Notice.
  • Epsilon Services Provided as a Processor (or Service Provider): Information collected, provided, and processed by Epsilon Clients. Please note that this Privacy Notice does not apply to services provided by Epsilon while acting strictly on behalf of a client as a processor (or service provider). If you have any questions about a particular company’s processing of your personal data, please contact that company directly. More information about this exception is detailed in section IV below.
  • Services Offered Outside of North America. This Privacy Notice applies only to Epsilon services offered in North America. For Epsilon Services offered in any other region, please visit our Global Privacy Policies Page.
  • Shopper’s Voice. For information about Shopper’s Voice privacy practices, please visit the dedicated Shopper’s Voice Privacy Policy.

II. Information Collection

To provide our Services, we must collect some information about you. Epsilon collects personal data through a variety of means, such as by observing your online interactions with our advertisements, through third party data partners, and from public sources.

The categories of information we have collected in the preceding 12 months, and the sources we obtain the information from, is provided in more detail below:

A. Categories of Personal Data Collected

  1. Commercial or transactions information: e.g., records of personal property, goods or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
  2. Demographical and statistical information: e.g., information regarding membership in protected classes or classification, such as information about a consumer’s race, color, age, medical condition (where self-reported), ancestry, national origin, religion, ethnicity, marital status, or gender.
  3. Device information and other personal identifiers: e.g., name; alias; postal address; online identifiers; IP address; email address; account name; or hashed identifiers.
  4. Inferences: e.g., inferences drawn from any of the information identified in this section to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
  5. Internet or other electronic network activity information: e.g., browsing history; search history; online interests, such as information about categories of consumer interests derived from online usage; and information on a consumer's interaction with a website, application, or advertisement.
  6. Geolocation information: e.g., non-precise location information inferred from your device or IP address, or precise location of your device if you have provided permission for such location to be collected.
  7. Professional or employment-related information: e.g., business name, job title, or job history.

B. Sources of Personal Data Collected

The categories of information identified above has been collected via various methods and sources:

Indirectly from you: We utilize automated technologies, such as cookies, log files, pixels, tags, or other similar technologies to collect information from you when you view or interact with one of our internet advertisements, or when you visit a website that has implemented our automated technologies, such as our advertiser or publisher websites. We require all such websites to provide you with appropriate notice of such collection.

Directly from You: We may also receive personal data from directly from you, such as when you inquire about our services, or when you complete our consumer surveys.

Third Parties: We additionally collect information from you from various other companies. Such third parties can be categorized as follows:

  • Advertising Networks
  • Food & Beverage Companies
  • Advertising/Marketing Companies
  • Gift Product Companies
  • Affiliates not under the Epsilon brand
  • Health and Wellness Product and Service Companies
  • Apparel & Accessory Companies
  • Internet Service Providers
  • Automotive Companies
  • Lifestyle & Interest Product Companies
  • Business Service/Agencies
  • Manufacturing Companies
  • Business to Business Companies
  • Marketing Data Companies
  • Communication Services Companies
  • Not for Profit Organizations
  • Consumer Data Resellers
  • Operating Systems and Platforms
  • Consumer Packaged Goods Companies
  • Parenting Product Companies
  • Consumer Services Companies
  • Public or Government Entities
  • Data Analytics Providers
  • Publishing Product Companies
  • Educational Institutions & Companies
  • Social Networks
  • Electronics Companies
  • Technology/Computer Software Companies
  • Energy and Utility Companies
  • Telecommunications Companies
  • Financial Services Companies
  • Travel, Leisure & Entertainment Companies

III. Purposes of Personal Data Collection

Epsilon collects and uses your personal data for the following purposes:

A. Interest-Based Advertising

We help companies serve personalized advertising across the Internet, including web browsers and mobile applications, in a variety of ways such as banner and video ads. Some of the online ads you are served may be based on the content of the webpage you’re visiting; others may be based on registration or other information you provide to us and our partners; and other ads may be customized based on predictions about your interests generated from your visits to other websites. This practice of customizing and providing online ads is often called interest-based advertising, or IBA.

Some examples of our IBA activities include:

  • Helping clients identify and target ads to online audiences based on common demographics and/or shared (actual or inferred) interests or preferences (e.g., consumers interested in winter apparel). When we do this, we handle information provided by our Clients (for instance, their own customer files) and “match” their information through pseudonymization techniques (such as through coded data “hashing”) with online cookies and other identifiers. We then use these cookies and identifiers to target and measure ad campaigns online across various display, mobile and other media channels.
  • Assisting clients by creating “identity” graphs, to help locate users across various channels, such as connecting identities based on common personal, device-based, or network-based identifiers (e.g., cookie ID, IP address, or hashed email address).

B. Data for Marketing & Analytics Purposes

Epsilon collects personal data from the sources identified above to create consumer databases. Epsilon’s consumer databases help companies get a full view of their customers and prospective customers to help them predict future buying behaviors and to help them build brand loyalty. Epsilon’s consumer databases enable marketers to connect with new and existing consumers in both digital and offline channels, such as direct mail and online advertisements. Additionally, Epsilon’s consumer database can be used by companies for analytics purposes to provide insights on trends in the marketplace or business intelligence related to the company’s industry.

Some examples of the use of our data for marketing and analytics services include (which may overlap with IBA activities, above):

  • Providing marketing information to our clients, generally regarding their marketing, fundraising, customer service and engagement, and outreach activities.
  • Providing information to companies about customers and prospective customers in order for the companies to provide better service, improved offerings, and promotions.
  • Assisting in targeting and optimizing of direct mail and email campaigns, display, mobile and social media marketing.
  • Measuring the effectiveness of online or offline ad campaigns by determining which messages are most likely to be seen or opened by which types of consumers, or which types of ads are most likely to lead to purchases.
  • Analyzing and optimizing our clients’ (or their service providers’) proprietary databases, or helping clients to identify and mitigate potential fraud.
  • Providing “identity” or data “hygiene” services, which is how companies update and/or “clean” their databases by either verifying, enhancing, updating, or removing, incorrect or outdated information.
  • Creating trend reports and business intelligence to be used by companies in the development of new products or financial projections

C. Operating Our Services:

For example:

  • Improving, testing, updating, and verifying our own data and data services.
  • Developing new services.
  • Operating, analyzing, improving, and securing our Services.

D. Other Internal Purposes:

For example: internal research, internal operations, auditing, detecting security incidents, debugging, short-term and transient use, quality control, and legal compliance. 

IV. Processing of Personal Data as a Processor or for “Agency” Services

Epsilon, as a processor (or service provider), provides its clients with agency services as well as an email platform, loyalty service platform, and other such technology platforms. For instance, clients leverage Epsilon to schedule and manage their email campaigns and manage their loyalty and incentive programs. When our clients provide us with information relating to their customer, prospective customers or other individuals, we handle it on behalf of our clients as a processor (or service provider).

Our clients determine how to engage with their customers and thus act as the business that determines the purposes and means of handling their customer or “CRM” data. Under these circumstances, consumers are ultimately subject to the privacy policy(ies) of the clients controlling their data, and they should read those policy(ies) carefully. We are not responsible for the privacy practices of our clients. Accordingly, this Privacy Notice and the rights acknowledged herein do not apply to personal data that is provided by our clients and that Epsilon handles on behalf of our clients.

While Epsilon strongly encourages its clients to adopt responsible approaches to its marketing practices, Epsilon is not responsible for the data practices of such clients.

IV. Disclosure and Sale of Personal data

A. Sharing with Third Parties.

We will share your personal data for the various purposes described above, both with service providers and with other third parties, such as our clients. All of the information we collect, as identified above in section II.A., may have been shared and sold (based on the California Consumer Privacy Act’s definition of “sell”) with the following categories of third parties in the past 12 months:

  • Advertising Networks
  • Food & Beverage Companies
  • Advertising/Marketing Companies
  • Gift Product Companies
  • Affiliates not under the Epsilon brand
  • Health and Wellness Product and Service Companies
  • Apparel & Accessory Companies
  • Internet Service Providers
  • Automotive Companies
  • Lifestyle & Interest Product Companies
  • Business Service/Agencies
  • Manufacturing Companies
  • Business to Business Companies
  • Marketing Data Companies
  • Communication Services Companies
  • Not for Profit Organizations
  • Consumer Data Resellers
  • Operating Systems and Platforms
  • Consumer Packaged Goods Companies
  • Parenting Product Companies
  • Consumer Services Companies
  • Public or Government Entities
  • Data Analytics Providers
  • Publishing Product Companies
  • Educational Institutions & Companies
  • Social Networks
  • Electronics Companies
  • Technology/Computer Software Companies
  • Energy and Utility Companies
  • Telecommunications Companies
  • Financial Services Companies
  • Travel, Leisure & Entertainment Companies

B. Sharing for Other Purposes

We also may share any of the personal data we collect for the following purposes:

Sharing for Legal Purposes: In addition, we may share personal data with other parties in order to: (a) comply with legal process or a regulatory investigation (e.g. regulatory authorities’ investigation, subpoena, or court order); (b) enforce our Terms of Service, this Privacy Notice, or other contracts with you, including investigation of potential violations thereof; (c) respond to claims that any content violates the rights of other parties; and/or (d) protect the rights, property or personal safety of us, our platform, our customers, our agents and affiliates, its users and/or the public. We likewise may provide information to other companies and organizations (including law enforcement) for fraud protection, and spam/malware prevention, and similar purposes.

Sharing In Event of a Corporate Transaction: We may also share personal data in the event of a major corporate transaction, including for example a merger, investment, acquisition, reorganization, consolidation, bankruptcy, liquidation, or sale of some or all our assets, or for purposes of due diligence connected with any such transaction.

Sharing With Service Providers: We may share any personal data we collect with our service providers, which may include (for instance) providers involved in tech or customer support, operations, web or data hosting, billing, accounting, security, marketing, data management, validation, enhancement, or hygiene, or otherwise assisting us to provide, develop, maintain, and improve our services.

Aggregate, Deidentified, or Anonymized Information: We may aggregate, de-identify and/or anonymize any information collected so that such information can no longer be linked to you or your device (“Aggregate/De-Identified Information”). We may use Aggregate/De-Identified Information for any purpose, including without limitation for research and marketing purposes, and may also share such data with any other party, including advertisers, promotional partners, and sponsors, in our discretion, unless otherwise prohibited by applicable law.

V. Your Rights and Choices Regarding Your Personal data

A. California Residents

California residents, under the California Consumer Privacy Act of 2018 (“CCPA”), have specific rights with regard to their personal data. This section describes what rights you have with regard to your personal data, and how to exercise those rights and our process for handling those requests. To the extent permitted by applicable law, we may charge a reasonable fee to comply with your request.

You may exercise any of the following rights by filling out and submitting our online request form or by calling toll-free (866) 267-3861.

1.1. Information from our clients

We also acknowledge that you may have certain rights under the CCPA in connection with the personal data we process on behalf of our clients. If personal data about you has been processed by us as a processor (or as a service provider) on behalf of a client and you wish to exercise any of the rights described below, please provide the name of our client on whose behalf we processed your personal data. We will refer your request to that client and will support them to the extent required by applicable law in responding to your request.

1.2 Right to request access to your personal data

California residents have the right to request that we disclose what categories of personal data that we collect, use, disclose, or sell about them. In particular, you may request by submitting our online request form:

  • the specific pieces of personal data that we have collected about you;
  • the categories of personal data we have collected about you;
  • the categories of sources from which the personal data was collected;
  • the categories of personal data about you we disclosed for a business purpose or sold;
  • the categories of third parties to whom the personal data was disclosed for a business purpose or sold; and
  • the business or commercial purpose for collecting or selling the personal data.

1.3 Right to request deletion of your personal data

California residents may also request that we delete any personal data that we collected from you. However, we may retain personal data for certain important purposes, as set out by law. When we receive and verify your request to delete your personal data, we will proceed to delete the data unless an exception applies.

1.4 Right to nondiscrimination.

We will not deny, charge different prices for, or provide a different level of quality of goods or services if you choose to exercise these rights.

1.5 Right to Opt-out of the sale of your personal data.

The CCPA broadly defines what constitutes a “sale” – including in the definition making available a wide variety of information in exchange for “valuable consideration.” To the extent we engage in the “sale” of your personal data as defined by CCPA, California residents may opt out of the “sale” of their personal data.

Depending what information we have about you, and whether we have included any of it in our services, we may have sold (as defined by California law) certain categories of information about you in the last 12 months, as identified above in Section II.A. of this Privacy Notice. If you would like to opt out, you may do so as outlined on the following page: Do Not Sell My Personal data. You can also submit a sale opt-out request by calling toll-free (866) 267-3861. Please note that we do not knowingly sell the personal data of minors under 16 years of age without legally-required affirmative authorization.

1.6 Shine the Light

To the extent you are a survey respondent to one of our Shoppers’ Voice surveys and you are a resident of California, you may request (i) a list of categories of personal data disclosed by Epsilon to third parties during the immediately preceding calendar year for those third parties’ own direct marketing purposes; and (ii) a list of categories of third parties to whom we disclosed such information. You may make a request by submitting our online request form.

1.7 Verification and Authorized Agent

Please note that certain information may be exempt from such requests under California law. We also will take reasonable steps to verify your identity before responding to a request, which may include, at a minimum, depending on the type of request you are making, using a series of test questions. The verification test questions are performed by and verified against the personal data held by our vendor, LexisNexis.

You are also permitted to designate an authorized agent to submit certain requests on your behalf. In order for an authorized agent to be verified, you must provide the authorized agent with signed, written permission to make such requests (which we may ask to review) or a power of attorney. We may also follow up with you to verify your identity before processing the authorized agent’s request.

1.8. How to exercise your CCPA privacy rights

California residents may exercise their CCPA rights by filling out and submitting our online request form or by calling toll-free (866) 267-3861.

1.9 Disclosure of Financial Incentives

California law also gives residents the right to: (1) request that we provide you with information about the financial incentives that we offer to you and (2) not be discriminated against (as provided for in applicable law) for exercising certain of your rights. Please see the Shopper’s Voice privacy policy for information about financial incentives provided in exchange for your completion of surveys. Otherwise, Epsilon does not provide financial incentives in exchange for personal data.

1.10 Annual Consumer Requests Reporting

From July 1, 2020 to December 31, 2020, we maintained two distinct processes to facilitate requests pursuant to the CCPA from individuals in the United States.

Interest Based Advertising Activities. We facilitated requests made pursuant to our IBA Activities through our prior automated online process as follows:

Requests to Know: Information linked to your Cookie ID

Requests to Know: Information linked to your name

Requests to Delete

Requests to Opt-Out of Sale

Number of requests received

271

3

74

712

Number of requests complied with in full

175

3

25

712

Number of requests complied with in part

0

0

0

0

Number of requests denied due to inability to verify consumer

96

0

49

0

Mean number of days we took to substantively respond to requests

1 day

20

2 days

2 days

Data used for Marketing & Analytics. We facilitated requests made pursuant to our Data Services through our online request form or by calling our toll-free number (866) 267-3861 as follows:

Requests to Know

Requests to Delete

Requests to Opt-Out of Sale

Number of requests received

1,141

4,707

10,297

Number of requests complied with in full

498

2,026

10,297

Number of requests complied with in part

0

0

0

Number of requests denied due to inability to verify consumer

642

2681

0

Mean number of days we took to substantively respond to requests

5.5 days

1 day

1 day

B. Nevada Residents

Nevada law (NRS 603A.345) requires each business to establish a designated request address where Nevada consumers may submit requests directing the business not to sell certain kinds of personal data that the business has collected or will collect about the consumer. A sale under Nevada law is the exchange of personal data for monetary consideration by the business to a third party for the third party to license or sell the personal data to other third parties.

1.1 How to Exercise Your Nevada Rights

If you are a Nevada consumer and wish to submit a request relating to our compliance with Nevada law, you may do so by filling out and submitting our online request form, mailing a request to Epsilon, P.O. Box 1478, Broomfield, CO 80038, Attn: Privacy, or by calling toll-free (866) 267-3861.

C. General Rights Regarding Data Collection

1.1 Epsilon Interest-Based Advertising Opt-Out

Epsilon provides several methods to opt-out from our IBA activities.

  • To directly opt-out of receiving ads linked to your device or browser (cookie), click here.
  • To directly opt-out of receiving ads linked to your hashed (obfuscated) e-mail address, click here.

1.2 DAA AdChoices

Epsilon is also a proud member of the Digital Advertising Alliance (DAA). The DAA is an organization that works with digital advertising companies to develop and enforce responsible and privacy-friendly online advertising practices, including the development of the AdChoices program. Epsilon’s IBA activities adhere to the DAA’s Self-Regulatory Principles for Online Behavioral Advertising.

Rather than opting out from Epsilon’s IBA activities directly, as indicated above, you may opt-out by using the DAA’s AdChoices tool. Canadian visitors may opt-out by using the DAAC’s AdChoices tool.

1.3 Do Not Track:

Your browser settings may allow you to automatically transmit a “Do Not Track” signal to online services you visit. Note, however, there is no industry consensus as to what site and app operators should do with regard to these signals. Accordingly, unless and until the law is interpreted to require us to do so, we do not monitor or take action with respect to “Do Not Track” signals. For more information on “Do Not Track,” visit http://www.allaboutdnt.com.

VI. Security and Data Integrity

Epsilon takes steps to help ensure that the data we possess is housed and transmitted securely. This may include various types of physical and electronic security, including firewall protections, encryption, hashing or truncation of data, and access controls to personal data. While neither we nor any platform can guarantee that electronic transmission and storage of data is completely secure, we employ efforts that are designed to ensure that this does not occur.

VII. Self-regulation

Our industry has a rigorous voluntary self-regulatory regime, and we are active members of industry groups such as the Interactive Advertising Bureau (IAB), Interactive Advertising Bureau Europe (IAB EU), Interactive Advertising Bureau UK (IAB UK), Digital Advertising Alliance (DAA), European Digital Advertising Alliance (EDAA) and Digital Advertising Alliance of Canada (DAAC). These groups promulgate codes of conduct and principles that impose requirements on participating members such as transparency and choice around the use of personal data for interest-based advertising, and some even require regular audits of member privacy practices. Such codes and principles include the DAA Self-Regulatory Principles, the EDAA Self-Regulatory Principles, and the DAAC Self-Regulatory Principles, which we all support.

VIII. Notification of Changes

From time to time, we may update this Privacy Notice. Any changes to it will become effective when it is posted to our website. You can determine when this Notice was last revised by checking the “Last Modified" legend at the top of this Policy. Please check back periodically to learn of any changes to this Privacy Notice. If any changes to this Privacy Notice have include a material change to how we use or share any personal data collected prior the publishing of this Privacy Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make.

If you wish to save this text, please market the entire statement (e.g. with your mouse) and copy-paste by pushing ctr-c.

IX. Further Information

If you have any questions in relation to this Privacy Notice, have any questions regarding your rights and choices, or wish to learn more about Epsilon’s privacy practices, please email us at privacy@epsilon.com. You may also send additional correspondence to:

Epsilon
P.O. Box 1478
Broomfield, CO 80038
Attn: Privacy