Epsilon North American Services & Products Privacy Notice
Last Modified: March 15, 2023
Welcome to the Epsilon Privacy Notice (“Privacy Notice”). Epsilon Data Management, LLC, along with our affiliates, Conversant LLC and Citrus Ad International, Inc. (“we”, “our,” “us”, “Epsilon”), provide a variety of marketing data, consumer analytics, and marketing technologies services (“Services”). More information about our services can be found via the Products & Services tab of our website.
We respect consumer privacy and believe that data protection is essential to the growth and prosperity of the internet. A personalized experience, online and offline, can provide significant benefits to consumers if done properly. In accordance with these beliefs, Epsilon strives to create results for advertisers in revolutionary ways, without comprising consumers’ privacy. This Privacy Notice is created and maintained as part of our commitment to provide consumers with transparency and choice on how we process their personal data. We have taken steps to describe our personal data processing activities as clearly and easy-to-read as possible and encourage you to read the entire Privacy Notice.
B. Scope of this Privacy Notice
This Privacy Notice describes how Epsilon collects, uses, discloses, and protects any personal data we process in connection with our Services. This Privacy Notice also explains the measures we take to safeguard your information and describes how you may contact us regarding our privacy practices. When we say “you” we are referring to individuals whose personal data may be used in our Services, which may include the person reading this Privacy Notice.
This Privacy Notice applies only to Epsilon’s processing of information about you in connection with its Services as described below in Section I.B., as well as any other related services that refer or link to this Privacy Notice.
This Privacy Notice does not apply to the following activities:
- Employment or Contractors. This Privacy Notice does not cover our processing of personal data in connection with employment by Epsilon or contractors that do business with Epsilon. If you are an employee or former employee of Epsilon, please contact your local Human Resources Office or the Data Protection Office for more information.
- Epsilon’s Own Websites. If you are looking for information on how Epsilon collects and uses personal data in connection with visitors to our website (epsilon.com), which includes our clients, prospective clients, business-to-business contacts, please click here to view our Website Privacy Notice.
- Epsilon Services Provided as a Processor (or Service Provider): Information collected, provided, and processed by Epsilon Clients. Please note that this Privacy Notice does not apply to services provided by Epsilon while acting strictly on behalf of a client as a processor (or service provider). If you have any questions about a particular company’s processing of your personal data, please contact that company directly. More information about this exception is detailed in section IV below.
- Services Offered Outside of North America. This Privacy Notice applies only to Epsilon services offered in North America. For Epsilon Services offered in any other region, please visit our Global Privacy Policies Page.
II. What personal data do we collect and process?
To provide our Services, we must collect, use and disclose some information about you. Epsilon collects personal data through a variety of means, such as by observing your online interactions with our advertisements, through third party data partners, and from public sources.
The categories of personal data we process, and the sources we obtain the personal data from, is provided in more detail below:
A. Categories of personal data processed
- Contact information and other identifiers: e.g., name, email address, telephone number, IP address, mobile ad identifier, device ID
- Commercial or transactions information: e.g., records of personal property, goods or services purchased or considered, or other purchasing or consuming histories or tendencies
- Demographical and statistical information: e.g., marital status or gender.
- Inferences: e.g., data attributes drawn or created from any of the information identified in this section reflecting the consumer’s preferences, characteristics, predispositions, behavior, attitudes, abilities, and aptitudes.
- Internet or other electronic network activity information: e.g., browsing history; search history; online interests, such as information about categories of consumer interests derived from online usage; and information on a consumer's interaction with a website, application, or advertisement.
- Professional or employment-related information: e.g., business name, job title, or job history.
- Sensitive personal data
- Health data
- Political and philosophical beliefs
- Precise geolocation: your location derived from a device within an area of 1,850 feet
- Racial/Ethnic Data
B. Sources of personal data processed
The categories of information identified above has been collected via various methods and sources:
Indirectly from you: We utilize automated technologies, such as cookies, log files, pixels, tags, or other similar technologies to collect information from you when you view or interact with one of the internet advertisements we serve, or when you visit a website that has implemented our automated technologies, such as advertiser or publisher websites. We require all such websites to provide you with appropriate notice of such collection.
Directly from You: We may also receive personal data from directly from you, such as when you inquire about our services, or when you complete our consumer surveys (see Shopper’s Voice privacy notice).
Inferred from other data: We create new personal data attributes or derive a probability percentage (propensity) that a data attribute may be linked to you by using other personal data that we collect using propensity analysis and modeling.
Third Parties: We additionally collect information from you from various other companies. Such third parties can be categorized as follows:
III. Purposes of processing personal data
Epsilon collects and uses your personal data for the following purposes:
A. Interest-Based Advertising
We help companies serve personalized advertising across the Internet, including web browsers and mobile applications, in a variety of ways such as banner and video ads. Some of the online ads you are served may be based on the content of the webpage you’re visiting; others may be based on registration or other information you provide to us and our partners; and other ads may be customized based on predictions about your interests generated from your visits to other websites. This practice of customizing and providing online ads is often called interest-based advertising, or IBA.
Some examples of our IBA activities include:
- Helping clients identify and target ads to online audiences based on common demographics and/or disclosed (actual or inferred) interests or preferences (e.g., consumers interested in winter apparel). When we do this, we handle information provided by our Clients (for instance, their own customer files) and “match” their information through pseudonymization techniques (such as through coded data “hashing”) with online cookies and other identifiers. We then use these cookies and identifiers to target and measure ad campaigns online across various display, mobile and other media channels.
- Assisting clients by creating “identity” graphs, to help locate users across various channels, such as connecting identities based on common personal, device-based, or network-based identifiers (e.g., cookie ID, IP address, or hashed email address).
B. Data for Marketing & Analytics Purposes
Epsilon collects personal data from the sources identified above and infers personal data to create consumer databases. Epsilon’s consumer databases help companies get a full view of their customers and prospective customers to help them predict future buying behaviors and to help them build brand loyalty. Epsilon’s consumer databases enable marketers to connect with new and existing consumers in both digital and offline channels, such as direct mail and online advertisements. Additionally, Epsilon’s consumer database can be used by companies for analytics purposes to provide insights on trends in the marketplace or business intelligence related to the company’s industry.
Some examples of the use of our data for marketing and analytics services include (which may overlap with IBA activities, above):
- Providing marketing information to our clients, generally regarding their marketing, fundraising, customer service and engagement, and outreach activities.
- Providing information to companies about customers and prospective customers in order for the companies to provide better service, improved offerings, and promotions.
- Assisting in targeting and optimizing of direct mail and email campaigns, display, mobile and social media marketing.
- Measuring the effectiveness of online or offline ad campaigns by determining which messages are most likely to be seen or opened by which types of consumers, or which types of ads are most likely to lead to purchases.
- Analyzing and optimizing our clients’ (or their service providers’) proprietary databases, or helping clients to identify and mitigate potential fraud.
- Providing “identity” or data “hygiene” services, which is how companies update and/or “clean” their databases by either verifying, enhancing, updating, or removing, incorrect or outdated information.
- Creating trend reports and business intelligence to be used by companies in the development of new products or financial projections
C. Operating Our Services:
- Improving, testing, updating, and verifying our own data and data services.
- Developing new services.
- Operating, analyzing, improving, and securing our Services.
- We may aggregate, de-identify and/or anonymize any information collected so that such information can no longer be linked to you or your device (“Aggregate/De-Identified Information”). We may use Aggregate/De-Identified Information for any purpose, including without limitation for research and marketing purposes, and may also disclose such data with any other party, including advertisers, promotional partners, and sponsors, in our discretion, unless otherwise prohibited by applicable law.
D. Other Internal Purposes:
For example: internal research, internal operations, auditing, detecting security incidents, debugging, short-term and transient use, quality control, and legal compliance.
IV. Processing of Personal Data as a Processor or for “Agency” Services
Epsilon, as a processor (or service provider), provides its clients with agency services as well as an email platform, loyalty service platform, and other such technology platforms. For instance, clients leverage Epsilon to schedule and manage their email campaigns and manage their loyalty and incentive programs. When our clients provide us with information relating to their customers, prospective customers or other individuals, we use it on behalf of our clients as a processor (or service provider).
While Epsilon strongly encourages its clients to adopt responsible approaches to its marketing practices, Epsilon is not responsible for the data practices of such clients.
V. Disclosure of Personal data
A. Disclosing to Third Parties.
We will disclose your personal data for the various purposes described above, both with service providers and with other third parties, such as our clients. All of the information we process, as identified above in section II.A., may have been shared and sold (based on the US privacy laws’ definition of “sell” and “share”) with the following categories of third parties in the past 12 months:
B. Disclosing to Service Providers for a Business Purpose
We may disclose your personal data to our service providers that assist us with our business purposes. Our service providers are to only process your personal data in accordance with our instructions and only for the purpose listed below. The table below shows with whom we disclose your personal data for the specific business purpose(s).
Category of Personal Data
Categories of Service Providers
C. Disclosing for Other Purposes
We also may disclose any of the personal data we process for the following purposes:
Disclosing for Legal Purposes: In addition, we may disclose personal data with other parties in order to: (a) comply with legal process or a regulatory investigation (e.g. regulatory authorities’ investigation, subpoena, or court order); (b) enforce our Terms of Service, this Privacy Notice, or other contracts with you, including investigation of potential violations thereof; (c) respond to claims that any content violates the rights of other parties; and/or (d) protect the rights, property or personal safety of us, our platform, our customers, our agents and affiliates, its users and/or the public. We likewise may provide information to other companies and organizations (including law enforcement) for fraud protection, and spam/malware prevention, and similar purposes.
Disclosing In Event of a Corporate Transaction: We may also disclose personal data in the event of a major corporate transaction, including for example a merger, investment, acquisition, reorganization, consolidation, bankruptcy, liquidation, or sale of some or all our assets, or for purposes of due diligence connected with any such transaction.
Disclosing to Service Providers: We may disclose any personal data we collect with our service providers, which may include (for instance) providers involved in tech or customer support, operations, web or data hosting, billing, accounting, security, marketing, data management, validation, enhancement, or hygiene, or otherwise assisting us to provide, develop, maintain, and improve our services.
VI. Automated Decision Making and Profiling
To the extent that we use processes that involve automated decision making or profiling when processing your personal data, we take steps to ensure that any automated decision making or profiling practices are fair and not discriminatory. We use automated processes to derive inferences and create audiences for interest based advertising and other marketing purpose.
VII. Retention of Personal Data
We keep personal data for as long as is necessary for the purposes described in this Privacy Notice, complying with legal and regulatory obligations, protecting our or other’s interests, and as otherwise permitted or required by law. When personal data is no longer necessary for or compatible with these purposes, it is removed from our systems or de-identified and archived in accordance with our internal retention policies. The criteria used to determine our retention periods include:
• The length of time we provide our services;
• Whether our processing of the personal data is consistent with what an average consumer would expect when the personal data was collected;
• Whether the personal data is processed for any other disclosed purpose(s) compatible with what is reasonably expected by the average consumer;
• Whether the personal data is relevant and useful to the provision of our services and our further processing is permitted by law;
• Whether the personal data has been de-identified, anonymized, and/or aggregated; and
• Whether there is a legal obligation to which we are subject.
VIII. Your Rights and Choices Regarding Your Personal data
You may have privacy rights based on the laws of your jurisdiction of residence, such as the states of California or Virginia or the provinces and country of Canada. This section describes how to exercise those rights and our process for handling those requests. You may also be permitted to designate an agent to make the following requests to exercise your rights where the law allows. We will take steps to verify that your agent has been authorized to make a request on your behalf through providing us with a signed written authorization or a copy of a power of attorney. All requests submitted by an agent must be made by using our agent form or by calling us toll-free at (866) 267-3861. You may exercise any of the following rights by filling out and submitting our online request form or by calling toll-free (866) 267-3861.
A. Information from our clients
We acknowledge that you may have certain rights in connection with the personal data we process on behalf of our clients. If personal data about you has been processed by us as a processor (or as a service provider) on behalf of our client and you wish to exercise any of the rights described below, please provide the name of our client on whose behalf we processed your personal data. We will refer your request to that client and will support them to the extent required by applicable law in responding to your request.
B. Right to request access to and portability of your personal data
If the state/province/country in which you reside provides you with the right to access or know what personal data we process about you, you may request, up to two times each year, access to categories and specific pieces of personal data about you that we collect. To make an access request please visit https://legal.epsilon.com/dsr/ or by calling us toll-free at (866) 267-3861. Once we receive your form, our identity verification service provider will confirm your identity with a series of test questions to be verified against the service provider’s data. We will provide your report of categories and specific pieces of personal data in a portable format. When we receive and verify your request, we will make best efforts to fulfill your request unless an exception applies.
C. Right to request correction of your personal data
If the state/province/country in which you reside provides you with the right to correct the personal data we process about you and if you believe we hold inaccurate personal data about you, you may request that we correct that personal data. We will delete your personal data upon receipt of your correction request. When we receive and verify your request, we will proceed to delete the data unless an exception applies. To make a correction or deletion request please visit https://legal.epsilon.com/dsr/ or by calling us toll-free at (866) 267-3861. Once we receive your form, our identity verification service provider will confirm your identity with a series of test questions to be verified against the service provider’s data.
D. Right to request deletion of your personal data
If the state/province/country in which you reside provides you with the right to delete the personal data we process about you, you may request that we delete any personal data that we obtained about you. However, we may retain personal data for certain important purposes, as set out by law. When we receive and verify your request to delete your personal data, we will proceed to delete the data unless an exception applies. To make a deletion request please visit https://legal.epsilon.com/dsr/ or by calling us toll-free at (866) 267-3861. Once we receive your form, our identity verification service provider will confirm your identity with a series of test questions to be verified against the service provider’s data.
E. Right to nondiscrimination.
We will not deny, charge different prices for, or provide a different level of quality of goods or services if you choose to exercise these rights.
F. Right to opt-out of the sale of your personal data.
If the state/province/country in which you reside provides you with the right to opt-out of the sale of your personal data and if you would like to opt out of our use of your personal data for such purposes that are considered a “sale” under privacy laws, you may do so by visiting https://legal.epsilon.com/dsr/ or by calling us toll-free at (866) 267-3861. Please note that we do not knowingly sell the personal data of minors under 16 years of age without legally-required affirmative authorization.
Nevada law (NRS 603A.340) requires each business to establish a designated request address where Nevada consumers may submit requests directing the business not to sell certain kinds of personal data that the business has collected or will collect about the consumer. A sale under Nevada law is the exchange of personal data for monetary consideration by the business to a third party for the third party to license or sell the personal data to other third parties. If you are a Nevada consumer and wish to submit a request relating to our compliance with Nevada law, you can make the opt-out request by visiting https://legal.epsilon.com/dsr/, calling us toll-free at (866) 267-386, emailing us at firstname.lastname@example.org, or mailing your request to: Epsilon, P.O. Box 1478, Broomfield, CO 80038, Attn: Privacy.
G. Right to opt-out of the share/cross-context behavioral advertising/targeted advertising use of your personal data
If the state/province/country in which you reside provides you with the right to opt-out of the share/cross-context behavioral advertising/targeted advertising and if you would like to opt out of our use of your information for such purposes that are considered a “share” under privacy laws or cross-context behavioral advertising/targeted advertising (what we refer to above as Interest-based Advertising), you may do so by visiting https://legal.epsilon.com/dsr/ or by calling us toll-free at (866) 267-3861.
Additionally, you may choose not to receive targeted advertising from ad networks, data exchanges, and other digital advertising providers by opting out of targeted advertising via YourAdChoices (US) or YourAdChoices (Canada) powered by the Digital Advertising Alliance
H. Right to opt-out of automated decision making and profiling
Your state/province/country may provide you with the right to not be subject to a decision based solely on automated decision making, including profiling, where the decision would have a legal effect on your or produce a similarly significant effect. If the state/province/country in which you reside provides you with the right to opt-out of automated decision making and profiling, you may opt-out of the processing of your personal data for profiling and other automated decision making by visiting https://legal.epsilon.com/dsr/ or by calling us toll-free at (866) 267-3861.
I. Right to limit the use of your sensitive personal data
If the state/province/country in which you reside provides you with the right to limit the use of your sensitive personal data, you may request that we limit the use and disclosure of your sensitive personal data by visiting https://legal.epsilon.com/dsr/ or by calling us toll-free at (866) 267-3861. We may deny your request in part or in full under uses authorized by applicable law.
J. Shine the Light (California residents)
To the extent you are a survey respondent to one of our Shoppers’ Voice surveys and you are a resident of California, you may request (i) a list of categories of personal data disclosed by Epsilon to third parties during the immediately preceding calendar year for those third parties’ own direct marketing purposes; and (ii) a list of categories of third parties to whom we disclosed such information. You may make a request by visiting https://legal.epsilon.com/dsr/ or calling us toll-free at (866) 267-3861.
K. Right to withdraw your consent (Canadian residents)
If you are a Canadian resident, you request to withdraw your consent to our processing of your personal data. To do so, you may select deletion request by visiting https://legal.epsilon.com/dsr/ or by calling us toll-free at (866) 267-3861. Please note this may affect our ability to communicate with you and we may retain certain data points if permitted by law.
Certain residents of the United States have the right to appeal our denial of your privacy rights request. Within 60 days of receiving our denial of your request, you may make an appeal by visiting https://legal.epsilon.com/dsr/ or by calling us toll-free at (866) 267-3861.
M. Disclosure of Financial Incentives
N. Annual Consumer Requests Reporting
From January 1, 2021 to December 31, 2021, we maintained two distinct processes to facilitate requests pursuant to the CCPA from individuals in the United States.
Interest Based Advertising Activities. We facilitated requests made pursuant to our IBA Activities through our prior automated online process as follows:
Requests to Know
Requests to Delete
Requests to Opt-Out of Sale
Number of requests received
Number of requests complied with in full
Number of requests complied with in part
Number of requests denied due to inability to verify consumer
Mean number of days we took to substantively respond to requests
Data used for Marketing & Analytics. We facilitated requests made pursuant to our Data Services through our online request form or by calling our toll-free number (866) 267-3861 as follows:
Requests to Know
Requests to Delete
Requests to Opt-Out of Sale
Number of requests received
Number of requests complied with in full
Number of requests complied with in part
Number of requests denied due to inability to verify consumer
Mean number of days we took to substantively respond to requests
O. General Rights Regarding Data Collection
1.1 Epsilon Interest-Based Advertising Opt-Out
Epsilon provides several methods to opt-out from our IBA activities. In addition to visiting our privacy rights portal and choosing to opt-out of share/cross-context behavioral advertising/targeted advertising, you may also opt-out as follows:
- To directly opt-out of receiving ads linked to your device or browser (cookie), click here.
- To directly opt-out of receiving ads linked to your hashed (obfuscated) e-mail address, click here.
1.2 DAA AdChoices
Epsilon is also a proud member of the Digital Advertising Alliance (DAA). The DAA is an organization that works with digital advertising companies to develop and enforce responsible and privacy-friendly online advertising practices, including the development of the AdChoices program. Epsilon’s IBA activities adhere to the DAA’s Self-Regulatory Principles for Online Behavioral Advertising.
Rather than opting out from Epsilon’s IBA activities directly, as indicated above, you may opt-out by using the DAA’s AdChoices tool. Canadian visitors may opt-out by using the DAAC’s AdChoices tool.
1.3 Do Not Track:
Your browser settings may allow you to automatically transmit a “Do Not Track” signal to online services you visit. Note, however, there is no industry consensus as to what site and app operators should do with regard to these signals. Accordingly, unless and until the law is interpreted to require us to do so, we do not monitor or take action with respect to “Do Not Track” signals. For more information on “Do Not Track,” visit http://www.allaboutdnt.com.
We do not knowingly collect personal data (as defined by the U.S. Children’s Privacy Protection Act, or “COPPA”) from children. If you are a parent or guardian and believe we have collected personal data in violation of COPPA, contact us at email@example.com. We will remove the personal data in accordance with COPPA.
X. Security and Data Integrity
Epsilon takes steps to help ensure that the data we possess is housed and transmitted securely. This may include various types of physical and electronic security, including firewall protections, encryption, hashing or truncation of data, and access controls to personal data. While neither we nor any platform can guarantee that electronic transmission and storage of data is completely secure, we employ efforts that are designed to ensure that this does not occur.
Our industry has a rigorous voluntary self-regulatory regime, and we are active members of industry groups such as the Interactive Advertising Bureau (IAB), Interactive Advertising Bureau Europe (IAB EU), Interactive Advertising Bureau UK (IAB UK), Digital Advertising Alliance (DAA), European Digital Advertising Alliance (EDAA) and Digital Advertising Alliance of Canada (DAAC). These groups promulgate codes of conduct and principles that impose requirements on participating members such as transparency and choice around the use of Personal data for interest-based advertising, and some even require regular audits of member privacy practices. Such codes and principles include the DAA Self-Regulatory Principles, the EDAA Self-Regulatory Principles, and the DAAC Self-Regulatory Principles, which we all support.
XII. Notification of Changes
From time to time, we may update this Privacy Notice. Any changes to it will become effective when it is posted to our website. You can determine when this Notice was last revised by checking the “Last Modified" legend at the top of this Policy. Please check back periodically to learn of any changes to this Privacy Notice. If any changes to this Privacy Notice have include a material change to how we use or disclose any personal data collected prior the publishing of this Privacy Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make.
If you wish to save this text, please market the entire statement (e.g. with your mouse) and copy-paste by pushing ctr-c.
XIII. Further Information
If you have any questions in relation to this Privacy Notice, have any questions regarding your rights and choices, or wish to learn more about Epsilon’s privacy practices, please email us at firstname.lastname@example.org. You may also send additional correspondence to:
P.O. Box 1478
Broomfield, CO 80038