A. Your Rights Under Virginia Law
Effective January 1, 2023, individuals who reside in Virginia have specific rights under the Virginia Consumer Data Protection Act (the “Act”) and its enabling regulations. Generally, among the rights granted to Virginia residents are:
- The right to notice of your rights under the Act;
- The right to know or confirm whether we collect or process any of your personal data;
- The right to access personal data we process about you;
- The right to know the express purposes for each type of your personal data we process;
- The right to know the categories of third parties with whom we share your personal data;
- The right to opt-out of processing for targeted advertising, sale, or data profiling using your personal data;
- The right to have your personal data deleted;
- The right to obtain your personal data in a portable and technically feasible format;
- The right to correct any of your erroneous personal data we process; and
- The right to appeal any denial to take action on the above requests within a reasonable time.
Each of the rights above is addressed in the text below.
B. Important Exceptions
It is important for Virginia residents to understand that there are significant exceptions built in to the Act.
One of the main exceptions is that the Act’s definition of “personal data” specifically excludes “publicly available” information. This means that any information that is lawfully made available to the public through federal, state, and local government records is not protected by the Act.
A wide variety of information regarding Virginia consumers is made available to the public by the government. Also, Virginia local governments (counties and cities) provide extensive public access to official recordings – things like court records, deeds, mortgages, property value assessments, and real property tax information.
C. Personal Data We Collect
Categories of personal data we collect on Virginia residents are:
- Personal Identifiers (such as actual names, physical, postal, and email addresses, landline and/or wireless telephone numbers, IP addresses);
- Personal Characteristics (such as age, gender, ethnicity, income, marital status)
- Property or Buying/Interest Activity (such as homeownership, boat owner, or “interest in golf”)
- Employment Information (such as category of profession, professional licensure)
- Education Information (such as level of education completed, college attendance, date of graduation)
- Inferences (profiles or models about a consumer reflecting the consumer’s preferences, characteristics, psychological tends, predispositions, behaviors, attitudes, intelligence, abilities and aptitudes)
In nearly every instance, we do not collect this information directly from the consumer. Rather, we license this information from third parties. Please see the “How We Collect Personal Data” section below.
D. Virginia Residents’ Data We Do Not Process, Collect, Use, or Sell
We do not process, collect, store, or use personal data that falls into any of the following categories, either directly on our sites or from third-party data providers, nor do we ever sell these types of information to our clients regarding Virginia residents:
- personal signatures (other than in regard to agreements we may sign with our clients)
- credit card numbers or debit card numbers (other than to process purchases made by our clients)
- social security numbers
- passport numbers
- national ID numbers
- drivers’ license numbers
- state ID card numbers
- military ID numbers
- insurance policy numbers
- bank account numbers
- financial account numbers (other than to process purchases made by our clients)
- facial recognition data
- physical characteristics or descriptions of individuals
- exact dates of birth
- ethnic origin
- geolocation information of any individual (we may geolocate buildings & other structures, roads, land boundaries, etc.)
- actual credit scores
- actual medical conditions
- actual physical or mental disabilities
- gender identity or expression other than birth gender
- sexual orientation
- audio information (except for our clients who may call us directly)
- video information
- genetic information (including familial genetic information)
- online account usernames or passwords (other than those we issue for access to our sites)
- content of email communications (other than our own)
- internet browsing or search history
- any personally identifiable information regarding any person under 18 years of age.
E. How We Collect Personal Data
We collect information directly from our clients who do business with us. This information may be collected via our website(s) or through our communication with our clients via telephone or email. In nearly every instance, our clients are businesses and employees of businesses, not individual consumers. Individuals who interact with us in a commercial/business context are not a “consumer” under the Act and, therefore, receive no special protections under that statute.
In regard to non-client consumers, in nearly every instance we do not collect consumer information directly from the consumer. Instead, we license consumer information from third-parties who collect the information directly or obtain it from another third party.
The information we license to our clients is collected by our third-party partners from many sources. These sources include public records, publicly available information, subscription information, warranty cards, surveys, point-of-sale information, website directories, website visits, online activity, mobile applications, and commercially available consumer data from other third-party information providers who may or may not have collected the data directly from you.
Some of this information may have been modeled or inferred from other information. For example, if you subscribe to a bridal magazine we might assume (i.e., infer) that you are engaged to be married. Or, the provider of information might make a calculated estimate of your home’s value based on the known values of surrounding homes (i.e., modeling). We may also use personal data to construct a non-existent “average consumer” that encompasses certain average characteristics of consumers who buy or do not buy (i.e., profiling). Inferring, modeling, and profiling are common practices used in trying to match consumers with products and services they are most likely to want when exact information is not available or feasible.
Identifiers such as name, address, and telephone numbers are sourced from publicly accessible sources such as the white and yellow page telephone directories, online directories, website postings, public records, public websites, property and assessor files, governmental issued licenses, and information available to the public through directory assistance.
F. How We Process Personal Data
Our information is stored in electronic databases. Sometimes we match these databases to one another to make the data more effective for marketing purposes. We may also enhance your information with other information we acquire from other sources or through the use of technology. For example, we might add geospatial codes (latitude and longitude) to your physical address or merge two directories to match addresses with telephone numbers.
G. Our Purpose in Using Your Personal Data
Our core business is relicensing (i.e., selling) third-party consumer and business information to help our clients market their products and services more effectively. Ultimately, our goal is to help our clients ensure their marketing messages reach consumers who are most likely to want to receive them, and avoid consumers who do not want those messages. In most cases, we do this by supplying them with lists of customers or prospects that meet demographic criteria that make the consumers more likely to buy the specific product or service our client sells. We may also infer, model, or profile personal data for our clients use in their marketing. Collectively, this is our “Purpose” for collecting and processing consumers’ personal data. Our clients ultimately use our information to send targeted offers to consumers and businesses via various marketing channels such as direct mail, telemarketing, digital ads, social media ads, mobile ads, etc.
Our clients are permitted to use the information we provide for a limited purpose. Our clients may use our data only for lawfully conducted marketing or for things related to lawful marketing (such as cleaning their customer lists or verification of data they already have). No other purpose is allowed. This means that our clients are prohibited from using our data for any purpose or in any way that might violate any U.S. federal or state law that protects your privacy or consumer rights. Among those are the CAN-SPAM Act (intended to reduce unwanted email solicitations); the Telephone Consumer Protection Act of 1991 (intended to reduce unwanted telephone solicitations) as well as the privacy and best practice policies set out by the Data and Marketing Association (“DMA”).
H. Categories of Third Parties with Whom We Share Personal Data
We license your Personal Data with the following categories of third parties:
- Sellers of Consumer Goods and Services: Telecommunications companies (such as cable TV companies); utility companies (such as energy retailers); financial services companies (such as banks, lenders); insurance companies; technology companies; service providers (such as landscapers); media and publishers; or retailers (such as apparel sellers);
- Marketing agencies or data resellers whose clients fall within the above categories;
- Governmental entities or candidates for office;
- Third-party service providers (mail houses, fulfillment centers, email providers, or data centers) who work for our clients and process the data we sell to our clients. For example, our client may contract with a third-party mail house to mail out coupons and offers using data we supply to our client.
I. How to Access Your Personal Data
You have the right to access any of your personal data we process. You may request this information in three ways:
- Sending an email to firstname.lastname@example.org. You will need to provide your full name and any variants of your name (Robert Smith, Bob Smith, Bobby Smith, etc.), your current full address, and your telephone number(s) so that we can identify your record(s). We recommend that you also supply any previous addresses within the last year so we can be sure to match to those as well; or
- Call us toll-free at 866.423.1818 and speak with a customer service representative who will assist you with your request.
- Complete the web form found HERE.
We will acknowledge receipt of your access request within ten (10) days of submission. Your information request will be processed as soon as possible, but we may take up to forty-five (45) days to respond as to the outcome of your request.
We will take reasonable precautions to confirm your identity before we provide your information which may include asking you to provide an Affidavit of Identity under penalty of perjury. If you are a third-party attempting to obtain information on another person, you must provide evidence of legally sufficient authorization from that person (such as a valid Power of Attorney) before we will provide the other person’s information.
Our response will be in writing (which may be via email). The response will include your personal data in a portable and readily usable format (common formats include plain text, .html and .pdf) that will allow you to transmit the data to another entity (if you wish) without hinderance.
J. How to Opt Out
We respect Virginia residents’ rights to opt-out of any database we maintain. You may opt out of receiving communications we send to you (such as emails from us to you) or you may opt out of the marketing databases that we use to create our products and services for sale to third parties.
1. Opting Out of Email Communications Sent Directly to You by Us:
All email offers for goods and services sent to you by us include an opportunity to opt-out from receiving future communications from us about our services. Simply follow the “Opt Out” instructions included in the email message.
If you wish to no longer receive any emails from us, send an email the subject heading “REMOVE ME” to: email@example.com. Be sure that the email list from which you wish to be removed is a list maintained by us. We cannot remove you from any list that we do not maintain.
2. Opting Out of Sale of Personal Data, Targeted Advertising & Profiling
You may opt out of the licensing (i.e., sale) of your personal data, targeted advertising, and profiling in one of three ways:
- Clicking the “Manage Your Privacy Preferences” button located on our homepage of each of our websites and following the simple instructions regarding opting out; or
- Sending an email to firstname.lastname@example.org. You will need to provide your full name and any variants of your name (Robert Smith, Bob Smith, Bobby Smith, etc.), your current full address, and your telephone number(s) so that we can identify your record(s). We recommend that you also supply any previous addresses so we can be sure to opt those out as well; or
- Call us toll-free at 866.423.1818 and speak with a customer service representative who will assist you with opting out
We will acknowledge receipt of your opt-out request within ten (10) days of submission. Your opt-out request will be processed as soon as possible, with most being fully processed within fifteen (15) days. However, we may take up to forty-five (45) days to respond as to the outcome of your request.
We will take reasonable precautions to confirm your identity before we opt-out your information. If you are a third-party attempting to opt-out another person, you must provide evidence of legally sufficient authorization before we will opt the other person out.
If you choose to opt out of our consumer database(s), we will stop licensing to or sharing your personal data with any of our clients. Your personal data will no longer be sold, used by us our our clients for targeted advertising or profiling. This opt-out is permanent and does not need to be renewed. Please understand that opting out of our databases:
- Does NOT mean we will delete or destroy information pertaining to you. Instead, we flag your record as an “Opt Out” that will not be delivered to any of our clients. We preserve your data so that we can show continuing compliance with your opt-out request. If you wish to have your information deleted entirely, you will need to follow the further instructions below.
- Does NOT mean that any of our clients or providers will also opt you out of their databases. We can promise only that we will opt you out of our databases that we maintain, and will no longer use your information to help our clients target their marketing messages.
- Does NOT guarantee you will no longer receive marketing messages in general. We can opt you out only from databases we maintain. Your information may appear on databases maintained by companies other than ours.
K. How to Request Deletion of Your Personal Data
We are happy to delete any of your personal data that we possess upon request. You may request deletion in multiple ways:
- Clicking the “Manage Your Privacy Preferences” button located on our homepage of each of our websites and following the simple instructions regarding submitting a deletion request; or
- Sending an email to email@example.com. You will need to provide your full name and any variants of your name (Robert Smith, Bob Smith, Bobby Smith, etc.), your current full address, and your telephone number(s) so that we can identify your record(s) for deletion. We recommend that you also supply any previous addresses so we can be sure to delete those as well; or
- Call us toll-free at 866.423.1818 and speak with a customer service representative who will assist you with requesting deletion.
We will acknowledge receipt of your deletion request within ten (10) days of submission. Your deletion request will be processed as soon as possible, but we may take up to forty-five (45) days to respond in writing (which may be via email) as to the outcome of your request.
We will take reasonable precautions to confirm your identity before we delete your information. If you are a third-party attempting to delete the information of another person, you must provide evidence of legally sufficient authorization before we will opt the other person out.
Once deleted, the information you requested to be deleted will no longer be utilized by us, our service providers, or shared with any third-party.
If you request deletion of your personal data, we may retain certain basic identifying information (name, address, telephone number, and/or email address) for the sole purpose of enforcing your deletion request in the future. It is possible that information that we have deleted (pursuant to your request) may reappear in our databases because it arrived in a future data update or via a different channel or data provider. In those instances, we use your basic contact information to re-delete your information.
L. How to Correct Erroneous Information
If you discover or believe that any personal data we possess about you is incorrect, you have the right to correct that information. You may either call us toll free at 866.423.1818 or email us at firstname.lastname@example.org. Please provide as much detail as possible as to the nature or the error and provide the corrected information in your request so that we can remedy the error as quickly as possible.
M. How to Appeal a Denial
If we expressly deny any of your requests made under the Act, or if we fail to respond or take action within a reasonable time (a 45-day initial period, plus an additional 45 days if we notify you we need more time), you may submit an appeal. Simply send an email to our Consumer Privacy Coordinator at email@example.com or call us toll-free at 866.423.1818. Please provide as much detail as possible as to the nature of your appeal including the type of request you initially made, the date the initial request was made, and what you expected the outcome to be. A team made up of members of our legal department and our executive leadership will review your appeal. You will receive a written notification on the outcome of your appeal within fifteen (15) days of our receipt.
N. Sensitive Data Not Collected or Processed
The Act has additional requirements for entities that collect or process Virginia residents’ “Sensitive Data.” “Sensitive Data” includes personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship/immigration status; genetic or biometric data; personal data from a known child or precise geolocation data. We do not collect or process any of these types of Sensitive Data regarding Virginia residents. See Section D above.
O. No Discrimination, Retaliation, Costs or Incentives
P. Contact Us