Update August 10, 2020: following the invalidation of the EU-US Privacy Shield by the Court of Justice of the European Union on July 16, 2020, personal data subject to the GDPR are no longer transferred by LiveRamp on the basis of the EU-US Privacy Shield but are instead subject to standard contractual clauses.
EU-US Privacy Shield/Swiss-US Privacy Shield
This Privacy Shield Policy (“Policy”) describes LiveRamp and its subsidiaries (collectively, “LiveRamp”), comply with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, and the United Kingdom and Switzerland to the United States, respectively. This Policy applies to the following US affiliated entities: LiveRamp Holdings, Inc. and Data Plus Math Corporation. LiveRamp has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit www.privacyshield.gov.
LiveRamp is committed to educating its clients and employees in the United States and in the EU, United Kingdom, and Switzerland about the issues, guidelines and laws surrounding compliance with Privacy Shield. Since the requirements for compliance with Privacy Shield vary depending on whether LiveRamp is acting as a processor on behalf of LiveRamp’s clients or as a data controller, LiveRamp’s policies and manner of compliance are described separately below. The practices LiveRamp employs under the EU-U.S. Privacy Shield, as outlined below, also apply to data transferred from Switzerland to the United States in compliance with the Swiss-US Privacy Shield Framework.
LiveRamp as a Processor on Behalf of Clients
LiveRamp provides customized computer services designed to help companies manage their customer information more effectively, increase profitability of their marketing and reduce the operational costs of processing customer transactions. In this capacity, LiveRamp does not own or control any of the information it processes on behalf of LiveRamp’s clients. All such information is owned and controlled by LiveRamp’s clients. In this capacity LiveRamp receives information transferred from the EU, and the United Kingdom to the United States merely as a processor on behalf of our clients.
When LiveRamp acts as a processor on behalf of its clients, the policies outlined below apply to all data processing operations concerning personal data that has been transferred from the EU and the United Kingdom to the United States.
Before starting any processing on behalf of LiveRamp’s clients, LiveRamp will enter into a processing contract with the EU or United Kingdom (UK) data controller that ensures the EU data controller will be in compliance with the Member State Data Protection law.
Any data processed by LiveRamp will not be further disclosed to third parties except where permitted or required by the processing contract, Privacy Shield or the applicable Member State Data Protection law. Any information LiveRamp’s client (acting as the EU/UK controller) identifies as sensitive, will be treated accordingly.
The processing contract will also specify that the processing will be carried out with appropriate data security measures. LiveRamp has in place measures to protect personal information from loss, misuse, unauthorized access, disclosure, alteration and destruction.
As a processor on behalf of LiveRamp’s clients (who are the EU/UK data controllers), LiveRamp is not in a position to apply other Privacy Shield Principles applicable to data controllers with respect to the personal data received for processing from its clients.
LiveRamp as a Data Controller
LiveRamp provides business and consumer information products designed to help companies and third-party service providers market more successfully, integrate and improve the accuracy of their customer information, and reduce the operational costs of processing customer data. In this function, LiveRamp acts as a data controller of the personal data contained in these information products.
LiveRamp has appointed a chief privacy officer, (i.e., a “Data Protection Officer”), who is responsible for the internal supervision of LiveRamp’s privacy policies. LiveRamp has also appointed a corporate leader for data security. The chief privacy officer and security officers are available to any individual or employee who has questions concerning LiveRamp’s compliance with Privacy Shield or data security practices.
When LiveRamp acts as a data controller of personal data, the policies outlined below apply to all personal data that has been transferred from the EU, the United Kingdom, to the United States.
LiveRamp and its subsidiaries located in the EU/UK, develop and maintain databases containing personal information on data subjects, households, and businesses located throughout EU Member States and the United Kingdom. These databases are developed from public records, publicly available information, information acquired through information providers, and information collected directly from data subjects.
LiveRamp’s databases contain information that is provided to qualified businesses for marketing, customer data integration, and connectivity purposes. The information contained in these databases may also be used to provide information services, to enhance the understanding a company has about its customers, to aid in accurate integration of a company’s customer information, and be used as lists for direct marketing purposes.
As a data controller, LiveRamp is required to comply with all principles of the Privacy Shield.
Notice
LiveRamp may be required to disclose personal information in response to lawful requests by public authorities, including requests to meet national security or law enforcement requirements. Prior to the transfer of personal information from the EU/UK to the United States, LiveRamp requires contractual confirmation from the EU/UK controller from whom LiveRamp acquired the information that the personal data has been provided to LiveRamp in accordance with the applicable United Kingdom/EU Member State Data Protection law, thereby ensuring the data subjects have been provided with proper notice regarding how their personal data will be used. In addition, when personal data is collected directly from data subjects, LiveRamp provides the data subject with notice regarding the manner and circumstances in which the personal data will be used and transferred to third parties.
Choice
In addition to choices regarding the use of information, LiveRamp will remove an individual’s name and related information from its direct marketing information products. Consumers may request an opt-out form by writing LiveRamp at the address below, or sending an e-mail to us at privacyshieldoptout@LiveRamp.com.
To request an opt-out form by mail, write to:
Data Ethics/ Privacy
LiveRamp
225 Bush St., 17th Floor
San Francisco, California USA 94104
Data Integrity
LiveRamp takes reasonable steps to ensure the information transferred from the EU to the United States is reliable, accurate, and complete. The steps LiveRamp takes to assure data integrity are based on the purposes for which the personal information is used.
Onward Transfer
LiveRamp complies with the notice and choice principles as described above for all data disclosed or transferred to a third party. LiveRamp takes reasonable and appropriate steps to ensure that the third party effectively processes the personal information transferred in a manner consistent with LiveRamp’s obligations under the Principles.
When LiveRamp uses data processors to perform processing tasks on behalf and under the instruction of LiveRamp, LiveRamp requires that its data processors either:
- Subscribe to the Privacy Shield (in the case of US-based processors), the EU General Data Protection Regulation (in the case of EU-based processors), or another adequacy finding (in the case of processors in countries outside the US or EU); or
- Enter into a written agreement with LiveRamp requiring them to process the data only for limited and specified purposes and to provide the same level of protection as LiveRamp provides.
In cases of onward transfer to third parties, LiveRamp is generally liable for the acts of the third party that are in violation of the Privacy Shield Principles.
Security
LiveRamp has an information security policy in place to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction. LiveRamp’s security officer is responsible for conducting investigations into any alleged computer or network breaches, incidents or problems and ensuring that proper disciplinary action is taken against those who violate LiveRamp’s Information Security Policy.
Any security compromises or potential security compromises and any inquiries concerning security should be reported to the LiveRamp’s Data Ethics/Privacy liaison. Contact information for the LiveRamp’s Data Ethics/Privacy liaison is provided below.
Access
An individual may request access to the information LiveRamp maintains in its information products. The individual has the right to learn whether or not data about him or her is found in LiveRamp’s information products and to correct, amend or delete that information when it is inaccurate. This right applies only to personal data about the individual making the request and is subject to other limitations as defined by law. Individuals can request access by writing or emailing:
Data Ethics
LiveRamp
225 Bush St., 17th Floor
San Francisco, California USA 94104
Email: privacyshieldoptout@LiveRamp.com.
LiveRamp’s Data/Privacy liaison will explain the process for making an access request. In order to confirm the identity of the individual and have the necessary information to retrieve the individual’s information, LiveRamp provides a form which the individual fills out, signs, and mails to LiveRamp. Filing a request in English will expedite the process.
LiveRamp agrees to process all reasonable requests for access within a reasonable time period, but reserves the right to deny access or limit access in cases where the burden or cost of providing access would be disproportionate to the risks to the individual’s privacy or when the request is manifestly unfounded or excessive.
Enforcement
LiveRamp commits to cooperate with EU data protection authorities (DPAs) and comply with the advice given by such authorities with regard to human resources data transferred from the EU in the context of the employment relationship. Notwithstanding the foregoing, human resource data is only covered by the EU-US Privacy Shield and addressed by LiveRamp’s Swiss-US Privacy Shield.
Individuals who wish to file a complaint or who take issue with LiveRamp’s Privacy Shield policies should contact LiveRamp’s consumer advocate at the above address. LiveRamp’s consumer advocate will explain the process to be followed when filing a complaint. Filing a complaint in English will expedite the process.
LiveRamp is a participant in ANA’s Privacy Shield dispute resolution programs. If consumers cannot resolve a complaint after contacting LiveRamp’s consumer advocate, they may pursue recourse with ANA, free of charge. Consumers may file a complaint with the ANA via the ANA online complaint form or via post at:
ANA
Attn: Privacy Shield
225 Reinekers Lane, Suite 325, Alexandria, VA 22314
Under certain conditions, an individual may invoke binding arbitration to resolve residual claims. LiveRamp is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.