Due Diligence Checklist
This document provides a series of questions you should ask of a prospective data, calls or traffic partner. Compliant organizations should be happy to share this information with you. If a prospective partner is not willing to answer these questions, you may want to reconsider whether you want to do business with them.1
ONLINE MARKETING PRACTICES
- What domains does your company use to gather consumer information?
- Identify those owned by you vs. under contract with a third party.2
- Provide examples of the form of consumer consent.3
- What third-party consent validation do you obtain?4
- What third-party data augmentation do you use?5
- How can consumers unsubscribe from ongoing contact (e.g., calls, SMS)?
- How will consumer revocation be communicated to us?
- How will data source information be communicated to me?6
- Do you place scripts, cookies or pixels to enable remarketing/retargeting?
- How long do you store consumer data?
CONTACT CENTER PRACTICES7
- Do you make outbound calls or respond to inbound calls?
- Do inbound calls include warm call transfers?
- Do you own or outsource your contact center?
- Do the agents work in the contact center or virtually?
- How is consumer consent obtained and stored?
- What is your policy regarding call recordings?
- What is your policy regarding voicemail messages?
- Does the contact center use ‘soundboard technology’ or leave pre-recorded voicemail messages?
- If a consumer revokes consent via phone, how will that be managed?
- If a consumer is transferred to me and then revokes consent, how can I communicate that to you?
COMPANY INFORMATION
- Who owns your company?
- Please identify any non-US operations.
- How long has the company been doing business under its current name?
- Please identify any legal or regulatory actions against your company or its employees or affiliates concerning marketing or call-center practices.
- Do you use incentives (e.g., sweepstakes, prizes) to generate consumer inquiries?
NOTES:
- This is not a comprehensive list or meant to replace advice from a legal professional. In addition, related inquiries should be made of businesses you send consumer data to, including understanding their licensing status, regulatory history, and data use and transfer practices.
- Each step in the data path from consumer consent until that data is transferred to us should be clear.
- This should be for all domains used to provide us with consumer data. Specific instructions for obtaining consumer consent will follow; may vary by industry and product/service.
- For example, Jornaya’s TCPA Guardian service or ActiveProspect’s TrustedForm.
- For example, credit bureaus, Neustar, Axiom.
- Specific instructions on data privacy and security will follow.
- If applicable.
- Specific instructions for call monitoring and storage will follow.