Due Diligence Checklist

This document provides a series of questions you should ask of a prospective data, calls or traffic partner. Compliant organizations should be happy to share this information with you. If a prospective partner is not willing to answer these questions, you may want to reconsider whether you want to do business with them. [1]


ONLINE MARKETING PRACTICES

  • What domains does your company use to gather consumer information?
  • Identify those owned by you vs. under contract with a third party. [2]
  • Provide examples of the form of consumer consent. [3]
  • What third-party consent validation do you obtain? [4]
  • What third-party data augmentation do you use? [5]
  • How can consumers unsubscribe from ongoing contact (e.g., calls, SMS)?
  • How will consumer revocation be communicated to us?
  • How will data source information be communicated to me? [6]
  • Do you place scripts, cookies or pixels to enable remarketing/retargeting?
  • How long do you store consumer data?

CONTACT CENTER PRACTICES [7]

  • Do you make outbound calls or respond to inbound calls?
  • Do inbound calls include warm call transfers?
  • Do you own or outsource your contact center?
  • Do the agents work in the contact center or virtually?
  • How is consumer consent obtained and stored?
  • What is your policy regarding call recordings?
  • What is your policy regarding voicemail messages?
  • Does the contact center use ‘soundboard technology’ or leave pre-recorded voicemail messages?
  • If a consumer revokes consent via phone, how will that be managed?
  • If a consumer is transferred to me and then revokes consent, how can I communicate that to you?

COMPANY INFORMATION

  • Who owns your company?
  • Please identify any non-US operations.
  • How long has the company been doing business under its current name?
  • Please identify any legal or regulatory actions against your company or its employees or affiliates concerning marketing or call-center practices.
  • Do you use incentives (e.g., sweepstakes, prizes) to generate consumer inquiries?

NOTES:

  1. This is not a comprehensive list or meant to replace advice from a legal professional. In addition, related inquiries should be made of businesses you send consumer data to, including understanding their licensing status, regulatory history, and data use and transfer practices.
  2. Each step in the data path from consumer consent until that data is transferred to us should be clear.
  3. This should be for all domains used to provide us with consumer data. Specific instructions for obtaining consumer consent will follow and may vary by industry and product/service.
  4. For example, Jornaya’s TCPA Guardian service or ActiveProspect’s TrustedForm.
  5. For example, credit bureaus, Neustar, Acxiom.
  6. Specific instructions on data privacy and security will follow.
  7. If applicable.
  8. Specific instructions for call monitoring and storage will follow.