LiveRamp’s Notice of Certification Under the Data Privacy Framework

Effective: August 26, 2024

This Data Privacy Framework Notice (“Notice”) describes how LiveRamp and its subsidiaries DataFleets, Ltd., Data Plus Math Corporation, Diablo.ai, Inc., Habu, Inc., and LiveRamp Holdings, Inc. (collectively, “LiveRamp”) comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.  LiveRamp has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.  LiveRamp has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.  If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

LiveRamp is committed to educating its clients and employees in the United States, EU, United Kingdom, and Switzerland about the issues, guidelines and laws surrounding compliance with the Data Privacy Framework (DPF). Since the requirements for compliance with the DPF vary depending on whether LiveRamp is acting as a processor on behalf of LiveRamp’s clients and as a data controller for its own data processing, LiveRamp’s policies and manner of compliance are described separately below. The practices LiveRamp employs under the EU-U.S. DPF, as outlined below, also applies to data transferred from the United Kingdom to the United States in compliance with the UK Extension to the EU-U.S. DPF and Switzerland to the United States in compliance with the Swiss-US DPF.

LiveRamp as a Processor on Behalf of Clients

LiveRamp provides customized computer services designed to help companies manage their customer information more effectively, increase profitability of their marketing, and reduce the operational costs of processing customer transactions. In this capacity, LiveRamp does not own or control any of the information it processes on behalf of LiveRamp’s clients. All such information is owned and controlled by LiveRamp’s clients. In this capacity LiveRamp receives information transferred from the EU, Switzerland and the United Kingdom to the United States merely as a processor on behalf of our clients.

When LiveRamp acts as a processor on behalf of its clients, the policies outlined below apply to all data processing operations concerning personal data that has been transferred from the EU, Switzerland, and the United Kingdom to the United States.

Before starting any processing on behalf of LiveRamp’s clients, LiveRamp will enter into a processing contract with the EU, Swiss or United Kingdom (UK) data controller that ensures the EU data controller will be in compliance with the Member State and UK Data Protection laws.

Any data processed by LiveRamp will not be further disclosed to third parties except where permitted or required by the processing contract, DPF, or the applicable Member State Data Protection law. 

The processing contract will also specify that the processing will be carried out with appropriate data security measures. LiveRamp has in place measures to protect personal information from loss, misuse, unauthorized access, disclosure, alteration and destruction.

As a processor on behalf of LiveRamp’s clients (who are the EU/UK/Swiss data controllers), LiveRamp is not in a position to apply other DPF Principles applicable to data controllers with respect to the personal data received for processing from its clients.

LiveRamp as a Data Controller

LiveRamp provides business and consumer information products designed to help companies and third-party service providers market more successfully, integrate and improve the accuracy of their customer information, and reduce the operational costs of processing customer data. In this function, LiveRamp acts as a data controller of the personal data contained in these information products.

LiveRamp has appointed a chief privacy officer, who is responsible for the global internal supervision of LiveRamp’s privacy policies. LiveRamp has also appointed a EU and UK Data Protection Officer (DPO) and a corporate leader for data security. The chief privacy officer, DPO and security officers are available to any individual or employee who has questions concerning LiveRamp’s compliance with the DPF or our data security practices.

When LiveRamp acts as a data controller of personal data, the policies outlined below apply to all personal data that has been transferred from the EU or United Kingdom to the United States.

LiveRamp and its subsidiaries located in the EU/UK, develop and maintain databases containing personal information on data subjects, households, and businesses located throughout EU Member States and the United Kingdom. These databases are developed from information acquired through information providers, and information collected directly from data subjects.

LiveRamp’s databases contain information that is provided to qualified businesses for marketing, customer data integration, and connectivity purposes. The information contained in these databases may also be used to provide information services, to enhance the understanding a company has about its customers, to aid in accurate integration of a company’s customer information, and be used as lists for direct marketing purposes.

As a data controller, LiveRamp is required to comply with all principles of the DPF.

Notice

LiveRamp may be required to disclose personal information in response to lawful requests by public authorities, including requests to meet national security or law enforcement requirements. Prior to the transfer of personal information from the EU/UK/Switzerland to the United States, LiveRamp requires contractual confirmation from the EU/UK controller from whom LiveRamp acquired the information that the personal data has been provided to LiveRamp in accordance with the applicable United Kingdom/EU Member State Data Protection laws, thereby ensuring the data subjects have been provided with proper notice regarding how their personal data will be used. In addition, when personal data is collected directly from data subjects, LiveRamp provides the data subject with notice regarding the manner and circumstances in which the personal data will be used and transferred to third parties.

Choice

If EU/UK personal information covered by this notice is to be used for a new purpose that is materially different from that for which the personal information was originally collected or authorized or is to be disclosed to a third party, LiveRamp, where operating as a controller, will provide EU/UK data subjects with an opportunity to choose whether to have their personal information so used or disclosed. Request to opt out of such uses or disclosure of personal information should be submitted via the following:

Data Integrity

LiveRamp takes reasonable steps to ensure the information transferred from the EU, Switzerland, and the United Kingdom to the United States is reliable, accurate, and complete. The steps LiveRamp takes to assure data integrity are based on the purposes for which the personal information is used.

Onward Transfer

LiveRamp complies with the notice and choice principles as described above for all data disclosed or transferred to a third party. LiveRamp takes reasonable and appropriate steps to ensure that the third party effectively processes the personal information transferred in a manner consistent with LiveRamp’s obligations under the Principles.

When LiveRamp (as a processor) sends data to processors on behalf of and at the instruction of a customer, the customer is responsible for ensuring the compliance of the transfer.  When LiveRamp uses data processors to perform processing tasks on behalf of and under the instruction of LiveRamp, LiveRamp requires that its data processors either:

  • Subscribe to the DPF (in the case of US-based processors), the EU/UK General Data Protection Regulation (in the case of EU/UK/Swiss-based processors), or another adequacy finding (in the case of processors in countries outside the US or EU/UK/Switzerland); or
  • Enter into a written agreement with LiveRamp requiring them to process the data only for limited and specified purposes and to provide the same level of protection as LiveRamp provides.

In cases of onward transfer to third parties, LiveRamp is generally liable for the acts of the third party that are in violation of the DPF Principles.

Security

LiveRamp has an information security policy in place to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction. LiveRamp’s security officer is responsible for conducting investigations into any alleged computer or network breaches, incidents or problems and ensuring that proper disciplinary action is taken against those who violate LiveRamp’s Information Security Policy.

Any security compromises or potential security compromises and any inquiries concerning security should be reported to the LiveRamp’s Data Ethics/Privacy liaison. Contact information for the LiveRamp’s Data Ethics/Privacy liaison is provided below.

Access

Where LiveRamp is operating as a controller, an individual may request access to the information LiveRamp maintains in its information products. The individual has the right to learn whether or not data about him or her is found in LiveRamp’s information products and to correct, amend, or delete that information when it is inaccurate. This right applies only to personal data about the individual making the request and is subject to other limitations as defined by law. Individuals can request access by submitting your request online or emailing:

LiveRamp’s Data Ethics/Privacy liaison will explain the process for making an access request. In order to confirm the identity of the individual and have the necessary information to retrieve the individual’s information, LiveRamp provides a form which the individual fills out, signs, and mails to LiveRamp. Filing a request in English will expedite the process.

LiveRamp agrees to process all reasonable requests for access within a reasonable time period, but reserves the right to deny access or limit access in accordance with conditions set by applicable laws.

Enforcement

LiveRamp commits to cooperate with EU data protection authorities (DPAs) and comply with the advice given by such authorities with regard to human resources data transferred from the EU in the context of the employment relationship. Notwithstanding the foregoing, human resource data is only covered by the EU-US, the UK Extension to the EU-U.S. DPF and addressed by LiveRamp’s Swiss-US DPF.

Individuals who wish to file a complaint or who take issue with LiveRamp’s DPF policies should contact LiveRamp’s Data Ethics team using the links below. LiveRamp will explain the process to be followed when filing a complaint. Filing a complaint in English will expedite the process.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, LiveRamp commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF in the context of the employment relationship.

Under certain conditions, an individual may invoke binding arbitration to resolve residual claims. With respect to participation in and compliance with the Data Privacy Framework, LiveRamp is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.