Your Data, Your Control
Our Commitment to Your Privacy
Your privacy is our priority, and we are committed to safeguarding your personal data with the utmost care and in accordance with the highest standards of security and confidentiality.
DecisionLinks is committed to protecting the privacy of our clients and their customers. This Privacy Policy outlines our practices regarding the collection, use, and disclosure of personal information that we receive through our data services.
Collection and Use of Personal Information
Collection of Personal Information
In addition to the basic personal information such as name, address, email address, phone number, and other contact details, DecisionLinks may also collect data related to clients' interactions with our services. This may include, but is not limited to, transactional data, service usage patterns, and preferences. We collect information through various methods, including direct submissions from our clients and automated means such as communication protocols, e-mail communications, and cookies.
Use of Personal Information
Personal information collected is primarily used to provide and improve our wholesale data services. This includes customer support, enhancing user experience, developing new services, and conducting market research. Additionally, we may use personal information for internal business processes such as audits, fraud monitoring, and compliance with legal obligations.
Data Products & Third-Party Data and Usage
Customers look to our company for PII-based consumer data products. We ethically aggregate data from trusted, secure third-party sources. Our customers then utilize this data to market their products and services and better understand their clientele.
Our marketing data contains available public information and data aggregated from trusted third-party providers and collectors. Clients and businesses use this data in their online and offline marketing programs and DecisionLinks' internal marketing efforts. This PII data includes name, postal address, phone number, email address, VINs, and other data. We may also process information such as demographics (age, gender, presence of children, date of birth), property information (home value, SQ FT), and online opt-in identifiers (IFAs, HEMs, and IP).
As a data marketing provider, we comply with all industry policies, guidelines, principles, and ethical practices for data collection, processing, and protection. Our services are not directed at children, and you may not utilize our data solutions if you are under 18. We do not knowingly collect, disclose, or use data for marketing purposes for anyone under 18.
FCRA Data and Governance
Our Relationship with Equifax and the Consent Decree
Equifax, our principal, entered into a consent decree with the United States government following a significant data breach in 2017. As an authorized agent of Equifax:
We are contractually bound to adhere to all terms and conditions of this consent decree.
Our data security practices and protocols are directly governed by the requirements outlined in the Equifax-US government agreement.
We are subject to the same rigorous auditing and compliance checks that Equifax undergoes as part of the consent decree.
This relationship ensures that we maintain the highest standards of data protection and privacy, as mandated by both Equifax and federal authorities.
FCRA Compliance
We strictly adhere to all requirements set forth by the Fair Credit Reporting Act (FCRA). This federal law regulates the collection, dissemination, and use of consumer credit information. Our compliance includes, but is not limited to:
Ensuring the accuracy and completeness of credit information
Providing consumers with access to their credit information
Allowing consumers to dispute and correct inaccurate information
Limiting access to credit information to those with a permissible purpose
Implementing reasonable procedures to ensure maximum possible accuracy of credit information
Data Security Measures
Encryption at Rest
All credit file data under our management is encrypted at rest using industry-standard encryption protocols. This ensures that data is protected from unauthorized access even if physical storage devices are compromised.
Consent Decree Compliance
As an agent of Equifax, we are bound by the consent decree that Equifax entered into with the U.S. government. This agreement mandates stringent data security practices, and we are obligated to implement and maintain these practices in our role as an Equifax agent.
Regular Audits
We undergo frequent and rigorous audits as required by the Equifax-US government consent decree. These audits are conducted by independent third-party assessors and cover all aspects of our data security practices, including:
Network security
Access controls
Data encryption
Incident response procedures
Employee training and awareness
Data Handling Procedures
Our handling of FCRA-governed data includes:
Strict access controls based on the principle of least privilege
Comprehensive logging and monitoring of all data access
Regular employee training on data privacy and security
Secure data transmission using end-to-end encryption
Rigorous data retention and destruction policies
Commitment to Privacy
We recognize the critical importance of protecting consumer credit information. Our commitment to privacy goes beyond mere compliance with laws and regulations. As an agent of Equifax, we are held to the same high standards required by the consent decree, and we continually invest in advanced security technologies and regularly review and update our privacy practices to stay ahead of emerging threats.
Conclusion
As an agent of Equifax operating under the governance of U.S. credit bureaus and bound by the Equifax-US government consent decree, we take our responsibility to protect consumer data with the utmost seriousness. Our adherence to FCRA regulations, implementation of robust security measures, and compliance with the consent decree demonstrate our unwavering commitment to data privacy and security.
Disclosure of Personal Information
No Sale of Personal Information
DecisionLinks is committed to not selling personal information we collect to third parties. However, we may share information with trusted partners and service providers contractually obligated to comply with our privacy standards. Any shared information is strictly to provide and improve our services and is not used for independent purposes by these entities.
Companies Providing Services to DecisionLinks
We share information with third-party vendors, consultants, and other service providers that are providing business services to DecisionLinks Data. For example, we may share information about you with a third-party service provider that creates reports or other products ordered by users, sends out emails, serves ads on a third-party platform, or monitors or analyzes data. Such companies will have access to personal information only as necessary to carry out their work and are prohibited from using it for an...
How We Share Information
DecisionLinks receives data from, and handles data on behalf of, a variety of consumer-facing companies, applications and services, and data compilers. We also may obtain data through public sources, such as census data and other public records. Some of the data we receive and use is Personal Information (PII) data.
Data Security
We implement stringent security measures to protect personal information from unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to, encryption, access controls, secure data storage, and regular security assessments. Our infrastructure is designed with industry-standard security protocols, ensuring the highest level of data protection. We employ advanced encryption techniques both in transit and at rest, ensuring that sensitive data remains safeguarded from external threats.
Access to data is strictly limited to authorized personnel through role-based access controls (RBAC) and multi-factor authentication (MFA). All access attempts are logged, monitored, and regularly reviewed to detect and respond to any suspicious activity. In addition, we conduct routine vulnerability assessments and penetration testing to proactively identify and address potential security risks. Our incident response plan is regularly updated to ensure a prompt and effective response to any security breach, minimizing potential impact on our systems and data.
International Data Transfers
Personal information may be transferred to, and processed in, countries other than the country in which you reside. These countries may have data protection laws that differ from your country's laws. We take appropriate safeguards to ensure that your personal information remains protected in accordance with this privacy policy.
Your Rights
Individuals whose personal information we hold have the right to access, correct, delete, or restrict the use of their personal information. They also have the right to object to processing and to request data portability. To exercise these rights, individuals can contact us directly.
Cookie Usage
DecisionLinks does not currently use cookies or any similar tracking technologies on our website. We respect your privacy and are committed to transparency in our data practices. As we do not employ cookies, we do not collect or store any information through this method. However, please note that our privacy practices may change over time. If we decide to implement cookies or other tracking technologies in the future, we will update this policy accordingly and inform our users of any changes. For more information on our data practices, please refer to this policy.
Opt-Out
As part of our commitment to privacy, we provide mechanisms for individuals to opt out of receiving marketing communications. This can be done through the Opt-Out Form below or by contacting us directly.
If you are a consumer and you'd like to opt out of receiving marketing messages from our clients, please fill out our Opt Out Form. https://decisionlinks.com/opt-out
Changes to Our Privacy Policy
We reserve the right to modify this privacy policy at any time. Changes will be posted on our website with an updated revision date. We encourage individuals to regularly review our privacy policy to stay informed about how we are protecting their personal information.
Questions Or Concerns
For any questions or concerns regarding our privacy practices, please call our dedicated phone number, (512) 500-2461, or email us at support@decisionlinks.com.
State-Specific Privacy Rights
California Resident Privacy Rights
Under the California Consumer Privacy Act (CCPA), California residents have certain rights regarding their personal information. These rights include:
The categories of personal information we’ve collected, and the categories of sources where we got the information
The business purposes for which we’ve shared their personal information
The categories of third parties with whom we’ve shared their personal information
Access to the specific pieces of personal information we’ve collected and to request deletion of that personal information, subject to certain exceptions
The right to opt out of the sale of their personal information
The right to not be discriminated against for exercising their CCPA privacy rights
The right to correct inaccurate personal information
“Sensitive” Data is defined under California state law as:
Social security, driver’s license, state identification card, or passport numbers
An account login, financial account, debit card, or credit card number in combination with any required security codes
Precise geo-location
Racial and ethnic origins, religious or philosophical beliefs, union memberships
Contents of mail, email, and text messages to unintended recipients
Genetic data
Biometric information if used to uniquely identify a person
Personal health information
Personal information related to a person’s personal life or sexual orientation
For purposes of these rights, “sold” and “business purpose” have the meanings given in the CCPA. If you submit an opt-out request, you will not be opted out from transactions that the CCPA does not deem to be sales. In addition, please note that the CCPA does not require us to delete personal information that we need to maintain for certain purposes.
If you are a California resident, you have the right to request that DecisionLinks disclose the specific personal information and categories we have collected about you. To request this information, please contact us at: support@decisionlinks.com.
You can also request to have your personal information deleted that has been collected about you. To submit a deletion request, please contact us at: support@decisionlinks.com
You can also call (877) 652-5002 to speak with a CCPA (California Consumer Privacy Act) compliance specialist about opting out or removing your information from our database.
Colorado Resident Privacy Rights
Under Colorado’s Consumer Privacy Act (effective as of July 1, 2023), Colorado residents have certain rights regarding their personal information. This includes:
Access to the specific pieces of personal information we’ve collected, and to request deletion of that personal information
The right to opt out of the sale of their personal information
The right to opt out of targeted advertising
The right to request correction of inaccurate personal information and to request to limit disclosure or use of their sensitive personal information
“Sensitive” Data is defined under Colorado state law as:
Racial or ethnic origin
Religious beliefs
Sexual orientation
Citizenship or immigration status
Biometric or genetic data
Information regarding an individual’s medical history, mental or physical health condition, medical treatment, or diagnosis
Personal data from a known child
If you are a Colorado resident, you have the right to request that DecisionLinks disclose the specific personal information and categories we have collected about you. To request this information, please email us at: support@decisionlinks.com or call (512) 500-2461.
Connecticut Resident Privacy Rights
Under Connecticut’s Data Privacy Act (effective as of July 1, 2023), Connecticut residents have certain rights regarding their personal information. This includes:
Access to the specific pieces of their personal information we’ve collected and to request deletion of that personal information
The right to opt out of the sale of their personal information
The right to opt out of targeted advertising
The right to request correction of inaccurate personal information and to request to limit disclosure or use of their sensitive personal information
“Sensitive” Data is defined under Connecticut state law as:
Racial or ethnic origin
Religious beliefs
Sexual orientation
Citizenship or immigration status
Biometric or genetic data
Information regarding an individual’s medical history, mental or physical health condition, medical treatment, or diagnosis
Personal data from a known child
Precise geolocation at a radius of 1,750 feet or less
If you are a Connecticut resident, you have the right to request that DecisionLinks disclose the specific personal information and categories we have collected about you. To request this information, please email us at: support@decisionlinks.com.
Delaware Personal Data Privacy Act
The Delaware Personal Data Privacy Act (effective January 1, 2025) is a state-level legislative measure aimed at protecting the personal data of Delaware residents. It sets forth various requirements and obligations for businesses that handle personal data. Here are some key aspects of the DPDPA:
Scope and Applicability
The act applies to businesses operating in Delaware or targeting Delaware residents, handling a specified amount of personal data. It covers businesses that control or process the personal data of 10,000 or more consumers annually or derive more than 50% of their gross revenue from the sale of personal data.
Consumer Rights
Right to Access: Consumers can request access to their personal data held by a business.
Right to Correction: Consumers can request corrections to inaccurate personal data.
Right to Deletion: Consumers can request the deletion of their personal data.
Right to Data Portability: Consumers can request a copy of their personal data in a portable format.
Right to Opt-Out: Consumers can opt out of the sale of their personal data, targeted advertising, and profiling.
Business Obligations
Data Minimization: Businesses must limit the collection of personal data to what is necessary for the purposes disclosed to consumers.
Data Security: Businesses are required to implement reasonable security measures to protect personal data.
Data Processing Agreements: When transferring data to third parties, businesses must ensure that data processing agreements are in place to protect personal data.
Privacy Notices: Businesses must provide clear and transparent information about their data collection, use, and sharing practices.
Enforcement
The Delaware Attorney General has the authority to enforce the DPDPA.
Penalties for non-compliance can include fines and other legal actions.
Exemptions
Certain types of data and entities are exempt from the act, such as data subject to federal regulations like HIPAA or Gramm-Leach-Bliley Act, and certain small businesses.
If you are a Delaware resident, you have the right to request that DecisionLinks disclose the specific personal information and categories we have collected about you. To request this information, please email us at: support@decisionlinks.com or call (512) 500-2461.
Indiana Consumer Data Protection Act
The Indiana Consumer Data Protection Act (effective January 1, 2026) is a state-level legislative measure designed to protect the personal data of Indiana residents. It outlines various rights for consumers and imposes specific obligations on businesses that collect, process, or sell personal data. Here are some key aspects of the ICDPA:
Scope and Applicability
The act applies to entities conducting business in Indiana or targeting Indiana residents.
It primarily affects businesses that process personal data of 100,000 or more consumers annually or derive over 50% of their gross revenue from the sale of personal data.
Consumer Rights
Right to Access: Consumers can request access to their personal data held by a business.
Right to Correction: Consumers can request corrections to inaccurate personal data.
Right to Deletion: Consumers can request the deletion of their personal data.
Right to Data Portability: Consumers can request a copy of their personal data in a portable format.
Right to Opt-Out: Consumers can opt out of the sale of their personal data, targeted advertising, and profiling.
Business Obligations
Data Minimization: Businesses must limit data collection to what is necessary for the purposes disclosed to consumers.
Data Security: Businesses are required to implement reasonable security measures to protect personal data.
Data Processing Agreements: Businesses must ensure data processing agreements are in place when transferring data to third parties.
Privacy Notices: Businesses must provide clear and transparent information about their data collection, use, and sharing practices.
Enforcement
The Indiana Attorney General has the authority to enforce the ICDPA.
Penalties for non-compliance can include fines and other legal actions.
If you are an Indiana resident, you have the right to request that DecisionLinks disclose the specific personal information and categories we have collected about you. To request this information, please email us at: support@decisionlinks.com or call (512) 500-2461.
Iowa Consumer Data Protection Act
The Iowa Consumer Data Protection Act (effective January 1, 2025) is a legislative measure designed to protect the personal data of Iowa residents. Similar to data protection laws in other states, the ICDPA grants specific rights to consumers and imposes various obligations on businesses that handle personal data. Here are the key aspects of the ICDPA:
Scope and Applicability
The ICDPA applies to entities conducting business in Iowa or targeting Iowa residents.
It primarily affects businesses that control or process personal data of 100,000 or more consumers annually, or control or process personal data of 25,000 or more consumers and derive over 50% of their gross revenue from the sale of personal data.
Consumer Rights
Right to Access: Consumers can request access to their personal data held by a business.
Right to Correction: Consumers can request corrections to inaccurate personal data.
Right to Deletion: Consumers can request the deletion of their personal data.
Right to Data Portability: Consumers can request a copy of their personal data in a portable format.
Right to Opt-Out: Consumers can opt out of the sale of their personal data, targeted advertising, and profiling.
Business Obligations
Data Minimization: Businesses must limit data collection to what is necessary for the purposes disclosed to consumers.
Data Security: Businesses are required to implement reasonable security measures to protect personal data.
Data Processing Agreements: Businesses must ensure data processing agreements are in place when transferring data to third parties.
Privacy Notices: Businesses must provide clear and transparent information about their data collection, use, and sharing practices.
Enforcement
The Iowa Attorney General has the authority to enforce the ICDPA.
Penalties for non-compliance can include fines and other legal actions.
Exemptions
Certain types of data and entities are exempt from the act, such as data subject to federal regulations like HIPAA or the Gramm-Leach-Bliley Act, and certain small businesses.
If you are an Iowa resident, you have the right to request that DecisionLinks disclose the specific personal information and categories we have collected about you. To request this information, please email us at: support@decisionlinks.com or call (512) 500-2461.
Kentucky Consumer Data Protection Act
The Kentucky Consumer Data Protection Act (KCDPA) is a state-level legislative measure designed to protect the personal data of Kentucky residents. It outlines various rights for consumers and imposes specific obligations on businesses that collect, process, or sell personal data. Here are some key aspects of the KCDPA:
Scope and Applicability
The KCDPA applies to entities conducting business in Kentucky or targeting Kentucky residents.
It primarily affects businesses that control or process personal data of 25,000 or more consumers annually, or derive over 50% of their gross revenue from the sale of personal data.
Consumer Rights
Right to Access: Consumers can request access to their personal data held by a business.
Right to Correction: Consumers can request corrections to inaccurate personal data.
Right to Deletion: Consumers can request the deletion of their personal data.
Right to Data Portability: Consumers can request a copy of their personal data in a portable format.
Right to Opt-Out: Consumers can opt out of the sale of their personal data, targeted advertising, and profiling.
Business Obligations
Data Minimization: Businesses must limit data collection to what is necessary for the purposes disclosed to consumers.
Data Security: Businesses are required to implement reasonable security measures to protect personal data.
Data Processing Agreements: Businesses must ensure data processing agreements are in place when transferring data to third parties.
Privacy Notices: Businesses must provide clear and transparent information about their data collection, use, and sharing practices.
Enforcement
The Kentucky Attorney General has the authority to enforce the KCDPA.
Penalties for non-compliance can include fines and other legal actions.
Exemptions
Certain types of data and entities are exempt from the act, such as data subject to federal regulations like HIPAA or the Gramm-Leach-Bliley Act, and certain small businesses.
If you are a Kentucky resident, you have the right to request that DecisionLinks disclose the specific personal information and categories we have collected about you. To request this information, please email us at: support@decisionlinks.com or call (512) 500-2461.
Montana Consumer Data Protection Act
The Montana Consumer Data Protection Act (MCDPA) is a state-level legislative measure designed to protect the personal data of Montana residents. It outlines various rights for consumers and imposes specific obligations on businesses that handle personal data. Here are some key aspects of the MCDPA:
Scope and Applicability
The MCDPA applies to entities conducting business in Montana or targeting Montana residents.
It primarily affects businesses that control or process personal data of 50,000 or more consumers annually, or derive over 25% of their gross revenue from the sale of personal data.
Consumer Rights
Right to Access: Consumers can request access to their personal data held by a business.
Right to Correction: Consumers can request corrections to inaccurate personal data.
Right to Deletion: Consumers can request the deletion of their personal data.
Right to Data Portability: Consumers can request a copy of their personal data in a portable format.
Right to Opt-Out: Consumers can opt out of the sale of their personal data, targeted advertising, and profiling.
Business Obligations
Data Minimization: Businesses must limit data collection to what is necessary for the purposes disclosed to consumers.
Data Security: Businesses are required to implement reasonable security measures to protect personal data.
Data Processing Agreements: Businesses must ensure data processing agreements are in place when transferring data to third parties.
Privacy Notices: Businesses must provide clear and transparent information about their data collection, use, and sharing practices.
Enforcement
The Montana Attorney General has the authority to enforce the MCDPA.
Penalties for non-compliance can include fines and other legal actions.
Exemptions
Certain types of data and entities are exempt from the act, such as data subject to federal regulations like HIPAA or the Gramm-Leach-Bliley Act, and certain small businesses.
The MCDPA aims to enhance consumer privacy protections and ensure that businesses adhere to responsible data management practices. By providing consumers with more control over their personal data and demanding greater transparency from businesses, the act reflects a growing movement towards comprehensive state-level data privacy legislation in the United States.
Nebraska Consumer Data Protection Act
The Nebraska Data Protection Act (effective January 1, 2025) is a state-level legislative measure designed to protect the personal data of Nebraska residents. It outlines various rights for consumers and imposes specific obligations on businesses that handle personal data. Here are some key aspects of the NDPA:
Scope and Applicability
The NDPA applies to entities conducting business in Nebraska or targeting Nebraska residents.
It primarily affects businesses that control or process personal data of 50,000 or more consumers annually, or derive over 25% of their gross revenue from the sale of personal data.
Consumer Rights
Right to Access: Consumers can request access to their personal data held by a business.
Right to Correction: Consumers can request corrections to inaccurate personal data.
Right to Deletion: Consumers can request the deletion of their personal data.
Right to Data Portability: Consumers can request a copy of their personal data in a portable format.
Right to Opt-Out: Consumers can opt out of the sale of their personal data, targeted advertising, and profiling.
Business Obligations
Data Minimization: Businesses must limit data collection to what is necessary for the purposes disclosed to consumers.
Data Security: Businesses are required to implement reasonable security measures to protect personal data.
Data Processing Agreements: Businesses must ensure data processing agreements are in place when transferring data to third parties.
Privacy Notices: Businesses must provide clear and transparent information about their data collection, use, and sharing practices.
Enforcement
The Nebraska Attorney General has the authority to enforce the NDPA.
Penalties for non-compliance can include fines and other legal actions.
Exemptions
Certain types of data and entities are exempt from the act, such as data subject to federal regulations like HIPAA or the Gramm-Leach-Bliley Act, and certain small businesses.
If you are a Nebraska resident, you have the right to request that DecisionLinks disclose the specific personal information and categories we have collected about you. To request this information, please email us at: support@decisionlinks.com or call (512) 500-2461.
New Hampshire Data Privacy and Security Act
The New Hampshire Data Privacy and Security Act (effective January 1, 2025) is a state-level legislative measure designed to protect the personal data of New Hampshire residents. It outlines various rights for consumers and imposes specific obligations on businesses that handle personal data. Here are some key aspects of the NHDPPA:
Scope and Applicability
The NHDPPA applies to entities conducting business in New Hampshire or targeting New Hampshire residents.
It primarily affects businesses that control or process personal data of 50,000 or more consumers annually, or derive over 25% of their gross revenue from the sale of personal data.
Consumer Rights
Right to Access: Consumers can request access to their personal data held by a business.
Right to Correction: Consumers can request corrections to inaccurate personal data.
Right to Deletion: Consumers can request the deletion of their personal data.
Right to Data Portability: Consumers can request a copy of their personal data in a portable format.
Right to Opt-Out: Consumers can opt out of the sale of their personal data, targeted advertising, and profiling.
Business Obligations
Data Minimization: Businesses must limit data collection to what is necessary for the purposes disclosed to consumers.
Data Security: Businesses are required to implement reasonable security measures to protect personal data.
Data Processing Agreements: Businesses must ensure data processing agreements are in place when transferring data to third parties.
Privacy Notices: Businesses must provide clear and transparent information about their data collection, use, and sharing practices.
Enforcement
The New Hampshire Attorney General has the authority to enforce the NHDPPA.
Penalties for non-compliance can include fines and other legal actions.
Exemptions
Certain types of data and entities are exempt from the act, such as data subject to federal regulations like HIPAA or the Gramm-Leach-Bliley Act, and certain small businesses.
If you are a New Hampshire resident, you have the right to request that DecisionLinks disclose the specific personal information and categories we have collected about you. To request this information, please email us at: support@decisionlinks.com or call (512) 500-2461.
New Jersey Data Protection Act
The New Jersey Data Protection Act (effective January 15, 2025) is a state-level legislative measure designed to protect the personal data of New Jersey residents. It outlines various rights for consumers and imposes specific obligations on businesses that handle personal data. Here are some key aspects of the NJDPA:
Consumer Rights under the NJDPA
Right to Know: Consumers can confirm whether a business is processing their personal data and access details about the categories of data collected, the purpose of processing, and any third-party disclosures.
Right to Correction: Consumers have the right to request correction of inaccurate personal data.
Right to Deletion: Consumers can request deletion of their personal data, with some exceptions for businesses with legal obligations to retain data.
Right to Portability: Consumers can obtain a copy of their personal data in a transferable format that allows them to move it to another business.
Right to Opt-Out: Consumers can opt out of the processing of their personal data for:
Targeted advertising.
Sale of personal data (except for consumers under 18, where opt-in is required).
Profiling in furtherance of automated decisions that produce legal or similar effects concerning them.
Business Obligations under the NJDPA
Applicability: The NJDPA applies to businesses that meet at least one of the following criteria:
Control or process personal data of at least 100,000 consumers annually (increased from 50,000 after July 1, 2027).
Derive over 50% of their gross revenue from the sale of personal data and process the data of at least 25,000 consumers annually.
Privacy Notice: Businesses must provide a clear and comprehensive privacy notice explaining:
The categories of personal data collected.
The purposes for processing the data.
Consumers’ rights under NJDPA and how to exercise them.
The categories of third parties with whom data is shared.
How consumers can opt out of the sale of personal data and targeted advertising (starting July 15, 2025, universal opt-out mechanisms must be recognized).
Enforcement
The New Jersey Attorney General’s Office is responsible for enforcing the NJDPA. The Attorney General can investigate violations, issue civil penalties, and seek injunctive relief. Consumers can also file private lawsuits for certain violations.
Additional Notes
The NJDPA exempts certain data from its scope, including public data and data covered by other specific privacy laws (e.g., HIPAA).
The NJDPA prohibits discrimination against consumers for exercising their rights under the law.
Businesses have a duty to respond to consumer requests within a reasonable timeframe (generally 45 days).
If you are a New Jersey resident, you have the right to request that DecisionLinks disclose the specific personal information and categories we have collected about you. To request this information, please email us at: support@decisionlinks.com or call (512) 500-2461.
Oregon Consumer Privacy Act
The Oregon Consumer Privacy Act (effective July 1, 2024) is a state-level legislative measure designed to protect the personal data of Oregon residents. It outlines various rights for consumers and imposes specific obligations on businesses that handle personal data. Here are some key aspects of the OCPA:
Consumer Rights under the OCPA
Right to Access: Consumers can confirm whether a business is processing their personal data and request details about the categories of data collected, the purpose of processing, and any third-party disclosures.
Right to Correction: Consumers have the right to request correction of inaccurate personal data.
Right to Deletion: Consumers can request deletion of their personal data, including data they provided directly, data obtained from other sources, and derived data.
Right to Data Portability: Consumers can obtain a copy of their personal data in a transferable format that allows them to easily move it to another business.
Right to Opt-Out: Consumers can opt out of the sale of their personal data and targeted advertising. Additionally, they have the right to opt in for the processing of “sensitive data” such as social security numbers, passport numbers, or data revealing race, religion, or sexual orientation.
Business Obligations under the OCPA
Applicability: The OCPA applies to businesses that control or process the personal data of at least 25,000 Oregon residents annually, or derive over 50% of their gross revenue from the sale of personal data and process the data of at least 10,000 Oregon residents annually.
Privacy Notice: Businesses must provide a clear and comprehensive privacy notice explaining the categories of personal data collected, the purposes for processing, how consumers can exercise their rights, and the categories of third parties with whom data is shared.
Data Minimization: Businesses can only collect personal data that is reasonably necessary for the disclosed purposes.
Reasonable Security: Businesses must implement reasonable security measures to protect personal data from unauthorized access, disclosure, or use.
Data Processing Assessments: For activities that present a heightened risk of harm to consumers, such as targeted advertising, sale of data, or profiling for automated decisions, businesses must conduct data privacy assessments to identify and mitigate risks.
Consumer Requests: Businesses must establish a mechanism for consumers to submit requests to exercise their rights and respond to requests within a reasonable timeframe (generally within 45 days).
Enforcement
The Oregon Attorney General’s office is responsible for enforcing the OCPA. Consumers can file complaints with the Attorney General if they believe a business has violated their rights.
Additional Notes
The OCPA exempts certain data from its scope, including public data, de-identified data, and data covered by other specific privacy laws (e.g., HIPAA).
The OCPA allows businesses to charge a reasonable fee for data portability requests if they exceed a certain frequency.
If you are an Oregon resident, you have the right to request that DecisionLinks disclose the specific personal information and categories we have collected about you. To request this information, please email us at: support@decisionlinks.com or call: (512) 500-2461.
Tennessee Information Protection Act
The Tennessee Information Protection Act (effective July 1, 2025) grants Tennessee residents control over their personal data and places obligations on businesses that handle this data. Here’s a comprehensive look at TIPA’s key provisions:
Consumer Rights under the TIPA
Access, Correction, and Deletion: Consumers have the right to:
Confirm whether a business is processing their personal information.
Access a copy of their personal information.
Request correction of any inaccuracies in their data.
Request deletion of their personal information, subject to certain exceptions.
Data Portability: Consumers can obtain their personal information in a usable and portable format to transfer it to another business.
Opt-Out Rights: Consumers have the right to opt out of:
The sale of their personal information.
Targeted advertising based on their personal information.
Profiling that results in automated decisions that have a significant impact on them.
Business Obligations under the TIPA
Applicability: TIPA applies to businesses that meet at least one of the following criteria:
Control or process personal information of at least 175,000 consumers in a year and have over $25 million in gross revenue.
Control or process personal information of at least 25,000 consumers and derive more than 50% of gross revenue from the sale of personal data.
Privacy Notice: Businesses must provide a clear and comprehensive privacy notice explaining:
The categories of personal information collected.
The purposes for processing the data.
Consumers’ rights under TIPA and how to exercise them.
The categories of third parties with whom data is shared.
Reasonable Security: Businesses must implement reasonable security measures to protect personal data from unauthorized access, disclosure, or use.
Data Minimization: Businesses can only collect personal data that is reasonably necessary for the disclosed purposes.
Contracts with Processors: Businesses must have written contracts with any third-party processors that handle personal data on their behalf. These contracts must ensure the processors comply with TIPA’s requirements.
Enforcement
The Tennessee Attorney General’s office is responsible for enforcing TIPA. While consumers cannot directly sue businesses under TIPA, the Attorney General can take legal action against businesses for violations.
Exceptions and Additional Notes
TIPA exempts certain data from its scope, including public data and data covered by other specific privacy laws (e.g., HIPAA).
TIPA offers a unique “affirmative defense” provision. Businesses that create and comply with a written privacy policy that aligns with the National Institute of Standards and Technology (NIST) Privacy Framework or other documented standards designed to safeguard consumer privacy may have a defense against TIPA violations.
Businesses are exempt from certain provisions if they are already subject to and comply with stricter federal privacy laws. Notably, TIPA exempts all insurance companies licensed under Tennessee law.
If you are a Tennessee resident, you have the right to request that DecisionLinks disclose the specific personal
Texas Resident Privacy Rights
Texas is the latest state to pass new resident privacy protection laws. Under the Texas Data Privacy and Security Act (effective March 1, 2024), Texas residents will have certain rights regarding their personal information. These include the right to:
Access the specific pieces of their personal information we’ve collected and to request deletion of that personal information
Confirm that the data controller is processing their data
Correct inaccuracies in their personal data
Delete their personal data
Obtain a copy of their data in a portable and readily usable format
Opt out of having their data processed for the purpose of targeted advertising, the sale of their data, or profiling that produces a legal or significant effect on the consumer
Sensitive Data
“Sensitive” Data is defined under Texas state law as:
Racial or ethnic origin
Religious beliefs
Mental or physical health diagnosis
Sexual orientation
Citizenship or immigration status
Genetic or biometric data
Children’s data
Precise geolocation data
Effective March 1, 2024, if you are a Texas resident, you have the right to request that DecisionLinks disclose the specific personal information and categories we have collected about you. To request this information, please email us at: support@decisionlinks.com or call: (512) 500-2461.
The entity maintaining this website is a data broker under Texas law. To conduct business in Texas, a data broker must register with the Texas Secretary of State (Texas SOS). Information about data broker registrants is available on the Texas SOS website.
Utah Resident Privacy Rights
Under Utah’s Consumer Privacy Act (effective as of December 31, 2023), Utah residents have certain rights regarding their personal information. This includes:
Access the specific pieces of their personal information we’ve collected and to request deletion of that personal information
The right to opt out of the sale of their personal information
The right to opt out of targeted advertising
The right to request correction of inaccurate personal information and to request to limit disclosure or use of your sensitive personal information
Sensitive Data
“Sensitive” Data is defined under Utah state law as:
Racial or ethnic origin
Religious beliefs
Sexual orientation
Citizenship or immigration status
Biometric or genetic data
Information regarding an individual’s medical history, mental or physical health condition, medical treatment, or diagnosis
Personal data from a known child
Precise geolocation at a radius of 1,750 feet or less
If you are a Utah resident, you have the right to request that DecisionLinks disclose the specific personal information and categories we have collected about you. To request this information, please email us at: support@decisionlinks.com or call: (512) 500-2461.
Virginia Resident Privacy Rights
Under Virginia’s Consumer Data Protection Act (effective as of January 1, 2023), Virginia residents have certain rights regarding their personal information. This includes:
Access the specific pieces of their personal information we’ve collected and to request deletion of that personal information
The right to opt out of the sale of their personal information
The right to opt out of targeted advertising
The right to request correction of inaccurate personal information and to request to limit disclosure or use of your sensitive personal information
Sensitive Data
“Sensitive” Data is defined under Virginia state law as:
Racial or ethnic origin
Religious beliefs
Sexual orientation
Citizenship or immigration status
Biometric or genetic data
Information regarding an individual’s medical history, mental or physical health condition, medical treatment, or diagnosis
Personal data from a known child
Precise geolocation at a radius of 1,750 feet or less
If you are a Virginia resident, you have the right to request that DecisionLinks disclose the specific personal information and categories we have collected about you. To request this information, please email us at: support@decisionlinks.com or call: (512) 500-2461.
Vermont Data Broker Act
The Act relating to Data Brokers and Consumer Protection went into full effect on January 1, 2019. The Data Broker Act imposes specific registration, disclosure, and security requirements on data brokers. Additionally, the Data Broker Act prohibits any person or entity from fraudulently acquiring or using brokered personal information.
The Data Broker Act defines the term ‘data broker’ as any business or unit of businesses that knowingly collects and sells, or licenses to third parties, ‘brokered personal information’ of a consumer (i.e., a Vermont resident) with whom the business does not have a direct relationship. “Brokered personal information” includes any of the following data elements about a consumer, if categorized or organized for dissemination to third parties:
Name
Address
Date or place of birth
Mother’s maiden name
Unique biometric data that can identify or authenticate a consumer (e.g. fingerprint, retina, or iris image)
Name or address of a member of the consumer’s immediate family or household
Social security number or other government-issued identification number
Any other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable certainty
Data brokers must register with the Vermont Secretary of State annually and must provide certain information as part of that process. The purpose of the registration requirement is to provide consumers with factual information to help protect themselves from deception related to data broker activities.