Here’s an overview of the steps we take at CircleBack to ensure that all personal data is handled responsibly and legally, as well as some FAQs on how we comply with the General Data Protection Regulation (GDPR) and a few tips we’ve heard from industry experts on how you can do the same.

We at CircleBack are committed to helping you strengthen, sustain, and ensure accuracy in your contact data. We are also committed to privacy and protecting your data, and meeting ever-changing compliance regulations.

The CircleBack ContactCloud and CircleBack Leads products profile decision makers and key influencers that are based in the United States.  The use of the contact information for business purposes is subject to local and federal privacy restrictions, and as a data controller CircleBack is compliant with all such regulations, most prominently CAN-SPAM, which addresses electronic mail standards and opt-out clauses.  That compliance does not extend to our clients whether a direct user, channel partner, or distribution partner using CircleBack data through our APIs or files, and the onus is on them to ensure they follow any and all applicable privacy standards.

If any CircleBack contacts are confirmed by our clients to sit outside of the United States, we encourage them to notify us so that we can make the necessary adjustments.  In Canada, contacts are subject to the 2014 Canadian Anti-Spam Law (CASL), which requires that any electronic mail recipient provide consent to receive that correspondence prior to it being sent (opt-in).  In the European Union, contacts are subject to the 2018 General Data Protection Regulation (GDPR), which requires that any electronic mail recipient provide dual consent to receive that correspondence prior to it being sent (double opt-in).  While no longer members of the EU, Great Britain and Ireland are expected to enact regulations very closely modelled on GDPR.

Whenever you license decision maker or key influencer contact data from CircleBack Leads, that data is not subject to GDPR regulations, since our contact information is US based.

How does CircleBack Leads ensure that their contact information is US based?

We validate all contact information at the gate. This means that all the contacts we find through our crowd-sourcing model are filtered to exclude non-US data.  We also have a strong international filter in place in our data processing engine. If any data point suggests that the contact sits outside the US (i.e. country code in the phone number, an email address that indicates an international URL like ‘.de’ or ‘.uk’, etc), we remove that contact from the database.  Any singular indication of an international location triggers such a removal.

The decision makers and key influencers in our premium CircleBack Leads product are all personally verified by our research staff, and any singular indication of an international location triggers a removal by the staffer who is managing that record.

GDPR: can CircleBack help our organization become compliant?

As a data controller, CircleBack is compliant with all privacy restrictions and strives not to provide our clients with any data that in subject to GDPR restrictions.  As a thought leader, we are willing to talk through any compliance questions to the best of our ability.

Here are a few tips to move your organization forward in their GDPR compliance efforts.

1.    Have your counsel, compliance, or privacy teams become acquainted with the definition of “personal data” as it applies to European Union citizens.

2.    Familiarize yourself with your organization’s use of personal data and the data protection principles.

3.    Treat data subjects (or ‘contacts’) as the most crucial data points within your processes and ecosystems when seeking to implement the requirements of the GDPR.

4.    Thoroughly document your sources for any personal data – this should extend to all contacts and not just those that are subject to GDPR or CASL.  Tracking your lead sources will help you comply with those regulations – in the case of GDPR this documentation is a requirement – and also help you understand the most effective lead sources for your business.

5.    Treat GDPR as an essential function for your compliance and privacy teams, and for any contact data management teams you employ.  Contact data managers should all familiarize themselves with ways to mitigate the risk of violation, as the risk (4% of annual revenue or 200 million euros) certainly outweighs the reward of transparency in this area.

6.    If you receive a complaint from any EU citizen about commercial email, immediately remove that individual from your email campaigns and notify them of that.  It is the responsibility of the data subject to report violations to the governing body, so that simple step of informing them that it was a small oversight and that it won’t happen again can go a long way toward preventing the subject from reporting the violation.

For more information on GDPR:
For more information on CASL: