This page addresses common FAQs about Zeta’s data privacy and security practices.
Can users opt out? If yes, where?
Yes. Zeta processes two types of data: data owned by its clients, for which Zeta acts as a data processor, and data it has obtained by its own means and for which it acts as a data controller. For client data, user rights requests are generally received by clients and can be passed to the Zeta platform to be applied to the client data resident on the system by several possible means, including via APIs from the client’s OneTrust deployment. Because the client data stored on Zeta’s platform is generally not the client’s database of record, data subject access requests typically are not directed to Zeta; however, deletion and opt-out requests routinely are.
What cookies are deployed by Zeta?
Zeta primarily utilizes three cookie domains, each of which is used for different purposes to support different services:
p13n: Cookies are delivered via a publisher domain to create a first-party identifier, enabling some aspects of the Zeta Marketing Platform. Starting in Q2 2023, data associated with these cookies can be solely processed in the EEA upon request.
Zync: Creates a Zeta-specific identifier that can be linked to other data in the Zeta Data Cloud, creates a user session ID, and tracks opt-outs. Starting in Q2 2023, data associated with these cookies can be solely processed in the EEA upon request.
rfihub: Cookies used by Zeta’s demand-side platform (DSP) for real-time bidding purposes. rfihub cookies are currently deployed to users in EEA countries based on TCF 2.0 consent strings, but data associated with these cookies is processed in the United States and India.
For how long do we store data?
Data retention periods vary depending on the specific data in question and its use. Zeta cookies have varying lifespans, with most expiring within 13 months if inactive. Online activity can keep a cookie active for longer periods, however. Much of the data in the Zeta Data Cloud is constantly refreshed, as its relevance fades over time. Individuals can request the deletion of profiles in the Zeta Data Cloud at any time. Campaign-related data is typically retained for as long as Zeta continues to provide services, although shorter retention periods can be adopted to conform to client retention policies. Client retention limits can be applied to all client data housed on Zeta systems.
When a user opts out, how does Zeta ensure that the user is excluded from future contacts?
In part, the answer depends on what the user has opted out from. For instance, Zeta maintains brand- and advertiser-specific suppression lists in addition to channel-specific and global opt-outs. Examples include:
An email recipient who opts out of receiving commercial emails from that brand will be added to a brand-specific suppression list that will be applied to all future email campaigns for that brand.
An email recipient who opts out of Zeta will be permanently suppressed from future Zeta acquisition email campaigns.
Online users who opt out from Zeta cookies will receive an opt-out cookie that blocks further data collection so long as it remains on the user’s browser.
Users who contact Zeta asking to have data deleted will be added to our global suppression list.
How does Zeta obtain consent for placing tracking cookies on the browsers of EEA users?
Zeta participates in the IAB Europe’s Transparency and Consent Framework (TCF) 2.0. The TCF operates as a consent management platform to obtain GDPR-required opt-in consent for the placement of cookies from users based in the EEA. Accordingly, Zeta’s lawful basis for the placement of cookies and subsequent uses of data is the consent of the user.
Zeta’s processing of most cookie-based data (other than in the context of website personalization services) occurs in the United States; Zeta’s standard Data Processing Agreement (DPA) includes up-to-date EU Standard Contractual Clauses (SCCs) in order to provide a lawful basis for Zeta’s non-EEA processing.
Zeta is currently also evaluating the Global Privacy Control (GPC), a developing browser-based opt-out signal. The GPC is not widely deployed on popular browsers at this time but will be integrated by Zeta as it comes into wider use.
Is Zeta GDPR compliant?
Yes. Zeta is a data processor of client-owned data, and in that role its primary responsibilities under GDPR are not to re-purpose client data beyond the scope of services being provided, to maintain reasonable and appropriate security measures to protect client data, and to otherwise support clients’ compliance with GDPR as needed.
Zeta also has its own data for which it acts as a data controller. This data is obtained on the basis of individual consent and/or Zeta’s legitimate interests.
Does Zeta have an EU Data Privacy Officer (DPO)?
Yes. The DPO can be reached in the following ways: by email at email@example.com (please include “ATTN DPO” in the subject line) or by postal mail at: Zeta Privacy, 3 Park Ave., 33rd Floor, New York, NY 10016 USA.
Is Zeta a data processor or data controller?
Zeta is a data processor with respect to client-owned data and a data controller with respect to data that it owns. Zeta is a data controller of data collected from its owned and operated web properties, and from Zync and rfihub cookies in some cases. In regard to data for which Zeta acts as a data controller, its basis for processing is the consent of the data subject.
Is the data hosted in Europe? If yes, which country?
Zeta stores EU data in a data center in Amsterdam and on AWS in Ireland. All website personalization data is stored in these locations, along with other data where clients request EU-only processing. Zeta has other software and services that currently include data processing in the United States and/or India. For all non-EU processing Zeta utilizes EU Standard Contractual Clauses (SCCs) to provide a lawful basis for non-EU access to data.
Zeta’s EU-only processing capabilities include an EU-based instance of the ZMP, local data storage in the EU, and an EU-based sub-domain for Zync cookies. During 2023 there will continue to be certain services (e.g., DSP/real-time bidding) that require non-EU data processing, but over time Zeta will continue to build out its suite of EU-based capabilities. In the meantime, Zeta currently processes EU data from many of its clients lawfully via the use of SCCs.
Does Schrems II limit Zeta’s ability to process EEA data outside the EEA?
No. The European Court of Justice focused its findings in both the Schrems I and II cases on two aspects of data collection by U.S. national security agencies, neither of which is applicable to Zeta. Section 702 of FISA applies to “Electronic Communications Services Providers,” and Zeta does not meet the statutory definition of an ECSP. The Schrems cases also focus on a U.S. Executive Order that relates to the tapping of undersea data cables between the U.S. and Europe. That order applies to telecommunications carriers, and Zeta is not such a company. The court in Schrems II specifically validated the continued use of SCCs as a means of creating a lawful basis for EEA data to be processed in the United States, so long as FISA 702 and the Executive Order do not apply, which they do not in Zeta’s case.
How does Zeta ensure that its sub-processors (if any) are compliant?
Zeta uses very few subprocessors. It uses AWS for cloud hosting. There are a very small number of other subprocessors that are used to support specific Zeta services. In each case, Zeta has implemented appropriate contractual terms with its subcontractors, including EU Standard Contractual Clauses (SCCs), or CCPA-required Service Provider terms. Zeta’s Privacy Team reviews new sub-processing arrangements to ensure compliance with both contractual and substantive privacy requirements.
Can clients access their data? Or delete it at the end of the agreement?
Clients have self-serve access to their data stored on the ZMP at all times. Client users can be assigned specific rights or levels of access. Data can be deleted at any time at the client’s direction or will be deleted by Zeta following the termination of services.
How do we restrict access/processing of data outside of the EU?
Zeta’s EU-based capabilities have been built in the EU from the ground up, rather than as nodes or extensions of US-based systems. Prior to 2023 Zeta maintained one EU-based data center where data used for website personalization services was (and still is) stored. In 2023, Zeta is introducing a 100% EU-based instance of its Zeta Marketing Platform. The EU ZMP will include many Zeta product features that have no non-EU data processing of any kind.
Does Zeta have a list of certifications?
Zeta’s demand-side platform (DSP) is certified GDPR-compliant by ePrivacy, a private German-based privacy certification firm. Zeta is a member of the European Digital Advertising Alliance (EDAA) and follows its privacy code. It also participates in the IAB Europe’s Transparency and Consent Framework (TCF) 2.0, the means by which Zeta obtains consent to access data from cookies placed on the browsers of EEA residents.
How is Zeta treating consent tracking around cookies placed for tracking user behaviors?
As of April 2023, there are no specific opt-in requirements for setting cookies on U.S. users; however, the compliance burden for providing adequate notice to users and giving them an opt-out mechanism falls primarily on website publishers. In the EEA Zeta uses the TCF 2.0 framework to obtain consent to set cookies. Zeta is testing Global Privacy Control (GPC) processes and will deploy them when possible.
Can cookie preferences on “cookie banners” be defaulted to “Yes”?
Website publishers should familiarize themselves with the FTC’s guidance on so-called “dark patterns” when designing consumer choice mechanisms. While cookies do not currently require opt-in consent in the United States, consumers also need to be given clear, easy-to-find, and easy-to-use mechanisms to opt-out. If cookie preferences are defaulted to “Yes” there also needs to be a readily available “No” option.
Zeta is currently testing processes for applying Global Privacy Control (GPC) signals. The GPC is a browser-based do-not-share mechanism that, when more broadly deployed, will likely become a key consumer data opt-out tool.
What personal information does Zeta’s pixel collect about my customers?
The Zeta pixel can help power important capabilities and insights that can provide a significant boost to brands’ marketing strategies. But recent cases like Sephora and BetterHelp have raised the compliance bar for companies’ digital marketing efforts. Zeta is committed to being transparent with its clients about how its pixels work and the data they collect.
Zeta has configurable pixels that can be used for multiple purposes, including website personalization, retargeting, real-time bidding, onboarding and synching with the Zeta Data Cloud or other data sources. In addition, our Zync pixel is a “container tag” that can include other third-party pixels or cookies depending on the specific features or services desired.
In general, all Zeta pixels collect IP addresses and browser types. The Zync pixel assigns a unique Zeta ID that can be (but is not automatically) used to match website visitors to data in the Zeta Data Cloud. Some configurations collect data on website actions taken (view, add to cart, etc.), log page views, or are used for onboarding either via Zeta or another provider such as LiveIntent. The specific functionality of the Zeta pixel on a site will depend on which specific services Zeta is providing, but Zeta will provide complete information to enable you to update consumer disclosures and ensure compliance.
How is Zeta treating/offering data retrieval and deletion requests?
Data deletion or other requests received by the client can be applied to the instance of client data housed on Zeta’s platform by various means, from automated APIs with client systems (like OneTrust) to more manual managed service processes. Zeta offers data subjects easy-to-find and easy-to-use tools on its website to exercise their legal privacy rights.
Does Zeta collect or use Sensitive Personal Information? If so, how is Zeta dealing with new consent requirements?
Where it is allowed to do so without obtaining prior consent, Zeta collects some categories of Sensitive Personal Information, including data relating to ethnicity, health, political, LGBTQ+ interest, and religion. These categories of data are not collected for data subjects who live in states or countries where prior opt-in consent is required. In all cases, a minimal amount of data from these categories is collected in order to group an audience by demographic characteristics or interest areas; detailed information is not maintained. In no case is any SPI collected by Zeta used to make determinations about housing, employment, insurance, credit, or for other similarly impactful purposes.
Where can I access/download Zeta’s Data Processing Agreement?
The Zeta DPA is available here: https://zetaglobal.com/data-processing-terms/?cn-reloaded=1
Does Zeta comply with CCPA? CPRA? Other U.S. state laws?
Yes. When the original CCPA went into effect, Zeta needed to make very few changes because it was already providing users with most of the rights that the CCPA created. CPRA, its implementing regulations, and other state laws have created some additional new requirements, and Zeta has made the necessary adjustments to ensure ongoing compliance. Examples of Zeta’s CCPA compliance include:
Updated privacy policies and notices;
Easy-to-find and easy-to-use mechanisms for users to exercise their privacy rights;
Updated commercial agreements with clients, data suppliers, and vendors;
Registration with the state of California as a data broker;
Processes to pass and receive deletion requests from and to data partners; and
Updated internal documentation.
As CCPA rules and precedents continue to evolve, Zeta will continue to track developments and make changes as needed.
What is Zeta's role under the CCPA, CPRA, and cases like Sephora as it relates to Zeta’s services?
Recent changes to the CCPA, as well as the case that was settled by Sephora with the California Attorney General, have changed the roles of commercial parties involved in data-driven marketing. There are now three distinct roles, Business, Service Provider, and Third Party, and Zeta plays each of these roles in different contexts:
Zeta is a Business with respect to its own data, for which it is solely responsible;
Zeta is a Service Provider with respect to its clients’ data in many cases; and
Zeta is a Third Party where it matches Zeta data with client data to power insights, audience creation, and campaigns, or in many cases where Zeta’s pixel is active on a client website.
When Zeta acts as a “Third Party” it is because specific services involve “Cross Context Behavioral Advertising.” In such cases—where Zeta and client data are matched—each party is considered to be “sharing” data while the services are active, although no data is permanently transferred (i.e. “sold”) between the parties.
What is Zeta doing to enable customers to comply with CCPA and CPRA?
Zeta has taken a number of steps to support its clients’ compliance with CCPA (including its 2023 amendments and implementing regulations). These include:
A CCPA amendment to Zeta’s standard Data Processing Agreement which incorporates required contract terms for both Service Providers and Third Parties;
APIs to link client OneTrust systems to the ZMP so that opt-out and deletion requests received by clients can be actioned in instances of client data stored on Zeta’s platform.
Custom processes are available to apply user rights requests to client data.
Multiple levels of suppression are available: campaign-level, client/brand-level, global, and custom.
Zeta is committed to supporting its clients’ compliance with privacy laws and is happy to engage with clients to find solutions to their unique needs.
How does Zeta Global manage the organization of information security?
Zeta Global management supports security within the Company through clear direction, demonstrated commitment, explicit assignment, and acknowledgment of information security responsibilities. The Company has appointed an Information Security team, which is responsible for the Company Information Security Management System. This System is based on industry best practices, specifically ISO 27001, and it applies to the following:
Zeta Global business units, employees, contractors, workers, service providers, those who work on Company premises, and those with access to Company information/resources.
Zeta Global premises and physical assets, including datacenters (e.g., networks, servers, computers, storage, peripherals, hard copy media, etc.) used for administration, hosting, or other purposes supporting the Company mission.
Zeta Global logical and information assets (e.g., company data, client data, electronic documentation, software).
Zeta Global processes (e.g., collection, recording, processing, preservation, dissemination, and destruction).
The Information Security Management System is updated annually to meet the Company’s needs and objectives. The Chief Information Security Officer at the group level shall assess and formally approve any deviation from the security program.
How does Zeta Global define information security responsibilities within its organization?
The Chief Information Officer has appointed a Chief Information Security Officer to implement and manage the Information Security Management System across the Company. The CISO and their team are responsible for developing, implementing, and ensuring compliance with Company Information Security policies.
Zeta Global line managers are responsible for executing and properly communicating the Information Security Management System and policies.
How are Zeta Global employees, contractors, and third-party users committed to applying security?
The Information Security Team develops and implements a formal security education program, which includes training programs and communication plans to educate users on the following:
Information security policies, standards, and procedures.
Practices to safeguard information resources.
Protocols for responding to security incidents and violations.
Employees are subject to confidentiality and acceptable usage agreements. All employees have access to information system terms and conditions, which are formalized in an Acceptable Use Policy (AUP). All employees complying with local legislation shall formally sign this policy.
The IT department, in accordance with local legislation, may monitor employee use of Zeta Global information and information systems. Employees are made aware of this monitoring as well as a process for raising information security alerts and incidents. An individual aware of an actual or suspected information security breach must report to their manager or the Information Security team as soon as possible. The Information Security team shall examine the situation to determine whether the breach has violated a policy or resulted in damage and loss.
How does Zeta Global manage human resources security?
Zeta Global uses pre-employment screening to holistically counter the full range of threats it may face, like terrorism, fraud, and reputational damage. The Company recruits potential users for their considered roles in line with Human Resources policies to reduce the risk of theft, fraud, or information misuse.
Zeta Global management informs users of information security threats. The Company aims to ensure users know their responsibilities, are equipped to support organizational security policies and reduce the risk of human error. Any violation of any policy may result in the Company doing the following:
Restricting or terminating an internal user’s access to Company information resources, including computers.
Initiating legal action, including, but not limited to, criminal prosecution.
Terminating employment in some regions under certain circumstances.
How does Zeta Global appropriately train employees, contractors, and third-party users on information security awareness?
Zeta Global continually emphasizes and reinforces security awareness and training in order to reduce vulnerability to error and fraud. The Company annually and mandatorily trains all employees to comply with the information security program. Users confirm their understanding of information security responsibilities through assessment programs.
How does Zeta Global ensure that employees, contractors, and third-party users appropriately change employment status or exit the organization?
Zeta Global line managers must notify the Technology Management and Information Security teams in a timely manner of any changes in a user’s role or business environment. All employees, contractors, and third-party users must return all Company assets in their possession upon termination of their employment, contract, or agreement. Line managers must ensure that users return Company property or equipment at the time of departure, when all system privileges and information access cease.
How does Zeta Global prevent unauthorized physical access, damage, and interference to their premises and organization?
The Company physically restricts all access to areas containing sensitive information through electronic access control mechanisms to validate access. Security perimeters (e.g., card-controlled entry gates, CCTV, 24x7 guards, etc.) protect areas containing information and information processing facilities, and only authorized personnel may access these areas. Visitors must be accompanied at all times and require a government-issued ID to gain access to Zeta Global premises.
How does Zeta Global prevent asset loss, damage, theft, or compromise and interruption of company activities?
The Company safeguards data and hosting sites against environmental threats (e.g., fire, water damage, flooding, improper temperature, and humidity). Zeta Global also installs backup batteries and generators as necessary to ensure continued service in the event of power failure. The Company also checks all equipment containing storage media to ensure that sensitive data and licensed software are removed or overwritten before disposal.
How does Zeta Global ensure the proper operation of information processing facilities?
Zeta Global protects information by controlling and managing changes to information processing facilities and systems. The Company implements formal management responsibilities/procedures and change audit logs. Zeta Global makes necessary and relevant changes to operating documentation and user procedures. The Company implements application and operational change control procedures as needed.
Zeta Global protects the integrity of information by separating operational, development, and testing facilities to reduce the risk of unauthorized access or changes. The Company only implements applications and operating system software after carrying out successful testing of usability, security, and effects on non-production systems and environments.
How does Zeta Global implement controls against malicious code?
Zeta Global is responsible for professionally managing client services as outlined in customer contracts. The Company must protect customers from malware threats, like viruses and spyware applications. A Malicious Code and Virus Protection Policy limits the exposure and effects of common malware threats.
Zeta Global uses preventative/detective technology, policies, procedures, and training to protect against malicious code in a multi-layered manner from perimeters to hosts and data. Users receive procedure awareness training in case of infection.
How does Zeta Global protect its infrastructure against technical vulnerabilities?
Zeta Global’s Information Security team implements vulnerability assessment of Company assets deployed on the network. The team scans to identify network assets, determine potential vulnerabilities, and assess criticality. The Technology Management team is responsible for implementing a remediation plan in accordance with vulnerability criticality.
How does Zeta Global maintain the integrity and availability of information and processing systems?
Zeta Global is responsible for ensuring that Company information and data are routinely backed up and can be restored in the event of unforeseen circumstances. The Company tests backups and its disaster recovery plan on a regular basis, and employs multiple layers of redundancy to maintain availability.
How does Zeta Global ensure proper access control?
All system owners must develop and implement user access management procedures for their information systems. Users are granted access based on the need-to-know principle: users must only be provided with justifiable minimum access and functionality to perform their tasks.
How does Zeta Global ensure that information security incidents are managed consistently and effectively?
The Zeta Global Incident Management Process applies to all Company-owned networking, computing, and data services that store/deliver Company or client data. It also applies to any external systems requiring proprietary Company information to function. The CISO of the Information Security and Emergency Response Team shall analyze all information security issues, determine whether the issue is an event or an incident, and track/assess events for resolutions. Any client-impacting incidents shall be conveyed to clients promptly.
How does Zeta Global avoid breaches of any law, statutory, regulatory, or contractual obligations?
Zeta Global implements appropriate procedures to ensure compliance with legislative, regulatory, and contractual requirements regarding intellectual property rights and proprietary software products. The Company protects important records from loss, destruction, and falsification in accordance with statutory, regulatory, contractual, and business requirements.
The Company protects all data obtained during its activities and complies with all laws and regulations governing personal data processing. Zeta Global has appointed a Chief Privacy Officer, who is responsible for cooperating with the relevant data protection authorities.
How does Zeta Global ensure system compliance within organizational security policies and standards?
Zeta Global implements training programs and communication plans to educate users about information security policies, standards, and procedures. The Company’s procedures notify information resource users (e.g., data owners, users, providers, management, etc.) of their respective responsibilities for information resource protection/recovery and the consequences of non-compliance. Zeta Global may implement additional security measures as required by its clients’ undersigned contracts, agreements, and service contracts.