DMA: Data and Marketing Association
Hurricane Relief

Collection, Use, and Maintenance of Marketing Data

For purposes of the Guidelines for Ethical Business Practice, the following definitions are used:

Consumer refers to the subject of the data.

Marketing data means actual or inferred information consistent with a person’s commercial or charitable inquiry or transaction, or market research or market survey information. Such information can be derived from either a direct contact or marketing partnership when linked to a person’s name, postal or email address, or telephone number, or any other personally identifiable information. When obtained from a publicly available source, information (including public record information), not combined with other information, is not marketing data.

Marketing purpose means any activity undertaken to collect, aggregate, analyze, maintain, update, or sell information in order to allow or induce consumers to take action to purchase, rent, or exchange products, property or services, to solicit a charitable donation, to utilize market research or market surveys, or to provide verification services to marketers.


Article #31

This article is applicable to all addressable media and applies to senders of marketing offers or fundraising solicitations:

      A. Providing Consumer Choice and Privacy Notice Information:

    • Marketers should provide consumers a point of contact where they may add, modify or eliminate direct marketing communications from a company or an organization and obtain the company or organization’s privacy policy with regards to collection, use and transfer of their information. The point of contact information (such as a website, telephone number or address) should appear upon or within each written marketing offer, or upon request by the consumer.
    • Online marketers should provide notice in accordance with Article #38.
    • Email marketers should provide notice in accordance with Article #39 and the CAN-SPAM Act.
    • Mobile marketers must obtain prior express consent and provide a notice in accordance with Articles #54 and #55.)
    • The point of contact notice should: be easy for the consumer to find, read, understand, and act upon.
    • A marketer periodically should provide existing customers with notice of its policy concerning the rental, sale, exchange, or transfer of data about them and of the opportunity to opt out of the marketing process. All such opt-out requests should be honored promptly.
    • An in-house suppression request from a consumer should be interpreted as meaning that the consumer also wants to opt out of the transfer of his or her personal information
    • Upon request by a consumer, a marketer should disclose the source from which it obtained personally identifiable information about that consumer.

B. Processing Consumer Choices:

    • A consumer’s request for elimination of future marketing offers should be processed:
      • within 30 days of the consumer’s request or as required by law, whichever is the shorter time period
      • for a period of at least three years from the date of receipt of the request
    • Where an affiliate, division, or subsidiary markets under a different company or brand name, and is perceived as separate by the consumer, each corporate entity or brand should separately honor requests received by it.
    • A marketer should establish internal policies and practices that assure accountability for honoring consumer preference requests regardless of the marketing channel, in compliance with this guideline, and at no cost to consumers. Should those policies substantially change, the marketer has an obligation to inform consumers of that change prior to the rental, sale, exchange, or transfer of data, and to offer consumers an opportunity to opt out of the marketing process at that time.

C. DMAchoice and Related Consumer Choice Files:

  • For each prospecting list that is rented, sold, exchanged, or transferred, the names registered on the applicable DMAchoice (DMA’s consumer choice web site) name-removal lists should be removed prior to use.
  • DMAchoice name-removal lists include:
    • the relevant categorical opt-out mailing lists for Catalog, Magazine, Pre-screened Credit Offers or Other categories, as well as future categories designated by the DMA; and
    • the Email Preference Service and Telephone Preference Service, as well as future DMA preference service lists.
  • The use of the DMAchoice name-removal lists and preference service lists is not required for the company’s and organization’s existing customer or donor lists, only for prospects.
  • Members should be listed on the DMAchoice site to demonstrate their compliance with the DMA Guidelines and to provide a direct connection to consumers for further choice requests.
    • The company or organization listed must provide the correct point of contact where the consumer may exercise their marketing preferences. (See Also Article #9 Accessibility: Every offer should clearly identify the marketer’s name and street address or telephone number, or both, at which the individual may obtain service and exercise their marketing preferences.)

In all instances, the most recent monthly release of the relevant DMAchoice file should be used.

In addition to adhering to these guidelines, a marketer should cooperate with DMA when requested in demonstrating its compliance with the Commitment to Consumer Choice and the marketer’s own consumer preference policies.


Article #32

Marketers should be sensitive to the issue of consumer privacy and should only collect, combine, rent, sell, exchange, or use marketing data. Marketing data should be used only for marketing purposes.

Data and selection criteria that by reasonable standards may be considered sensitive and/or intimate should not be disclosed, be displayed, or provide the basis for lists made available for rental, sale or exchange when there is a reasonable expectation by the consumer that the information will be kept confidential.

Credit card numbers, checking account numbers, and debit account numbers are considered to be personal information and therefore should not be transferred, rented, sold, or exchanged when there is a reasonable expectation by the consumer that the information will be kept confidential. Because of the confidential nature of such personally identifying numbers, they should not be publicly displayed on direct marketing promotions or otherwise made public by direct marketers.

Social Security numbers are also considered to be personal information and therefore should not be transferred, rented, sold, or exchanged for use by a third party when there is a reasonable expectation by the consumer that the information will be kept confidential. Because of the confidential nature of Social Security numbers, they should not be publicly displayed on direct marketing promotions or otherwise made public by direct marketers. Social Security numbers, however, are used by direct marketers as part of the process of extending credit to consumers or for matching or verification purposes.


Article #33

Nothing in these guidelines is meant to prohibit research, marketing, or other uses of health-related data which are not personally identifiable, and which are used in the aggregate since there are no restrictions on the use of de-identified health information.

Health Information Data Protection:

Protected Health Information:
Protected health information is individually identifiable information held or transmitted by a covered entity (a health plan, or a health care clearinghouse, or a health care provider) or its business associate in any form or media, whether written or oral. This information includes demographic information collected from an individual that can reasonably be used to identify the individual. Identifiers can include the individual’s name, specific dates such as birth, admission, discharge, death, medical record number, photographs, city, zip code or geographic or other identifiers held as protected health data. Additionally, protected health information is information created or received by a health care provider, health plan, employer, or health care clearinghouse; and relates to the past, present or future physical or mental health condition of the individual.

These principles apply to any individual or entity that collects, maintains, uses, and/or transfers such protected health information for marketing purposes, whether or not marketing is a primary purpose.

This includes business associates (including the subcontractors of the business associate) who perform functions or services for covered entities that involve the use of protected health information.

Such business associates may only use the protected health information if they have a written agreement to use such protected information for the covered entity’s own marketing purposes.


    1. Protected health information gained in the context of a relationship between an individual and health or medical care providers or medical treatment facilities should not be transferred for marketing purposes without that individual’s specific prior consent through a written signed authorization form. All marketing communications (receipt of financial remuneration in exchange for the communication) must have such prior written authorization and must include a statement that the organization will be paid for the marketing activity if the marketing includes direct or indirect payment from a third party.

      • Covered entities may provide offers for products and services in face-to-face encounters (this is to protect the doctor-patient relationship.)
      • Health and wellness communications may be provided by the covered entity about its own products and services.
      • General wellness and prevention communications may be provided.
    2. Individually identifiable health-related information gained in the context of a relationship between individuals and health care providers or medical treatment facilities (as defined above) or other covered entities should not be used to contact those individuals for marketing purposes without the required prior written authorization.
    3. Individually identifiable health-related information volunteered by individuals, and gathered outside of the relationship between individuals and covered entities, should be considered sensitive and personal in nature. Such information should not be collected, maintained, used, and/or transferred for marketing purposes unless those individuals receive, at the time the information is collected, a clear notice of the marketer’s intended uses of the information, whether the marketer will transfer the information to third parties for further use, the name of the collecting organization, and the opportunity to opt out of transfer of the information. Such information includes, but is not limited to, information volunteered by individuals when responding to surveys and questionnaires. The notice should be easy to find, read, and understand.
    4. Individually identifiable health-related information inferred about individuals, and gathered outside of the relationship between individuals and covered entities, should also be considered sensitive and personal in nature. This is information based on individual purchasing behavior. Such information includes, but is not limited to, data captured by inquiries, donations, purchases, frequent shopper programs, advertised toll-free telephone numbers, or other consumer response devices. Any entity, including a seller of over-the-counter drugs, which uses inferred health-related information should promptly provide the individual with notice and the opportunity to opt out of any transfer of the data for marketing purposes.
    5. Marketers using individually identifiable health-related information should provide both the source and the nature of the information they have about that individual upon the request of that individual and the receipt of that individual’s proper identification.
    6. Individuals should not be required to release individually identifiable health-related information about themselves or to provide written authorizations to allow their health information be used for marketing purposes as a condition of receiving insurance coverage, treatment, services or information, or otherwise completing their health care-related transaction.
    7. The text, appearance, and nature of solicitations directed to individuals on the basis of their health-related information should take into account the sensitive nature of such information.
    8. Marketers should ensure that safeguards are built into their systems to protect individually identifiable health-related information from unauthorized access, alteration, abuse, theft, or misappropriation. Employees who have access to individually identifiable health-related information should agree in advance to use such information only in an authorized manner.
    9. If individually identifiable health-related information is transferred from one direct marketer to another for a legitimate marketing purpose as established by written agreement, the transferor should arrange the most strict security measures to assure that unauthorized access to the information is not likely during the transfer process. Transfers of individually identifiable health-related information should not be permitted for any marketing uses that are in violation of any of DMA’s Guidelines for Ethical Business Practice, state or federal laws.
    10. Fundraising exception for limited protected health information: Entities are allowed to use or disclose to a business entity or institution or institutionally-related foundation limited protected health information (demographics and dates of care) about an individual for that entity’s fundraising without a prior written authorization. However, the fundraising entity must ensure its fundraising material includes an opt-out notice that is clear and conspicuous, and if it is over the phone, an opt-out disclosure must be made. If the individual does opt-out, no more fundraising communications across all marketing channels may be made.

For the opt-out notice:

    • the opt-out notice must be included in each fundraising communication;
    • the opt-out method must be free;
    • the entity cannot condition the treatment or services on an individual’s choice to receive fundraising communication.


Article #34

Any advertising or promotion for marketing lists being offered for rental, sale, or exchange should reflect the fact that a marketing list is an aggregate collection of marketing data. Such promotions should also reflect a sensitivity for the consumers on those lists.


Article #35

List owners, brokers, managers, and users of marketing lists should ascertain the nature of the list’s intended usage for each materially different marketing use prior to rental, sale, exchange, transfer, or use of the list. List owners, brokers, and managers should not permit the rental, sale, exchange, or transfer of their marketing lists, nor should users use any marketing lists for an offer that is in violation of these guidelines. Mobile opt-in lists should not be rented or exchanged for the purpose of sending mobile marketing solicitations to those on the list, without obtaining prior express consent from those on the list.


Article #36

For purposes of this guideline, a database compiler is a company that assembles personally identifiable information about consumers (with whom the compiler has no direct relationship) for the purpose of facilitating renting, selling, or exchanging the information to non-affiliated third party organizations for marketing purposes. Customer refers to those marketers that use the database compiler’s data. Consumer refers to the subject of the data.

Database compilers should:

  • Establish written (or electronic) agreements with customers that define the rights and responsibilities of the compiler and customer with respect to the use of marketing data.
  • Upon a consumer’s request, and within a reasonable time, suppress the consumer’s information from the compiler’s and/or the applicable customer’s database made available to customers for prospecting.
  • Not prohibit an end-user marketer from divulging the database compiler as the source of the marketer’s information.
  • At a minimum, explain to consumers, upon their request for source information, the nature and types of sources they use to compile marketing databases.
  • Include language in their written (or electronic) agreements with DMA member customers that requires compliance with applicable laws and DMA guidelines. For non-DMA member customers they should require compliance with applicable laws and encourage compliance with DMA’s guidelines. In both instances, customers should agree before using the marketing data.
  • Require customers to state the purpose for which the data will be used.
  • Use marketing data only for marketing purposes. If the data are non-marketing data but are used for marketing purposes, they should be treated as marketing data for purposes of this guideline.
  • For sensitive marketing data, compilers should review materials to be used in promotions to help ensure that their customers’ use of the data is both appropriate and in accordance with their stated purpose. Sensitive marketing data include data pertaining to children, older adults, health care or treatment, account numbers, or financial transactions.
  • Randomly monitor, through seeding or other means, the use of their marketing databases to ensure that customers use them in accordance with their stated purpose.
  • If a database compiler is or becomes aware that a customer is using consumer data in a way that violates the law and/or DMA’s ethics guidelines, it should contact the customer and require compliance for any continued data usage, or refuse to sell the data and/or refer the matter to the DMA and/or a law enforcement agency.


Article #37

The protection of personally identifiable information is the responsibility of all organizations.
Therefore, organizations should assume the following responsibilities to provide secure transactions and to protect databases containing personally identifiable information against unauthorized access, alteration, or dissemination of data:

  • Establish written data security policies and procedures reflective of current business practices (including written policies and procedures related to personal devices v. company-provided devices.) Organizations should ensure there are reasonable information security policies and practices that seek to assure the uninterrupted security of information systems within their organizations.
  • Provide data security training for relevant staff. Organizations should create and implement reasonable staff procedures, training, and responsiveness measures to protect personally identifiable information handled by relevant staff in the everyday performance of their duties.
  • Train staff that use their own devices on steps designed to help prevent unauthorized access to the organization’s data as well as educate them about the inherent risks, and ensure the organization has reasonable data security policies and safeguards in place for such devices.
  • Monitor and assess data security safeguards periodically. Organizations should employ and routinely assess protective physical safeguards and technological measures within their organizations, including data retention, destruction, deletion practices, and the monitoring and analysis of systems logs in support of information security.
  • Include contractual safeguards. Organizations should contractually require all business partners and service providers that handle personally identifiable data to ensure that their policies, procedures, and practices maintain a level of security consistent with or higher than the organizations applicable information security policies, including partners’ own employees and contractors accessing data through their own devices.
  • Set up a data security breach readiness plan. Organizations should develop and maintain a data security breach readiness plan reasonable for the size and nature of the organization, their level of data collection, and type of data collected.
    • Include the following as reasonable within their organization:
      • Periodic audit of data retention. What is stored, on what servers, and who has access?
      • Employ appropriate data loss prevention technologies.
      • Employ an appropriate data minimization plan including a data destruction and purge process.
      • Maintain an inventory of system access and credentials.
      • Segment and isolate networks based on business function to avoid compromising sensitive personal information that is used in a network.
      • Create a reasonable incident response plan including vendor and law enforcement contacts as well as notification requirements.
      • Maintain a reasonable and ongoing employee training program.
      • Provide the appropriate one way encryption.
      • Maintain a reasonable password policy including minimum standards for passwords complexity and changes.
  • If a data security breach occurs, immediately inform compliance or legal staff as identified in your data breach readiness plan. Organizations should, in the event of a security breach where there is a reasonable likelihood of material harm to consumers, inform those consumers who may be affected in the most expedient time practical (or as required by state laws) unless requested by legal authorities to delay such notification due to an ongoing criminal investigation.
  • For email, organizations should implement the appropriate email authentication protocol (SPF, DKIM, DMARC as appropriate) to help reduce the risk of spoofed emails.
  • Organizations collecting sensitive data must ensure added data security measures are taken to protect such data online. The appropriate digital certificate should be employed meaning the Extended Validation Secure Socket Layer Certificates (EV SSL) should be used on all relevant pages of sites requesting sensitive data.
Our Brands EducationEventsAdvocacy MembershipAccountability ResourcesKnowledge CenterAbout UsBlogContact Us

Login To Your Account