DMA: Data and Marketing Association
Consumer Help


Marketing Data Transparency


Article #1

Entities should provide Consumers with a point of contact where the Consumers may:

  1. Obtain the entity’s privacy policy regarding collection, use, and transfer of Consumer data; and
  2. Express preferences about Marketing communications from the entity.

The point of contact (such as a website, email, telephone number, or valid physical postal address*) should appear on or within each Marketing offer or upon request by the Consumer. The point of contact should be easy for the Consumer to find, read, understand, and act upon.

* A requirement for email marketing communications.


Article #2

Placement. Entities should make their data practices available to Consumers in a prominent place on their website’s or application’s home page or in a place that is easily accessible from the home page or the functional equivalent.

Clarity. The privacy policy about data practices should be easy to find, read, and understand. Consumers should be able to comprehend the scope of the notice and how they can exercise choice regarding use of Personally Identifiable Data.

Timing. The privacy policy should be available prior to or at the time Personally Identifiable Data is collected.

Content. Entities that collect Personally Identifiable Data about Consumers should include the following content in their privacy policies:

  • Scope
    • The scope of data practices covered by the notice.
  • Data Collection
    • The type and categories of the data collected.
    • How such data is collected, such as with cookies or by other means.
    • Whether third parties may collect Personally Identifiable Data about a Consumer’s activities over time and across different websites or the functional equivalent when a Consumer uses the entity’s service.
  • Data Use
    • The types of uses the entity makes of such data.
  • Data Sharing
    • The entity’s policy concerning the rental, sale, exchange, sharing, or access to Consumer data.
    • Whether the entity shares data with, and/or allows access to, third parties for Marketing.
  • Combination of Marketing Data and Digital Identifiers
    • Whether the entity collects Consumer data for combination with Digital Identifiers for Marketing purposes and/or combines data with Digital Identifiers for Marketing purposes.
  • Connected Devices
    • Whether the entity collects Marketing data for Marketing purposes via a Connected Device.
  • Choice
    • The means by which Consumers can exercise choice, if provided, not to have data shared and/or accessed.
    • If Non-Affiliated third parties may collect Personally Identifiable Data about a Consumer’s activities over time and across different websites or the functional equivalent when a Consumer uses the entity’s service, link to a mechanism by which a Consumer can exercise choice not to have such data used by these types of entities if they provide such choice.
  • Service Providers
    • Whether Personally Identifiable Data is collected by, used by, or shared with service providers.
  • Accountability
    • The policies, procedures, and compliance mechanisms the entity has put in place to ensure adherence to these Standards.
  • Security
    • That the entity maintains physical, electronic, and administrative safeguards to protect data collected.
  • Access
    • If an entity provides Consumers access to the data the entity maintains about them, the entity should indicate how Consumers may obtain such access.
  • Consumer Correction
    • If the entity maintains a process for a Consumer to request changes to data about the Consumer, the entity should describe that process.
  • Material Changes
    • The process by which the entity notifies Consumers of Material Changes to the entity’s privacy policy.
  • Effective Date
    • The effective date of the privacy policy.


    Article #3

    If an entity makes a Material Change to its privacy policy, the entity should update its policy and give Consumers notice to that effect and, where appropriate, offer Consumers an opportunity to manage or select their preferences. Prior to making a materially different use of data collected from a Consumer, entities should obtain Consent to such a new Marketing use from the Consumer.


    Article #4

    An entity should have a meaningful, timely, and effective procedure through which it can demonstrate its adherence to its stated data practices. Such a procedure should include self or third-party verification and monitoring. Such verification and monitoring can be accomplished by:

    1. An independent auditor;
    2. Public assertion of compliance;
    3. A third-party privacy seal program;
    4. A licensing program; or
    5. Membership in a trade, professional, or other association with a self-regulatory program.

    Additionally, an entity may elect to provide complaint resolution, internal education, and external outreach. Such education and outreach can be accomplished by:

    1. Mechanisms to put privacy policies into effect, including tools, training, and education;
    2. Systems for internal education and ongoing oversight and assurance reviews;
    3. Transparency and mechanisms for individual participation; and/or
    4. Means for remediation of Consumer complaints.


    Article #5

    Where appropriate, and upon reasonable request by a Consumer, an entity should disclose the nature and types of sources from which it obtained Personally Identifiable Data about that Consumer.

Ethical Data Marketing Practices Training Certificate