Book Demo

Compliance Portal

KnownVisitors Privacy & Compliance Portal

Last Updated: August 2, 2025

At KnownVisitors, we are committed to a privacy-first approach in delivering our audience identification services. Our platform helps businesses identify anonymous website visitors and turn them into known customers for marketing and analytics, all while adhering to applicable privacy regulations. Below we outline how KnownVisitors complies with major privacy laws and what this means for our clients and consumers.

Disclaimer: This summary is intended for informational purposes only and does not constitute legal advice. It is not an exhaustive list of all requirements, and businesses should consult legal counsel for advice on specific compliance questions.

Introduction. KnownVisitors' technology allows companies to obtain identifiable information (like email addresses) about website visitors who have not otherwise provided that information to the site owner. The following sections describe key regulations and how KnownVisitors and its clients can stay compliant while using our services.

CAN-SPAM (U.S. Email Marketing Law)

The Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM) sets the rules for commercial emails in the United States. CAN-SPAM compliance is crucial when using KnownVisitors to collect emails and send marketing messages. Key points include:

·No Illegal Email Harvesting: CAN-SPAM prohibits harvesting email addresses from websites that publish a notice prohibiting such collection. KnownVisitors does not collect or provide emails from any source that violates this rule. We ensure our data sources are compliant and expect our clients to only use KnownVisitors on websites where email collection is permitted.

· Opt-Out, Not Opt-In (U.S. Standard): The U.S. is an opt-out jurisdiction for email marketing. This means you can send marketing emails to an address until the recipient opts out. Unlike some other countries, prior consent (opt-in) isn't strictly required for general commercial emails in the U.S. (except in certain contexts).However, every email must include a clear way to unsubscribe, and all opt-out requests must be honored promptly. If a KnownVisitors-identified contact has previously opted out of your communications, you must not email them.

·Required Email Practices: Ensure no misleading information in email headers or subject lines. Identify the message as an advertisement where applicable.Include your valid physical postal address in every message. And if you use a vendor or platform to send emails, remember that you are still responsible for compliance with CAN-SPAM.These steps heIp avoid deceptive practices and comply with federal requirements.

By following CAN-SPAM guidelines, KnownVisitors' clients can confidently utilize captured email leads while respecting recipients' choices. We advise all clients to familiarize themselves with the FTC's CAN-SPAM guidance and implement proper unsubscribe mechanisms in every campaign. KnownVisitors provides tools to assist with managing opt-outs and maintains internal suppression lists to avoid re-sending to any email that has opted out.

Telephone Consumer Protection Act (TCPA & Do-Not-Call)

If clients use KnownVisitors data for phone calls or text message marketing, compliance with the Telephone Consumer Protection Act (TCPA) and related "Do Not Call" laws is essential. KnownVisitors may furnish phone numbers for your leads, but it is the client's responsibility to ensure legal use of that contact data. Key TCPA considerations include:

·Prior Consent for Calls/Text: The TCPA generally requires prior express consent from the recipient before making automated telemarketing calls or sending marketing text messages to a mobile phone. This means if you plan to send SMS campaigns or auto-dialed calls using KnownVisitors-provided phone numbers, you must have the proper opt-in consent from those individuals in advance.

·Honoring Do-Not-Call: You must comply with the National and State Do Not Call registries. If a KnownVisitors lead's number is on the DNC list, or if the individual has asked not to be contacted, you must refrain from calling or texting that number. Always scrub phone contact lists against the Do-Not-Call database and any internal opt-out lists before outreach.

· TCPA Disclosures and Timing: Ensure any call or text you send includes any legally required identification and opt-out instructions (for example, allowing SMS recipients to reply "STOP" to unsubscribe). Adhere to calling time restrictions (typically not calling before 8am or after 9pm local time for telemarketing) as specified by TCPA regulations.

KnownVisitors supports compliant use of phone data by encouraging permission-based outreach. Our service agreements make clear that clients must only use the data in lawful ways, including respecting TCPA consent requirements. By obtaining proper

consent and honoring opt-outs, you can leverage KnownVisitors data for calls/SMS within the bounds of the law.

California Privacy Laws (CCPA/CPRA)

California has been at the forefront of consumer privacy with the California Consumer Privacy Act (CCPA) of 2018, amended by the California Privacy Rights Act (CPRA) in 2020. These laws give California residents robust rights over their personal information and impose various obligations on businesses. If you use KnownVisitors and have California consumers' data, here's what you need to know:

·Right to Opt-Out of "Sale" or "Sharing": Under CCPA/CPRA, consumers have the right to opt out of the sale of their personal information. The CPRA expanded this to include opting out of sharing data for targeted advertising (cross-context behavioral advertising).In practice, using KnownVisitors to identify visitor emails and retarget them with marketing could be considered a form of "sharing" personal information for advertising purposes under California law. Therefore, your website must offer California residents a "Do Not Sell or Share My Personal Information" option. This usually means placing a clear link on your homepage (often titled "Do Not Sell or Share My Info") that allows users to opt out of having their data shared. KnownVisitors supports honoring such opt-out signals (including browser-based global privacy controls, as required by CPRA regulations) to ensure no data is collected for opted-out users.

·Notice & Transparency: California law requires businesses to disclose their data collection and usage practices in a privacy notice. If you use KnownVisitors on your site,your Privacy Policy must clearly state that you utilize a third-party service to collect personal identifiers (like emails or phone numbers) from visitors for marketing purposes.You should describe the categories of personal information collected, the purpose (e.g.retargeting marketing emails/ads), and the categories of third parties with whom it's shared (for example, "We use a visitor identification service (KnownVisitors) which collects contact information of our site visitors and shares it with us to facilitate our marketing efforts"). We have provided sample language to clients for this disclosure,and we encourage reviewing CPRA's specific notice requirements.

·Consumer Rights Requests: California residents can request that you delete their personal data, or disclose what you've collected about them, among other rights. If you receive a deletion request from a California user and it pertains to data identified via KnownVisitors, you are responsible for fulfilling it (which may involve deleting the data from your own systems and notifying us, so we can remove it from our systems as well).KnownVisitors will cooperate with such requests - if an individual contacts us directly to opt-out of our database or delete their information, we will honor that request and suppress or remove their data. We also provide tools for clients to suppress certain contacts (for example, if a user exercised their CCPA rights with you, you can ensure our pixel does not re-identify them).

·Non-Discrimination: The CCPA/CPRA prohibits discriminating against consumers for exercising their privacy rights. This means you cannot deny services, or provide different quality of service or pricing, just because someone opted out of sale/sharing or requested deletion. Ensure your marketing practices via KnownVisitors do not disadvantage users who have exercised a "Do Not Sell/Share"choice.

·Minors' Data: California law has special rules for minors. KnownVisitors' services are not intended to collect data on children. If your website is directed to children under 13,you should not use KnownVisitors, as COPPA (Children's Online Privacy Protection Act)and CPRA would require parental consent. FFor teens aged 13-16,the CPRA requires affirmative opt-in consent to sell or share their data. We advise clients to avoid including any users under 16 in KnownVisitors tracking, or ensure you obtain the necessary consent.

In summary, for California compliance: provide proper notice of data collection, offer a "Do Not Sell or Share" opt-out mechanism on your site, and honor all consumer rights requests. KnownVisitors is designed to assist in compliance-for instance, by allowing suppression of specific users and by not retaining data longer than necessary-but our clients must implement the front-end notices and choices as required by law.

Colorado Privacy Act (CPA)

Colorado's privacy law, the Colorado Privacy Act (CPA), took effect on July 1, 2023. The CPA closely mirrors aspects of California and Virginia laws, and it grants Colorado residents specific rights over their personal data. Key points for KnownVisitors users in Colorado:

·Scope: The CPA applies to businesses that conduct business in Colorado or target Colorado residents and meet certain thresholds (e.g. processing personal data of 100,000+ consumers, or 25,000+ if selling data and deriving revenue from it). If your use of KnownVisitors involves large volumes of Colorado resident data, you likely fall under the CPA's scope. Even if you're a smaller business, it's good practice to follow these principles.

·Consumer Rights: Colorado consumers have five key rights under CPA-the right to access their personal data, the right to correct inaccuracies, the right to delete their data, the right to data portability, and the right to opt out of certain processing.Specifically, they can opt out of their data being used for targeted advertising or being sold, as well as opt out of profiling decisions that produce legal or similarly significant effects. The CPA also requires that consumers be provided an appeal process if you deny their request (e.g., if you refuse to act on a deletion request, the consumer can appeal your decision).

·Business Obligations: Under CPA, businesses have several affirmative duties: a duty of transparency (clear privacy notices, outlining categories of data collected,purposes of use, and how to exercise rights); a duty of purpose specification and data minimization (collect only data reasonably necessary for the specified purpose); a duty of care for data security (protect data with appropriate measures);and a requirement to obtain consent for processing sensitive data (e.g.health,racial, or other sensitive info).Businesses must also avoid using data for purposes beyond what was disclosed (or get consent for new uses).

·Opt-Out Mechanisms: By July 2024, the Colorado Attorney General may require businesses to honor universal opt-out signals (such as a browser-based Global Privacy Control) as a valid opt-out of targeted advertising or sales. KnownVisitors is building capabilities to honor these signals-we recommend clients configure our script to check for GPC or similar signals and not execute tracking for users who have opted out via such global mechanisms, in line with Colorado regulations.

In practical terms, compliance with Colorado's law means treating Colorado-resident data much like California's: be transparent, honor opt-outs (including targeted ad opt-outs),and allow corrections/deletions. If a Colorado resident invokes their rights,KnownVisitors will assist our client in fulfilling those (for example, by deleting any data we hold on that individual upon request). We are committed to not using personal data for any purpose outside of providing services to you, which helps you avoid "selling"data in a way that would trigger extra obligations. By following these guidelines and using our contractual protections,you can use KnownVisitors in Colorado with confidence.

Virginia Consumer Data Protection Act (CDPA)

Virginia's Consumer Data Protection Act (CDPA) became effective on January 1,2023.The CDPA is another comprehensive state privacy law, and it shares many similarities with the laws in California and Colorado, with a few nuances. Here's how to comply when using KnownVisitors:

·Scope: The CDPA applies to entities conducting business in Virginia or targeting Virginians,that control or process personal data of at least 100,000 Virginia consumers,or 25,000 consumers and derive over 50% of gross revenue from the sale of personal data. Notably, the CDPA (like Colorado) exempts data collected in a commercial (B2B)or employment context -it only protects personal data of individuals acting in a household/consumer context. So if KnownVisitors is used on a purely B2B site,Virginia's law might not apply,but caution is advised because California and others may still count B2B contacts in some cases.

·Consumer Rights: Virginia gives consumers the right to access their personal data,correct inaccuracies, delete data, obtain a copy of their data (portability), and opt out of the sale of data or use of data for targeted advertising or certain profiling.Consumers also must be allowed to appeal a refusal to act on any of these requests. There is also a non-discrimination provision similar to CCPA (you cannot retaliate if someone exercises their rights). One big difference: Virginia requires opt-in consent for processing sensitive data (such as data revealing health, racial or ethnic origin, religious beliefs, sexual orientation, etc.). KnownVisitors does not intentionally collect sensitive data categories -we focus on contact information and general demographics-but if any data could be considered "sensitive" (for example, inferring precise geolocation could be sensitive in VA law), clients should ensure they obtain proper consent from the user before collecting/using it.

·"Sale" Definition: The CDPA's definition of a "sale" of personal data is narrower than California's. Virginia counts it as a sale only when personal data is exchanged for monetary consideration. Transfers of data for other benefits (like a cross-promotional data swap) might not count as a sale under Virginia's law. By contrast,California's definition includes any exchange for "valuable consideration," which can be broader.Why does this matter? It means that some uses of KnownVisitors that might be a "sale"under CCPA (requiring an opt-out) might not be considered a sale under CDPA if no money is changing hands for the data. However,Virginia consumers still have the right to opt out of targeted advertising, which would encompass our use case (identifying them for marketing). In summary, always provide an opt-out of targeted advertising for Virginia users, but understand that not every sharing of data is a "sale" in Virginia's terms.

·Transparency & Contracts: As with other states, you need a privacy notice that discloses your data practices. Virginia expects you to describe the categories of personal data processed, the purposes, how consumers can exercise their rights,etc., in your privacy policy. It also requires data protection assessments for certain processing activities (e.g. if you're doing targeted advertising or profiling using KnownVisitors data,you should internally assess and document the benefits vs. risks to consumers' privacy).In addition, like the other laws, if KnownVisitors is a processor for you, our Data Processing Agreement includes terms to help you comply (e.g. we'll cooperate with CDPA requests, and we won't use personal data except on your instructions).

·Enforcement: There is no private right of action under the CDPA - only the Virginia Attorney General can enforce it, and there's a 30-day cure period for businesses to fix violations after being notified. This means if an issue arises, you generally have an opportunity to correct it. KnownVisitors will work with clients quickly to resolve any compliance concerns raised.

By aligning your use of KnownVisitors with Virginia's requirements-providing notice,honoring opt-outs, allowing deletion/correction-you can continue leveraging our identification services for VVirginia visitors. We remain informed on Virginia's law (which in many ways was modeled on GDPR), and we design our practices to meet or exceed those standards.

Other U.S. State Privacy Laws

In addition to CA, CO, and VA, several other states have passed similar privacy legislation.KnownVisitors monitors these developments closely, and our compliance approach extends to all applicable jurisdictions. Notable examples include:

**·Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA)

-**EffectiveJuly 1, 2023, Connecticut's law is very similar to Colorado and Virginia's. It gives Connecticut residents the rights to access, correct, delete, obtain a copy of their personal data, and opt out of sale and targeted ads. The CTDPA's thresholds for applicability are somewhat lower (e.g. it can apply to businesses handling data of 100k CT consumers, or 25k if selling data) and notably has no revenue threshold for coverage. If you do business with Connecticut residents' data using KnownVisitors, you should treat their data similarly to how you would under CDPA/CPA-provide opt-outs and honor their requests.

·Utah Consumer Privacy Act (UCPA) - Effective December 31, 2023, Utah's law grants consumers rights to confirm processing and access their data, delete data they provided, obtain a portable copy, and opt out of the sale of data or use of data for targeted advertising. The UCPA applies to businesses with $25M+annual revenue that controls or processes data on 100k+ Utah consumers (or 25k+ if 50% of revenue is from data sales). UCPA is considered a bit more business-friendly (for example, it does not include a right to correct, and it defines "sale" similarly narrowly as Virginia does).However, from KnownVisitors' perspective, we still recommend treating Utah consumer data with the same care: provide a clear privacy notice, allow opt-outs of sale/ads, and secure the data. Utah also mandates reasonable data security practices and transparency about data usage.

·Other States (Texas, lowa, etc.): Several other U.S. states have passed privacy laws that take effect in 2024-2025, such as the Texas Data Privacy and Security Act (effective July 1, 2024), lowa's Consumer Data Protection Act (effective Jan 1,2025),and new laws in states like Indiana, Tennessee, Montana, and Oregon. While each law has its own nuances, they generally follow the same pattern of consumer rights (access, delete, opt-out, etc.) and business obligations (notice, security,

consent for sensitive data). KnownVisitors will adapt its compliance as these laws come into force. For our clients, the safest approach is to implement a baseline privacy

standard that meets the strictest requirements across these laws. This typically means:provide a comprehensive privacy policy disclosure, offer consumers an easy opt-out of data sales/sharing, honor any universal opt-out signals, and respond to any verified consumer requests to exercise their rights within the required timeframes (usually 45days).

In summary, KnownVisitors is designed to help you comply with the patchwork of U.S.state privacy laws by facilitating required disclosures and opt-outs. We update our client guidance as new laws emerge. We encourage clients to stay informed about the states relevant to their business. If you operate nationally, assume that you should uphold rights like access, deletion, and opt-out for all users, not just those from a specific state - this approach builds trust and simplifies compliance. Our team can provide a Data Protection Addendum and other documentation to cover state-specific ents (for example, confirming our role as a processor/service provider and that we don't further sell personal information).

Consumer Opt-Out & Data Subject Rights

KnownVisitors is built with respect for consumer choice. We believe that while our technology enables innovative marketing, individuals should have control over their personal data. We implement several measures to honor opt-outs and privacy rights:

·Opt-Out of KnownVisitors Database: We provide a consumer opt-out page where any individual can request that their personal information be excluded from the KnownVisitors identification database. If you have been identified by KnownVisitors (for example, if you received an email from one of our client brands and learned that your info was obtained via KnownVisitors), you can visit our Opt-Out page (or email us at support@knownvisitors.com) to remove your data from our systems. Once opted out,we will no longer include your email or other identifiers in any data deliveries to clients.We maintain an internal suppression list to ensure opted-out

individuals stay excluded. (Clients: we make this opt-out link available for you to include in your privacy policy or emails to comply with state laws' "Do Not Sell"requirements and general best practices.)

·"Do Not Sell or Share" Requests: If we receive a CCPA/CPRA Do-Not-Sell request (or any similar opt-out of sale/sharing from other states) from a consumer, we will treat it as an opt-out for that person across all our systems. We also provide the ability for our clients to integrate a "Do Not Sell or Share" mechanism. For example,if a user clicks your site's "Do Not Sell My Personal Info" link and opts out, you can use our API or script settings to disable KnownVisitors tracking for that user (ensuring no personal data is collected or shared for them). This helps you fulfill obligations under laws like CPRA which mandate honoring such opt-outs.

-·Data Access, Correction, Deletion: Should an individual seek to exercise rights to access,delete, or correct their data that might be in KnownVisitors' possession, we will assist. Consumers can contact us directly with such requests. For deletion requests,upon proper verification of identity, we will delete any personal data we have about the requester and notify our client (if the data was previously shared with a client) to do the same. For access requests, we can provide the individual with a report of what information we have associated with them(if any).Currently,because of how our service works (identifying individuals for specific client websites), it is uncommon for us to maintain extensive profiles on our own - we act mostly as a conduit - but in any case,we comply with applicable access request requirements. Correction requests are less likely to apply (since we don't store user-managed profiles), but if a consumer believes we have incorrect info (e.g.,wrong email), the best approach is usually to opt out (stop processing) that data.

·No Discrimination: We never penalize or restrict consumers who exercise privacy rights. Opting out of KnownVisitors tracking means simply that-you won't be identified or contacted via our service. We ensure that our clients understand they should not treat opted-out users unfairly (aside from, of course, not being able to send marketing that they no longer have permission to send). In fact, we see respecting privacy choices as a way to build trust with consumers over the long term.

In essence, KnownVisitors aims to balance effective marketing with consumer privacy rights. We provide the necessary tools (opt-outs, contractual assurances, compliance guides) to use our platform in a way that meets all major privacy regulations while still driving growth for your business. By integrating these compliance practices into your use of KnownVisitors, you can turn anonymous visitors into loyal customers in a lawful and privacy-respecting way.

If you have any questions about privacy or compliance in using KnownVisitors, please contact our compliance team. We also have external privacy counsel available to assist with any complex questions your legal team might have. KnownVisitors is committed to working with our clients and regulators to ensure that our audience identification technology is deployed responsibly, ethically, and in full compliance with the evolving landscape of data privacy laws.