
Privacy and Compliance

Understand privacy regulations, compliance requirements, and ethical practices for using Catchlight data responsibly, including GLBA, FCRA, CAN-SPAM, TCPA, and best practices for protecting client information.

Written by Chris Ross
Updated over 2 weeks ago

Privacy Regulations Overview

Gramm-Leach-Bliley Act (GLBA)

Applies to: Financial institutions and advisors

Requirements:

  • Provide privacy notice to clients

  • Secure client financial information

  • Limit disclosure of client data

  • Maintain an information security program

Catchlight relevance: Once someone becomes a client, their information is protected under GLBA. Secure all client data appropriately.


Fair Credit Reporting Act (FCRA)

Applies to: Use of consumer reports for credit, employment, insurance decisions

Key restriction: You cannot use Catchlight data (which includes consumer report data) to make adverse decisions about credit, employment, or insurance without following FCRA procedures.

What this means: Don't use Catchlight data to deny services or make negative decisions without proper FCRA disclosure and procedures.

Safe use: Using data to identify and prioritize prospects is generally permissible. Consult compliance counsel for specific use cases.


CAN-SPAM Act

Applies to: Commercial email

Requirements:

  • Accurate "From" and "Subject" lines

  • Identify message as advertisement (if applicable)

  • Include physical address

  • Provide clear opt-out mechanism

  • Honor opt-outs within 10 days

Catchlight application: When emailing prospects from Catchlight data, ensure emails comply with CAN-SPAM.


Telephone Consumer Protection Act (TCPA)

Applies to: Automated calls and text messages

Key restrictions:

  • Don't use autodialers or prerecorded messages to call cell phones without consent

  • Don't send marketing texts without prior consent

  • Maintain internal Do Not Call list

  • Respect National Do Not Call Registry

Catchlight application: If calling prospects from Catchlight, manually dial (don't use autodialer) and honor DNC requests.


State Privacy Laws

California Consumer Privacy Act (CCPA) / CPRA:

  • Right to know what data is collected

  • Right to delete personal information

  • Right to opt-out of sale of data

Other state laws: Virginia, Colorado, Connecticut, and other states have similar laws.

Catchlight application: Be prepared to explain data sources if asked. Don't sell or share prospect data.


Ethical Use of Data

Transparency Principle

Be honest about data sources

If a prospect asks how you found their information:

✅ "We use publicly available data and professional research tools to identify people who might benefit from financial planning."

❌ "I just happened to come across your information." (dishonest)


Respect Principle

Respect privacy preferences

  • Honor opt-out requests immediately

  • Don't contact people who've asked not to be contacted

  • Respect "Do Not Contact" preferences in your CRM

  • Don't share prospect data with third parties


Accuracy Principle

Don't misrepresent data

✅ "I noticed you're approaching retirement age..." (general, verifiable)

❌ "I know you have $2.5M in assets..." (estimated, could be wrong)

Don't cite estimated figures as facts.


Purpose Limitation Principle

Use data only for intended purpose

✅ Using Catchlight data to identify and contact prospects about financial planning

❌ Using Catchlight data to identify targets for non-financial solicitations

❌ Sharing data with others for their marketing purposes

❌ Using data for employment screening or background checks


Data Security Best Practices

Protect Login Credentials

  • Use strong, unique password

  • Enable two-factor authentication (if available)

  • Don't share login credentials

  • Log out when not in use

Secure Exported Data

  • Password-protect exported files with client data

  • Store exports on secure, encrypted systems

  • Delete exports when no longer needed

  • Don't email unencrypted client data

Access Control

  • Limit dashboard access to authorized personnel

  • Remove access for former employees

  • Use role-based permissions

  • Monitor for unauthorized access

Device Security

  • Use secure devices to access dashboard

  • Don't access from public/unsecured WiFi

  • Keep devices password-protected

  • Use encrypted hard drives


Opt-Out and Do Not Contact Management

Honor Opt-Outs Immediately

  • Remove from email campaigns within 10 business days (CAN-SPAM requires 10 days)

  • Add to internal Do Not Contact list

  • Document opt-out request

  • Don't contact again unless they re-opt-in

Maintain Do Not Contact List

  • Track all opt-out requests

  • Sync with your CRM

  • Regularly review and update

  • Train team on honoring DNC lists

Email Unsubscribe Links

  • Include clear unsubscribe link in all marketing emails

  • Make unsubscribe process simple (one-click)

  • Don't require login to unsubscribe

  • Confirm unsubscribe


Compliance with Marketing Rules

Financial Industry Regulations

SEC (Investment Advisers):

  • Testimonial and endorsement rules

  • Performance advertising restrictions

  • Social media guidance

FINRA (Broker-Dealers):

  • Communication approval requirements

  • Recordkeeping obligations

  • Social media policies

State Securities Regulators:

  • Vary by state

  • May have additional advertising rules

Your responsibility: Ensure all outreach and marketing complies with applicable regulations. Consult your compliance department.


Content Approval

Before sending campaigns:

  • Get compliance approval (if required by your firm)

  • Review for prohibited claims

  • Ensure testimonials comply with rules

  • Archive communications per recordkeeping requirements


Client Privacy

Existing Clients

Once someone becomes a client:

  • Provide GLBA privacy notice

  • Secure their financial information

  • Limit disclosure without consent

  • Implement information security program

Prospect Information

Treat prospect data respectfully:

  • Secure it like client data

  • Don't share with third parties

  • Delete when no longer needed

  • Honor privacy requests


Third-Party Data Sharing

Don't Share Catchlight Data With:

  • Other vendors or service providers (without permission)

  • Joint marketing partners

  • Affiliates for their own marketing

  • Data brokers

Permitted Sharing:

  • With service providers under contract (e.g., CRM vendor) for your business purposes only

  • When required by law or regulation

  • With consent from the individual


Audit and Recordkeeping

Document Your Practices

  • Written privacy policy

  • Data security procedures

  • Opt-out process

  • Marketing compliance procedures

Maintain Records

  • Email campaign records (per FINRA/SEC requirements)

  • Opt-out requests

  • Compliance approvals

  • Data source documentation

Regular Audits

  • Review data practices annually

  • Test security controls

  • Update policies as regulations change

  • Train staff on compliance


Red Flags and Prohibited Uses

Never Use Catchlight Data To:

  • Make credit decisions without FCRA compliance

  • Screen employment candidates

  • Deny insurance coverage

  • Discriminate based on protected characteristics

  • Harass or stalk individuals

  • Violate restraining orders or legal restrictions

Immediately Stop If:

  • Individual requests no contact

  • You discover incorrect identity (wrong person)

  • Person is deceased

  • Legal restriction exists (bankruptcy, conservatorship)


State-Specific Considerations

California (CCPA/CPRA)

  • Right to know, delete, opt-out

  • Expanded definitions of personal information

  • Financial incentives must be disclosed

Nevada

  • Opt-out of sale of personal information

Vermont

  • Data broker registration (may apply to vendors)

Catchlight's responsibility: Catchlight should comply with applicable laws.

Your responsibility: Use data appropriately and honor individual rights.


Incident Response

If a Data Breach or Unauthorized Access Occurs:

  1. Immediately secure systems

  2. Assess scope of breach

  3. Notify affected individuals (if required by law)

  4. Notify regulators (if required)

  5. Document incident

  6. Prevent future occurrences

If You Receive a Privacy Complaint:

  1. Take complaint seriously

  2. Remove individual from marketing immediately

  3. Document complaint

  4. Investigate and respond

  5. Report to compliance if significant


International Considerations

GDPR (European Union)

If you contact EU residents:

  • GDPR applies to their data

  • Requires lawful basis for processing

  • Enhanced consent requirements

  • Right to be forgotten

Best practice: If you don't serve EU clients, exclude EU-based prospects from campaigns.

Other Countries

Canada (CASL), Australia, UK, and others have privacy laws.

Consult legal counsel if doing international marketing.


Compliance Checklist

✅ Privacy policy in place

✅ GLBA notice provided to clients

✅ Opt-out mechanism in all emails

✅ Do Not Call list maintained

✅ Data security procedures documented

✅ Access controls implemented

✅ Staff trained on privacy practices

✅ Records retention policy followed

✅ Compliance approvals obtained for campaigns

✅ Third-party agreements reviewed

✅ Regular audits conducted


When in Doubt

Always:

  • Consult your compliance department

  • Seek legal counsel for complex questions

  • Err on the side of caution

  • Document your decision-making

  • Put client privacy first

Don't:

  • Assume something is permissible

  • Use data in ways that feel ethically questionable

  • Ignore privacy requests

  • Share data without authorization


Related Articles

  • 7.1: Data Accuracy and Limitations

  • 5.2: Profile & Identity Data

  • 6.2: Personalizing Outreach

  • 8.4: Getting Help
