Is This Data Legal?

Yes, when it is sourced responsibly and used the right way.
There is no single certificate that makes marketing data “legal.” Legality comes from two things working together: how the data was collected, and how it is used. This sheet covers both, so you can answer this question for your own clients with confidence.

Where our data comes from

  • Our audience and identity data is built from opt-in sources. People share their information through sign-ups, registrations, offers, surveys, purchases, and partner websites and apps that disclose how the data may be used.
  • For matching and online targeting, identifiers such as email addresses are hashed (turned into a scrambled code) and de-identified, so audiences can be built and reached in a privacy-conscious way.
  • We work with established data partners whose agreements require lawful collection and prohibit illegal, deceptive, or offensive use.

What we do not collect or sell

  • No Social Security numbers.
  • No bank or financial account numbers.
  • No information knowingly collected from anyone under 18 years of age.
  • No sensitive categories used for targeting in ways the law restricts.

The laws that apply

| Law | What it covers | Who it applies to |
| --- | --- | --- |
| CAN-SPAM (federal) | Rules for commercial email: honest subject lines, clear sender identity, a working unsubscribe, and honoring opt-outs. | The business sending the email. |
| TCPA (federal) | Rules for calls and texts, especially to mobile numbers, including consent and Do Not Call. | The business placing the call or text. |
| CCPA / CPRA and other U.S. state privacy laws | Consumer rights to know what data is held, to delete it, and to opt out of its sale or sharing. | Businesses that handle residents’ personal information. |
| GDPR / UK GDPR | European privacy rules. Not the focus here, since our data covers U.S. individuals only. | Businesses handling EU or UK residents’ data. |

Who is responsible for what

What Lead Eagle and our data partners handle

  • Source data from opt-in providers
  • De-identify and hash identifiers for matching
  • Keep sensitive categories out of the data
  • Honor opt-out and deletion requests at the data level
  • Maintain a published privacy policy

What you and your client handle

  • Follow CAN-SPAM on every email: clear unsubscribe, honored promptly, accurate sender details
  • Follow TCPA before calling or texting: correct consent, respect Do Not Call
  • Post your own privacy policy and, where required, a Do Not Sell or Share option
  • Honor opt-out and deletion requests you receive
  • Keep offers and messages honest and relevant

The plain truth

Most compliance risk lives in how data is used, not in the data itself. Clean data sent with a deceptive offer, no opt-out, or through the wrong channel is what creates problems. Used correctly, this data is a normal and accepted part of modern marketing.

Consumer rights and opt-out

  • Individuals can opt out and request deletion of their information, and we honor those requests.
  • California residents can also use the state’s Delete Request and Opt-Out Platform (DROP), which lets a person send a single deletion request to registered data brokers. Registered brokers are required to begin processing these requests on August 1, 2026.

A simple checklist to stay compliant

  1. Put a privacy policy on your site that says you use third-party marketing data and explains how people can opt out.
  2. Include a clear, working unsubscribe in every email, and honor it quickly.
  3. Get the right consent before calling or texting mobile numbers, and scrub against Do Not Call where it applies.
  4. Honor opt-out and deletion requests without delay.
  5. Keep your message honest and relevant to the person receiving it.
  6. If you serve regulated industries such as health, finance, or legal, confirm the extra rules for that space.