This QS Publisher Privacy and Data Security Annex (“PPDS Annex”) applies to any Publisher that collects and delivers Lead Data to QS pursuant to an Agreement. In case of a conflict between this PPDS Annex and an Agreement, this PPDS Annex will prevail unless the Agreement includes a specific cross-reference to the section of this PPDS Annex intended to be modified.
(a) “Agreement” means an agreement between Publisher and QS pursuant to which Publisher delivers Lead Data to QS.
(b) “Approved” and/or “Approval” means the written consent by a vice-president or senior vice president of QS (consent can be submitted via email).
(c) “Authorized Employees” means Publisher’s employees who have a need to know or otherwise access Lead Data to enable Publisher to perform its obligations pursuant to an Agreement.
(d) “Clear and Conspicuous” means (X) with respect to an online disclosure, a disclosure that: (i) is in a font size no smaller than the font size of the relevant surrounding text and in any case no less than 8-point font size; (ii) appears in a high degree of contrast from the background on which it appears; (iii) is in a format so that the disclosure is distinct from other text; (iv) in a font style (such as bold, colored, italicized or bordered) that has the effect of making the text easily readable; and (v) parallel and adjacent to the “I agree” or similar submit button; and (Y) with respect to a disclosure read to a Lead by a call center agent, disclosure that: (i) is read clearly and intelligibly to the Lead; and (ii) where more than one disclosure is made to a Lead during a call session, a disclosure is not grouped together with any other disclosure prior to the Lead’s consent or rejection of the applicable singular disclosure.
(e) “Consent” means the affirmative consent to a Disclosure of the consumer submitting the Lead Data, expressed by the consumer (i) clicking an “I agree”, a “Submit” or other Approved button, (ii) when responding verbally, replying “Yes” or “I agree” to a disclosure clearly and intelligibly read to the consumer by a call center agent (a Lead’s silence or ambiguous statement such as “uh huh” are not sufficient), or (iii) when a key-press is used to obtain consent, through a mechanism where Publisher has the capability of capturing and identifying the tone to substantiate that consent was received. Consent requires an affirmative action to be taken on the part of the consumer.
(f) “Disclosure” means disclosure language provided by QS to Publisher in writing or otherwise QS Approved that is Clearly and Conspicuously displayed or read to a Lead.
(g) “Lead Data” means PII provided by Publisher to QS pursuant to an Agreement.
(h) “Personally Identifiable Information” or “PII” means information provided to QS by Publisher, or to which access was provided to QS by or at the direction of Publisher, that: (i) identifies or can be used to identify a consumer (including names, signatures, addresses, telephone numbers, e-mail addresses and other unique identifiers); or (ii) can be used to authenticate a consumer (including, government-issued identification numbers, passwords or PINs, financial account numbers, credit report information, health data, answers to security questions and other personal identifiers). In case of both subclauses (i) and (ii), PII may include all Sensitive PII. Publisher’s business contact information is not by itself deemed to be PII.
(i) “Sensitive PII” or “sPII” means (i) a consumer’s government-issued identification number (including social security, driver’s license or other state-issued identified number); (ii) financial account number, credit or debit card number or credit report information; or (iii) health or medical data.
(j) “QS” means QuinStreet, Inc.
(k) “Security Incident” means any security incident if there is a reason to believe Lead Data has been or may have been accessed by or disclosed to an unauthorized party.
2. LEAD DATA RESTRICTIONS. Unless otherwise Approved, all Lead Data must be: (a) collected within the United States, (b) submitted directly by the consumer associated with the Lead Data and not by a third party on the consumer’s behalf, (c) submitted directly to Publisher and not to an affiliate or other third party; and (d) delivered to QS in as close to “real time” as commercially possible, but in no event later than fifteen (15) minutes following collection from the consumer (except in the event of technical issues that are notified to QS). Unless otherwise Approved, Publisher may not resell, redistribute or remarket to any Lead Data generated under this Agreement, or use any Lead Data to enhance a consumer’s profile.
3. CONSENT AND DISCLOSURES.
(a) Approved Consents and Disclosures. Prior to the delivery of any Leads to QS, Publisher must provide to QS for Approval a screen shot or script of each of the Disclosures appearing on mediums from which Consents will be collected and that are required pursuant to Exhibit A to this PPDS Annex. QS’s Approval shall not be unreasonably withheld or delayed. Publisher shall timely implement any reasonable edits or modifications to the Disclosures requested by QS.
(b) Modification to Approved Disclosures. Publisher must submit to QS for Approval any proposed material modifications to Approved Disclosures no later than three (3) business days prior to the proposed launch of such modifications. QS’s Approval shall not be unreasonably withheld or delayed. Publisher shall timely implement any reasonable edits or modifications to the Disclosures requested by QS.
(c) Consent. Publisher shall ensure that each Lead submitted to QS has given their prior express written consents to each Disclosure set forth on Exhibit A to this PPDS Annex and shall otherwise comply with the requirements set forth on Exhibit A.
5. INFORMATION SECURITY
(a) Publisher represents and warrants that it has implemented and maintains administrative, physical and technical safeguards to protect Lead Data, and has established and maintains a written information security program, that is based on a recognized industry security standard against which the program can be easily audited (e.g., ISO or NIST).
(b) At a minimum, Publisher’s safeguards for the protection of Lead Data must include: (i) limiting access of Lead Data to Authorized Employees; (ii) implementing authentication and access controls within media, applications, operating systems and equipment; (iii) implementing appropriate physical controls to prevent unauthorized physical access to Lead Data; (iv) implement and follow procedures to add new users, modify access levels of existing users, and removal of users who no longer need access consistent with the principle of “least privilege”; (v) requiring the encryption of Sensitive PII stored by Publisher; (vi) encrypting Sensitive PII transmitted over public or wireless networks; (vii) taking reasonable measures to ensure that Lead Data is not stored on any portable removable media; (viii) performing a network-level vulnerability assessment based on recognized industry best practice no less than annually; (ix) setting forth procedures to detect actual and attempted attacks into systems and proactively testing them; (x) providing appropriate privacy and information security training to Publisher’s employees; and (xi) maintaining a documented incident response plan.
(c) Transfers of Lead Data between Publisher and QS must take place using appropriate encrypted protocols (e.g., SSL).
(d) The following only applies to the extent Publisher provides Sensitive PII as part of the Lead Data. If Lead Data includes sPII, the following additional requirements apply:
i. Publisher shall not log, store or retain sPII included in Lead Data and must delete all such sPII from its systems following delivery to QS;
ii. All transfers of sPII must take place via secured transmissions (HTTPS) AND POST method;
iii. Publisher must maintain SSL certificates so that new valid certificates are installed before old ones expire.
iv. Publisher must send username, password and tokenID with every transmission of sPII.
v. Publisher must regularly test the effectiveness of the key safeguards protecting sPII and undertake audits of such safeguard. Publisher must make the results of these audits available to QS on request.
vi. Publisher shall not use any sPII in a development or test environment.
6. SECURITY BREACH PROCEDURES. Publisher will notify QS of a Security Breach as soon as practicable, but no later than forty-eight (48) hours after Publisher becomes aware of it, by e-mailing QS with a read receipt at firstname.lastname@example.org, with a copy by e-mail to Publisher’s primary business contact within QS. Publisher shall reimburse QS for actual reasonable costs incurred by QS in responding to, and mitigating damages caused by, any Security Breach, including all costs of notice and/or remediation.
7. OVERSIGHT. Unless otherwise QS Approved, if Publisher transfers Sensitive PII to QS, Publisher shall at least once per year and at its own expense, conduct site audits of the information technology and information security controls for all facilities used in complying with this PPDS Annex, including obtaining a network-level vulnerability assessment.
8. INSURANCE. Unless otherwise QS Approved, if Publisher transfers Sensitive PII to QS, Publisher must maintain: Errors & Omissions/Professional Liability/Cyber Insurance, in an amount not less than $2,000,000 per claim and annual aggregate, covering all acts, errors, omissions, negligence, and including infringement of intellectual property (except patent and trade secret) in the performance of services for QS or on behalf of QS hereunder. Publisher’s policy will provide for Data Security & Privacy “Cyber” coverage (including coverage for unauthorized access and use, failure of security, breach of confidential information, of privacy perils, as well as breach mitigation costs and regulatory coverage). Such insurance shall be maintained in force at all times during the term of the Agreement and for a period of two years thereafter for services completed during the term of the Agreement. QS shall be given at least thirty (30) days’ notice of the cancellation or expiration of the aforementioned insurance for any reason.
CONSENTS AND DISCLOSURES
Unless otherwise Approved by QS in writing, Publisher must gather the following express written Consents from each Lead submitted to QS and otherwise comply in all respects with the requirements of this Exhibit A:
A. REQUIRED CONSENTS:
1. Consent for Lead Data to be Shared. Each Lead provided to QS hereunder shall have expressly consented to have their Lead Data shared with QS and for QS to further share such Lead Data with QS clients for the purpose of identifying offers that may be available to consumer associated with the Lead Data.
2. Consent to be Contacted. Each Lead provided to QS hereunder shall have provided their prior express written consent as required by law, rule or regulation (including, the Telephone Consumer Protection Act, 47 USC 227 and 47 CFR, Sec 64.1200 and the Canadian Anti-Spam Law of 2014) so that QS, a QS designated representative and up to five (5) QS clients may (a) email the Lead at the email addresses provided and (b) call or send a text or SMS to any telephone number contained within the Lead Data, including through the use of an automatic telephone dialing systems and artificial or prerecorded voice, in each case for the purposes of marketing loan offers.
3. Consent to QS Privacy Policies and Terms of Services. Each Lead provided to QS hereunder shall have expressly consented to QS’s privacy policies and terms of service, in each case as provided to Publisher by QS in writing.
4. FCRA Consent to Obtain Credit Report (applicable only to Insurance, Personal Loans and Mortgage Leads), Each Lead provided to QS hereunder shall have provided their written instruction as required under the Fair Credit Reporting Act for QS, a QS designated representative, and up to five (5) QS clients to obtain the Lead’s consumer credit report from a credit reporting agency.
5. Consent to Receive Electronic Communications (applicable only to Insurance, Personal Loans and Mortgage Leads). Each Lead provided to QS hereunder shall have expressly consented to receive electronic communications from QS and QS Clients.
B. RECORDS. Publisher will provide a Record of the Consents to QS with each Lead generated hereunder.
1. Online Leads. With respect to Leads generated online, a “Record” means: (1) the LeadiD associated with the Lead, (2) a screenshot of the consent language appearing on mediums from which Lead Data was collected, (3) the IP address of the source of the Lead, and (3) the date and time the Lead was created, and (4) any other documentation confirming the Inquiry generated is the result of a specific inquiry from the Lead.
2. Leads Obtained via Telemarketing. With respect to a Lead generated via telemarketing, a “Records” means (i) an audio recording of the each distinct call session and each verbal Consent provided by the Inquiry, (ii) include the date and time the Consent was provided by the Inquiry; (iii) be made electronically and saved in a format as reasonably specified by QS (and not copied or otherwise transferred to any non-electronic media); (iii) be indexed such that each recording is easily searchable and accessible; (iv) be immediately stopped or otherwise terminated upon submission of the Inquiry to QS. Client must upload a digital copy of the voice recordings of each distinct call session to a QS-controlled online storage website for QS review and storage within 48 hours of its creation.
3. Recordkeeping. Publisher will use record keeping systems that can establish that the Consents can be evidenced under applicable laws. Unless another time frame is specified in an SO, Publisher will maintain such Records, and make Records available to QS upon request, for no less than five (5) years from the date of the Record collection.
C. FORMAT OF CONSENTS: Each Disclosure used to generate the Consents must be Clear and Conspicuous.
D. AFFIRMATIVE ACTION AND SIGNATURE.
1. Online Leads. If Consent is obtained online, Publisher can obtain the consumer’s Consent by requiring the consumer to either affirmatively check a box to demonstrate the consumer’s affirmative consent to the Disclosures or click on a box that states “Yes, find more offers” placed immediately under the Disclosures.
2. Leads Obtained via Telemarketing. If Consent is obtained via a telemarketing call, Publisher can obtain the consumer’s Consent by recording consumers' verbal consent or having them press a certain button on their phone after the required Disclosures have been made. When responding verbally, consumers must indicate their assent by providing an affirmative "Yes." Consumers' silence and/or ambiguous statements such as "uh huh" are not sufficient. If a key-press is used to obtain consent, Publisher should have the capability of capturing and identifying the tone to substantiate that consent was received.
Publisher Privacy and Data Security Annex - Version 10-03-2017