TeleSign and Privacy
TeleSign is a world leader in Digital Identity and Programmable Communications, based in Los Angeles, California. Combining real-time data & analytics, phone verification and two-factor authentication, TeleSign is trusted by the world’s largest brands to prevent online fraud and helps secure billions of end-user accounts from compromise on behalf of our Customers.
TeleSign connects, protects and defends companies, customers and the digital interactions between them. We verify over five billion unique phone numbers a month, representing half of the world’s mobile users, and provide critical insight into the remaining billions. Our powerful AI and extensive data science deliver identity with a unique combination of speed, accuracy and global reach.
We started with phone-based authentication services, and as we anticipated changes in attack techniques, we introduced our line of data products. Leveraging our insight into the volume of traffic and the data captured by our products, we’ve developed the ability to predict potential fraud based on phone attributes, machine learning algorithms, data and patterns in behavior and traffic.
At TeleSign, privacy is in our DNA – it is embedded in everything that we do in service to our Customers and taken very seriously by all TeleSign employees. In this Privacy Whitepaper, we will provide an in-depth explanation of TeleSign’s privacy practices, including a detailed review of our compliance program with applicable privacy laws. Although this Whitepaper considers certain market-specific laws and regulations, privacy practices described within are complied with and enforced globally by all TeleSign staff and providers, to the extent they process Personal Data on our behalf.
It is impossible for us to discuss rules for Personal Data unless we are sure that we are all talking about the same thing. Where appropriate, some terms may be explained in context, but other more fundamental terms are defined below.
Applicable Data Protection Laws – shall mean any legislation in a relevant jurisdiction relating to the processing of Personal Data and privacy, including but not limited to the California Consumer Privacy Act (“CCPA”), EU General Data Protection Regulation (“GDPR”), Brazilian Lei General de Protecao de Dados (“LGPD”), Serbian Zakon o zaštiti podata oličnosti (“ZZPL”), Chinese Personal Information Protection Law (“PIPL”), Singaporean Personal Data Protection Act (“PDPA”), and Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”).
Controller – for the most part, our enterprise Customers determine the purposes and means of the processing of Personal Data, and they are therefore Data Controllers. For example, our Customers send us phone numbers of their End Users so that we can send One-Time Passwords (OTPs) to the End Users’ phone numbers. Under Applicable Data Protection Laws, a Controller may be referred to as a Covered Business (CCPA), ‘personal information handler’ (PIPL) or ‘organization’ (PDPA).
Customer – an organization or a company that engages TeleSign for the provision of Services. Our Customers give us instructions in contracts (usually, Data Processing Agreements) on what to do with the Personal Data they are sending to us and are, therefore, Data Controllers. In the delivery of our products and services, we only use Personal Data for Customer approved purposes or legitimate interests based on Applicable Data Protection Laws.
Processor – for the most part, TeleSign is a Data Processor because we only process Personal Data on behalf of our Customer, the Controller. TeleSign sends OTPs to End Users’ phone numbers only when instructed by the Data Controller (our Customers). Under Applicable Data Protection Laws, the Processor is called a Service Provider (CCPA) or ‘entrusted person’ (PIPL) or ‘data intermediary’ (PDPA)
End Users or Data Subjects or Consumers – individuals who interact directly with the Controller, and whose Personal Information is processed by the Processor, for purposes defined by the Controller. For the most part, TeleSign is not in a direct relationship with the End User. Our Customers are collecting the End User Personal Data (transparently and on their terms and conditions) and passing the data to TeleSign for further processing. In those situations, TeleSign is a Data Processor for traffic data, which includes End User phone numbers and other CDR (call detail record) data. In other cases, TeleSign is a Data Controller for Personal Data processed in billing data, employee data, Score machine learning algorithms, and our Customer Self-Service Portal. Data subjects are called Consumers under CCPA.
Personal Information / Personal Data – information relating to an identified or identifiable natural person (data subject or consumer), whether true or not. An identifiable person is one who can be identified, directly or indirectly, by reference to an identification number or one or more factors specific to the individual. Examples of data that are broadly accepted to be Personal Information include: name, email, social security number or other national identification number, phone number, DNA, fingerprints, voice recordings and credit card number. Other, less obvious, data that have been found to be Personal Information include online identifiers such as: IP address, location data, search engine query history, and globally unique identifiers (GUIDs) associated with website cookies to distinguish different users from each other. The terms Personal Information, personally identifiable information (aka, ‘PII’), and Personal Data are all used interchangeably, with Personal Information and PII being the common terms in the United States and Personal Data being the common term in Europe.
It’s important to note that even if TeleSign is unable to identify a natural person from a piece of information, it does not necessarily mean that it isn’t Personal Information. For instance, TeleSign may handle mobile telephone numbers belonging to any number of individuals. Those numbers are still Personal Information even though TeleSign may not have the means of identifying the name of the person to whom the phone number belongs. The mere fact that information is Personal Information does not mean it cannot be processed, only that the principles in Applicable Data Protection Laws, Customer contracts and internal policies must be followed.
Finally, non-Personal Information may become Personal Information in two important ways. First, any information associated with Personal Information becomes part of the Personal Information (e.g., if a postal code is associated with a person’s name or telephone number, the postal code becomes part of the record associated with the individual and must be treated as Personal Information). Second, enough non-Personal Information may be combined and analyzed in such a manner as to allow for it to identify an individual (e.g., enough location data points from an individual’s mobile phone over time is likely to identify the individual).
Sensitive Personal Information – Personal Information with which there are higher risks to the privacy interests of the individuals involved. Sensitive Personal Information includes Personal Information relating to an individual’s medical treatment, health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic/biometric data, and sex life or sexual orientation. TeleSign does not process Sensitive Personal Information.
Processing - any operation or set of operations which is performed upon Personal Information, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
Privacy versus Data Protection. Privacy, as a concept and fundamental right, is the premise that people should be free from the intrusion of others in their personal lives. This includes intrusion by government and private citizens into personal property and communications. In application, broad privacy laws protect us against people listening in on our telephone calls, opening our mail, snooping in on our medical records and sneaking into a celebrity wedding to take photos without authorization.
Data protection, on the other hand, is a narrower concept that establishes rules for how people will and will not collect and process Personal Information. It identifies the circumstances under which organizations can receive Personal Information from or about individuals, what those organizations may and may not do with the Personal Information, what rights individuals have regarding the processing of their Personal Information, and the penalties for non-compliance.
Despite the differences between these two terms, this document may refer generally to the substance as one of ‘privacy’.
Provider/Supplier/Sub processor – means any processor engaged by TeleSign who agrees to receive the Personal Data exclusively intended for processing activities to be carried out on behalf of TeleSign after the transfer in accordance with Controller’s instructions and in connection with the agreement for the provision of services to TeleSign; or a Service Provider as defined in the CCPA. TeleSign has two major types of general Service Providers:
- Group of carriers, network transit Providers or transport service Providers, Providers responsible for the transmission of telecommunications services such as Voice and SMS communications (“Routing Providers”). Routing Providers are transmitted the EndUser phone number and used for delivery of SMS/Voice calls with OTP codes, for example. They are in the position of Processors in relation to TeleSign, and sub processors in relation to TeleSign’s Customer.
- Group of commercial and telecommunications data services Providers (“Data Providers”). Data Providers are used for building TeleSign’s data intelligence product suite. The privacy matrix of responsibilities becomes a bit more complex in relation to Data Providers. First, TeleSign’s Customer obtains End User consent from the End User to check on their phone number and reputation status and conveys the consent and phone number to TeleSign for further processing (Controller-Processor relationship). Separately, TeleSign enters a contractual relationship with the Data Provider, allowing TeleSign to access their data pool and extract necessary information, with each party remaining responsible for their separate processing purposes (independent Controller relationship). And last, TeleSign matches the data sent by Customer to the information in its data product suite, (which consists of information from a variety of Data Providers), if such information is available, and sends the result to the Customer (Processor-Controller relationship).
Sell – under CCPA, means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means for “monetary or other valuable consideration”. Selling would equate to activities of a Data Controller under GDPR.
Personal Data Processing Principles at TeleSign
In general, when we conduct privacy compliance due diligence, we use the following 6-phase compliance roadmap to ensure compliance with Applicable Data Protection Law:(1) Training/Awareness for the entire company; (2) Data Mapping; (3) Gap Analysis; (4) Data Protection Impact Assessments (DPIA); (5) Implementation; and (6) Steady State (aka long-term compliance post deadline).
When adding new laws (such as CCPA after the GDPR) we choose to follow “one privacy framework” rule for all regulations materially addressing the privacy matter, based on the strictest, but still allowing for specific differences to be addressed and implemented separately. Where GDPR imposed stricter rules than CCPA, we chose to follow the GDPR. For example, under the GDPR, Controllers have 30 days to respond to data subject requests, and under the CCPA, Covered Businesses have 45 days to respond to verified consumer requests, so we chose to follow the 30-day rule globally for all types of requests. Similarly, consumers are considered to be equal to data subjects under the GDPR generally, but some CCPA specific changes were still made to our existing privacy program.
In 2020, in addition to GDPR and CCPA, we included LGPD and PIPEDA rules to our privacy framework. Even though TeleSign is not geographically located in Brazil, TeleSign is involved in offering and supplying goods or services in Brazil which relate to individuals who are geographically located in Brazil, and as a result we added the LGPD. The GDPR and LGPD are very similar, and so existing GDPR compliance efforts were leveraged for further compliance with the LGPD. On the other hand, PIPEDA applies to organizations in Canada. TeleSign does not have to comply with PIPEDA to operate as an international service provider in Canada mandated by a domestic organization conducting commercial activities because the organization remains liable for Personal Information even if transferred to third parties (TeleSign). Organizations must use contractual privacy protection clauses or other means to ensure a comparable level of protection to PIPEDA while the information is being processed by the third party, which can be ensured through a Data Processing Agreement (DPA) with TeleSign, but there are no other restrictions. However, to sign DPAs with Canadian Customers, demonstrating PIPEDA compliance has become a significant factor for winning business in Canada, and therefore, it was implemented in TeleSign’s existing privacy framework.
In 2021, we included PIPL and PDPA to the list of laws TeleSign complies with, leveraging our previously established global privacy framework. In Singapore, TeleSign complies with the PDPA both as an organization and a data intermediary. In China, TeleSign already complies with PIPL even though it doesn’t apply directly to TeleSign as a Processor of Customer’s data. As the PIPL was heavily based on the GDPR, and the GDPR still imposes more stringent obligations on both Controllers andProcessors, TeleSign’s Customers will easily satisfy the standard of protection asked for in PIPL when transferring personal information to TeleSign. Similarly, the PDPA asks for a comparable standard of personal data protection outside of Singapore. For the purposes of personal data transfers from China and Singapore to TeleSign, we offer a Data Processing Agreement (DPA) based on the highest privacy and security industry standards, with both Customers and Suppliers.
Accountability is the fundamental principle of all existing privacy regulations. At TeleSign, our privacy governance program is based on the recognized principle of Privacy-by-Design and the ability of establishing a relationship of trust with the data subject, by means of transparency and mechanisms for data subjects to participate.
We keep detailed records of all processing of Personal Data so that we can ensure adequate security throughout the data protection lifecycle. We have an established Privacy Office (PO)to ensure continuous and long-term compliance with Applicable Data Protection Laws, which is led by our Data Protection Officer (DPO). Our team of privacy experts is comprised of IAPP-certified members of the Legal, Privacy and Security teams, and complemented by IAPP-certified employees in the Sales and Engineering teams. Privacy cannot exist without security, which is why we are committed to protecting Personal Data using appropriate security measures. The design, acquisition, implementation, configuration, and management of our business processes, infrastructure, assets, systems, products, and services are routinely reviewed for consistency with existing internal policies and related Applicable Data Protection Laws.
Privacy (and security) risk is considered throughout the data processing lifecycle, and we hold ourselves accountable for the protection of Personal Data from the start (collection) till the very end (deletion), and specifically make sure that Personal Data is:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (“purpose limitation”);
- Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed (“data minimization”);
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal Data that is inaccurate is erased or rectified without delay (“accuracy”);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the Personal Data is processed (“storage limitation”);
- processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (“integrity and confidentiality”)
There can be no trust without transparency, and we can only be successful if we earn and maintain our partners’ trust.
As a Data Controller, when TeleSign is acting on its own behalf (not on behalf of our Customers), we provide End Users with notices about how we collect, use, retain, and disclose Personal Information about them. To that end we are committed to disclosing in our Privacy Notice:
- TeleSign as the organization collecting the Personal Information, including TeleSign’s contact information, the contact information of TeleSign’s Data Protection Officer (DPO), or a simple means to acquire such contact information;
- what Personal Information is collected and why; how the Personal Information is collected;
- how the Personal Information is used, including the types of third parties and/or third countries to which the Personal Information will be disclosed or transferred;
- any choices End Users have regarding the use or disclosure of their Personal Information;
- the ability to access, change and delete Personal Information;
- the ability to opt out of further processing through our publicly accessible web page;
- how long the Personal Information will be retained and how it is protected from unauthorized access or use;
- how End Users will be notified of any changes made to the notice; and
- the methods through which End Users may raise their privacy complaints and requests concerning their Personal Information.
As a Data Processor, when we are processing Personal Information on behalf of our Customers, we are similarly transparent about how we collect, use, retain, and disclose such data. Specifically, our contracts (including the Data Processing Agreement) and communications accurately reflect:
- the Personal Information that will be processed by TeleSign, its employees and vendors;
- the nature of the processing to be conducted by TeleSign;
- the geographic locations from which TeleSign will process the Personal Information;
- the duration of TeleSign’s data processing and any relevant data retention and deletion periods; and
- the security measures that will be used to protect the data.
Consent and Other Legal Basis for Processing
In the delivery of our products and services, we are using Personal Information for approved business purposes, which are defined in relevant contracts (business agreement or DPA). Personal Information belongs to the End User (consumer/data subject). The owners of the Personal Information have given permission (consent) to use their Personal Information, either directly to us or to our Customers, or we have a legitimate interest to process the Personal Information in accordance with Applicable Data Protection Laws, for purposes that have been transparently disclosed to End Users. In short, the consumer is giving a restricted license to use his/her Personal Information, and TeleSign conducts business strictly within those limitations.
When the personal data in question is from our own databases, it will have been obtained directly from the End User in one of the following ways:
- Phone or email correspondence
- Participation in surveys, evaluations, and promotions
- Signing up to an email mailing list
- Submitting Personal Data through our Websites and Customer Portals
- Using our Services.
Where this is the case, TeleSign ensures complete transparency to data subjects and provides appropriate privacy information in our Privacy Notice; ensuring data subjects are fully aware of the purposes for which their personal data is being processed, the lawful basis being relied upon for such processing, the categories of information being collected, and all other information as required under the Applicable Law.
In most cases, the lawful basis being relied upon to process individuals’ personal data for the purpose of enabling and improving our products (and consequently including it in our databases fo ruse in Services), will be either consent or legitimate interest.
Where relying on consent, this is obtained from data subjects at the point when they first provide their personal data to us via one of the ways stated above. Data subjects can withdraw this consent at any time via our online platform, where permitted by applicable law.
Where relying on legitimate interest as the lawful basis for processing personal data, we consider the impact on individuals’ interests, rights and freedoms and carry out an assessment as to whether this overrides TeleSign’s legitimate interest in developing solutions that prevent fraudulent and illegal behaviors. We record all our decisions and justifications for processing on this basis.
Customers and Providers which provide PersonalInformation to TeleSign for processing must ensure that End Users have been provided with sufficient notice and choice or that some other lawful basis exists for TeleSign’s processing of the Personal Information.
Our Providers acquire personal data from a variety of different sources: publicly available databases, public search engines, telecom operators’ directories, consumer transaction records and scoring services. TeleSign conducts due diligence on all Providers to ensure that such sources of personal data are legitimate and in line with applicable data privacy laws and regulations.
We carry out a comprehensive risk assessment to thoroughly assess the Providers data privacy and security program and practices. We will only contract with companies that provide sufficient answers and guarantees that ensure us that they are acting in compliance with data privacy laws and treating personal data in a manner aligned with the key principles of data protection, namely: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. If the company does not pass this initial assessment, then TeleSign will not contract with them.
Once the Provider has passed this initial assessment, they can then enter a business contract with TeleSign. All our business contracts obligate the Provider to adhere to TeleSign’s information security and privacy policies/ standards as well as complying with all Applicable Data Protection Laws. This again ensures that the personal data provided to TeleSign for use in our products is only sourced via lawful means, based on a lawful basis and with respect for the rights and freedoms of data subjects.
Data subjects are made aware of the fact their data will be shared with TeleSign by the Provider via the Providers own consent forms, privacy notices and/or other privacy information. TeleSign’s privacy notice also provides full transparency regarding the sources we obtain personal data from, including where such data is not obtained directly from the data subject.
The processing of personal data in our products is based on both consent and contractual obligation (includingData Processing Agreements) and is fully compliant with Applicable Data Protection Laws. Our commitment to all our Customers is to only process Personal Data lawfully and legitimately. If we are thinking about changing the way we process Personal Data, our Customers will always be notified prior to any changes.
Use and Retention
We use Personal Information only for the purposes we identify in the privacy notices we provide and, where choice is given, in accordance with any consent that End Users provide.
When we process End User personal data from our Customers, we use and retain such data only as specified in our contracts with such Customers.
We review our data retention periods for Personal Data on a regular basis. We are legally required to hold some types of information to fulfill our statutory obligations. We will hold Personal Data in our systems for as long as is necessary to provide the Services our Customer has contracted for, and thereafter for a variety of legitimate legal or business purposes. These might include retention periods:
- mandated by law, contract or similar obligations applicable to our business operations;
- for preserving, resolving (customer support), defending or enforcing our legal/contractual rights; or
- needed to maintain adequate and accurate business and financial records (billing purposes).
Unless otherwise required under applicable law, we do not retain Personal Information for longer than is necessary to fulfill the purposes for which it was collected and to maintain reasonable business records, as required by law. When the retention of Personal Information is no longer necessary for such purposes, the information will be destroyed in a manner sufficient to prevent unauthorized access to that information or it will be de-identified in a manner sufficient to make the data no longer personally identifiable.
Data Subject Rights
We respond to End Users who exercise their data subject rights within 30 days, whether they do so directly (through our website contact us form at https://www.telesign.com/privacy-requests) or through our Customers, as Data Controllers.
As a Data Processor, we are committed to facilitating Data Subject Rights (DSRs) on behalf of our Customers as Data Controllers, including: the Right to be Informed/Transparency (via our Privacy Notice), the Right to Access, the Right to Rectification, the Right to Erasure, the Right to Restriction of Processing, the Right to Data Portability, the Right to Object (including Profiling), and the Right to Withdraw Consent. An individual’s right to access their personal data is guaranteed in almost all Applicable Data Protection Laws. Under LGPD, we are committed to responding to access requests within 15 days.
Under CCPA, we established processes for responding to requests for access, deletion and opt-out of sale of Personal Information in a timely and effective manner. Most of the End Users of our products should be contacting our Customers, CCPA covered Businesses, to exercise their consumer rights. As a Service Provider, we are committed to facilitating the consumer rights on behalf of our Customers. In addition, ourSMS (two-factor authentication) product provides universal verification of identity using mobile phone numbers, thus ensuring that the end user’s identity is verified before he/she submits a request to exercise any of their rights.
Third-Party Providers Risk Assessment
When we disclose Personal Information to third parties, it is only for purposes that are identified in our Privacy Notice, our Customer or Provider contracts, and any additional notices to End Users we may provide. We disclose Personal Information in a reasonably secure manner, with adequate assurance of protection by relevant third parties, according to contracts, laws and other agreements, and, where needed, with the consent of End Users.
TeleSign follows a framework and defined process for assessing third-party privacy and security risks for all our Third-Party Providers (e.g., external vendors, suppliers, consultants, service Providers and individuals) that provide goods and services to TeleSign before they are allowed access to Personal Data. The assessment of the Third-Party Provider’s information security (based on the ISO 27002:2013 security domains) and privacy controls (based on EU’s GDPR, CA’s CCPA and other Applicable Data Protection Laws) is conducted by TeleSign’s Privacy and Security (PSO) team. The PSO team is engaged in analyzing and controlling risks associated with the outsourcing of services to Third-Party Providers, their screening, onboarding and annually re-assessment.
The process includes any Third-Party Provider who is processing Personal Data on behalf of TeleSign, to sign a Data Processing Agreement (DPA) with TeleSign, r committing them to compliance with the Applicable Data Protection Law, as well as completing a Vendor Self-Assessment (VSA) questionnaire which allows our Privacy and Security teams to assess the overall risk involved.
The VSA collects details on the privacy and security practices at Third-Party Provider’s organizations, enabling an assessment to be made in advance of contracting with such third party. The questions in the VSA are divided into 10 groups based on the requirements defined within ISO 27002:2013. Precise answers with respective comments and supporting documentation (such as ISO certification or SOC2 reports) are required to be provided. Only after the risk assessment process is completed, the Third-Party Provider may enter a business contract with TeleSign, which is reviewed and approved by our Legal team. The business contract obligates the Third-Party Provider to adhere to TeleSign’s information security and privacy policies/standards, as well as applicable law.
International Data Transfers
TeleSign is headquartered in Los Angeles, California (US) and additionally has offices in Belgrade, Serbia with support from an operational sub processor based in Lithuania (EU). Personal data is transferred from our Customers to the US and Serbia offices daily for the purposes of service delivery, operational support, troubleshooting and billing. TeleSign’s current data center set up includes four data centers located in the US, UK, and the Netherlands (EU). The personal data is replicated across all four data centers for purposes of traffic load balancing and service availability. Furthermore, TeleSign uses various carriers, network transit providers and data service providers (Sub processors) for transmission of telecommunication services, such as SMS and Voice, globally. It is impossible to determine which provider is applicable to a specific Customer for the purposes of this document because TeleSign has connections with more than250 different service providers worldwide, and such analysis would be disproportionate to the required result.
We ensure that a Data Processing Agreement (DPA) is in place with all Customers (defining us as a Data Processor) and Providers (where we are defined as a Data Controller).
In the DPA, we commit to the obligations required under Applicable Data Protection Law, and flow down these obligations to our Processors and sub processors. Such obligations include having in place an appropriate safeguard for any international transfers of personal data.
TeleSign did not rely on the recently invalidated Privacy Shield as an international data transfer mechanism under the GDPR, so the invalidation did not affect the way we do business. From the get-go, were lied on the EU Model Clauses (Standard Contractual Clauses/SCCs) as the adequate safeguard to legally operationalize international transfers from the EEA/EU. Effective September 27, 2021, the newly updated SCCs are applied to address all international transfers. These new SCCs are designed by theEuropean Commission to better align with the regulatory requirements of the GDPR, and to address issues highlighted in recent legal decisions like Schrems II.
To review applicable SCCs, please visit: TeleSign SCCs.
TeleSign remains committed to comply with the SCCs and respond to any additional transfer impact analysis questionnaires coming from our Customers to the best of our ability and without undue delay. As a data importer, TeleSign is open to negotiating any supplementary measures (technical, contractual or organizational) for such transfers, in good faith, as long as they are not contradictory to any applicable law. In addition, TeleSign commits to being compliant with any privacy regulations in their existing form and, as and when they are updated (e.g. updates to SCCs to neutralize US surveillance laws). Even though the data exporter (TeleSign’s Customer) is liable for assessing its transfers and supplementary measures, TeleSign, as a data importer, wishes to offer its response to supplementary measures in compliance with the EDPB recommendations. Please visit: Transfer Impact Analysis for more information.
Most U.S.companies do not deal in data that is of any interest to U.S. intelligence agencies and have no grounds to believe they do. They are not engaged in data transfers that present the type of risks to privacy that appear to have concerned the European Court of Justice (ECJ) in the Schrems II case, leading to the invalidation of Privacy Shield.
As a US-based company, we understand our Customers’ concern when it comes to EU-US transfers and FISA Section 702/Executive Order 12333 (US surveillance laws) that were largely the reason for the Schrems II decision. To provide some clarity, Schrems II was not a ruling on whether privacy protections inU.S. law per se, as of either 2016 or 2020, are consistent with EU law. The European Court of Justice (ECJ) ruled only on the validity of Decision 2016/1250 (Privacy Shield) and the ECJ’s assessment of US law (including FISA) accordingly relied primarily on the limited findings about U.S law recorded by the Commission in 2016 in Decision 2016/1250.
In TeleSign’s case, personal data is transferred from the Customer in the EU to the US and Serbia offices daily for the purposes of service delivery, operational support, troubleshooting and billing. TeleSign’s current data center set up includes four data centers located in the US, UK, and the Netherlands (EU). The personal data is replicated across all four data centers for purposes of traffic load balancing and service availability. The EU-US personal data typically transferred for the provision of TeleSign services involves ordinary commercial information, such as phone numbers, IP addresses, and names of end users. The use cases for TeleSign’s services involve authentication, fraud prevention and securing enduser accounts on behalf of its Customers. Such transferred data would not be of interest to US foreign intelligence agencies. To date TeleSign has not received any government requests to disclose data under FISA 702.
Nevertheless, all data is transferred while having in place and maintaining network protection intended to deny the ability to intercept data and encryption of personal data whilst in transit. The theoretical possibility that a U.S. intelligence agency could unilaterally access data being transferred from the EU without the company’s knowledge is no different than the theoretical possibility that other governments’ intelligence agencies, including those of EU Member States, or a private entity acting illicitly, might access the data. Moreover, this theoretical possibility exists with respect to data held anywhere in the world, so the transfer of data from the EU to the United States in particular, does not increase the risk of such unilateral access to EU citizens’ data.
In summary, as a practical matter, TeleSign has no reason to believe our data transfers from the EU to the US present the type of data protection risks that concerned the CJEU in Schrems II.
Outside of its US headquarters, TeleSign has an office in Belgrade, Serbia. The office has more than two thirds of TeleSign’s employees working on service delivery, engineering, operational and billing support. In late 2018, Serbia updated its data protection law to better align with the GDPR. Serbian data protection practices and laws are largely harmonized with the EU, even though Serbia is not afforded an adequacy decision yet. International data transfers outside of Serbia are based onStandard Contractual Clauses issued by the Serbian Data Protection Commissioner which are based on the provisions offered in EU Model Clauses. To conclude, Serbian data protection practices offer the same level of protection offered to data subjects under the GDPR and therefore, the risk to personal data that is transferred outside of the EU to Serbia is very low.
On 28 June 2021, the EU Commission adopted an adequacy decision for transfers of personal data to the UK from EEA/EU, therefore UK data protection practices fall within scope of adequate safeguards under the GDPR.
Privacy by Design calls for privacy to be considered throughout the whole engineering process. Our products and services are developed and designed, with privacy as a priority, in accordance with the seven Privacy-by-Design principles:
- Proactive not reactive, preventative not remedial. We attempt to anticipate privacy risks before they arise – not after a data breach – and build measures to reduce their likelihood and impact.
- Privacy as the default setting. End Users privacy must be protected by default, without their having to take any action. We give End Users the maximum privacy protection, e.g. explicit opt-in, safeguards to protect Personal Data, restricted sharing, minimized data collection, and retention policies. The less data we have, the less damaging a breach will be.
- Privacy embedded into design. We consider privacy in each phase of the development lifecycle: from planning, to development, to operations. Embedding Privacy-by-Design is not just for technical systems but also for business practices.
- Full functionality – positive-sum, not zero-sum. To the greatest extent possible, we will look for ways to deliver all of the functionality of our products and services without a compromise to the principles established in this policy. For us, Privacy-by-Design culture helps the business; it is an enabler, not a blocker.
- End-to-end security – full lifecycle protection. We implement appropriate security measures in all of our products and services to protect Personal Information. Information is secured through implementing security best practices, wherever possible, from start (collection/creation) till the very end (archived/deletion) of the information life cycle.
- Visibility and transparency – keep it open. We are clear and transparent with our End Users, Customers and partners about how we are processing Personal Information. Building trust is fundamental to the success of our business.
- Respect for user privacy – keep it user-centric. We aim to see privacy interests through the eyes of our users and make design choices that empower users to control their data.
Additional guidelines, considering these principles, are developed with the engineering and operations staff to identify the specific points of integration of privacy into the engineering and operations processes.
Appropriate and Reasonable Security Measures
TeleSign has an internal Global Information Security Policy (GISP) based on the ISO 27002:2013 standard for information security management. We employ independent third parties to perform an ISO 27002-based Enterprise Risk Assessment (ERA) across the entire network on an annual basis to measure our compliance with the ISO-based standard and GISP. For more information, please visit: Security.
Data Breach Obligations
We are committed to doing everything we can to stop a breach from ever happening within our systems, but in the event that one were to occur, we will notify the relevant Data Controllers and/or supervisory authorities upon becoming aware, but not later than within 72 hours of a data breach.
Mandatory Employee Training
Our Customers are Businesses covered by the CCPA in whose service TeleSign is acting as a Service Provider. Customers disclose Personal Information to TeleSign solely for a valid business purpose and for TeleSign to perform the services.
TeleSign warrants that we shall not further sell, retain, use, or disclose Personal Information for a commercial purpose other than the defined business purpose.
TeleSign will not abuse or in anyway compromise the trust given to us by our Customers and End Users (consumers). We understand we have earned this trust by how we handle Personal Information and are determined to maintain full compliance with the CCPA.
To avoid being characterized as “selling” Personal Information to third parties that receive Personal Information from TeleSign, we identified and contacted all third parties to include appropriate contract terms to address CCPA requirements. Through our diligent Third-Party Provider risk assessment process, any company that wants to do business with TeleSign is made aware of our privacy and security standards and their obligation to comply with them.
Information privacy is becoming more complex by the minute as more data is being collected and exchanged in real-time. Data privacy is focused on the use and governance of Personal Data and data privacy regulations are not going to go away anytime soon.
As a company built on fraud prevention and security, we are committed to making the online world a safer place. Our SMS (two-factor authentication) solution strengthens privacy rights of individuals by providing universal verification of identity using mobile phone numbers, thus ensuring that an individual's identity is verified before the legitimate processing of Personal Data can occur.
TeleSign has built a privacy program that we are proud to share, and that we will continue to improve on. For us, compliance with Applicable Data Protection Laws isn’t simply about avoiding penalties. In the world of ever rising threats to End User liberties, commitment to personal information privacy is one of the main pillars of customer trust and competitive advantages.
- Phone number reputation scoring API based on phone number intelligence, traffic patterns, machine learning, and a global data consortium.
- The aim of this Whitepaper is to show a well-documented privacy program and due diligence under LGPD.
- Throughout this Whitepaper, TeleSign’s goal is to show commitment to PIPEDA Schedule 1 fair information principles: Accountability, Identifying Purposes, Consent, Limiting Collection, Limiting Use, Disclosure, and Retention, Accuracy, Safeguards, Openness, Individual Access, and Challenging Compliance.
- The goal of this Whitepaper is to show compliance with the 10 PDPA data protection obligations (accountability, notification, consent, purpose limitation, protection, accuracy, retention limitation, transfer limitation, access and correction, and data breach notification).
- If you are a CCPA covered Business and need an identity verification method for consumer requests, please reach out to our Sales team to ask about our SMS 2FA solution.
- The Court of Justice of the European Union (CJEU) judgment of 16 July 2020 (Data Protection Commissioner v. Facebook Ireland LTD, Maximillian Schrems, C-311/18)
- The Privacy by Design principles were first developed by Ann Cavoukian, Ph.D., former Information & Privacy Commissioner of Ontario, Canada. See https://gdpr-info.eu/issues/privacy-by-design/ for more information.