TeleSign is one of the world’s largest and most trusted CPaaS (“Communications Platform as a Service”) and Customer identity and engagement solutions providers, based in Los Angeles, California. Combining real-time data & analytics, phone verification and two-factor authentication, TeleSign is trusted by the world’s largest brands to prevent online fraud and helps secure billions of end-user accounts from compromise on behalf of our Customers.
We started with phone-based authentication services, and as we anticipated changes in attack techniques, we introduced our line of data products. Leveraging our insight into the volume of traffic and the data captured by our products, we’ve developed the ability to predict potential fraud based on phone attributes, machine learning algorithms, data and patterns in behavior and traffic.
At TeleSign, privacy is in our DNA – it is embedded in everything that we do in service to our Customers and taken very seriously by all TeleSign employees. In this Privacy Whitepaper, we will provide an in-depth explanation of TeleSign’s privacy practices, including a detailed review of our compliance program with applicable privacy laws. Although this Whitepaper considers certain market-specific laws and regulations, the privacy practices described within are complied with and enforced globally by all TeleSign staff and providers, to the extent they process Personal Data on our behalf.
It is impossible for us to discuss rules for Personal Data unless we are sure that we are all talking about the same thing. Where appropriate, some terms may be explained in context, but other more fundamental terms are defined below.
Applicable Data Protection Laws – shall mean any legislation in the relevant jurisdiction relating to the processing of Personal Data and privacy, including but not limited to the California Consumer Privacy Act (“CCPA”), the General Data Protection Regulation (“GDPR”), the Lei Geral de Proteção de Dados (“LGPD”) and the Personal Information Protection and Electronic Documents Act (“PIPEDA”).
Controller – for the most part, our enterprise Customers determine the purposes and means of the processing of Personal Data, and they are therefore Data Controllers. For example, Customers send us phone numbers of their End Users so that we can send One-Time Passwords (OTPs) to the End Users’ phone numbers. Under CCPA, a Controller is referred to as a Covered Business.
Customer – an organization or a company that engaged TeleSign for provision of Services. Our Customers are giving us instructions in contracts (usually, Data Processing Agreements) on what to do with the Personal Data they are sending to us and are, therefore, Data Controllers. In the delivery of our products and services, we only use Personal Data for approved purposes.
Processor – for the most part, TeleSign is a Data Processor because we only process Personal Data on behalf of our Customer, the Controller. TeleSign sends OTPs to End Users’ phone numbers only when instructed by the Data Controller. Under CCPA, the Processor is called a Service Provider.
End Users or Data Subjects or Consumers – individuals who interact directly with the Controller, and whose Personal Information is processed by the Processor, for purposes defined by the Controller. For the most part, TeleSign is not in a direct relationship with the End User. Our Customers are collecting the End User Personal Data (transparently and on their terms and conditions) and passing the data to TeleSign for further processing. In those situations, TeleSign is a Data Processor for traffic data, which includes End User phone numbers and other CDR (call detail record) data. In other marginal cases, TeleSign is a Data Controller for: billing data, employee data, Score(1) machine learning algorithms, and Customer Self-Service Portal. Data subjects are called Consumers under CCPA.
Personal Information / Personal Data – information relating to an identified or identifiable natural person (data subject or consumer). An identifiable person is one who can be identified, directly or indirectly, by reference to an identification number or one or more factors specific to the individual. Examples of data that are broadly accepted to be Personal Information include: name, email, social security number or other national identification number, phone number, DNA, fingerprints, voice recordings and credit card number. Other, less obvious, data that have been found to be Personal Information include online identifiers such as: IP address, location data, search engine query history, and globally unique identifiers (GUIDs) associated with website cookies to distinguish different users from each other. The terms Personal Information, personally identifiable information (aka, ‘PII’), and Personal Data are all used interchangeably, with Personal Information and PII being the common terms in the United States and Personal Data being the common term in Europe.
It’s important to note that even if TeleSign is unable to identify a natural person from a piece of information, it does not necessarily mean that it isn’t Personal Information. For instance, TeleSign may handle mobile telephone numbers belonging to any number of individuals. Those numbers are still Personal Information even though TeleSign may not have the means of identifying the name of the person to whom the phone belongs. The mere fact that information is Personal Information does not mean it cannot be processed, only that the principles in Applicable Data Protection Laws, Customer contracts and internal policies must be followed.
Finally, non-Personal Information may become Personal Information in two important ways. First, any information associated with Personal Information becomes part of the Personal Information (e.g., if a postal code is associated with a person’s name or telephone number, the postal code becomes part of the record associated with the individual and must be treated as Personal Information). Second, enough non-Personal Information may be combined and analyzed in such a manner as to allow for it to identify an individual (e.g., enough location data points from an individual’s mobile phone over time are likely to identify the individual).
Sensitive Personal Information – Personal Information with which there are higher risks to the privacy interests of the individuals involved. Sensitive Personal Information includes Personal Information relating to an individual’s medical treatment, health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic/biometric data, and sex life or sexual orientation. TeleSign does not process Sensitive Personal Information.
Processing – any operation or set of operations which is performed upon Personal Information, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
Privacy versus Data Protection. Privacy, as a concept and fundamental right, is the premise that people should be free from the intrusion of others in their personal lives. This includes intrusion by government and private citizens into personal property and communications. In application, broad privacy laws protect us against people listening in on our telephone calls, opening our mail, snooping in on our medical records and sneaking into a celebrity wedding to take photos without authorization.
Data protection, on the other hand, is a narrower concept that establishes rules for how people will and will not collect and process Personal Information. It identifies the circumstances under which organizations can receive Personal Information from or about individuals, what those organizations may and may not do with the Personal Information, what rights individuals have regarding the processing of their Personal Information, and the penalties for non-compliance.
Despite the differences between these two terms, this document may refer generally to the substance as one of ‘privacy’.
Provider/Supplier/Sub processor – means any processor engaged by TeleSign who agrees to receive the Personal Data exclusively intended for processing activities to be carried out on behalf of TeleSign after the transfer in accordance with Controller’s instructions and in connection with the agreement for the provision of services to TeleSign; or a Service Provider as defined in the CCPA. TeleSign has two major types of general Service Providers:
Sell – under CCPA, means “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means” for “monetary or other valuable consideration”. Selling would equate to activities of a Data Controller under GDPR.
We have laid out a 6-phase compliance roadmap to get us to any Applicable Data Protection Law compliance: (1) Training/Awareness for the entire company; (2) Data Mapping; (3) Gap Analysis; (4) Data Protection Impact Assessments (DPIA); (5) Implementation; and (6) Steady State (aka long-term compliance post deadline).
When adding new laws (such as CCPA after the GDPR) we choose to follow a “one privacy framework” rule for all regulations materially addressing the privacy matter, based on the strictest, but still allowing for specific differences to be addressed and implemented separately. Where GDPR imposed stricter rules than CCPA, we chose to follow the GDPR. For example, under the GDPR, Controllers have 30 days to respond to data subject requests, and under the CCPA, Covered Businesses have 45 days to respond to verified consumer requests, so we chose to follow the 30-day rule globally for all types of requests. Similarly, consumers are considered to be equal to data subjects under the GDPR generally, but some CCPA-specific changes were still made to the existing privacy program.
In 2020, in addition to GDPR and CCPA, we added LGPD and PIPEDA rules to our privacy framework. Even though TeleSign is not geographically located in Brazil, TeleSign is involved in offering and supplying goods or services in Brazil which relate to individuals who are geographically located in Brazil, and as a result we added the LGPD. The GDPR and LGPD are similar to a high degree, so existing GDPR compliance efforts were leveraged for further compliance with the LGPD(2). On the other hand, PIPEDA applies to organizations in Canada. TeleSign does not have to comply with PIPEDA to operate as an international service provider in Canada mandated by a domestic organization conducting commercial activities because the organization remains liable for Personal Information even if transferred to third parties (TeleSign). Organizations must use contractual privacy protection clauses or other means to ensure a comparable level of protection to PIPEDA while the information is being processed by the third party, which can be ensured through a Data Processing Agreement (DPA) with TeleSign, but there are no other restrictions. However, for signing DPAs with Canadian Customers, demonstrating PIPEDA compliance has become a significant factor in a winning business strategy in Canada, and therefore it was implemented in TeleSign’s existing privacy framework(3).
Accountability is the fundamental principle of all existing privacy regulations. At TeleSign, our privacy governance program is based on the recognized principle of Privacy-by-Design and the ability to establish a relationship of trust with the data subject, by means of transparency and mechanisms for the data subject to participate.
We keep detailed records of all processing of Personal Data that occurs so we can ensure adequate security throughout the data protection lifecycle. We have established a Privacy Office (PO) to ensure continuous and long-term compliance with Applicable Data Protection Laws, led by our Data Protection Officer (DPO). Our team of privacy experts is comprised of IAPP-certified members of the Legal, Privacy and Security teams, and complemented by IAPP-certified employees in the Sales and Engineering teams. Privacy cannot exist without security, which is why we are committed to protecting Personal Data using appropriate security measures. The design, acquisition, implementation, configuration, and management of our business processes, infrastructure, assets, systems, products, and services are routinely reviewed for consistency with existing internal policies and related Applicable Data Protection Laws.
Privacy (and security) risk is considered throughout the data processing lifecycle and we hold ourselves accountable for the protection of Personal Data from start (collection) till the very end (deletion), and specifically that Personal Data is:
There can be no trust without transparency, and we can only be successful if we earn and maintain our partners’ trust.
As a Data Controller, when TeleSign is acting on its own behalf (not on behalf of Customers), it provides End Users with notices about how we collect, use, retain, and disclose Personal Information about them. To that end we promise to disclose in our Privacy Notice:
As a Data Processor, when we are processing data on behalf of our Customers, we are similarly transparent about how we collect, use, retain, and disclose their data. Specifically, our contracts (including the Data Processing Agreement) and communications accurately reflect:
In the delivery of our products and services, we are using Personal Information for approved business purposes, which are defined in relevant contracts (business agreement or DPA). Personal Information belongs to the End User (consumer). The owners of the Personal Information have given permission (consent) to use their Personal Information, either directly to us or to our Customers, for purposes that have been transparently disclosed to them. In short, the consumer is giving a restricted license to use his/her Personal Information, and TeleSign conducts business strictly within those limitations.
Customers and Providers which provide Personal Information to TeleSign for processing must ensure that End Users have been provided with sufficient notice and choice or that some other lawful basis exists for TeleSign’s processing of Personal Information.
All our products operate on consent and contracts (including Data Processing Agreements) and are fully compliant with Applicable Data Protection Laws. Our commitment to all Customers is to only process Personal Data lawfully and legitimately. If we are thinking about changing the way we process Personal Data, our Customers will be notified prior to any changes.
We use Personal Information only for the purposes we identify in the notices we provide and, where choice is given, in accordance with any consent that End Users provide.
When we process End User data of our Customers, we use and retain such data only as specified in our contracts with Customers.
Unless otherwise required under applicable law, we do not retain Personal Information for longer than is necessary to fulfill the purposes for which it was collected and to maintain reasonable business records. When the retention of Personal Information is no longer necessary for such purposes, the information will be destroyed in a manner sufficient to prevent unauthorized access to that information or it will be de-identified in a manner sufficient to make the data no longer personally identifiable.
We respond to End Users who exercise their data subject rights within 30 days, whether they do so directly (through the contact form on our website at https://www.telesign.com/privacy-requests) or through our Customers, as Data Controllers.
Under GDPR, as a Data Processor, we are committed to facilitating the Data Subject Rights (DSRs) on behalf of the Data Controllers, including: the Right to be Informed/Transparency (via our Privacy Notice), the Right to Access, the Right to Rectification, the Right to Erasure, the Right to Restriction of Processing, the Right to Data Portability, the Right to Object (including Profiling), and the Right to Withdraw Consent. An individual’s right to access data is guaranteed in almost all Applicable Data Protection Laws. Under LGPD, we are committed to responding to access requests within 15 days. Under PIPEDA, the timeframe luckily coincides with our existing 30-day rule.
Under CCPA, we established processes for responding to requests for access, deletion and opt-out of sale of Personal Information in a timely and effective manner. There are two methods Most of our End Users should be contacting our Customers, CCPA covered Businesses, to exercise their consumer rights. As a Service Provider, we are committed to facilitating the consumer rights on behalf of our Customers. In addition, our SMS (two-factor authentication) product provides universal verification of identity using mobile phone numbers, thus ensuring that a consumer’s identity is verified before he/she submits a request to exercise any of their rights(4).
When we disclose Personal Information to third parties, it is only for purposes that are identified in the Privacy Notice, our Customer or Provider contracts, and any additional notices to End Users we may provide. We disclose Personal Information in a reasonably secure manner, with adequate assurance of protection by those third parties, according to contracts, laws and other agreements, and, where needed, with the consent of End Users.
TeleSign follows a framework and defined processes for assessing third-party risk, from both the privacy and the security side, for all Third-Party Providers (e.g., external vendors, suppliers, consultants, service Providers and individuals) that provide goods and services to TeleSign before they are allowed access to Personal Data. The assessment of the Third-Party Provider’s information security (based on the ISO 27002:2013 security domains) and privacy controls (based on EU’s GDPR, CA’s CCPA and other Applicable Data Protection Laws) is conducted by TeleSign’s Privacy and Security (PSO) team. The PSO team is engaged in analyzing and controlling risks associated with outsourcing of services to Third-Party Providers, and in their screening, onboarding and annual re-assessment.
The process includes the Third-Party Provider signing a Data Processing Agreement (DPA) with TeleSign for compliance with the Applicable Data Protection Law measures and completing a Vendor Self-Assessment (VSA) questionnaire.
The VSA has been designed to collect details on privacy and security practices at the Third-Party Provider’s organization, enabling an assessment to be made in advance/in place of an onsite audit. The controls questioned in the VSA are divided into 10 groups following requirements defined within ISO 27002:2013. Precise answers with respective comments and supporting documentation (such as ISO certification or SOC2 reports) are required. Once the process of risk assessment is completed, the Third-Party Provider may enter a business contract with TeleSign, which is reviewed and approved by our Legal team. The business contract obligates the Third-Party Provider to adhere to TeleSign’s information security and privacy policies/standards.
We ensured that a Data Processing Agreement (DPA) is in place with all existing Customers (defining us as a Data Processor) and Providers (where we are defined as a Data Controller).
In the DPA, we commit to the obligations of all controllers and flow down those obligations to all our Processors/sub processors, including the all-important data protection adequacy for international data transfers. Luckily, TeleSign did not rely on the recently invalidated Privacy Shield as an international data transfer mechanism under the GDPR, so the invalidation did not affect the way we do business. From the get-go, we relied on the EU Model Clauses (Standard Contractual Clauses/SCCs) to operationalize international transfers from the EEA/EU on legal grounds.
TeleSign remains committed to complying with the SCCs and responding to any additional transfer impact analysis questionnaires coming from our Customers to the best of our ability without undue delay. As a data importer, TeleSign is open to negotiating any supplementary measures (technical, contractual or organizational) in good faith, as long as they are not contradictory to any applicable law. In addition, TeleSign commits to being compliant with any privacy regulations in their existing form and also when they are updated (e.g. updates to SCCs to neutralize US surveillance laws).
Most U.S. companies do not deal in data that is of any interest to U.S. intelligence agencies and have no grounds to believe they do. They are not engaged in data transfers that present the type of risks to privacy that appear to have concerned the ECJ in the Privacy Shield invalidation decision (Schrems II).
As a US-based company, we understand our Customers’ concern when it comes to EU-US transfers and FISA Section 702/Executive Order 12333 (US surveillance laws) that were the reason for the Schrems II decision. To provide some clarity, Schrems II was not a ruling on whether privacy protections in U.S. law per se, as of either 2016 or 2020, are consistent with EU law. The European Court of Justice (ECJ) ruled only on the validity of Decision 2016/1250 (Privacy Shield) and the ECJ’s assessment of US law (including FISA) accordingly relied primarily on the limited findings about U.S. law recorded by the Commission in 2016 in Decision 2016/1250.
The U.S. government frequently shares intelligence information with EU Member States, including data disclosed by companies in response to FISA 702 orders, to counter threats such as terrorism, weapons proliferation, and hostile foreign cyber activity. Sharing of FISA 702 information undoubtedly serves important EU public interests by protecting the governments and people of the Member States.
Data transferred outside the EU, whether destined for the United States or any other country, flows through numerous transmission networks and is potentially subject to access by such countries’ intelligence agencies, as well as by private entities acting illicitly, and will be more or less protected from such access depending on the data security measures taken by a company and on the laws and practices in each jurisdiction through which the data passes. No country acknowledges the specific locations and operational details of its clandestine overseas intelligence activities. Many countries do not even regulate such activities by law, including some EU Member States. Were the lawfulness of data transfers outside the EU to depend on an assessment of intelligence agencies’ clandestine access to data outside a given destination country while in transit, no data transfers could be found lawful under EU standards because intelligence agencies worldwide potentially could access the data as it travels over global networks. The theoretical possibility that a U.S. intelligence agency could unilaterally access data being transferred from the EU without the company’s knowledge is no different than the theoretical possibility that other governments’ intelligence agencies, including those of EU Member States, or a private entity acting illicitly, might access the data. Moreover, this theoretical possibility exists with respect to data held anywhere in the world, so the transfer of data from the EU to the United States in particular does not increase the risk of such unilateral access to EU citizens’ data. In summary, as a practical matter, companies have no reason to believe their data transfers present the type of data protection risks that concerned the ECJ in Schrems II.
There is a wealth of public information about privacy protections in U.S. law concerning government access to data for national security purposes, including information not recorded in Decision 2016/1250, new developments that have occurred since 2016, and information the ECJ neither considered nor addressed. Companies may wish to take this information into account in any assessment of U.S. law post-Schrems II.
The United States government has prepared this White Paper to provide a detailed discussion of privacy protections in current U.S. law and practice relating to government access to data for national security purposes, focusing in particular on the issues that appear to have concerned the ECJ in Schrems II, for consideration by companies transferring Personal Data from the EU to the United States. The European Data Protection Board (EDPB) has recently published a 6-step recommendation list on measures to supplement transfer tools for Controllers (TeleSign Customers). We are hoping that this US Government Schrems II Whitepaper will be able to help our Customers in their assessment of the US law that may impinge on the effectiveness of the appropriate safeguards on the transfer tools they are relying on.
(Note: TeleSign operates out of the US, the EU and Serbia.)
Privacy by Design calls for privacy to be considered throughout the whole engineering process. Our products and services are developed and designed, with privacy as a priority, in accordance with the seven Privacy-by-Design principles(5):
Additional guidelines, considering these principles, are developed with the engineering and operations staff to identify the specific points of integration of privacy into the engineering and operations processes.
TeleSign has an internal Global Information Security Policy (GISP) based on the ISO 27002:2013 standard for information security management. We employ independent third parties to perform an ISO 27002-based Enterprise Risk Assessment (ERA) across the entire network on an annual basis to measure our compliance with the ISO-based standard and GISP. For more information, please visit: Security.
We are committed to doing everything we can to stop a breach from ever happening within our systems, but in the event one were to occur, we will notify the relevant Data Controllers and/or supervisory authorities upon becoming aware, and in any case within 72 hours of a data breach. Since we are based in California, we are already in compliance with the state's Data Breach Notification law.
Our Customers are Businesses covered by the CCPA in whose service TeleSign is acting as a Service Provider. Customers disclose Personal Information to TeleSign solely for a valid business purpose and for TeleSign to perform the services.
TeleSign warrants that we shall not further sell, retain, use, or disclose Personal Information for a commercial purpose other than the defined business purpose.
TeleSign will not abuse or in any way compromise the trust given to us by our Customers and End Users (consumers). We understand we have earned this trust by how we handle Personal Information and are determined to maintain full compliance with the CCPA.
To avoid being characterized as “selling” Personal Information to third parties that receive Personal Information from TeleSign, we identified and contacted all third parties to include appropriate contract terms to address CCPA requirements. Through our diligent Third-Party Provider risk assessment process, any company that wants to do business with TeleSign is made aware of our privacy and security standards and their obligation to comply with them.
With technological innovation moving at the speed of light, information privacy is becoming more complex by the minute as more data is being collected and exchanged. Data privacy is focused on the use and governance of Personal Data, and data privacy regulations are not going to go away anytime soon.
As a company built on fraud prevention and security, we are committed to making the online world a safer place. Our SMS (two-factor authentication) product strengthens privacy rights of individuals by providing universal verification of identity using mobile phone numbers, thus ensuring that an individual's identity is verified before the legitimate processing of Personal Data can occur.
TeleSign is building a privacy program that we are proud to share. For us, compliance with Applicable Data Protection Laws isn’t simply about avoiding penalties. In a world of ever-rising threats to End User liberties, commitment to personal information privacy is one of the main pillars of customer trust and competitive advantage.