TechTarget Privacy and Compliance

TechTarget has strong privacy, security, and general compliance programs in place which make our organization a safe place to do business. The below information highlights key privacy laws, requirements, and aspects of our programs which may be of interest to you.

What is the General Data Protection Regulation (GDPR)?

GDPR is a comprehensive European privacy regulation that went into effect on May 25, 2018. The regulation protects the fundamental rights and freedoms of natural persons and, in particular, their right to the protection of their personal data (as defined in the regulation). Among other things, GDPR requires that personal data be processed lawfully, fairly and in a transparent manner in relation to the data subject and collected for specific, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. One of the goals of GDPR is to harmonize data privacy laws across the various Member States in the European Union (EU). Additionally, Member States may have one or more data protection authorities that are vested with supervising and administering the application of GDPR and Member State-specific data protection laws.

Who does GDPR apply to?

GDPR has “extra-territorial effect” and applies to organizations that handle the personal data of EU data subjects, regardless of where they are located.  Specifically, Article 3 of GDPR provides that it applies to:

  • the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not.
  • to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to ((i) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU, or (ii) the monitoring of their behavior as far as their behavior takes place within the EU.
  • to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.

What are the principles of GDPR?

Article 5 of GDPR outlines the “principles relating to processing personal data” as set forth below:

Lawfulness, fairness and transparency

Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject

Purpose limitation

Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes

Data minimization

Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed


Personal data shall be accurate and, where necessary, kept up to date

Storage limitation

Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed

Integrity and confidentiality

Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures


The controller shall be responsible for, and be able to demonstrate compliance with the GDPR

With respect to the personal data that TechTarget is sharing with its Customers by way of its services, is TechTarget a controller, a joint controller or processor?

With regard to TechTarget’s collection and processing of its member’s contact data and the disclosure of such data to TechTarget’s Customers, TechTarget is a controller. TechTarget has a direct relationship with its members, that is independent of any relationship between TechTarget and its Customers. The relationship between TechTarget and its members begins before and continues after any relationship between TechTarget and the Customer. Further, Techtarget does not collect personal data from its members exclusively for or on the behalf its Customers. TechTarget processes personal data for its own purposes, including the operation of its business. To the extent that TechTarget discloses personal data to Customers, it does so on an arm’s length basis, subject to the provisions of a contract. The Customer does not determine the purposes for which, or means by which, TechTarget processes the personal data of its members. On the contrary, TechTarget determines the terms of its relationship with each member and TechTarget determines the categories of data that can be made available to the Customer under TechTarget’s terms of business.

Further, it is important to note that TechTarget and its Customers do not collaborate to determine the purposes for which, or means by which, member data is processed. Accordingly, TechTarget and Customers are not joint controllers.

Can TechTarget provide me with information around how a specific member’s information is being processed if the member requests it?

Our systems are designed to store the details of a member’s registration or subscription together with the subsequent usage of an individual member record. If a member shared by TechTarget with a Customer were to request details about how their information was collected, TechTarget can deliver it to the member and the Customer in a timely manner. Other marketing service providers that license or trade user information may struggle to provide an accurate and comprehensive response to member inquiries like this.

How would a Customer find out if a member states that they no longer wish to have their data processed?

Members can unsubscribe from TechTarget emails at any time. Additionally, members can opt to remove themselves entirely from our database and from having their information processed by our Customers. This “right to be forgotten” is an important component of GDPR, and other similar privacy laws, and is a requirement upon which we can deliver. Further, if a member wishes to access, rectify, erase, restrict, transfer, or otherwise objects to the use of their information they can submit a request directly to, or through our Rights Request Forms (for GDPR, UK GDPR, CCPA, and other privacy regulations). If a member asks to be deleted, we provide timely notice to our Customers of the member’s request so that they can take the appropriate action as may be necessary with respect to the processing of that information. Additionally, TechTarget will not share member personal data with Customers if, prior to disclosure, the member has objected to their personal data being shared with third parties. For more information, please refer to our Privacy Policy.

What safeguards do you have in place to protect member information?

TechTarget has appropriate technical and organizational measures in place to ensure a level of security appropriate to our risk as a controller. This includes maintaining policies, controls, and other processes to document and protect personal data from unauthorized use, destruction, and/or disclosure. Moreover, these policies, controls, and other processes require processing activities to be planned, designed and performed with data security, privacy, and compliance in mind. Among other technical and organizational measures in operation:

  • We store personal data on secure servers, protected by firewalls.
  • We regularly test our network security and vulnerability controls.
  • We employ controls to monitor access to and use of our systems.
  • We have policies, procedures and program controls in place to document how we process and store personal data.
  • We have security mechanisms (such as encryption) in place for the secure transfer of data.
  • We have processes in place to investigate potential security incidents involving personal data.

What is the California Consumer Privacy Act (CCPA)?

The CCPA went into effect on January 1, 2020 with enforcement commencing on July 1, 2020. The CCPA applies to all companies that handle the personal information (as defined in the CCPA) of California residents (referred to as “consumers”). The CCPA applies to for-profit businesses that do business in California and meet any of the following requirements: (i) have a gross annual revenue of over $25 million, (ii) buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices, or (iii) derive 50% or more of their annual revenue from selling California residents’ personal information. The CCPA gives consumers more control over the personal information that a business collects about them and the applicable regulations provide guidance to businesses on how to implement the CCPA. The CCPA provides California consumers with the following rights:

  • The right to know about the personal information a business collects about them and how it is used and shared;
  • The right to delete personal information collected from them (with some exceptions);
  • The right to opt-out of the sale of their personal information; and
  • The right to non-discrimination for exercising their CCPA rights.

TechTarget has drafted a Privacy Notice for California Residents, which is publicly available on our website and linked within our general Privacy Policy. Additionally, we include a “Do Not Sell My Personal Info” link on our website and an associated webform for processing CCPA Rights Requests

What is the California Privacy Rights Act (CPRA)?

The CPRA will go into effect on January 1, 2023 and becomes fully enforceable on July 1, 2023. The CPRA builds upon and expands many aspects of the CCPA including, creating a new California Privacy Protection Agency that will serve as a lead supervisor and enforcer of the CCPA/CPRA and modifying existing rights available to California consumers under the CCPA while establishing four new rights (i.e., right to correction, right to opt-out of automated decision making, right to know about automated decision making, and right to limit use of sensitive personal information). While the CPRA maintains the key principles of the CCPA. companies will need to review their existing privacy practices and implement any necessary changes into their policies, procedures, contracts, notices, and consumer rights responses to ensure compliance by the effective date.


Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request