Note: This is just a quick follow up with the data aggregator’s explanation of their opt-in sourcing and GDPR compliance.

If you missed yesterday’s installment in my ongoing curiosity research on how our personal contact information gets aggregated and sold, read it here to make sense of the reply below. My take is that once you ‘opt-in’ to any website with a thousand word plus ToS page, they believe that they have the right to resell your information as ‘permission passed data’. Frankly, that does not pass my sniff test. While my good friend at Sullivan Cromwell might have surrendered his name and email address to register for a webinar or order yet another crate of thumb drives for collections, I sincerely doubt that he provided his formal job title, the number of firm employees, the firm’s gross revenue, his LinkedIn profile URL and the fact that he was a Relativity One user. (Relativity confirmed that it does not sell its customers’ personal information and that all collection and use of personal information is in accordance with its Privacy Policy.) That information probably came from other sources and the aggregation itself creates a pretty personal profile. All of DataXpander’s ‘permission passed data’ rational falls apart on the premise that once I have opted-in to receive unsolicited emails from a specific source that I have agreed to receive spam from anyone they choose to sell my address to. I hope that you have all enjoyed the investigation and my thanks for all the good comments and questions.

Here is the email response from DataXpander:

From: Neil Johnson
Sent: Thursday, July 8, 2021 3:15 PM
To: Greg Buckles <>
Subject: RE: eDiscovery Users

Hi Greg, Sorry about the delay in getting back to you.

All of the emails are opted in permission passed data. Again we back that up with data re-verification by working with vendors like OneTrust GDPR Validation (

  • 100% of our data set is sourced through publishers and publication, event companies where we manage the opt-in information for each and every records. However our internal policies doesn’t allow us to share the complete details. We can share the details of any particular record as such …case by case.

–          All these records comes to are opt-in to receive third party email solicitations and further more we run the file through One Trust which is been our supporting partner for UK and all European client requirements abiding by GDPR guidelines. Our team should be able address and fulfill the transparency regarding the source of their B2B data.

Hope the above is helpful.

Let me know if you have any other questions or concerns.



Greg Buckles wants your feedback, questions or project inquiries at Contact him directly for a free 15 minute ‘Good Karma’ call. He solves problems and creates eDiscovery solutions for enterprise and law firm clients.

Greg’s blog perspectives are personal opinions and should not be interpreted as a professional judgment or advice. Greg is no longer a journalist and all perspectives are based on best public information. Blog content is neither approved nor reviewed by any providers prior to being published. Do you want to share your own perspective? Greg is looking for practical, professional informative perspectives free of marketing fluff, hidden agendas or personal/product bias. Outside blogs will clearly indicate the author, company and any relevant affiliations. 

 See Greg’s latest pic on Instagram.

0 0 votes
Article Rating