Compliance

GDPR and CCPA Compliance for Lead Routing

Lead Router provides the controller-processor split, a public DSR workflow with a 30-day SLA, consent timestamps stored per lead, and Standard Contractual Clauses for EU and UK transfers. A Data Processing Agreement is available on request.

  • /dsr Form: Data subject requests
  • 30 Days: Response SLA
  • SCCs: EU and UK transfers

This page is informational, not legal advice. Privacy compliance obligations depend on your business, jurisdiction, and the data you process. Consult qualified privacy counsel for advice on your specific situation.

EU and UK

What GDPR requires

The General Data Protection Regulation applies to any organization processing personal data of people in the EU, EEA, or UK, regardless of where the processor is located.

Lawful basis for processing. Every processing activity needs a legal basis: consent, performance of a contract, legal obligation, vital interests, public task, or legitimate interest. For lead generation, the two bases you will use in practice are consent (opt-in forms) and legitimate interest (in narrow B2B contexts with a documented balancing test). You decide and document the basis; Lead Router processes under your instruction.

Controller versus processor. Under GDPR Article 4, the controller decides why and how personal data is processed. The processor acts on the controller's instructions. When you use Lead Router to route leads, you are the controller of the lead-subject data, and Lead Router is the processor. Article 28 requires a written agreement between controller and processor that covers security, sub-processors, breach notification, and return of data at termination. Our Data Processing Agreement covers those obligations.

Data subject rights. Articles 15 through 22 grant EU and UK residents the right to access their data, rectify inaccuracies, erase it (the right to be forgotten, Article 17), restrict processing, object, port their data in a machine-readable format, and withdraw consent. Requests must be responded to within one month, extendable to three months for complex cases. Our DSR workflow handles the intake, verification, and fulfillment.

International transfers. Chapter V restricts transfers of personal data outside the EEA unless an adequacy decision, Standard Contractual Clauses, or another approved mechanism is in place. Lead Router relies on the 2021 EU SCCs and the UK International Data Transfer Addendum for transfers to the United States.

Breach notification. Article 33 requires controllers to notify the supervisory authority within 72 hours of becoming aware of a personal data breach. As processor, we notify the controller without undue delay so you can meet that clock.

California

What CCPA and CPRA require

The California Consumer Privacy Act (CCPA), amended by the California Privacy Rights Act (CPRA), applies to most businesses processing the personal information of California residents.

  • Right to know. Section 1798.110 grants consumers the right to know what personal information is collected, the sources, the business purpose, and the categories of third parties it is disclosed or sold to.
  • Right to delete. Section 1798.105 grants the right to request deletion of personal information, subject to statutory exceptions (fraud prevention, legal compliance, internal uses aligned with consumer expectations).
  • Right to correct. Added by CPRA, Section 1798.106 grants the right to correct inaccurate personal information a business maintains.
  • Right to opt out of sale or sharing. Sections 1798.120 and 1798.120(a) as amended require a clear Do Not Sell or Share link for businesses that sell or share personal information for cross-context behavioral advertising.
  • Right to limit sensitive personal information. Added by CPRA, Section 1798.121 lets consumers limit the use of sensitive categories (precise geolocation, race, religion, health, biometric) to what is necessary to provide the requested service.
  • Private right of action on breaches. Section 1798.150 gives consumers a private right of action with statutory damages when nonencrypted personal information is exposed in a breach caused by inadequate security.

Response SLA is 45 days, extendable another 45 days for complex requests with written notice to the consumer. Lead Router operates under the stricter 30-day target as the default.

Beyond California

State privacy laws

More than twenty US states have passed comprehensive privacy laws. Most grant the same core rights as CCPA and follow the same controller-processor model.

Virginia VCDPA, Colorado CPA, Connecticut CTDPA, and Utah UCPA took effect in 2023. Texas DPDPA, Oregon OCPA, Montana MCDPA, Florida FDBR, Delaware DPDPA, Iowa ICDPA, New Jersey NJDPA, Tennessee TIPA, Minnesota MCDPA, Maryland MODPA, Nebraska NDPA, New Hampshire NHPA, Indiana ICDPA, Kentucky KCDPA, and Rhode Island RIDTPPA have followed in 2024 and 2025. More states are pending.

The common thread across these laws: residents have the right to access, correct, delete, and opt out of sale or targeted advertising. Most also require an opt-out honoring mechanism (many recognize the Global Privacy Control signal). Controllers must publish a privacy notice and sign a data processing agreement with service providers.

The Lead Router DSR workflow, consent tracking, and retention controls cover these rights the same way they cover CCPA. The practical difference from state to state is the threshold for applicability, the response clock (usually 30 to 45 days), and whether a private right of action exists. Your privacy counsel should confirm which statutes apply to your business.

How Lead Router Does It

Lead Router's privacy architecture

Six capabilities that make the platform usable for operators subject to GDPR, CCPA, or any state privacy law.

DSR workflow with 30-day SLA

A public data subject request form lives at /dsr. Any resident of a covered jurisdiction can submit an access, correction, deletion, portability, or opt-out request. We verify identity via email confirmation, route the request to the privacy team, and respond within 30 days. CCPA allows up to 45 days with a documented extension for complex requests; GDPR Article 12 allows a similar extension for complex cases.

Consent tracking per lead

Every lead that comes through a partner form carries a consent record: the exact consent text the subject agreed to, the IP address, user agent, timestamp, and URL where consent was captured. That record stays attached to the lead through every buyer distribution, so when a buyer downstream gets a TCPA or GDPR inquiry, the consent trail is auditable.

Data minimization by contract

Buyer contracts declare the exact fields required for that buyer. Partner posting specs only surface the fields mapped to the offer. We do not silently collect extra fields for future use. If a field is not on the contract, it is not forwarded. This keeps the processing scope aligned with GDPR Article 5 data minimization.

Per-tenant retention controls

Operators configure retention windows per tenant. When the window elapses, lead-subject personal data is purged or pseudonymized according to your policy. The platform does not force a fixed retention; you set the schedule that matches your legal basis and your downstream buyer contracts.

Standard Contractual Clauses

Lead Router is operated from the United States. For personal data originating in the European Economic Area, the United Kingdom, or Switzerland, we rely on the 2021 EU Standard Contractual Clauses and the UK International Data Transfer Addendum as the transfer mechanism. SCCs are incorporated by reference in our Data Processing Agreement.

Data Processing Agreement

A Data Processing Agreement reflecting GDPR Article 28 processor obligations is available on request. The DPA covers subject matter and duration, nature and purpose of processing, categories of data, sub-processor notice, security measures, breach notification timing, DSR assistance, audit rights, and return or deletion of data at termination. CPRA-equivalent controller-to-service-provider language is included for California.

DSR Workflow

How a data subject request moves through the system

The same workflow handles GDPR access and erasure requests, CCPA know and delete requests, and the equivalent rights under state privacy laws.

  1. Request submitted. The data subject fills out the form at theleadrouter.com/dsr. The form collects the request type (access, correction, deletion, portability, opt-out of sale or sharing, consent withdrawal), identifying information, and the jurisdiction the subject is claiming rights under.
  2. Identity verification. We send a verification email to the address on the request. For higher-risk requests (deletion, access to sensitive data) we may ask for additional confirmation. GDPR Article 12 and CCPA Section 1798.140 both permit reasonable identity verification before action.
  3. Routed to the privacy team. Verified requests are assigned to our privacy team, logged, and tracked against the response SLA. If the request concerns data where a customer is the controller and Lead Router is the processor, we coordinate with that customer so the response is consistent across the chain.
  4. Response within 30 days. Access requests return a machine-readable export. Deletion requests trigger a purge across primary storage, backups within the backup retention window, and any downstream systems where the subject's data was forwarded by the controller. CCPA complex requests can extend to 45 days with a written notice.
  5. Confirmation and audit trail. The subject receives written confirmation of the action taken. An audit log entry captures who handled the request, when, what action was taken, and what data was returned or purged. That log is retained to demonstrate compliance if a regulator asks.

Scope

What this covers and what it does not

Being clear about where Lead Router's obligations end is part of the controller-processor split.

Covered

  • Personal data about your customer account users (admins, operators, agents using the Lead Router platform).
  • Lead-subject data you process through the Lead Router routing engine, while it is in our systems.
  • Consent records and audit logs captured on lead submission and delivery.

Not covered

  • Lead-subject data you store in your own CRM, spreadsheets, or systems outside Lead Router.
  • Data handled by your downstream buyers after delivery. Buyers are separate controllers for the data they receive and they carry their own obligations.
  • Your partners' consent collection practices. You set the contract requirements; partners execute. Lead Router records what they send.

Frequently Asked

FAQ

The questions privacy officers and compliance leads ask during vendor review.

Is Lead Router GDPR compliant?

Lead Router is architected to support GDPR obligations. GDPR compliance itself is the controller’s responsibility. As a processor under Article 28, we provide the controller-processor split, a Data Processing Agreement on request, Standard Contractual Clauses for international transfers, a data subject request workflow at /dsr with a 30-day SLA, consent timestamps and IP stored per lead, data minimization tied to buyer contract field mapping, and tenant-level deletion controls. A customer using Lead Router still needs to establish lawful basis, publish a privacy notice, and respond to their own data subject requests.

How do I submit a data subject request?

Submit the request at theleadrouter.com/dsr. The form captures the request type (access, correction, deletion, portability, opt-out, or consent withdrawal), the subject’s contact information, and enough detail to identify the record. We verify identity via email confirmation, route the request to the privacy team, and respond within 30 days. CCPA allows a 45-day maximum with a documented extension for complex requests.

Do you sell personal information?

No. Lead Router does not sell personal information as defined by CCPA, CPRA, or any other state privacy statute. We also do not share personal information for cross-context behavioral advertising. The lead distribution the platform performs happens under the customer’s instruction as controller; the customer’s own disclosures and opt-out mechanisms govern whether that distribution is a sale under their own privacy notice.

Do you use personal data for AI training?

No. Customer data and lead-subject data processed through Lead Router are never used to train AI models without explicit consent. No default model training on customer data, no aggregate sharing with third-party model providers, no silent data harvesting for future product features.

What about state privacy laws like Virginia VCDPA or Colorado CPA?

The same controller-processor model applies. Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas DPDPA, Oregon OCPA, and the other state laws that took effect in 2024 through 2026 all grant residents the right to access, correct, delete, opt out, and in most cases port their data. Lead Router’s DSR workflow, consent tracking, and retention controls cover those rights the same way they cover CCPA and GDPR. Specific statutory citations vary by state; your own privacy counsel should confirm applicability to your business.

Built for Regulated Operators

Route leads with a privacy stack that holds up

DSR workflow, consent tracking, SCCs, and a DPA on request. One platform, one set of controls, one privacy story across every lead your team handles.
