# Privacy & Consent Management
**The Untitled ID Tag is both CCPA and GDPR Compliant.** Our data is collected through user opt-ins, including marketing opt-ins, only within the United States/for U.S.-based contacts. In this model, we act as a data processor, enabling our customers—as the data controllers—to **leverage information originating from their own web properties.** Our clients are able to collect data from their websites and access their results by properly disclosing the data being collected and transmitted within their website’s Privacy Policy, and by providing users with a method to decline data collection **upon entry to the site.**
Privacy and disclosures are a critical component to the Untitled ID Tag process. In order to remain in good standing there are **two core disclosures** that must be available on any website that includes our iframe or javascript tag. Those disclosures include a privacy policy and a consent management string/service (also known as Cookie Consent Banner).
### Privacy Policy Information
The privacy policy must be globally accessible on the website. It must also include specific references to the use of cookies for the purpose of marketing and re-marketing. Untitled has provided a [template](/misc/privacy-and-consent-management/sample-privacy-policy.md) as reference. **However, we strongly encourage each client to review the policy with their legal counsel and tailor it for their website to accurately reflect their data collection, usage, and disclosure practices, as well as any applicable regulatory requirements.**
### Consent String
In addition to maintaining an appropriate Privacy Policy, Untitled requires notification and consent for cookies through a consent management solution. By implementing a consent banner (e.g., “This website uses cookies”) for new visitors, users are given the ability to opt out, preventing the Untitled tag from firing if consent is not provided. Many publishing platforms include this functionality by default, and third-party services are also available for websites without a built-in solution. The following list is provided for convenience and is not exhaustive.
**Consent Management Services**
* Osano
* CookieYes
* Cookiebot
### Allowing Customers to Opt Out
To support compliance with CCPA requirements, we ask that customers include a link to the [Untitled CCPA request form](https://getuntitled.ai/do-not-sell-my-info/) within their Privacy Policy. If a California resident submits a request for deletion, Untitled will remove all associated records from our data sets in accordance with CCPA standards.
Additionally, for California residents who have opted out of advertising on your web property, we ask that you maintain appropriate suppression controls within your marketing systems to prevent recontacting.
## Data Landscape and Privacy
Is the Untitled ID Tag compliant in the USA?
**Yes, when implemented correctly.** The Untitled ID Tag is designed to operate within applicable U.S. data privacy frameworks and is built around a first-party and second-party data model. This means the data originates from a direct interaction between a visitor and your website, rather than third-party tracking across sites.
However, compliance is not automatic. It depends on how you configure and use the tag within your broader privacy and consent framework. To remain compliant, you should:
* Clearly disclose data collection and usage practices in your website’s privacy policy, including marketing use cases
* Implement a consent management platform (CMP) that allows users to opt out of non-essential data collection
* Honor user preferences and opt-out signals in accordance with applicable laws and standards
* Avoid misrepresenting how data is collected, processed, or activated
For a more detailed overview of how consent and compliance should be handled, please review our [Privacy and Consent Management article](/misc/privacy-and-consent-management.md).
Is the Untitled ID Tag GDPR compliant?
Yes - the Untitled ID Tag services does not collect or store any data from individuals in the EU. Only within the United States/for U.S.-based contacts.
Is any personally-identifiable information (PII) transmitted to 3rd-parties?
No. We do not transmit any PII to third parties in order to resolve your website visitors. Instead, we leverage joint first-party data through a consent-based framework, collecting information from the visitor’s browser and matching those signals against second- and third-party data sources through out-of-band or offline processes.
If you have any questions about how this works, or would like to confirm compliance before enabling the ID Tag feature, feel free to reach out. We’re happy to help.
Are visitors captured even if they don’t hit “Accept All” to my consent policy?
Whether a visitor is captured depends on how your consent management platform (CMP) is configured and implemented on your website. For clarity, a "Cookie Consent Banner" is the user-facing feature of a CMP.
In the United States (an “opt-out” jurisdiction), many CMPs allow tags to fire by default unless a user explicitly rejects non-essential cookies. This means a visitor may be included if they continue browsing without interacting with the consent banner, depending on your CMP’s settings. However, some CMPs provide more granular controls, allowing users to selectively disable certain categories of cookies, which can impact whether data is collected.
Ultimately, capture behavior is determined by how your consent framework is set up and whether it accurately enforces the user’s preferences. Untitled’s tag will follow the consent signal provided by your CMP and will not fire where a user has explicitly opted out of applicable data collection.
For a more detailed overview, we recommend reviewing our [Privacy and Consent Management article](/misc/privacy-and-consent-management.md), which covers implementation considerations and consent handling in greater depth.
Why would someone who accepted my Cookie policy NOT be resolved?
Even with consent, not every visitor can be resolved. Common reasons include:
* **Not in our dataset:** The individual may not exist in our data.
* **Geography:** We exclusively resolve U.S.-based visitors only.
* **Age:** Our data covers individuals 18 and older.
* **Insufficient signal:** We require high-confidence, deterministic matches. If signals are weak or conflicting, we will not resolve the visitor.
* **Browser limitations:** Resolution is strongest on Chrome; other browsers may have lower match rates.
* **Private browsing:** Incognito or similar modes reduce the ability to resolve users.
* **VPNs or proxies:** These can obscure device signals and prevent accurate matching.
If you have questions about specific edge-cases, your Customer Success Manager can help review.
If a website visitor opts out of the cookie policy, will their visit to the site still be tracked in other tools such as Google Analytics?
Whether a visitor's site visit is tracked in tools like Google Analytics after opting out of the cookie policy depends on your cookie consent tool settings. In the U.S., you can inform visitors about the use of cookies for marketing and tracking, and allow them to opt in or out. Tools like Osana and CookieYes offer options to customize this.
Can I email my website visitors, even if they didn’t ask to be contacted?
**Yes, with conditions.** You can email your website visitors, but you must comply with the requirements of the CAN-SPAM Act. This includes (but is not limited to) providing clear identification of the sender, an accurate subject line, a physical mailing address, and a clear, functioning opt-out mechanism in every message. Recipients must be able to unsubscribe easily, and those requests must be honored promptly.
We also encourage users to conduct their own research to develop a more complete understanding of CAN-SPAM requirements and how they apply to their specific use case.
Can I text my website visitors?
Having a phone number in Untitled does **not** constitute consent for SMS messaging. Under the Telephone Consumer Protection Act (TCPA), SMS requires a higher standard of consent than most other marketing channels. This includes explicit opt-in requirements and compliance with restrictions such as “quiet hours” (generally 9 PM–8 AM in the recipient’s local time zone).
SMS consent must be collected and managed deliberately, and requirements can vary by state. If you are already using platforms like Klaviyo or Mailchimp, their built-in SMS tools and consent workflows are often the most straightforward way to stay compliant. Alternatively, you can implement third-party consent management solutions on your website to capture and store proper opt-ins.
Additional Resources:
[Untitled Messaging Policy Agreement](https://getuntitled.ai/messaging-policy/)
[SMS Compliance and Consent Overview from Klaviyo](https://help.klaviyo.com/hc/en-us/articles/360035056972)
What does the JavaScript code send Untitled?
IP Address, Time Stamp, Cookies, Browser Specifications, and the referring URL.
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.getuntitled.ai/misc/privacy-and-consent-management.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.