This Billion Dollar Company Considers Privacy Laws a Threat to Its Business

ZoomInfo, a data broker that collects contact information by harvesting it from peoples' email inboxes, sees increased attention on privacy legislation as a core risk to its billion dollar business, according to public records.

A recent filing from ZoomInfo's public offering shows in stark detail how valuable contact data can be, and how companies in the data harvesting space see their business as potentially impacted by changing perceptions around privacy. ZoomInfo went public in June, raising nearly a billion dollars.

One of ZoomInfo's products is its vast contact database that lets customers look up the email addresses and phone numbers of specific people. ZoomInfo collects this contact data via its "contributor network" of users of its free Community Edition as as well "many of our paying customers," the filing reads. The filing says "Our intelligence is kept up to date in real time."

In short, users can access the Community Edition of ZoomInfo—giving the user access to the company's data—in exchange for downloading and using ZoomInfo's Contact Contributor software, which a user links to their email provider and which then scrapes the data ZoomInfo is interested in. This includes the users' business contacts, email headers, and email signature blocks, according to a disclaimer on its website.

This contributor network approach captures 50 million records everyday, the filing says.

ZoomInfo also collects information from integration with its own customer's customer relationship management (CRM) systems, the filing adds.

"Search and Find Anyone's Email Address, Direct Phone Number and Much More," ZoomInfo's website reads. "ZoomInfo’s database provides access to over 209 million professional profiles and 13 million business profiles." The target audience for these sorts of contact tools is sales and marketing teams.

ZoomInfo does appear to collect consent from its free users to collect their data before they download the company's software, but ZoomInfo does see legislation around privacy as a potential risk to the company.

The filing says one risk is ZoomInfo's ability to adapt "our platform for changes in laws and regulations or public perception, or changes in the enforcement of such laws, relating to data privacy." Specifically, ZoomInfo points to the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), as well as the Federal Trade Commission's (FTC) "increasingly active approach to enforcing data privacy in the United States."

"The uncertain and shifting regulatory environment and trust climate may cause concerns regarding data privacy and may cause our vendors, customers, users, or our customers’ customers to resist providing the data necessary to allow us to offer our services to our customers and users effectively, or could prompt individuals to opt out of our collection of their personal data. Even the perception that the privacy of personal data is not satisfactorily protected or does not meet regulatory requirements could discourage prospective customers from subscribing to our products or services or discourage current customers from renewing their subscriptions," the filing reads, adding that the CCPA is making it easier for people to opt-out of having their data collected.

Ultimately, this could lead to less valuable data, with "a decrease in participation in our contributory network or increased opt-out rates impacting the depth, breadth, and accuracy of our platform," the filing adds.

ZoomInfo told Motherboard in a statement, “ZoomInfo takes data privacy and security very seriously. We have strict policies in place to comply with privacy and data protection laws. We only collect business contact information, i.e., the information that is customarily found on a business card, and our privacy practices go well above and beyond those of our peers and what is required by law.”

“We also provide active notification to all of our contacts in the EU and California—even where we are not required to do so. We have expanded this notification program across our entire database so that consumers in every jurisdiction have the same notice and choice,” the statement added.

Many other companies harvest or build products on top of the contents of users' email inboxes. Motherboard reported how email productivity app Edison scraped user inboxes for profit, as well as other companies Foxintelligence and Rakuten.

Subscribe to our cybersecurity podcast, CYBER.