Best Practices for Handling Data Privacy Concerns with Clay

Pontus Bäckman · 2025-10-14 08:43:06.461801+00

Hey community, I’m facing an important data-related issue. Recently, we’ve had an increasing number of cases when using Clay together with mobile phone providers, where people contact us upset and want to know how we obtained their private mobile numbers. Since this potentially violates privacy laws in countries like the Netherlands and Germany, I’d love to hear how others handle these situations in the best and most compliant way.

Best Practices for Handling Data Privacy Concerns with Clay | Clay

8 comments

· Sorted by Oldest

Arpit (Clay Community Cop)
·
·
Stephanie Holland Marina (C101 TA - Bamboo Bay) Do you have any insights here?
Stephanie Holland
·
·
Research the data privacy laws for each country/ region and be sure to follow them to avoid hefty fines. As you're experiencing, basic communication protocol needs to be followed anyway, such as introducing immediate relevance for the recipient - which for GDPR for example legally requires letting them know where you got their contact information, and making it easy to unsubscribe. Honestly, this is a matter for your legal team. Someone in your company should be responsible for making sure that all your customer touch points are compliant both legally and ethically. If it's annoying or upsetting, it's also off-brand. Marina Ghilchik
1
2
Arpit (Clay Community Cop)
·
·
Appreciate your insights Stephanie Holland! ⭐
🌻1
Marina Ghilchik
·
·
Pontus, literally no provider is able to distinguish between private and corporate mobile numbers. Compliance element should be stitched into your internal process and the way your team communicates with prospects. If you are concerned about the legal aspect of a specific provider, you can trace the origin in Clay. Please keep in mind that Clay is not a data provider - it’s an aggregate of various data sources, hence the onus of compliant data acquisition lies directly with the source. Upset… understand it’s unpleasant for both parties, but “upset” doesn’t mean what your team is doing is against the law. Developing a diplomatic script to fall back on for your team helps a great deal. I’ve lead global SDR teams and we had this come up daily across various regions. For Clay partnership team: I’m sure you do this already, but just in case - upon signing a data provider, perhaps enquire about what is their GDPR compliance opt out policy. Maybe even stitch the unsubscribe link directly into the waterfall. This way if someone is disgruntled, the Clay customer’s rep can offer them the opt out link straight away. (Opt out should be done both in the internal CRM and the original data provider). Pontus Bäckman Arpit (Clay Community Cop) Stephanie Holland
Marina Ghilchik
·
·
Pontus Bäckman ha! Just added you on linkers - small world. I grew up in Umeå, went to Östra though not Dragon… 😸
✊1
❤️1
Stephanie Holland
·
·
Data privacy is sooooo complicated! Further to what Marina said - if the individual can be identified from the data, it's considered personal data - whether a mobile number is "private" or "business" doesn't matter under GDPR - both require lawful basis for processing. Article 14 GDPR: When personal data has NOT been obtained directly from the data subject (e.g., from data enrichment tools like Clay), the controller MUST inform the data subject of "from which source the personal data originate, and if applicable, whether it came from publicly accessible sources" Information to be provided where personal data have not been obtained from the data subject is here: https://gdpr-info.eu/art-14-gdpr/ You can check https://www.gdpreu.org/ and https://gdpr-info.eu/ for full compliance info, as well as each region/ individual country where your prospects live.
Germany: Bundesdatenschutzgesetz (BDSG) - Federal Data Protection Act.
Netherlands: Uitvoeringswet Algemene verordening gegevensbescherming (UAVG) - Implementation Act for the General Data Protection Regulation
In the US there are multiple privacy acts: California’s CCPA Colorado Privacy Act Connecticut Data Privacy Act (including amendments regulating consumer health data, children’s data, and social media platforms) Delaware Personal Data Privacy Act Florida Data Privacy and Security Act Iowa Consumer Data Protection Act Montana Consumer Data Privacy Act Nebraska Data Privacy Act New Hampshire Consumer Expectation of Privacy Act New Jersey Personal Data Privacy Act Oregon Consumer Privacy Act Texas Data Privacy and Security Act Utah Consumer Privacy Act Virginia Consumer Data Protection Act
Pontus Bäckman
·
·
Stephanie Holland and Marina Ghilchik Thank you so much both of you for your answer. Really love the help and guidance people in this community offers. Highly appreciate it!
Pontus Bäckman
·
·
And Marina Ghilchik small world indeed! See you on LI 🙏

Arpit (Clay Community Cop)
·
·
Stephanie Holland Marina (C101 TA - Bamboo Bay) Do you have any insights here?
Stephanie Holland
·
·
Research the data privacy laws for each country/ region and be sure to follow them to avoid hefty fines. As you're experiencing, basic communication protocol needs to be followed anyway, such as introducing immediate relevance for the recipient - which for GDPR for example legally requires letting them know where you got their contact information, and making it easy to unsubscribe. Honestly, this is a matter for your legal team. Someone in your company should be responsible for making sure that all your customer touch points are compliant both legally and ethically. If it's annoying or upsetting, it's also off-brand. Marina Ghilchik
1
2
Arpit (Clay Community Cop)
·
·
Appreciate your insights Stephanie Holland! ⭐
🌻1
Marina Ghilchik
·
·
Pontus, literally no provider is able to distinguish between private and corporate mobile numbers. Compliance element should be stitched into your internal process and the way your team communicates with prospects. If you are concerned about the legal aspect of a specific provider, you can trace the origin in Clay. Please keep in mind that Clay is not a data provider - it’s an aggregate of various data sources, hence the onus of compliant data acquisition lies directly with the source. Upset… understand it’s unpleasant for both parties, but “upset” doesn’t mean what your team is doing is against the law. Developing a diplomatic script to fall back on for your team helps a great deal. I’ve lead global SDR teams and we had this come up daily across various regions. For Clay partnership team: I’m sure you do this already, but just in case - upon signing a data provider, perhaps enquire about what is their GDPR compliance opt out policy. Maybe even stitch the unsubscribe link directly into the waterfall. This way if someone is disgruntled, the Clay customer’s rep can offer them the opt out link straight away. (Opt out should be done both in the internal CRM and the original data provider). Pontus Bäckman Arpit (Clay Community Cop) Stephanie Holland
Marina Ghilchik
·
·
Pontus Bäckman ha! Just added you on linkers - small world. I grew up in Umeå, went to Östra though not Dragon… 😸
✊1
❤️1
Stephanie Holland
·
·
Data privacy is sooooo complicated! Further to what Marina said - if the individual can be identified from the data, it's considered personal data - whether a mobile number is "private" or "business" doesn't matter under GDPR - both require lawful basis for processing. Article 14 GDPR: When personal data has NOT been obtained directly from the data subject (e.g., from data enrichment tools like Clay), the controller MUST inform the data subject of "from which source the personal data originate, and if applicable, whether it came from publicly accessible sources" Information to be provided where personal data have not been obtained from the data subject is here: https://gdpr-info.eu/art-14-gdpr/ You can check https://www.gdpreu.org/ and https://gdpr-info.eu/ for full compliance info, as well as each region/ individual country where your prospects live.
Germany: Bundesdatenschutzgesetz (BDSG) - Federal Data Protection Act.
Netherlands: Uitvoeringswet Algemene verordening gegevensbescherming (UAVG) - Implementation Act for the General Data Protection Regulation
In the US there are multiple privacy acts: California’s CCPA Colorado Privacy Act Connecticut Data Privacy Act (including amendments regulating consumer health data, children’s data, and social media platforms) Delaware Personal Data Privacy Act Florida Data Privacy and Security Act Iowa Consumer Data Protection Act Montana Consumer Data Privacy Act Nebraska Data Privacy Act New Hampshire Consumer Expectation of Privacy Act New Jersey Personal Data Privacy Act Oregon Consumer Privacy Act Texas Data Privacy and Security Act Utah Consumer Privacy Act Virginia Consumer Data Protection Act
Pontus Bäckman
·
·
Stephanie Holland and Marina Ghilchik Thank you so much both of you for your answer. Really love the help and guidance people in this community offers. Highly appreciate it!
Pontus Bäckman
·
·
And Marina Ghilchik small world indeed! See you on LI 🙏