Not every dataset can legally power every use case. FCRA limits consumer-report use in credit, employment, and insurance eligibility decisions. GLBA restricts redisclosure of financial nonpublic personal information. DPPA governs motor-vehicle and driver-record-linked data. FERPA covers student education records. VPPA reaches video viewing history tied to identifiable subscribers. Procurement teams licensing mortgage leads, insurance leads, CTV/ACR, or identity graphs must paste a restricted-source matrix into RFPs *before* requesting samples — otherwise vendors answer with marketing language that breaks on first legal review. Use RFP scorecard, FCRA vs non-FCRA, and data licensing red flags in the same packet.
Restricted-source diligence is where marketing velocity meets legal gravity. Sales wants samples this week; counsel needs use-case clarity first. The matrix forces both sides to align before bytes move. Vendors that push back on the matrix are signaling they sell SKUs faster than they govern them.
A consumer report under FCRA triggers permissible purpose, adverse action notices, and furnisher duties. Marketing refi outreach on non-FCRA property or cashflow signals is a different lane than denying credit based on a broker score. Vendors should offer SKU separation: FCRA-licensed files vs marketing-only files. If a vendor will not bifurcate, assume everything is tainted for eligibility use. Cross-read non-FCRA mortgage leads compliance when building early-warning stacks. The CFPB FCRA resources are the authoritative buyer reference.
Employment and tenant screening are frequent surprise FCRA triggers — HR tech buyers licensing “firmographic plus” files may import consumer reports without HR counsel review. Add explicit prohibited-use-case rows for employment eligibility and tenant screening if your program is marketing-only.
Fraud and identity teams sometimes believe fraud exceptions swallow FCRA — they do not. If the output affects credit, insurance, or employment eligibility, map the use case first. Risk management solutions still need SKU-level boundaries.
GLBA-covered data from financial institutions cannot be repurposed through a generic “data broker” license without notice and opt-out alignment at source. DPPA restricts motor vehicle records and certain DMV-linked fields — a frequent surprise in “public records” bundles. Ask vendors which fields are DMV-sourced vs aggregated from non-DMV sources. For property and lien context without DPPA risk, real estate data may be appropriate when sourced from assessor/recorder files rather than driver records.
Insurance underwriting uses its own state and federal overlays — an “insurance leads” SKU may be marketing-only or may touch eligibility depending on fields and scoring. Paste explicit underwriting vs marketing rows into the matrix. GLBA NPI combined with health or financial fields can trigger parallel HIPAA-adjacent or HBNR questions — route those SKUs to healthcare diligence guides when applicable.
Federal buyers and defense-adjacent contractors increasingly paste PADFAA and DOJ bulk data clauses beside GLBA/DPPA — treat export and foreign-parent screening as part of the same RFP packet. See PADFAA screening and DOJ bulk data thresholds for geolocation-specific addenda.
Student records do not escape FERPA simply because the data came from an ed-tech app. Pair FERPA questions with COPPA questions about minors in panels when licensing MAID or mobility data. RFP language should ask for under-13 incidence on seeds and evidence of school geofence scrubbing. Education-adjacent intent products need purpose limitation to non-eligibility analytics.
State student privacy laws (California SOPIPA-style regimes and others) add purpose limitation beyond federal FERPA when ed-tech data is involved. Ask vendors for state-level attestations when campaigns target K-12 or higher-ed contexts, even for B2B SaaS buyers selling into districts.
Video Privacy Protection Act exposure appears when identifiable subscribers’ video viewing is disclosed without consent. CTV/ACR programs must document household matching, consent, and aggregation rules. Combining ACR with clickstream without separate web consent chains compounds risk. Media buyers should require VPPA-specific reps and prohibited-field lists in addition to general privacy policies.
Litigation under VPPA has targeted apps and platforms that shared viewing identifiers with third parties. Even B2B measurement contracts should list prohibited fields (title-level viewing tied to name/email) and require aggregation thresholds. If your use case is reach/frequency only, say so — and reject row-level viewing logs.
Paste matrix language: “Vendor shall identify each restricted source statute per SKU and shall not ship samples until Buyer’s use-case matrix is complete.” Require vendor legal initials, not sales-only answers. For identity, email, and mobility, add rows for marketing vs credit vs sensitive location. Include a table in every RFP attachment:
Trigger legal review when a vendor: (1) refuses to name restricted sources; (2) claims public-record status clears all uses; (3) will not separate FCRA SKUs; (4) sends samples before receiving the use-case matrix; (5) offers indemnity instead of use limitations. Score responses in the RFP scorecard governance section, not only on coverage and price.
Weight governance at 25–40% of total score for regulated categories (credit-adjacent, location, health-adjacent). A cheap feed that fails restricted-source answers is not cheap — it is deferred legal spend. Document scoring in the RFP so vendors know compliance answers matter as much as match rate.
After award, attach the matrix as Schedule A to the data license so vendor answers become contractual reps. Annual re-certification should repeat the matrix — sources change when brokers acquire panels or lose SDK partners.
Restricted-source diligence is unglamorous — and it is what keeps a seven-figure data contract from becoming a seven-figure consent order headline.
Train procurement and RevOps on the matrix — legal cannot be the only team that knows FCRA from marketing SKUs. A one-hour workshop with sample RFP answers (“compliant for everything” vs acceptable SKU-bound answers) prevents expensive pilot starts. Store approved matrices by use case in your internal wiki and attach them to federal procurement packets when defense or civilian agencies are involved.
When vendors offer “compliance packs,” verify they map to your matrix rows — packs are marketing collateral, not substitutes for SKU-level source lists. Insist on field-level dictionaries with statute tags (FCRA-eligible, GLBA-NPI, DPPA-restricted). Your seed match test should run only after legal clears the matrix for the stated use case.
Retain RFP responses and matrix attachments in your contract repository — they are evidence in disputes about permitted use. When vendors change sources mid-contract, require amended matrix rows before accepting new fields in production feeds.
Auditors and regulators ask for data lineage — the matrix is the buyer-side map that proves you knew which statutes applied before activation.
Revisit the matrix when you add a new activation channel — CTV, email, and property feeds each introduce different restricted-source rows.
Counsel should sign off on matrix templates once per year — statutes and vendor SKUs change faster than static PDF playbooks.