Authority Industries Data Privacy Practices

Data privacy within contractor-matching and home services directory networks involves a distinct set of obligations that differ from general consumer e-commerce. This page covers how Authority Industries approaches the collection, handling, and protection of personal information submitted through its directory platform, the regulatory frameworks that govern those practices, and the boundaries that separate permissible data sharing from prohibited disclosure. Understanding these practices matters because homeowners submitting service requests routinely provide contact details, property addresses, and project descriptions — data categories that carry legal protection under federal and state law.

Definition and scope

Data privacy, as applied to a home services directory network, refers to the policies and technical controls governing how personally identifiable information (PII) is gathered from users, stored, processed, and shared with third parties such as licensed contractors. The scope extends beyond name and email address to include geolocation data derived from ZIP codes, project-specific details that may reveal financial circumstances, and device identifiers collected through cookies or tracking pixels.

The Federal Trade Commission Act, Section 5 (15 U.S.C. § 45), prohibits unfair or deceptive acts in commerce — a provision the FTC has applied to inadequate privacy disclosures and misleading data-sharing representations. At the state level, the California Consumer Privacy Act (CCPA, Cal. Civ. Code §§ 1798.100–1798.199) established rights to access, deletion, and opt-out of the sale of personal information for California residents. As of 2023, at least 12 additional states have enacted comprehensive consumer privacy statutes (National Conference of State Legislatures, State Privacy Legislation Tracker), meaning multi-state directory operations face overlapping compliance obligations.

The authority-industries-compliance-and-regulatory-alignment page maps these overlapping statutory requirements in greater detail.

How it works

Data collection in a directory context follows a structured pipeline:

  1. Intake — A homeowner submits a service request form, providing contact details, service address, project description, and availability windows.
  2. Categorization — The platform assigns the request to a service category, creating a structured record that may be matched against contractor profiles.
  3. Controlled disclosure — Matched contractor records and the homeowner's contact details are shared only with contractors who meet verified criteria, as outlined in the authority-industries-verified-contractor-criteria page.
  4. Retention and deletion — Records are retained for a defined period to support dispute resolution and quality auditing, then deleted or anonymized in accordance with applicable retention schedules.
  5. Third-party transfers — Any transfer of data to analytics vendors, advertising partners, or technology providers is governed by data processing agreements that restrict downstream use.

The distinction between data processors and data controllers — a framework established under the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and echoed in U.S. state statutes — determines accountability. A directory platform acting as a controller sets the purpose and means of processing; a contractor receiving the referral acts as a separate controller for any further use of that information.

Encryption in transit is enforced via TLS 1.2 or higher, consistent with NIST guidance (NIST SP 800-52 Rev. 2). Access to raw PII is restricted to authorized personnel through role-based access controls aligned with NIST SP 800-53 Rev. 5, §AC-2.

Common scenarios

Three scenarios illustrate where data privacy obligations become operationally significant in a home services context:

Scenario A — Contractor referral and data minimization. A homeowner requests roofing estimates. The platform shares the homeowner's name, phone number, ZIP code, and project scope with 3 pre-screened contractors. Sharing the full street address with all 3 contractors before any engagement is confirmed raises data minimization questions under CCPA and similar statutes, which require that only the data necessary for the stated purpose be transferred.

Scenario B — Background check data handling. Contractors submit to screening as part of onboarding (see authority-industries-background-check-policy). Background check reports are governed by the Fair Credit Reporting Act (FCRA, 15 U.S.C. §§ 1681–1681x), which prohibits sharing consumer report information outside permissible purposes. Misuse carries civil liability up to $1,000 per willful violation (15 U.S.C. § 1681n).

Scenario C — Marketing re-engagement. Using a homeowner's project data submitted for a one-time match to build a targeted marketing list constitutes a secondary use. Under CCPA, this secondary use requires either prior notice in the privacy policy or an opt-in if classified as a "sale" or "sharing" of personal information.
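The sketch below is an added example, not code from the Authority Industries platform. It shows one way to enforce the controlled-disclosure step and the data minimization concern in Scenario A: a per-stage allow-list that withholds the street address until an engagement is confirmed. The field names, the Stage values, the helper functions, and the sample records (including one unverified contractor) are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Stage(Enum):
    MATCHED = "matched"        # referral sent, no engagement confirmed yet
    CONFIRMED = "confirmed"    # homeowner confirmed engagement with this contractor


# Allow-list per stage; field names are assumptions. Unlisted fields are never shared.
BASE_FIELDS = frozenset({"name", "phone", "zip_code", "project_scope"})
DISCLOSABLE = {
    Stage.MATCHED: BASE_FIELDS,
    Stage.CONFIRMED: BASE_FIELDS | {"street_address", "availability"},
}


@dataclass(frozen=True)
class Contractor:
    contractor_id: str
    verified: bool


def disclose(request: dict, contractor: Contractor, stage: Stage) -> dict:
    """Return only the request fields this contractor may receive at this stage."""
    if not contractor.verified:      # pipeline step 3: verified contractors only
        return {}
    allowed = DISCLOSABLE[stage]
    return {k: v for k, v in request.items() if k in allowed}


def referral_views(request: dict, contractors: list, confirmed_id=None) -> dict:
    """Build one view per contractor, plus the withheld field names for audit."""
    views = {}
    for c in contractors:
        stage = Stage.CONFIRMED if c.contractor_id == confirmed_id else Stage.MATCHED
        shared = disclose(request, c, stage)
        views[c.contractor_id] = {"shared": shared, "withheld": sorted(set(request) - set(shared))}
    return views


# Constructed sample request and contractors (not real data).
SAMPLE_REQUEST = {
    "name": "Sample Homeowner", "phone": "555-0100", "zip_code": "00000",
    "project_scope": "roof replacement estimate", "street_address": "1 Example St",
    "availability": "weekday mornings", "email": "homeowner@example.com", "device_id": "cookie-abc",
}
SAMPLE_CONTRACTORS = [Contractor("c1", True), Contractor("c2", True), Contractor("c3", False)]

if __name__ == "__main__":
    for cid, view in referral_views(SAMPLE_REQUEST, SAMPLE_CONTRACTORS, confirmed_id="c2").items():
        print(cid, view)
```

Because the filter is an allow-list, a field added to the intake form later (or a tracking identifier such as device_id) is withheld by default until someone explicitly lists it for a stage.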

Decision boundaries

Decision boundaries define which data practices fall within the platform's permissible scope and which require additional consent, regulatory filing, or prohibition.

| Practice | Permissible | Requires additional action |
|---|---|---|
| Sharing contact info with matched, verified contractors | Yes | None beyond disclosed privacy policy |
| Retaining project records for dispute resolution | Yes | Must align with stated retention schedule |
| Transferring data to analytics vendors | Conditional | Data processing agreement required |
| Selling homeowner data to third-party marketing lists | No | Prohibited under CCPA opt-out rights and FTC Act § 5 |
| Using background check reports for non-permissible purposes | No | Prohibited under FCRA |

The authority-industries-consumer-protection-framework page describes how these boundaries interact with broader consumer rights enforced through the platform's dispute and accountability mechanisms.

Operators running multi-state networks must distinguish between opt-out models (California, Colorado, Virginia) — where data sharing proceeds unless a user objects — and opt-in models applicable to sensitive data categories such as precise geolocation and health information. Misclassifying sensitive data as non-sensitive is a documented enforcement priority for the FTC and state attorneys general.

References

6 regulatory citations referenced · Citations verified Feb 25, 2026
