Data Use Guidelines: Use of Student Data for Upload to Third-Party Marketing and Matching Platforms
Purpose
These guidelines provide information regarding the use of student and prospective student data when uploading information to third-party platforms that support audience matching or targeted communication services (e.g., Google Customer Match, Meta Custom Audiences, LinkedIn Matched Audiences). The purpose is to ensure compliance with institutional data governance standards, legal requirements, ethical expectations, and contractual obligations.
Scope
These guidelines apply to all institutional units, employees, contractors, and affiliates who request, access, or use student-related Boston University data for the purpose of creating or uploading audience lists to third-party services.
Approved Third-Party Vendors
The following Third-Party Marketing and Matching Platform vendors have been reviewed and approved by BU Information Security and the data executive or trustee to receive Approved Data Elements in line with the guidance provided here:
- Google Customer Match
- Meta Custom Audiences
- LinkedIn Matched Audiences
Use of Approved Data Elements with vendors not listed here must be approved in advance of submission by Information Security and the data executive or trustee.
Approved Data Elements
Only the following data attributes may be uploaded to Approved Third-Party Matching Platforms, and only when required for the platform’s matching process:
- Email address
- Phone number
- Mailing address
- Mobile device ID
Currently enrolled students who have restricted directory access to their personal data may not be included in any information provided to vendors.
No other personally identifiable information (PII) may be used without explicit approval from the responsible Data Executive or Trustee.
Data Source Restrictions
1. Enterprise System Data
- These Guidelines permit use of the Approved Data Elements with the vetted matching platforms listed above. Additional student and prospective student information sourced from enterprise systems (e.g., MyBU Student, Academic Data Warehouse) may only be used with approval from the appropriate Data Executive or Trustee.
- Use must comply with all institutional privacy policies, data governance standards, FERPA requirements, and any enterprise-level data classification guidelines.
- The Data Trustee has discretion to allow or restrict use based on the sensitivity, intended purpose, and risk profile of the data.
2. Vendor-Purchased or Third-Party Contact Lists
- Contact data acquired from external vendors may carry specific legal or contractual limitations on use, including restrictions against targeted advertising, data sharing, or uploading to audience-matching platforms.
- Units must verify that contractual terms explicitly allow the intended use before uploading such data to any third-party platform.
- If the terms of use are unclear, restrictive, or unavailable, the data must be considered not permissible for upload.
3. Self-Provided or Opt-In Contacts
- If individuals have opted into receiving communications or marketing messages, their data may be used in accordance with the consent they provided.
- Consent terms must be documented and retained.
Responsibilities
- Data Requestors must ensure compliance with these guidelines and seek approval when required.
- Data Trustees must review and authorize or deny use of enterprise data based on these guidelines.
- The university may audit usage for compliance.
- Marketing/Communications Units must ensure platforms are configured and used consistent with institutional privacy commitments.
Consequences of Non-Compliance
Failure to comply with these Guidelines may result in revocation of data access privileges, reporting to appropriate oversight authorities, disciplinary action, or institutional liability associated with misuse of personal data.
Additional Resources Regarding This Policy
Related Policies
- Digital Privacy Statement
- Acceptable Use of Computing Services Policy
- Access to Electronic Information Policy
- Network Security Monitoring Policy
- Information Security Policy
- FERPA Policy
- HIPAA Policies
- HIPAA Policy - Privacy and Security of Protected Health Information for BU HIPAA Components
- HIPAA Policies for BU Health Plans
- HIPAA Information for Charles River Campus Researchers