Done-for-you offer · Fractional CMO with AI Swarm · audience 4-skill bundle · audience agent
Demographic data ingestion for DTC ecommerce, subscription-commerce, marketplace, multi-location retail, multi-unit franchise, multi-location service brand, multi-location healthcare, and PE-sponsored portfolio operators — Ingest + Resolve + Suppress + Attest 4-skill bundle on the audience agent, under a 5-anchor compliance overlay anchored on FTC + FCRA + FTC Data Broker enforcement (Kochava + X-Mode + Mobilewalla + Avast 2024) + California DELETE Act (effective January 2026), CCPA Sensitive Personal Information + MHMDA + GDPR Article 9, ECOA + Fair Housing + Title VII + Mobley v Workday + per-vendor protected-class-fields prohibition, per-vertical FDA + DEA + cannabis + state insurance + medical-board, and NIST AI RMF + EU AI Act Article 9 + 10 + 13 + 14 + per-vendor LLM zero-retention + DSA + COPPA + AADC + cookie consent + IAB TCF + Google Consent Mode v2
You ingest demographic and firmographic data into operator-controlled CDP and identity graphs. FTC data- broker enforcement (FTC v Kochava ND Idaho 2024 + FTC v X-Mode/Outlogic January 2024 + FTC v Mobilewalla December 2024 + FTC v Avast February 2024) and State Data Broker Registration (California SB 362 DELETE Act effective January 2026 + Vermont + Texas + Oregon) govern per-vendor source-of-data posture. CCPA Section 1798.121 + CPRA Sensitive Personal Information + Washington MHMDA + Colorado CPA Sensitive + Connecticut CTDPA + Texas TDPSA + Oregon OCPA + state-comprehensive- privacy + GDPR Article 9 special-category + Article 6 lawful basis + UK GDPR apply. ECOA 15 USC 1691 + Fair Housing Act 42 USC 3604 + Title VII + ADEA + ADA + per-state similar + EEOC + HUD enforcement + state attorney + Mobley v Workday (ND Cal 2024) disparate- impact-on-protected-class + per-vendor protected-class- fields prohibition apply. Per-vertical product-claim regulator (FDA OPDP + DEA + DISCUS + cannabis + FDA CTP + FTC Health Products + state insurance + state real-estate + state medical-board) applies. NIST AI RMF + ISO 42001 + EU AI Act (Regulation 2024/1689) Article 9 risk management + Article 10 data-governance + Article 13 + Article 14 + Article 26 + per-vendor LLM zero-retention apply when demographic data feeds AI scoring or ranking. DSA + COPPA + AADC + cookie consent + IAB TCF v2.2 + Google Consent Mode v2 apply broadly. The demographic data, CDP, identity resolution, paid-media audience, and onsite personalization vendors below ship strong primitives. The orchestration above them is operator-side architecture. You keep all subscriptions, posture libraries, suppression policies, and audit trail. You keep the ability to in-house at any time.
Published September 25, 2026
The real ecosystem this sits above
Demographic data + CDP + identity resolution
Demographic data: Experian, Acxiom, TransUnion, Epsilon, LiveRamp, Neustar, Oracle Data Cloud, Bombora, ZoomInfo, Clearbit. CDP: Segment, mParticle, RudderStack, Snowplow, Tealium, Treasure Data. Identity resolution: LiveRamp RampID, ID5, The Trade Desk Unified ID 2.0, Lotame Panorama ID, Adstra, Audigent, InfoSum. Each ships strong primitives. Per- vendor source-of-data attestation + per-vendor consent-pass-through + per-vendor sub-processor + per-vendor international-transfer above them is operator-side architecture.
Paid-media audience + onsite personalization
Paid-media: Meta Custom Audiences, Google Customer Match, TikTok Custom Audience, LinkedIn Matched Audiences, Pinterest Audiences. Onsite personalization: Klaviyo, Bloomreach, Dynamic Yield, Bloomreach Engagement, Rebuy. Each ships strong primitives. Protected-class-fields prohibition + Sensitive Personal Information handling + per-vertical regulator restriction + EU AI Act Article 10 data-governance above them is operator-side architecture.
Policy-as-code + WORM + legal research
Policy-as-code: OPA Rego, AWS Cedar, Casbin, Cerbos, Oso. WORM: AWS S3 Object Lock, GCS retention, Azure Blob immutable, Snowflake Time Travel. Legal: Westlaw, Lexis+, Bloomberg Law, Practical Law. Each ships strong primitives. The 5-anchor compliance gate is operator-side architecture.
Frequently asked
What does demographic data ingestion deliver, and how does the 4-skill bundle decompose?
An orchestration layer above the operator demographic data vendor + CDP + identity resolution + paid-media audience + onsite personalization + policy-as-code + WORM-storage stack that ingests demographic and firmographic data into operator-controlled CDP and identity graphs under operator-counsel-and-privacy-officer-and-AI-governance-team-approved FTC + FCRA + data-broker enforcement + state-comprehensive-privacy + Sensitive Personal Information + GDPR Article 9 + ECOA + Fair Housing + Title VII + per-vertical + NIST AI RMF + EU AI Act + DSA + COPPA + AADC + cookie consent + IAB TCF + Google Consent Mode gates. Skill 1 — Ingest: ingest demographic and firmographic data through operator demographic data vendor (Experian + Acxiom + TransUnion + Epsilon + LiveRamp + Neustar + Oracle Data Cloud + Bombora + ZoomInfo + Clearbit — operator chooses) under operator-counsel-approved per-vendor data licensing + per-vendor DPAs + per-vendor source-of-data attestation. Per-vendor source-of-data attestation distinguishes vendors with consented-first-party-data sources from vendors with inferred/modeled data and from vendors implicated in FTC data-broker enforcement (FTC v Kochava ND Idaho 2024 settled + FTC v X-Mode/Outlogic FTC January 2024 settled + FTC v Mobilewalla FTC December 2024 settled + FTC v Avast FTC February 2024 settled). State Data Broker Registration registries (California SB 362 DELETE Act effective January 2026 + Vermont + Texas + Oregon) apply. Skill 2 — Resolve: resolve identity across operator CDP (Segment + mParticle + RudderStack + Snowplow + Tealium + Treasure Data — operator chooses) + identity resolution graph (LiveRamp RampID + ID5 + The Trade Desk Unified ID 2.0 + Lotame Panorama ID + Adstra + Audigent + InfoSum — operator chooses) under operator-counsel-approved identity-resolution posture. Identity-resolution posture distinguishes consented-first-party-keyed identity from probabilistic and inferred identity; per-vendor identity-resolution posture under per-vendor consent-pass-through + per-vendor sub-processor under GDPR Article 28 + per-vendor international-transfer posture (EU Standard Contractual Clauses + UK IDTA + Data Privacy Framework). Skill 3 — Suppress: suppress demographic fields that may not enter scoring + targeting + ranking + personalization paths under operator-counsel-and-DEI-team-and-compliance-team-approved protected-class-fields prohibition per ECOA 15 USC 1691 + Fair Housing Act 42 USC 3604 + Title VII + ADEA + ADA + per-state similar + EEOC + HUD enforcement + state attorney + Mobley v Workday (ND Cal 2024) disparate-impact-on-protected-class — race + color + religion + national origin + sex + age + disability + familial status + source-of-income + per-state-protected-class + per-vertical regulator restriction (FDA OPDP + DEA + DISCUS + cannabis + FDA CTP + FTC Health Products + state insurance + state real-estate + state medical-board) on protected-class proxies + Sensitive Personal Information categories per CCPA Section 1798.121 + CPRA Sensitive + Washington MHMDA + Colorado CPA Sensitive + Connecticut CTDPA + Texas TDPSA + Oregon OCPA + state-comprehensive-privacy + GDPR Article 9 special-category. Skill 4 — Attest: emit per-record per-data-source attestation (per-vendor source-of-data + per-vendor consent-class + per-vendor identity-resolution-posture + per-vendor sub-processor + per-state-comprehensive-privacy compliance + Sensitive Personal Information class + GDPR Article 9 special-category + protected-class-field suppression + per-vertical regulator restriction + counsel-policy-version + EU AI Act Article 10 data-governance) to the operator WORM audit trail.
Where does single-vendor demographic data tooling stop compounding for demographic data ingestion at DTC ecommerce scale?
Single-vendor demographic data ingestion is solved. Experian + Acxiom + TransUnion + Epsilon + LiveRamp + Neustar + Oracle Data Cloud + Bombora + ZoomInfo + Clearbit ship strong demographic data. Segment + mParticle + RudderStack + Snowplow + Tealium + Treasure Data ship strong CDP. LiveRamp RampID + ID5 + The Trade Desk Unified ID 2.0 + Lotame Panorama ID + Adstra + Audigent + InfoSum ship strong identity resolution. Meta Custom Audiences + Google Customer Match + TikTok Custom Audience + LinkedIn Matched Audiences + Pinterest Audiences ship strong paid-media custom-audience activation. Klaviyo + Bloomreach + Dynamic Yield + Bloomreach Engagement + Rebuy ship strong onsite personalization. The compound case the audience agent has to handle is the one where (a) operator runs DTC ecommerce + subscription-commerce + marketplace catalogs × paid-acquisition channel × onsite personalization × CRM lifecycle, (b) FTC Section 5 + FCRA 15 USC 1681 + FTC Data Broker enforcement (FTC v Kochava ND Idaho 2024 + FTC v X-Mode/Outlogic January 2024 + FTC v Mobilewalla December 2024 + FTC v Avast February 2024) + CFPB Section 1033 + State Data Broker Registration California SB 362 DELETE Act (effective January 2026) + Vermont + Texas + Oregon apply, (c) CCPA + CPRA Sensitive Personal Information Section 1798.121 + Section 1798.140(ae) + Washington MHMDA + Colorado CPA Sensitive + Connecticut CTDPA + Texas TDPSA + Oregon OCPA + state-comprehensive-privacy + GDPR Article 9 special-category + Article 6 lawful basis + UK GDPR apply, (d) ECOA 15 USC 1691 + Fair Housing Act 42 USC 3604 + Title VII + ADEA + ADA + per-state similar + EEOC + HUD enforcement + state attorney + Mobley v Workday (ND Cal 2024) disparate-impact-on-protected-class + per-vendor protected-class-fields prohibition apply, (e) per-vertical product-claim regulator (FDA OPDP + DEA + DISCUS + cannabis + FDA CTP + FTC Health Products + state insurance + state real-estate + state medical-board) applies, (f) NIST AI RMF + ISO 42001 + EU AI Act (Regulation 2024/1689) Article 9 risk management + Article 10 data-governance + Article 13 + Article 14 + Article 26 apply when demographic data feeds AI scoring or ranking, (g) per-vendor LLM zero-retention attestation chain when AI summarizes demographic data, (h) DSA + COPPA + AADC + cookie consent + IAB TCF + Google Consent Mode v2 apply broadly. Without an orchestration layer above the vendors, per-vendor source-of-data posture fragments (consented vs inferred vs FTC-enforcement-implicated), per-vendor identity-resolution posture fragments under per-state-comprehensive-privacy + GDPR Article 9 + Article 28, protected-class-field suppression breaks under ECOA + Fair Housing + Title VII + EEOC + Mobley v Workday, Sensitive Personal Information handling breaks under CCPA Section 1798.121 + MHMDA + Colorado Sensitive + GDPR Article 9, per-vertical regulator restriction goes unmaintained, EU AI Act Article 10 data-governance fragments when demographic data feeds AI, per-vendor LLM zero-retention fragments. The orchestration above the vendors is what holds the cross-vendor + cross-state + cross-vertical invariants.
How does Skill 3 Suppress handle ECOA + Fair Housing + Title VII + Mobley v Workday + per-vendor protected-class-fields prohibition?
Protected-class-field suppression is operator-counsel-and-DEI-team-and-compliance-team-approved. Suppress identifies the operator-counsel-approved protected-class field list: race + color + religion + national origin + sex + age + disability + familial status + source-of-income + per-state-protected-class + per-vertical regulator restriction. Mobley v Workday (ND Cal 2024) permits disparate-impact claims under Title VII + ADEA + ADA against AI-decision systems when protected-class fields or proxies are used in employment-decision contexts. Although Mobley addresses employment, the disparate-impact analytical framework applies broadly to ECOA 15 USC 1691 credit + Fair Housing Act 42 USC 3604 housing + per-state public-accommodations contexts. Per-vendor protected-class-fields prohibition flows down to each demographic data vendor (Experian + Acxiom + TransUnion + Epsilon + LiveRamp + Neustar + Oracle Data Cloud + Bombora + ZoomInfo + Clearbit) and each identity-resolution vendor (LiveRamp RampID + ID5 + The Trade Desk Unified ID 2.0 + Lotame Panorama ID + Adstra + Audigent + InfoSum) — operator-counsel-approved field-level allow/deny lists. Per-state-protected-class adds operator-counsel-approved state-specific categories (California + New York + Illinois + Washington + Colorado + per-state). Per-vertical regulator restriction adds FDA OPDP + DEA + DISCUS + cannabis + FDA CTP + FTC Health Products + state insurance + state real-estate + state medical-board restrictions. Suppress enforces protected-class-field allow/deny at ingest + at identity resolution + at scoring + at targeting + at ranking + at personalization paths under policy-as-code (OPA Rego + AWS Cedar + Casbin + Cerbos + Oso — operator chooses) at every CDP write and audience push. Per-record per-field-suppression attestation writes to WORM audit trail with rule-citation evidence + counsel-policy-version + Mobley-evidence-pointer.
What compliance does the orchestration enforce, and how does it map to FTC + FCRA + data-broker enforcement + CCPA Sensitive + GDPR Article 9 + ECOA + Fair Housing + Mobley + per-vertical + NIST AI RMF + EU AI Act Article 9 + 10?
Five anchors. Anchor 1 — FTC + FCRA + FTC Data Broker enforcement + CFPB Section 1033 + State Data Broker Registration. FTC Section 5 + FCRA 15 USC 1681 (including notice + dispute + accuracy + permissible-purpose) + FTC Data Broker enforcement (FTC v Kochava ND Idaho 2024 settled prohibiting precise-location data sale + FTC v X-Mode/Outlogic FTC January 2024 settled banning sensitive-location data sale + FTC v Mobilewalla FTC December 2024 settled + FTC v Avast FTC February 2024 settled over browsing-data sale) + CFPB Section 1033 financial data portability + State Data Broker Registration (California SB 362 DELETE Act effective January 2026 + Vermont + Texas + Oregon). Anchor 2 — CCPA Sensitive Personal Information + GDPR Article 9 + state-comprehensive-privacy. CCPA Section 1798.121 + Section 1798.140(ae) Sensitive Personal Information (precise geolocation + race + ethnicity + religious or philosophical beliefs + union membership + content of communications + genetic data + biometric data + health data + sex life or sexual orientation) + Washington MHMDA consumer-health-data + Colorado CPA Sensitive (race + ethnicity + religious beliefs + mental or physical health + sex life or sexual orientation + citizenship or immigration status + genetic or biometric data + children data + precise geolocation) + Connecticut CTDPA + Texas TDPSA + Oregon OCPA + state-comprehensive-privacy + GDPR Article 9 special-category (racial or ethnic origin + political opinions + religious or philosophical beliefs + trade union membership + genetic data + biometric data + health data + sex life or sexual orientation) + Article 6 lawful basis + UK GDPR. Anchor 3 — ECOA + Fair Housing + Title VII + Mobley + per-vendor protected-class-fields prohibition. ECOA 15 USC 1691 + Fair Housing Act 42 USC 3604 + Title VII 42 USC 2000e + ADEA + ADA + per-state similar + EEOC + HUD enforcement + state attorney + Mobley v Workday (ND Cal 2024) disparate-impact-on-protected-class + per-vendor protected-class-fields prohibition. Anchor 4 — Per-vertical regulator. FDA OPDP + DEA + DISCUS + per-state cannabis-regulator + FDA Center for Tobacco Products + FTC Health Products Compliance Guidance + state insurance + state real-estate + state medical/dental/legal/accounting board. Anchor 5 — NIST AI RMF + ISO 42001 + EU AI Act Article 9 + 10 + 13 + 14 + per-vendor LLM zero-retention + DSA + COPPA + AADC + cookie consent + IAB TCF + Google Consent Mode v2. NIST AI RMF (NIST AI 100-1) Map + Measure + Manage + ISO/IEC 42001 Clause 8 + EU AI Act (Regulation 2024/1689) Article 9 risk management + Article 10 data-governance + Article 13 transparency + Article 14 human oversight + Article 26 + per-vendor LLM zero-retention attestation chain (OpenAI Enterprise + Anthropic + Google Vertex + Azure OpenAI + AWS Bedrock zero-retention) + EU DSA Article 16 + Article 28 + COPPA + AADC + cookie consent + IAB TCF v2.2 + Google Consent Mode v2. Broader gate enforced via policy-as-code. WORM audit trail with per-statute retention per operator counsel policy.
What does the engagement look like across Tier 1 → Tier 2 → Tier 3, and what does the Tier 3 reporting cycle commit to?
Tier 1 AI Readiness Assessment ($10k, 2-3 weeks): audits the operator current demographic data ingestion posture; gap-pack identifies which per-vendor demographic data sources lack operator-counsel-approved source-of-data attestation under FTC data-broker enforcement (Kochava + X-Mode + Mobilewalla + Avast) + State Data Broker Registration (California DELETE Act effective January 2026), which lack per-vendor consent-pass-through under per-state-comprehensive-privacy + GDPR Article 9 + Article 28, which lack protected-class-fields suppression posture under ECOA + Fair Housing + Title VII + EEOC + Mobley v Workday, which lack Sensitive Personal Information handling posture under CCPA Section 1798.121 + MHMDA + Colorado Sensitive + GDPR Article 9, which lack per-vertical regulator restriction posture, whether NIST AI RMF + ISO 42001 + EU AI Act Article 9 + 10 + 13 + 14 is wired, whether per-vendor LLM zero-retention attestation chain is maintained, whether DSA + COPPA + AADC + cookie consent + IAB TCF + Google Consent Mode v2 is wired. Tier 2 AI Swarm Setup Sprint ($25-50k, 4-8 weeks): builds the 4-skill bundle on the audience agent, wires demographic data + CDP + identity resolution + paid-media audience + onsite personalization + policy-as-code + WORM-storage (operator-chosen subset), configures the operator-counsel-and-privacy-officer-and-DEI-team-and-compliance-team-and-AI-governance-team-approved per-vendor source-of-data attestation register + per-vendor consent-pass-through + per-vendor sub-processor + per-vendor international-transfer + protected-class-fields prohibition + Sensitive Personal Information handling + per-vertical regulator restriction + NIST AI RMF + ISO 42001 + EU AI Act Article 9 + 10 + 13 + 14 + Article 26 + per-vendor LLM zero-retention attestation chain + DSA + COPPA + AADC + cookie consent + IAB TCF + Google Consent Mode v2, runs 30-day shadow + canary with Suppress in audit-only before flipping to enforce-mode. Tier 3 Fractional CMO with AI Swarm ($15-25k/month, 6-month minimum): continues with continuous Ingest + Resolve + Suppress + Attest. Tier 3 reporting is a 6-workstream pre-engagement-baseline reporting cycle (per-vendor source-of-data attestation freshness + per-vendor consent-pass-through freshness + per-vendor sub-processor + per-vendor international-transfer freshness + protected-class-fields suppression rate + protected-class proxy detection rate + Sensitive Personal Information handling posture freshness + per-vertical regulator restriction posture freshness + EU AI Act Article 10 data-governance freshness + per-vendor LLM zero-retention attestation + WORM audit-trail completeness) measured against the operator pre-engagement baseline. Reporting carries explicit caveats sit outside Completions control + attorney-client privilege preservation.
Who owns the demographic data sources, the CDP, the identity-resolution graph, the protected-class suppression policy, and the audit trail?
Operator owns every artifact. Demographic data vendor subscriptions (Experian + Acxiom + TransUnion + Epsilon + LiveRamp + Neustar + Oracle Data Cloud + Bombora + ZoomInfo + Clearbit — operator chooses) run under operator billing with operator-counsel-approved DPAs. CDP (Segment + mParticle + RudderStack + Snowplow + Tealium + Treasure Data — operator chooses) runs under operator account. Identity resolution graph (LiveRamp RampID + ID5 + The Trade Desk Unified ID 2.0 + Lotame Panorama ID + Adstra + Audigent + InfoSum — operator chooses) runs under operator account. Paid-media custom audiences (Meta Custom Audiences + Google Customer Match + TikTok Custom Audience + LinkedIn Matched Audiences + Pinterest Audiences) run under operator-controlled ad accounts. Onsite personalization (Klaviyo + Bloomreach + Dynamic Yield + Bloomreach Engagement + Rebuy — operator chooses) runs under operator billing. LLM provider contracts (OpenAI Enterprise + Anthropic API + Google Vertex AI + Microsoft Azure OpenAI Service + AWS Bedrock — operator chooses) run under operator account with operator-counsel-approved DPAs + zero-retention attestation. The operator-counsel-and-privacy-officer-and-DEI-team-and-compliance-team-and-AI-governance-team-approved per-vendor source-of-data attestation register + per-vendor consent-pass-through register + per-vendor sub-processor register + per-vendor international-transfer register + protected-class-fields prohibition policy + Sensitive Personal Information handling policy + per-vertical regulator restriction policy + NIST AI RMF + ISO 42001 + EU AI Act Article 9 + 10 + 13 + 14 + Article 26 + per-vendor LLM zero-retention attestation chain + DSA + COPPA + AADC + cookie consent + IAB TCF + Google Consent Mode v2 records all live in operator counsel + privacy + DEI + compliance + AI-governance repo. The Ingest + Resolve + Suppress + Attest skill code lives in operator code repo. The policy-as-code policies live in operator code repo, counsel-aligned. The WORM audit trail lives on operator-controlled cloud storage. Completions owns the orchestration knowledge and transfers it under the Tier 3 transition path (30-60 days at engagement end). Completions credentials revoke on engagement-end.
Engage Completions
Start with the AI Readiness Assessment (Tier 1, 2-3 weeks, $10k). Hand off to Tier 2 AI Swarm Setup Sprint ($25-50k, 4-8 weeks). Continue under Tier 3 Fractional CMO with AI Swarm ($15-25k/mo, 6-month minimum, 1-2 days/wk embedded).
Related reading
- Done-for-you per-location behavioral enrichment with BANT + firmographic (the adjacent per-location behavioral enrichment paired with this demographic ingestion)
- AI agent governance (the broader governance posture this demographic ingestion operates within)
- Fractional CMO with AI Swarm (Tier 3 engagement that operates the demographic data ingestion cycle)