On May 25th, 2018, new data privacy and protection regulations went into effect for nations in the European Union (EU) and European Economic Area (EEA). The General Data Protection Regulation, or GDPR, includes provisions restricting or requiring subscriber insight and control into the processing of Personally Identifiable Information (PII).

The restrictions require companies collecting and using data belonging to residents of the EU and EEA to, among other things, verify that subscribers have given consent for data to be collected and used, as well as to provide proper opt-out and even deletion of stored PII.

These regulations are similar to, but in many ways go even further than the United States' own CAN-SPAM regulation.

At this time, Questline's clients consist solely of energy companies and utilities operating in North America. These clients provide Questline with lists of and data for their customers, including PII. Those customers may be residential or business accounts for people or companies located in North America and using energy from North American energy utilities.

Because of this, Questline is not modifying its privacy policy to include additional GDPR constraints at this time.

Additionally, other than in cases of our own marketing and transactional communications with our direct clients, Questline relies on our clients to provide customer addresses or numbers to contact. Clients are therefore the 'instigators' of communication and would, under GDPR, be the primary party responsible for initial opt-in vetting. Questline already advises its client to verify that they are giving us current and clean lists of subscribers. We advise our clients on how to get accurate and recent subscriber information, and we work on regular cleanup of inactive and unengaged subscribers. We provide electronic methods of opt-out on all Marketing emails, and work closely to follow US CAN-SPAM laws.