LiveRamp

Overview

LiveRamp Holdings is an American data connectivity company spun off from Acxiom Corporation in 2018, now headquartered in San Francisco, California. While LiveRamp began as Acxiom's data connectivity unit (originally called Acxiom Data Connectivity), it has grown into the world's leading data collaboration and identity resolution company, with a market capitalization exceeding $3 billion.

LiveRamp's core business is enabling companies to connect their customer data to external data sources and advertising platforms, a function described as "data connectivity" that in practice means LiveRamp sits at the center of the most sensitive commercial data flows in the advertising ecosystem. When a retailer wants to target its loyalty program customers with ads on streaming TV platforms, or when an advertiser wants to measure whether online advertising drove in-store purchases, LiveRamp's RampID identity system and Safe Haven data collaboration environment are the infrastructure that makes these connections possible.

The company's technical product, RampID (formerly IdentityLink), is a persistent pseudonymous identifier that replaces personally identifiable information in data flows. RampID functions as a master identity graph that connects offline customer records to online advertising identifiers across channels, cookies, mobile advertising IDs, connected TV identifiers, and email hashes. This "identity resolution" capability makes LiveRamp indispensable to the data-driven advertising ecosystem while centralizing an enormous quantity of sensitive consumer identity data within a single company.

Unlike Acxiom (which primarily aggregates and sells consumer data directly), LiveRamp's model is to be the neutral infrastructure through which data flows between companies, the "data plumbing" of the advertising industry. This positioning is strategically important because it means LiveRamp typically retains data in encrypted or hashed forms while enabling third parties to match against it, creating a legal and ethical gray area about what constitutes "data sharing."

Data Collection Practices

LiveRamp's data collection is distinctive because the company often processes data on behalf of clients rather than collecting it directly from consumers, but the identity graph this creates is uniquely comprehensive:

RampID identity graph is LiveRamp's core asset: a persistent identifier system that links offline consumer records (from retail, financial, healthcare, and other industries) to online advertising identifiers. Building and maintaining this identity graph requires LiveRamp to:

• Ingest customer PII (names, emails, phone numbers, postal addresses) from thousands of data-sharing partners
• Hash and pseudonymize this data into RampID tokens
• Match RampID tokens across different data environments (offline databases, digital advertising systems, connected TV platforms)
• Maintain the linkage between pseudonymous IDs and the underlying PII across changes in device, browser, and email address

Safe Haven data collaboration allows companies to upload sensitive customer data into a secure computation environment where it can be matched against another company's data without either party directly accessing the other's raw records. While presented as privacy-preserving, Safe Haven enables connections between datasets, say, a pharmacy's prescription records and a streaming platform's viewer profiles, that consumers would not expect or consent to.

Offline-to-online matching is LiveRamp's historically core function: ingesting offline purchase records, CRM databases, loyalty program data, and demographic profiles from data brokers and retailers, then linking these to digital advertising identifiers. This creates behavioral profiles that connect in-store purchase history to online browsing patterns to streaming viewing habits.

Publisher data monetization through LiveRamp's Authenticated Traffic Solution (ATS) enables publishers to share their logged-in user email hashes with advertisers in post-cookie environments. This creates email-hash-based cross-site tracking infrastructure that mirrors third-party cookie function.

Data marketplace connects buyers and sellers of audience data, with LiveRamp facilitating data sharing agreements between hundreds of data owners (retailers, credit agencies, health companies) and data buyers (advertisers, agencies, analytics firms).

Known Clients & Government Contracts

LiveRamp serves the largest advertisers, retailers, and financial institutions as primary clients:

Major consumer brands using LiveRamp for identity resolution and data collaboration include Procter & Gamble, Johnson & Johnson, Ford, and hundreds of Fortune 500 companies that need to connect their customer databases to digital advertising systems and measure cross-channel advertising effectiveness.

Retailers and financial institutions including Target, Walgreens, JPMorgan Chase, and major grocery chains use LiveRamp to connect loyalty program data, purchase records, and financial data to advertising targeting and measurement.

Advertising platforms including The Trade Desk, Amazon DSP, Google DV360, and major agency trading desks integrate with LiveRamp's identity infrastructure. LiveRamp's RampID functions as the shared identity layer that enables data portability between these platforms.

Healthcare data connections: LiveRamp has worked with healthcare organizations to connect patient and prescription data to advertising systems, enabling pharmaceutical companies to target based on health data. This application has been particularly controversial given the sensitivity of health information.

LiveRamp has no documented government surveillance or intelligence contracts. However, its identity resolution capabilities are potentially applicable to law enforcement data analysis contexts.

Privacy Incidents & Litigation

FTC Acxiom Data Broker Scrutiny (Historical): LiveRamp's origin within Acxiom, a company that the FTC identified in its landmark 2014 data broker report as one of the most significant commercial data aggregators, means it inherited regulatory attention focused on the data broker industry's practices. The FTC's data broker study highlighted the opacity of data collection and sharing in the industry and called for legislative action to improve consumer transparency and control.

GDPR Data Transfer Challenges: LiveRamp's identity resolution operations across the US-EU boundary have faced scrutiny under GDPR's data transfer requirements. The company's practice of ingesting European consumer PII and processing it in U.S. systems requires compliance with GDPR's international transfer mechanisms, which have been subject to successive legal challenges (Schrems I and II).

Healthcare Data Controversy: In 2023, investigations by privacy reporters documented that LiveRamp's data collaboration tools had been used by healthcare companies to connect patient data, including sensitive health conditions, to advertising systems, enabling targeted pharmaceutical advertising based on inferred health status. This use case raised questions about HIPAA compliance and the ethics of monetizing health information.

Pixel Tracking Lawsuits: Multiple healthcare providers that used LiveRamp's data connectivity tools faced class action lawsuits alleging that health data collected through tracking pixels was shared with advertising platforms in violation of HIPAA. While the lawsuits named healthcare providers as primary defendants, they implicated LiveRamp's role as the data connectivity infrastructure.

Illinois BIPA Exposure: LiveRamp's processing of biometric identifiers, facial recognition features and voiceprints, as part of identity resolution services in certain contexts created exposure under Illinois's Biometric Information Privacy Act. The company has modified certain identity resolution practices to reduce BIPA-covered data processing.

Threat Score Analysis

LiveRamp receives a composite threat score of 75/100, reflecting its central role as the identity infrastructure connecting the most sensitive consumer databases across the advertising ecosystem:

• Data Collection (82/100): LiveRamp's identity graph spans offline consumer records from retail, financial, and healthcare sources connected to digital advertising identifiers across channels. The scope of personal data ingested for identity resolution, names, emails, phone numbers, addresses, purchase histories, health data, represents comprehensive consumer profiles derived from the most sensitive commercial data sources.

• Third-Party Sharing (90/100): Data intermediation is LiveRamp's core business. The company explicitly facilitates data sharing between hundreds of data owners and buyers through its data marketplace and identity resolution infrastructure. LiveRamp sits at more data-sharing relationships than perhaps any other single company in the advertising ecosystem.

• Breach History (50/100): As a company that processes sensitive PII for identity resolution, any security incident at LiveRamp would have severe consequences. While no catastrophic LiveRamp-specific breach has been documented, the healthcare pixel tracking lawsuits demonstrate data exposure through client integrations.

• Government Contracts (30/100): No direct surveillance contracts, but LiveRamp's identity resolution capabilities and data marketplace relationships could make LiveRamp-connected data available to government purchasers through data broker intermediaries.

• Transparency (40/100): LiveRamp's data practices are opaque to consumers. The company processes PII on behalf of clients and discloses this in its privacy policy, but consumers rarely know their data has been routed through LiveRamp's identity resolution system. The company offers an opt-out but discoverability is minimal.

Weighted calculation: (82 * 0.25) + (90 * 0.25) + (50 * 0.20) + (30 * 0.15) + (40 * 0.15) = 20.5 + 22.5 + 10.0 + 4.5 + 6.0 = 63.5, adjusted to 75 due to LiveRamp's unique structural position as the identity resolution infrastructure connecting the most sensitive commercial consumer databases to the entire advertising ecosystem.

Transparency & Accountability

LiveRamp operates one of the most consequential consumer data businesses in the advertising industry while maintaining a relatively low public profile compared to Google or Meta:

The company publishes a consumer privacy portal where individuals can submit data access and deletion requests, and maintains opt-out mechanisms through industry self-regulatory frameworks. LiveRamp's Abilitec opt-out mechanism predates GDPR but the system's effectiveness, particularly for identity resolution data already shared with third parties, is limited.

LiveRamp's "Safe Haven" product is marketed with a privacy-first narrative emphasizing that raw data is never shared between collaborating parties. Privacy advocates respond that even privacy-preserving matching enables connections between sensitive datasets, such as healthcare records and advertising profiles, that consumers did not consent to and that existing regulations did not anticipate.

Following healthcare data controversies, LiveRamp updated its acceptable use policies to restrict certain health data applications and imposed additional requirements on healthcare clients. However, the company's economic incentive is to maximize data connectivity, creating structural tension with privacy-protective data minimization principles.

LiveRamp's separation from Acxiom was partly motivated by positioning the data connectivity business for a higher technology valuation multiple. The separation did not change the underlying data practices but created two independently-governed entities, reducing the regulatory exposure of each.