Process GDPR and CCPA requests

Optimizely Data Platform (ODP) has a process for handling data subject requests related to various compliance frameworks, including CCPA and GDPR. These frameworks entitle customers to more control of their personal information. Customers have the right to request actions such as:

  • Deletion – Direct a business to delete or anonymize all of their personally identifiable information.
  • Opt-out – Direct a business not to sell their personal information to a third party. Prior to July 2020, the CCPA regulation directed that opt-outs occur when a browser sent DNT (do-not-track) signals, but the regulation has since been amended. Opt-outs can impact your brand's ability to deliver through different marketing channels.
  • Access – Direct a business to provide all of the information that it has collected about them.

Typically, these requests must be processed within 30 days. These rights are not absolute and can depend on the context of the request, so you should be familiar with your current business situation and local privacy laws. Learn more about Data Subject Access Rights by visiting our privacy policy.

These requests should not be processed unless prompted by a customer. Additionally, while these features and resources are available from ODP, your legal team remains the best resource for advice concerning your specific compliance situation.

Deletion request

  1. In your ODP account, go to Account Settings > Compliance Request.
  2. Select the regulation type.
  3. Select Delete.
  4. Select the identifier to locate the customer, such as an email.
  5. Enter a value (such as an email address) for the selected customer identifier.
  6. Click Submit request then Delete.

Following the submission, ODP deletes all of the customer's personally identifiable information within 30 minutes but retains the customer's ODP ID, which is the ID shown in the browser URL when viewing their profile, for reporting purposes. Any references to the ODP ID are completely anonymized or redacted. If the ID is used to return directly to a previous profile, a deletion event will be present.

If an identifier associated with a compliance deletion moves from one profile to another, each profile the identifier touches is opted out. An event indicating this as the reason for the customer's ineligibility appears in the profile’s activity feed.

Opt-out request

This action is currently only available for CCPA requests.

  1. In your ODP account, go to Account Settings > Compliance Request > CCPA > Opt-out.
  2. Select the identifier to locate the customer, such as an email.
  3. Input a value for the selected customer identifier.
  4. Click Submit request then Opt-out.

Following the submission, ODP attaches an opt-out identifier to the customer's profile within 30 minutes. The opt-out also removes the customer from all marketing activities (like emails and segment syncing) to ensure the broadest level of compliance. 

If an identifier associated with a compliance opt-out moves from one profile to another, only the most recent profile the identifier touched is opted out. An event indicating this as the reason for the customer's current ineligibility appears in the profile’s activity feed.

Browser DNT opt-outs (Jan-July 2020)

This process no longer occurs with the latest update of the CCPA regulations.

Prior to July 2020, CCPA regulations required that you automatically opt out a customer if DNT settings were enabled on their browser. Between January 2020 and July 2020, ODP handled this process through identity resolution if you had the ODP SDK installed on your site. When a browser accessed your site, the SDK checked for the presence of these DNT settings. If found, it applied a CCPA opt-out event to the customer. When the customer was "identified" (meaning that they had messaging identifiers or customer attributes associated with their record), you could view this event on the customer profile. ODP only noted the opt-out event the first time it saw the browser-cookie combination.

Impact on marketing channel delivery

A CCPA opt-out request is a request not to send personal information to a vendor classified as a "third party" by the CCPA regulations, even for the purposes of fulfilling a request from a brand with which that consumer already has a relationship. Vendors classified as "service providers" can continue to receive information about opted-out customers. CCPA opt-out is not a request to stop receiving marketing messages, although that can be a side effect, as seen below; to stop receiving messages, a consumer should revoke marketing consent.

To deliver some services in ODP, sub-processors are used or your brand integrates your own partners (like Facebook or Google). If these vendors are classified as third parties, the information cannot be sent, and the customer will not receive the marketing message, even if they have provided marketing consent.

Only your brand and your legal team can say if you would consider these partners to be service providers (meaning you are able to transfer opted-out customer information to them) or third parties (meaning you should not transfer this customer information). ODP defaults to the most conservative classification so that you do not violate these regulations. However, you may update your preferences using App Consent Settings.

  • CCPA Compliance > Service Provider – customer information is transferred (at your direction) to fulfill requests on this channel, even if the customer is CCPA opted-out.
  • CCPA Compliance > Third Party – customer information is not transferred to fulfill requests on this channel, effectively making the customer opt out of marketing activity derived from this channel.

Consult with your legal team as to the appropriate settings for your business.

Access request

  1. Go to Account Settings > Compliance Request.
  2. Select the regulation type.
  3. Click Access.
  4. Click Submit request and complete the subsequent form.

Following the submission, a request is sent to ODP and processed within two weeks. Following this review, ODP emails you a collection of CSVs containing the customer information.