Process customer deletion and opt-out requests directly in Optimizely Data Platform (ODP) to maintain compliance with CCPA, GDPR, and LGPD.
- Deletion – Customer request to delete or anonymize all of their personally identifiable information (PII).
- Opt-out – Customer request not to sell their personal information to a third party.
Prior to July 2020, the CCPA regulation directed that opt-outs occur when a browser sent DNT (do-not-track) signals, but the regulation has since been amended. Opt-outs can impact your brand's ability to deliver through different marketing channels.
Typically, you must process these requests within 30 days. These rights are not absolute and can depend on the context of the request, so you should be familiar with your current business situation and local privacy laws. Learn more about Data Subject Access Rights by visiting our privacy policy.
You should not process these requests unless prompted by a customer. Additionally, while these features and resources are available from ODP, your legal team remains the best resource for advice concerning your specific compliance situation.
Deletion request
- Go to Account Settings > Compliance Requests.
- From the Request Type drop-down list, select CCPA: Delete, GDPR: Delete, or LGPD: Delete.
- Select the Identifier to locate the customer (for example, email) and enter the value.
- Click Submit request then Delete Profile.
Within 30 minutes of the submission, ODP deletes all of the customer's personally identifiable information but retains the customer's ODP ID, which is the ID shown in the browser URL when viewing their profile, for reporting purposes. Any references to the ODP ID are completely anonymized or redacted. If the ID is used to return directly to a previous profile, a deletion event will be present.
If an identifier associated with a compliance deletion moves from one profile to another, each profile the identifier touches is opted out. An event indicating this as the reason for the customer's ineligibility displays in the profile's activity feed.
Opt-out request
- Go to Account Settings > Compliance Requests.
- From the Request Type drop-down list, select CCPA: Opt-out.
- Select the Identifier to locate the customer (for example, email) and enter the value.
- Click Submit request then Opt-out Profile.
Within 30 minutes of the submission, ODP attaches an opt-out identifier to the customer's profile. The opt-out also removes the customer from all marketing activities (like emails and segment syncing) to ensure the broadest level of compliance.
If an identifier associated with a compliance opt-out moves from one profile to another, only the most recent profile the identifier touched is opted out. An event indicating this as the reason for the customer's current ineligibility displays in the profile’s activity feed.
Impact on marketing channel delivery
A CCPA opt-out request is a request to not send personal information to a vendor classified as a third party by the CCPA regulations, even for fulfilling a request from a brand that the consumer already has a relationship with. Vendors classified as service providers can continue to receive information about opted-out customers.
CCPA opt-out is not a request to stop receiving marketing messages, although that can be a side effect. To stop receiving messages, a consumer should revoke marketing consent instead.
ODP uses sub-processors to deliver some services, or you can integrate your own partners (like Facebook or Google). If these vendors are classified as third parties, you cannot send the information, and the customer will not receive the marketing message, even if they have provided marketing consent.
Only your brand and your legal team can say if you would consider these partners to be service providers (meaning you are able to transfer opted-out customer information to them) or third parties (meaning you should not transfer this customer information). ODP defaults to the most conservative classification, so you do not violate these regulations. However, you may update your preferences using the App Consent Settings page.
- CCPA Compliance > Service Provider – Customer information is transferred (at your direction) to fulfill requests on this channel, even if the customer is CCPA opted-out.
- CCPA Compliance > Third Party – Customer information is not transferred to fulfill requests on this channel, effectively making the customer opt out of marketing activity derived from this channel.