You can process customer deletion and opt-out requests directly in Optimizely Data Platform (ODP) to maintain compliance with CCPA, GDPR, and LGPD.
- Deletion – Customers request to delete or anonymize all of their personally identifiable information (PII).
- Opt-out – Customers request that their personal information not be sold to a third party.
Before July 2020, the CCPA regulation directed that opt-outs occur when a browser sends DNT (do-not-track) signals, but the regulation was later amended. Opt-outs can impact your brand's ability to deliver through different marketing channels.
Typically, you must process these requests within 30 days. However, these rights are not absolute and can depend on the context of the request, so you should be familiar with your current business situation and local privacy laws. Learn more about Data Subject Access Rights by visiting the privacy policy.
You should not process these requests unless prompted by a customer. While these features and resources are available from ODP, ask your legal team for advice on your specific compliance situation.
Deletion request
- Go to Settings > Compliance Requests.
- Select CCPA: Delete, GDPR: Delete, or LGPD: Delete for the Request Type.
- Select the Identifier to locate the customer (for example, email) and enter the value.
- Click Submit Request to delete the profile.
Following a deletion request, ODP deletes all customer information within 30 days. During the 30-day period:
- Customers cannot be rediscovered using any identifiers associated with a profile requested for deletion.
- Identifiers linked to a profile requested for deletion cannot be moved to or associated with other profiles. New identifiers cannot be added to the profile.
- Events tied solely to the identifiers of the profile under deletion are ignored and dropped by the system.
- Events that include both identifiers from a profile under deletion and a high-confidence identifier (HCI) from an active profile are processed using the HCI and attributed only to the active profile. Identifiers from the profile under deletion are ignored.
- Events including identifiers from a profile under deletion along with a new low-confidence identifier (LCI) are dropped. The LCI is not linked to the deleted profile or used to create a new one.
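The event-handling rules above, modeled as a small Python function. This is an added example, not ODP code; the identifier types (`account_id`, `cookie_id`), their confidence levels, the sample data, and the order in which the rules are checked are assumptions. Combinations the page does not describe return `unspecified`.

```python
from typing import NamedTuple, Optional

# Hypothetical identifier types and their confidence; real ODP field names may differ.
CONFIDENCE = {"account_id": "high", "cookie_id": "low"}

# Constructed sample state (all values are made up).
PENDING_DELETION = {("account_id", "A-100"), ("cookie_id", "c-aaa")}
ACTIVE = {("account_id", "B-200"): "profile-B", ("cookie_id", "c-bbb"): "profile-B"}


class Decision(NamedTuple):
    action: str                     # "process", "drop" or "unspecified"
    profile: Optional[str] = None   # active profile the event is attributed to
    used: tuple = ()                # identifiers kept for processing


def route_event(identifiers):
    """Model the documented handling of one event during the 30-day deletion window."""
    pending = [i for i in identifiers if i in PENDING_DELETION]
    others = [i for i in identifiers if i not in PENDING_DELETION]
    if not pending:
        return Decision("process", used=tuple(others))  # deletion rules do not apply
    if not others:
        return Decision("drop")  # tied solely to the profile under deletion
    active_hci = [i for i in others
                  if i in ACTIVE and CONFIDENCE.get(i[0]) == "high"]
    if active_hci:
        # Checked first by assumption; the page does not rank the rules.
        # Attributed only to the active profile; pending identifiers are ignored.
        return Decision("process", ACTIVE[active_hci[0]], tuple(active_hci))
    if all(i not in ACTIVE and CONFIDENCE.get(i[0]) == "low" for i in others):
        return Decision("drop")  # new LCI is neither linked nor used to create a profile
    return Decision("unspecified")  # combination the page does not describe


if __name__ == "__main__":
    samples = {
        "only pending": [("cookie_id", "c-aaa")],
        "pending + active HCI": [("cookie_id", "c-aaa"), ("account_id", "B-200")],
        "pending + new LCI": [("account_id", "A-100"), ("cookie_id", "c-new")],
        "pending + known LCI": [("account_id", "A-100"), ("cookie_id", "c-bbb")],
    }
    for name, ids in samples.items():
        print(f"{name:22} -> {route_event(ids)}")
```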
Opt-out request
- Go to Settings > Compliance Requests.
- Select CCPA: Opt-out for the Request Type.
- Select the Identifier to locate the customer (for example, email) and enter the value.
- Click Submit Request to have the profile opted out.
Within 30 minutes of the submission, ODP attaches an opt-out identifier to the customer's profile. The opt-out also removes the customer from participating in marketing activities (like emails and segment syncing) to ensure the broadest level of compliance.
If an identifier associated with a compliance opt-out moves from one profile to another, only the most recent profile the identifier touched is opted out. The profile's activity feed displays an event with this as the reason for the customer's current ineligibility.
Impact on marketing channel delivery
A CCPA opt-out request is a request not to send personal information to a vendor classified as a third party by the CCPA regulations. This includes fulfilling a request from a brand with a preexisting relationship with the consumer. Vendors classified as service providers can continue to receive information about opted-out customers.
CCPA opt-out is not a request to stop receiving marketing messages, although that can be a side effect. Instead, a consumer should revoke marketing consent to stop receiving messages.
ODP uses sub-processors to deliver a few services, or you can integrate your own partners (like Facebook or Google). If these vendors are classified as third parties, you cannot send the information, and the customer does not receive the marketing message even if they have provided marketing consent.
Only your brand and legal team can say if you would consider these partners as service providers (meaning you can transfer opted-out customer information to them) or third parties (meaning you should not transfer this customer information). ODP defaults to the most conservative classification to prevent you from violating these regulations. However, you may update your preferences in App Consent Settings.
- CCPA Compliance = Service Provider – Customer information is transferred (at your direction) to fulfill requests on this channel, even if the customer is CCPA opted-out.
- CCPA Compliance = Third Party – Customer information is not transferred to fulfill requests on this channel, effectively making the customer opt out of marketing activity derived from this channel.