Request or delete records for EU General Data Protection Regulation (GDPR) or California Consumer Privacy Act (CCPA)

  • Optimizely Feature Experimentation
  • Optimizely Full Stack (Legacy)
  • Optimizely Web Experimentation
  • Optimizely Performance Edge
Disclaimer

This document is for informational purposes only and does not constitute legal advice. Readers should always seek legal advice before taking any action with respect to the matters discussed herein.

You can respond to a European Union (EU) or California data subject's request for access, rectification, erasure, or portability of their personal data.

  • Data cannot be recovered after it is deleted.
  • Data exports may contain information that your company considers confidential, such as the change history for a particular project. You are responsible for reviewing this information before providing it to the requestor.
  • The information in this topic covers the processing Optimizely Experimentation performs on behalf of its customers as part of its online SaaS services. If you want to file a request related to personal data that Optimizely Experimentation itself controls, email privacy@optimizely.com. Review the Optimizely privacy policy for more information about this type of data and your options.


To learn more about the data Optimizely Experimentation processes, review Privacy@Optimizely FAQ.

To learn more about your role as a data controller, or for more detail about meeting your privacy and data protection obligations for other Optimizely Experimentation products, see Compliance.

Access and deletion obligations

Under the EU's General Data Protection Regulation (GDPR), each individual in the EU (referred to as a data subject under GDPR) has a right of access to their personal data. Upon request, you (as the data controller) have an obligation, with certain exceptions, to inform the data subject where their personal data is being held and for what purposes. In addition, each data subject has a right to erasure (sometimes known as the right to be forgotten). Upon request, you have an obligation, with certain exceptions, to delete the personal data of a data subject.

The California Consumer Privacy Act (CCPA) provides similar access and deletion rights to California residents.

To make the process easy for our customers, Optimizely Experimentation offers the following options for customers who receive a request to begin the deletion or access process:

  • An easy-to-use user interface for a small number of access or deletion requests.
  • A REST API for submitting access or deletion requests to Optimizely Experimentation automatically.
You can only submit a request if you hold the Administrator collaborator role on your company's Optimizely Experimentation account.

Submit a GDPR or CCPA access or deletion request

You can submit a GDPR or CCPA access or deletion request directly from the Optimizely Experimentation application. 


  1. Go to Account Settings > Access or Deletion Requests.
  2. Click Create New Request.
  3. Fill in the following information:
    • Request type – You can submit two types of requests: 
      • Delete – Removes all data within an account that is associated with the identifier defined in the identifier field
      • Access – Finds all data stored in Optimizely Experimentation systems associated with the identifier defined in the identifier field and exports it to an AWS S3 bucket for you to access.
    • Data type – Any access or deletion request will apply to one of two data types:
      • User data – End-users (also known as collaborators) who are added to the accounts of our customers. A user can be a collaborator on multiple accounts.
      • Visitor data – Individuals who visit or use our customers’ websites, apps, and other digital products. Optimizely Experimentation stores visitor data to calculate experiment results and to tailor content.
    • Identifier type – User data is identified by the email address used to create the end-user account, so the form does not display the Identifier type field if you selected User data as your data type in the previous step. If you selected Visitor data, the form displays these five options for personal identifier types:
      • DCP ID – Any ID used to identify targeting records in Optimizely Experimentation.
      • Email Address – The email address of a visitor.
      • Full Stack ID – The unique identifier used for Full Stack experiments.
      • optimizely_end_user_id – An Optimizely Experimentation-generated user cookie.
      • Other – Any other identifier that was uploaded to Optimizely Experimentation.
    • Identifier – The identifier value you want Optimizely to use when searching. If you selected User data in the previous step, the identifier is the email address of the user.
      If you use DCP or list attributes, submit the primary keys used to identify records in DCP data sources and list attributes. Optimizely uses these keys to find the relevant records; records in these data sources cannot be searched using other identifiers. You can submit these keys using either the DCP ID or the Other identifier type.

      Under Optimizely terms, email addresses and similar personally identifiable information (PII) should not be uploaded into DCP. For more information, see PII – Personally identifiable information in Optimizely Experimentation.

  4. Click Submit Request.

Automate GDPR or CCPA requests

Optimizely Experimentation customers can automate the requests using the REST API. These API endpoints are documented in our developer documentation.

The same considerations apply when using the API:

  • Data cannot be retrieved once it is deleted.
  • Data exports we provide may contain information that your company considers confidential, such as the change history for a particular project.
  • DCP users must provide the DCP ID for us to identify the applicable record. We cannot search these records with other identifier types.

The endpoints that Optimizely Experimentation offers for this are listed in the developer documentation.
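The following is an added example of how a customer might automate the submit-then-poll flow described in this section and in the two sections that follow (retrieving a completed access export and confirming a deletion). It is not Optimizely's code and not the documented API: the endpoint path `/v2/subject-access-requests`, the JSON field names and the response shape are assumptions for illustration, and the `FakeTransport` is a constructed in-memory stand-in so the example runs offline. What it does take from this page is the request model (request type, data type, identifier type, identifier) and the rules the form enforces, which are checked client-side before anything is sent, because a deletion cannot be undone.

```python
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Values the request form on this page documents. The wire-format strings
# (e.g. "dcp_id") are assumptions; map them to whatever the real API expects.
REQUEST_TYPES = {"access", "delete"}
DATA_TYPES = {"user", "visitor"}
VISITOR_IDENTIFIER_TYPES = {"dcp_id", "email", "fullstack_id", "optimizely_end_user_id", "other"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass(frozen=True)
class SubjectRequest:
    request_type: str
    data_type: str
    identifier: str
    identifier_type: Optional[str] = None  # only meaningful for visitor data

    def validate(self) -> None:
        """Apply the form's rules before anything reaches the API."""
        if self.request_type not in REQUEST_TYPES:
            raise ValueError(f"request_type must be one of {sorted(REQUEST_TYPES)}")
        if self.data_type not in DATA_TYPES:
            raise ValueError(f"data_type must be one of {sorted(DATA_TYPES)}")
        if not self.identifier.strip():
            raise ValueError("identifier is required")
        if self.data_type == "user":
            # Collaborator (user) data is identified by the account e-mail only.
            if not EMAIL_RE.match(self.identifier):
                raise ValueError("user data must be identified by an e-mail address")
        elif self.identifier_type not in VISITOR_IDENTIFIER_TYPES:
            raise ValueError(f"visitor data needs identifier_type in {sorted(VISITOR_IDENTIFIER_TYPES)}")

    def to_payload(self) -> Dict[str, str]:
        """Build the request body (field names are assumptions)."""
        self.validate()
        payload = {"request_type": self.request_type, "data_type": self.data_type,
                   "identifier": self.identifier.strip()}
        if self.data_type == "visitor":  # the form hides identifier type for user data
            payload["identifier_type"] = self.identifier_type
        return payload


def validation_error(req: SubjectRequest) -> Optional[str]:
    """Return the validation message for a request, or None if it is acceptable."""
    try:
        req.validate()
    except ValueError as exc:
        return str(exc)
    return None


# (method, path, json_body) -> decoded JSON. In production plug in an HTTPS
# call that adds your API token; the fake below lets the flow run offline.
Transport = Callable[[str, str, Optional[dict]], dict]


class DsarClient:
    def __init__(self, transport: Transport, base_path: str = "/v2/subject-access-requests"):
        self._send = transport
        self._base = base_path  # assumed path, not the documented endpoint

    def submit(self, req: SubjectRequest) -> str:
        return self._send("POST", self._base, req.to_payload())["id"]

    def status(self, request_id: str) -> dict:
        return self._send("GET", f"{self._base}/{request_id}", None)

    def wait_until_done(self, request_id: str, max_polls: int = 10, interval: float = 5.0) -> dict:
        """Poll until the request is completed or failed; never assume success."""
        for _ in range(max_polls):
            current = self.status(request_id)
            if current["status"] in ("completed", "failed"):
                return current
            time.sleep(interval)
        raise TimeoutError(f"request {request_id} still pending after {max_polls} polls")


class FakeTransport:
    """Constructed stand-in for the API: keeps requests in memory and marks
    each one completed on its second status poll."""

    def __init__(self) -> None:
        self._store: Dict[str, dict] = {}
        self._polls: Dict[str, int] = {}

    def __call__(self, method: str, path: str, body: Optional[dict]) -> dict:
        if method == "POST":
            rid = f"req-{len(self._store) + 1}"
            self._store[rid] = dict(body)
            self._polls[rid] = 0
            return {"id": rid, "status": "pending"}
        rid = path.rsplit("/", 1)[-1]
        self._polls[rid] += 1
        if self._polls[rid] < 2:
            return {"id": rid, "status": "pending"}
        done = {"id": rid, "status": "completed", "request_type": self._store[rid]["request_type"]}
        if done["request_type"] == "access":  # access requests yield an export to download and review
            done["export_location"] = f"s3://example-bucket/exports/{rid}.json"  # constructed value
        return done


def run_demo() -> Dict[str, dict]:
    """Submit three constructed requests and return each final status record."""
    client = DsarClient(FakeTransport())
    requests = {
        "visitor_access": SubjectRequest("access", "visitor", "oeu1234567890r0.123", "optimizely_end_user_id"),
        "dcp_delete": SubjectRequest("delete", "visitor", "cust-00042", "dcp_id"),  # DCP records need the DCP ID
        "user_delete": SubjectRequest("delete", "user", "alice@example.com"),
    }
    return {name: client.wait_until_done(client.submit(req), interval=0.0) for name, req in requests.items()}
```

The export location returned for an access request is only a pointer: download the contents, review them for confidential material such as project change history, and then hand them to the requestor. A `completed` deletion status likewise does not cover data retained in change-history or security logs, as the deletion section below notes.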

Retrieve data from a completed access request

When Optimizely receives a data access request, it searches its records for the identifiers you provide and places matching records in an Amazon S3 bucket. When the access request is completed, you can retrieve the export by calling the list subject access requests API (see Automate GDPR or CCPA requests above). Alternatively, you can log into your account to view and download one or more existing requests.

Confirm data deletion

When Optimizely receives a data deletion request, it searches its records for the identifiers you provide and overwrites any matching data. When the request is completed, you can check its status in the UI or with the REST API.

Optimizely may retain some user data in Change History logs and for other security purposes, so that you keep an audit trail of significant changes made to your account. A completed deletion request therefore does not necessarily remove every reference to the identifier from those logs.

Rectification requests

Optimizely Experimentation users may correct their own data by signing into http://app.optimizely.com and editing the data in User Settings.

Rectification is not applicable to visitor data because of the nature of the records involved: they are events recording a visitor's interactions with websites and apps, such as clicking a button, and such event records are not compatible with the rectification process.