Process GDPR and CCPA requests

Optimizely Data Platform (ODP) Lite has a process for following data subject requests related to various compliance frameworks, including CCPA and GDPR. These frameworks entitle customers to more control of their personal information. The customers have the right to request actions like:

  • Deletion – Direct a business to delete or anonymize all of their personally identifiable information.
  • Opt-out – Direct a business not to sell their personal information to a third party. Before July 2020, the CCPA regulation directed that opt-outs occur when a browser sent DNT (do-not-track) signals, but the regulation has since been amended. Opt-outs can impact your brand's ability to deliver through different marketing channels.
  • Access – Direct a business to provide all of the information that it has collected on them.

Typically, you must process these requests within 30 days. These rights are not absolute and can depend on the context of the request, so you should be familiar with your current business situation and local privacy laws. Learn more about Data Subject Access Rights by visiting our privacy policy.

You should not process these requests unless prompted by a customer. Additionally, while these features and resources are available from ODP Lite, your legal team remains the best resource for advice concerning your specific compliance situation.

Process a deletion request

  1. Go to Account Settings > Compliance Requests.
  2. Select the regulation type, then select Delete.
  3. Expand the CHOOSE AN IDENTIFIER drop-down list and select the identifier to locate the customer, for example, Email.
  4. Input a value for the selected customer identifier.
  5. Click Submit request then Delete.

Following the submission, ODP Lite deletes all of the customer's personally identifiable information within 30 minutes. For reporting purposes, it retains the customer's ODP Lite ID, which is the ID shown in the browser URL when viewing their profile. Any references to the ODP Lite ID are completely anonymized or redacted. If the ID is used to return directly to a previous profile, a deletion event displays on the customer profile.

If an identifier associated with a compliance deletion moves from one profile to another, each profile the identifier touches is opted out. An event indicating this as the reason for the customer's ineligibility appears in the profile’s activity feed.

Process an opt-out request

This action is currently only available for CCPA requests.

  1. Go to Account Settings > Compliance Requests.
  2. Select CCPA and Opt-out.
  3. Expand the CHOOSE AN IDENTIFIER drop-down list and select the identifier to locate the customer, for example, Email.
  4. Input a value for the selected customer identifier.
  5. Click Submit request then Opt-out.

Following the submission, ODP Lite attaches an opt-out identifier to the customer's profile within 30 minutes. The opt-out also removes the customer from all marketing activities (like emails and segment syncing) to ensure the broadest level of compliance.

If an identifier associated with a compliance opt-out moves from one profile to another, only the most recent profile the identifier touched is opted out. An event indicating this as the reason for the customer's current ineligibility displays in the profile’s activity feed.

Impact on marketing channel delivery

A CCPA opt-out request is a request not to send personal information to a vendor classified as a third party by the CCPA regulations, even to fulfill a request from a brand with which that consumer already has a relationship. Vendors classified as service providers can continue to receive information about opted-out customers. CCPA opt-out is not a request to stop receiving marketing messages, although that can be a side effect, as seen below; to stop receiving messages, a consumer should revoke marketing consent.

To deliver some services in ODP Lite, ODP uses sub-processors. If these vendors are classified as third parties, the information cannot be sent, and the customer will not receive the marketing message, even if they have provided marketing consent.

Only your brand and your legal team can say if you would consider these partners to be service providers (meaning you can transfer opted-out customer information to them) or third parties (meaning you should not transfer this customer information). ODP Lite defaults to the most conservative classification so that you do not violate these regulations.

Process an access request

  1. Go to Account Settings > Compliance Requests.
  2. Select the regulation type, then select Access.
  3. Click Submit request, then complete and submit the subsequent form.

Following the submission, a request is sent to ODP Lite and processed within two weeks. Following this review, ODP Lite emails you a collection of CSVs containing the customer information.