Process GDPR and CCPA requests

Zaius Product Enablement
  • Updated

Open in new tab share.png

Overview

Zaius has a process for honoring data subject requests related to various compliance frameworks, including CCPA and GDPR. These frameworks entitle customers to more control of their personal information. The customers subject to these frameworks have the right to request actions like:

  • Deletion: The right of deletion gives customers the ability to direct a business to delete or anonymize all of their personally identifiable information.
  • Opt-out: The right to opt-out gives customers the ability to direct a business not to sell their personal information to a third party. Prior to July 2020, the CCPA regulation directed that opt-outs occur when a browser sent DNT (do-not-track) signals, but the regulation was amended accordingly, as was Zaius' interpretation of it. Opt-outs can impact your brand's ability to deliver through different marketing channels.
  • Access: The right of access gives customers the ability to direct a business to provide all of the information that they have collected on them. 

Typically, these requests must be processed within 30 days. That said, these rights are not absolute and can depend on the context of the request, so it is essential to be familiar with your current business situation and local privacy laws. Learn more about Data Subject Access Rights by visiting our privacy policy.

Note: These requests shouldn't be processed unless prompted by a customer. Additionally, while these features and resources are available from Zaius, your legal team remains the best resource for advice concerning your specific compliance situation.

Deletion request

To perform a compliant customer deletion:

  • In your Zaius account, click the Account Settings Account_Settings.pngicon in the main navigation bar.
  • In the sidebar, select the Compliance Request option. 
  • Select the regulation type, then the Delete option. 
  • Select the identifier you'd like to use to locate the customer from the drop-down menu. The most common identifier is an email.
  • Input a value for the selected customer identifier. 
  • Click the Submit request button and then Delete in the confirmation prompt. 

Delete_customer.png

Following the submission, all of the customer's personally identifiable information will be scrubbed within 30 minutes. The customer's Zaius ID, which is the ID shown in the browser URL when viewing their profile, is retained for reporting purposes. However, any references to the Zaius ID are completely anonymized or redacted. If the ID is used to return directly to a previous profile, a deletion event will be present. 

Delete_event.png

It's important to note that if an identifier (e.g., Email) associated with a compliance deletion moves from one profile to another, each profile the identifier touches will be opted out. An event indicating this as the reason for the customer's ineligibility will appear in the profile’s activity feed.

Opt-out request

This action is currently only available for CCPA requests. To perform a compliant customer opt-out:

  • In your Zaius account, click the Account Settings Account_Settings.pngicon in the main navigation bar.
  • In the sidebar, select the Compliance Request option. 
  • Select the CCPA regulation type, then the Opt-out option. 
  • Select the identifier you'd like to use to locate the customer from the drop-down menu. The most common identifier is an email.
  • Input a value for the selected customer identifier. 
  • Click the Submit request button and then Opt-out in the confirmation prompt. 

Opt_out_customer.png

Following the submission, an opt-out identifier will be attached to the customer's profile within 30 minutes. If you return to the customer profile, an opt-out event will be present. The opt-out also removes the customer from all marketing activities (e.g., Emails and Segment syncing) to ensure the broadest level of compliance. 

Opt_out_event.png

It's important to note that if an identifier (e.g., Email) associated with a compliance opt-out moves from one profile to another, only the most recent profile the identifier touched will be opted out. An event indicating this as the reason for the customer's current ineligibility will appear in the profile’s activity feed.

Browser DNT opt-outs (Jan-July 2020)

Prior to July 2020, CCPA regulations required that customers be automatically opted-out if DNT settings on their browser are enabled. Between January 2020 and July 2020, Zaius handled this process for you through identity resolution if you have the Zaius sdk installed on your site. When a browser accesses your site, the Zaius sdk checks for the presence of these DNT settings. If found, a CCPA opt-out event associated with the Zaius cookie ID (aka "VUID") is applied to the customer. In cases where the customer is "identified" (meaning that they have messaging identifiers or customer attributes associated with their record), this event can be seen on the customer profile and the entire profile is considered opted-out. The opt-out event will only be noted the first time the browser-cookie combination is seen.

This process no longer occurs with the latest update of the CCPA regulations.

Impact on marketing channel delivery

A CCPA opt-out request is specifically a request not to send personal information to a vendor classified as a "third party" by the CCPA regulations, even if for the purposes of fulfilling a request from a brand with which that consumer already has a relationship. Vendors classified as "service providers" can continue to receive information about opted-out customers. CCPA opt-out is not a request to stop receiving marketing messages, although that can be a side effect, as seen below; to stop receiving messages, a consumer should revoke marketing consent.

In order to deliver some services in Zaius, we use sub-processors (or allow your brand to integrate your own partners (like Facebook or Google). If these vendors are classified as third parties, the information cannot be sent, and thus the customer will not receive the marketing message, even if they have provided marketing consent.

Only your brand and your legal team can say with certainty if you would consider these partners to be service providers (meaning you are able to transfer opted-out customer information to them) or third parties (meaning you should not transfer this customer information). Zaius will default to the most conservative classification, to ensure that you do not violate these regulations. However, you may update your preferences using App Consent Settings

App_Consent_Settings_-_Admin_-_Zaius.png

By setting the CCPA Compliance value to "Service Provider," customer information will be transferred (at your direction) to fulfill requests on this channel, even if the customer is CCPA opted-out. By setting the CCPA Compliance value to "Third Party," customer information will not be transferred to fulfill requests on this channel, effectively opting the customer out of marketing activity derived from this channel. Please consult with your legal team as to the appropriate settings for your business.

Access request

To perform a compliant data access request:

  • In your Zaius account, click the Account Settings Account_Settings.pngicon in the main navigation bar.
  • In the sidebar, select the Compliance Request option. 
  • Select the regulation type, then the Access option.
  • Click the Submit request button and then complete the subsequent form.

Data_access_request.png

Following the submission, a request will be sent to Zaius and processed within two weeks. Following this review, you will be emailed a collection of CSVs containing the customer information.

Was this article helpful?
0 out of 0 found this helpful

Related articles