
Privacy API: Data Erasure Process

Purpose

The Privacy API is provided for purging and/or anonymizing the personally identifiable information (PII) of individuals for the purposes of GDPR and CCPA compliance. Erasing the data of even a single individual from Customer Data Platform (CDP) requires reading all PII data across all data stores, and rewriting a significant volume of data. This is a resource intensive process that should not be used for data rectification purposes, as more often than not rectifying data does not require updating all PII data across all data stores and can be performed in a much more efficient manner. Abuse of the Privacy API for purposes other than regulatory compliance will not be tolerated.

Timelines

CDP is committed to acting upon GDPR and CCPA data erasure requests within a reasonable time of receiving the request. Please provide a lengthy lead time to accommodate the execution of a data erasure request. Since purging PII data is a resource intensive process the execution of data erasure requests will be batched, so timelines will vary across requests.

Data Erasure Requests from Data Subjects

By default, CDP will act on data erasure requests within 30 days of receiving a request, unless some additional urgency is communicated by the client. CDP needs a minimum of 14 days for validating, scheduling, and executing data erasure requests.

Lapse in Lawfulness of Processing (GDPR-only)

Only data erasure requests from the end user (i.e. data subject) can be considered urgent. A lapse in a lawfulness of processing cannot be considered urgent as these situations should be properly planned for and communicated ahead of time. When a lapse in lawfulness of processing is forthcoming please reach out to CDP Support at least 60 days in advance to plan for purging this data.

Process

Here is the process for requesting the erasure of personal data for a list of individuals:

  1. Client shares list of individuals (i.e. customers) to purge/anonymize and timeline (i.e. urgency) for completion: the client sends CDP Support the list of all CDP CustomerIDs of customers that should be purged in CSV format. CDP CustomerIDs are formed as a concatenation of a CDP-assigned SourceSystemID and a source system-assigned SourceCustomerNumber (i.e. record identifier). CustomerIDs are retrievable from the 360 Profiles Identities tab, or from querying the backend data warehouse using Interactive Queries or via a Template Report. If required, please ask your CDP Customer Success Manager (CSM) or the Help Desk (Support) for assistance. CDP CustomerIDs are generally not accessible via Actions or Metrics. The Privacy API is explicit (not implicit), so child CustomerIDs, and not PII, must be provided for the purge. CDP Support will not interpret/convert PII to CDP CustomerIDs, as this translation introduces a significant risk of unintentional data loss. Here are the format requirements for the CSV file:
    • Format and file extension: csv
    • encoding: UTF-8 (no Byte Order Mark)
    • record delimiter: line break (CRLF or LF)
    • field delimiter: comma (,)
    • text qualifier: double quotes (")
    • escape character: backslash (\)
    • header record present
    • encrypted (preferred but optional)
  2. CDP Support seeks verification of customer ID list: CDP Support will query CDP’s backend data warehouse to make sure that the CustomerIDs provided align with the data stored. Support will re-share this list of CustomerIDs with the client to request final validation that the CustomerIDs returned should be purged.
  3. Client purges upstream systems (IMPORTANT): Purging individuals from upstream systems before CDP purges the individual is extremely important. This will ensure that once the personal data is purged from CDP, that it will not reflow back into CDP. All data received by CDP is understood to have a lawful basis for processing, even if the data was previously purged via this data erasure process. To fully comply with the law, we do not retain a record of purge requests and won’t maintain a ban-list of recently purged individuals.
  4. CDP Support periodically performs the data erasure process: CDP Support will use the verified list of CustomerIDs and the CDP Privacy API to purge/anonymize all appropriate personal data within CDP. This is a resource intensive process (read all PII data, across all data stores, and rewrite a significant volume of data) that requires planning/scheduling to minimize impacts/conflicts in the cluster.
  5. CDP Support verifies purge success: Once the data erasure is complete, CDP Support will verify that all relevant customers were successfully purged.
  6. CDP Support informs the client: After purge verification, CDP Support will inform the client of the successful purge.
  7. Client verifies purge success in CDP and upstream systems (IMPORTANT): Once informed of purge completion, the client should independently verify that all relevant personal data was properly purged from CDP. Furthermore, the client should verify that all upstream systems are properly purged at this time. This is extremely important, because if CDP receives the purged data again in the future, this event will be interpreted as a new lawful basis for processing and the personal data will be ingested and processed accordingly. An example of this occurring correctly is: a customer that removes consent on day 1, but then transacts again on day 2. An example of this occurring incorrectly is: a customer that transacts on day 0, removes consent on day 1, and the day 0 transaction is re-ingested into CDP with all historical personal data still present. Such a scenario would result in regulation noncompliance.
  8. Client purges downstream systems: After the data is purged from CDP, the client should ensure that all downstream systems are purged appropriately.
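As an added example, not part of the CDP documentation or tooling, the following Python validator checks a purge-list file against the CSV requirements given in step 1 (UTF-8 without a Byte Order Mark, CRLF or LF record delimiter, comma field delimiter, double-quote text qualifier, backslash escape character, header record present) before the list is sent to CDP Support. It additionally flags empty and duplicate CustomerIDs, since a malformed or ambiguous list is exactly what leads to the unintentional data loss the page warns about. The column name `CustomerID` and all sample identifier values are constructed for this example and are not CDP formats.

```python
import csv

UTF8_BOM = b"\xef\xbb\xbf"

# Constructed sample purge list that meets the stated requirements:
# UTF-8, no BOM, header record, comma-delimited, double-quote qualified,
# CRLF record delimiter. The CustomerID values are made up.
SAMPLE_OK = b'CustomerID\r\n"SRC01-1001"\r\n"SRC01-1002"\r\nSRC02-77\r\n'

# Constructed sample that violates the requirements: leading BOM,
# a duplicate CustomerID, and an empty (quoted) CustomerID field.
SAMPLE_BAD = b'\xef\xbb\xbfCustomerID\nSRC01-1001\nSRC01-1001\n""\n'


def validate_customer_id_csv(raw: bytes, id_column: str = "CustomerID") -> list[str]:
    """Check a purge-list file against the CSV format requirements.

    Returns a list of human-readable problems; an empty list means the file
    passes every check. The column name is an assumption for this example.
    """
    problems: list[str] = []

    # Requirement: UTF-8 with no Byte Order Mark.
    if raw.startswith(UTF8_BOM):
        problems.append("file starts with a UTF-8 Byte Order Mark")
        raw = raw[len(UTF8_BOM):]
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        return problems + [f"file is not valid UTF-8: {exc}"]

    # Requirement: record delimiter is CRLF or LF. A bare CR is neither.
    if "\r" in text.replace("\r\n", ""):
        problems.append("bare CR used as record delimiter (only CRLF or LF allowed)")

    # Requirement: comma delimiter, double-quote qualifier, backslash escape.
    # doublequote=False means a doubled quote is NOT an escape; strict=True
    # turns malformed quoting into an error instead of silently accepting it.
    reader = csv.reader(
        text.splitlines(),
        delimiter=",",
        quotechar='"',
        escapechar="\\",
        doublequote=False,
        strict=True,
    )
    try:
        rows = list(reader)
    except csv.Error as exc:
        return problems + [f"CSV syntax error: {exc}"]

    # Requirement: header record present and it names the ID column.
    if not rows:
        return problems + ["file is empty (header record missing)"]
    header = rows[0]
    if id_column not in header:
        return problems + [f"header record missing required column {id_column!r}"]
    idx = header.index(id_column)

    # Practical checks beyond the stated format: every record carries a
    # non-empty ID, and no ID is listed twice.
    seen: set[str] = set()
    for lineno, row in enumerate(rows[1:], start=2):
        if len(row) != len(header):
            problems.append(f"line {lineno}: expected {len(header)} fields, got {len(row)}")
            continue
        cid = row[idx].strip()
        if not cid:
            problems.append(f"line {lineno}: empty {id_column}")
        elif cid in seen:
            problems.append(f"line {lineno}: duplicate {id_column} {cid!r}")
        seen.add(cid)
    return problems


if __name__ == "__main__":
    for name, data in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        found = validate_customer_id_csv(data)
        print(name, "passes" if not found else "problems:")
        for p in found:
            print("  -", p)
```

Run against a real export, the validator reads the file as bytes (`validate_customer_id_csv(open(path, "rb").read())`) so the BOM and line-ending checks see the file exactly as CDP Support would receive it. Encryption of the file, which the page lists as preferred, is outside the scope of this check.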

Data Handling

What data is purged vs. anonymized?

The following data is deleted:

  • customer (& customer address cross-reference)
  • event
  • campaign history
  • campaign output
  • report output
  • data export output
  • custom entities containing PII

The following data is anonymized:

  • transactions - anonymized by removing customer identifiers and marking the transaction as anonymous

Where?

The following CDP data stores are managed:

  • Data Warehouse Layer
  • Business Intelligence Layer
  • Campaigns, Reports, & Exports
  • Metrics & Interactive Queries
  • 360 Search
  • 360 Profiles

The following CDP data stores are un-managed and therefore enforce ≤30-day retention policies:

  • CDP SFTP
  • CDP AWS S3 Buckets
  • Sparse Layer
