Best Practices for Managing Privacy Requests with Ethyca CHOICE

The goal of this manual is to provide you with best practices on how to execute data privacy requests under the CCPA.

This article assumes you only use Ethyca for handling "Do Not Sell My Personal Information" requests and for managing the intake of your Data Subject Requests. In this scenario, all erasures and retrievals are handled manually outside of Ethyca.

Keeping a Record of Your Known Systems

The first step in fulfilling your data privacy requests for CCPA is keeping an inventory of all the places across your business where personal information is held. This way you'll have a centralized place to go when processing your data subject requests. We recommend recording the internal stakeholder involved, the type of PII held in the system, and the handling rules for each system, so that you put in place a system of accountability across your organization.

System | Internal Team | Type of PII | Note
Kustomer | Customer Service | Phone number, email, name, address | The Kustomer admin panel lets you search by contact identity and retrieve and/or erase user data.
Stripe | Operations | Name, phone number, email, address, credit card information | Log in to the Stripe admin panel and search by user identity or transaction ID (from the order table in the primary application DB) to retrieve or erase user data.
Braze | Marketing | Name, email | Log in to the Braze admin panel and submit a GDPR request for the user's data, either erasure or retrieval.
Segment | Engineering | Name | Log in to the Segment control panel for production data and search for the userId. You can then retrieve or erase user data.

Managing Requests Using the Privacy Center

Once your Ethyca Privacy Center is live on your site, a data subject can put in any of the following requests:

  • Data Subject Erasure Request - "Delete Your Data": Sometimes referred to as a "Right to Delete", this is the subject's request to have their data deleted from your systems.
  • Data Subject Access Request - "Download My Data": Sometimes referred to as a "Right to Know", this is when a subject requests access to, or a download of, a copy of their personal information from your systems.
  • Consent - "Do Not Sell My Personal Information": A subject requests to opt out of the sale of their data under CCPA.

Under CCPA regulation, a business must perform identity verification to confirm that the consumer making a request is who they say they are. If a business cannot verify the identity of the person making the request, it may deny the request and inform the subject that their identity could not be verified. Ethyca takes care of this process for you!

Now let's walk through how your subjects manage their rights through your Ethyca Privacy Center:

Step 1: A user goes to your Privacy Center and puts in a "Download My Data" or "Delete Your Data" request, or chooses to manage their "Consent".

Step 2: After the user has selected the action they would like to take, a pop-up asks for an email address to verify their identity.

Step 3: The user then receives an email with a two-factor authentication code.

Step 4: The customer returns to the Privacy Center and enters the code they received via email.

Step 5: Once their identity has been confirmed, the user will receive an email confirming their request.

Once this cycle is complete, you will have successfully 1) confirmed a subject's request and 2) verified their identity. Now you are ready to prepare for the retrieval and removal of your customer's data outside of Ethyca.

Subject Access Requests: Best Practices

Let's start with a Subject Access Request. When returning information to a user in response to an access request, you should return a categorized list of the personal information held across your systems. Note that you only need to return a single copy of a field, even if it exists in multiple systems, so you may fully deduplicate the dataset (e.g. if a subject's email address lives in both Shopify and Klaviyo, you only need to return it once!). Once you have collected the subject's data across all relevant systems (e.g. Shopify, Klaviyo, Stripe), we recommend providing it to the user as a CSV or Excel document.
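One way to build that deduplicated, categorized list, as an added example rather than anything from Ethyca: the system names follow this article, while the exported records and the category mapping are constructed.

```python
import csv
import io

# Constructed sample exports keyed by system name (values are made up).
SYSTEM_EXPORTS = {
    "Shopify": {"email": "Ada@example.com", "name": "Ada Lovelace",
                "delivery_address": "1 Analytical Way, London"},
    "Klaviyo": {"email": "ada@example.com", "name": "Ada Lovelace"},
    "Stripe": {"email": "ada@example.com", "phone": "+44 20 7946 0000",
               "card_last4": "4242"},
}

# Category each field is reported under in the list sent to the subject;
# fields not listed here fall into "Other" so nothing is silently dropped.
FIELD_CATEGORIES = {
    "name": "Identifiers", "email": "Identifiers", "phone": "Identifiers",
    "delivery_address": "Contact details", "card_last4": "Financial",
}


def consolidate(exports):
    """Return one row per distinct (field, value) pair with the systems that
    hold it. A value present identically in several systems appears once;
    comparison ignores case and surrounding whitespace, so 'Ada@' == 'ada@'."""
    merged = {}
    for system, record in exports.items():
        for field, value in record.items():
            key = (field, str(value).strip().lower())
            row = merged.setdefault(key, {
                "category": FIELD_CATEGORIES.get(field, "Other"),
                "field": field, "value": value, "systems": []})
            row["systems"].append(system)
    return sorted(merged.values(), key=lambda r: (r["category"], r["field"]))


def to_csv(rows):
    """Render the consolidated rows as the CSV handed to the subject."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["category", "field", "value", "systems"])
    writer.writeheader()
    for row in rows:
        writer.writerow({**row, "systems": ";".join(row["systems"])})
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(consolidate(SYSTEM_EXPORTS)))
```

A field whose value differs between systems (an old and a new address, say) is kept as two rows, which is what you want: only identical copies are collapsed.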

When responding to a data subject's request, it is important to keep in mind there are timeline requirements that vary by region:

  • You have 30 days under GDPR
  • You have 45 days under CCPA

Ethyca's Control Panel defaults to 45 days, so set an internal SLA across your business that everyone follows and make sure requests don't go overdue!

When you are ready to return data to the data subject, we recommend the following steps:

Step 1) Respond to the user with the following template:

Subject: Your Data Subject Request is Ready

Thank you for putting in a request to access your data via the
<ORGANIZATION NAME> Privacy Center. You can access all data associated
with your email address in the CSV provided. If you’d like to contact a 
member of our support team, please let us know at <PRIVACY EMAIL CONTACT>.

Step 2) Approve the request in the Control Panel

Once you have sent the data subject an email with their personal data, you can log the request as complete in Ethyca by selecting "Yes" under Approve/Status. At the next prompt, simply select "Approve and Skip Email" and the request will be logged as complete and no final email communication will be sent to the subject from Ethyca confirming the request has been fulfilled.

Right to Forget: Best Practices

When erasing a user's data, it is important to note that you do not need to delete all of the data you hold on a user. Rather, you must delete anything that is considered personally identifiable information. As such, you may retain certain fields of behavioral, financial or order data if it is necessary for your business to continue operations (e.g. a legitimate business interest), provided it does not identify the user.

In order to comply with the erasure request, you should consider one-way masking of data. One-way masking means replacing the data with an obfuscated value from which the original can never be recovered; it is considered adequate under the terms of both the GDPR and CCPA, provided it is irreversible.

It is important to be aware of the following when handling an erasure:

  • You must delete/mask delivery addresses from the order data as this would be considered personal data
  • You can retain order information if you have a valid business reason to do so (e.g. to validate warranties or calculate tax filings)
  • All personal data should be removed or updated/masked in the record across systems, whether that's within Shopify, your logistics partners or marketing products
  • Not all systems allow you to easily update records and ensure you have adequately removed PII, so in some cases we recommend fully deleting the record. This is something that our Pro platform automatically manages of course!
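As an added example (not Ethyca's code), the following Python masks the identifying fields of a retained order record irreversibly while keeping the order id, amounts and tax, and then checks that no original value survives in free-text fields before you close the request; the field names and the sample order are constructed.

```python
import hashlib
import hmac
import secrets

# Fields the article says must be removed or masked because they identify the
# person. Everything else (order id, amounts, tax, dates) is retained.
PII_FIELDS = {"name", "email", "phone", "delivery_address"}

# Constructed sample order record (hypothetical values).
ORDER = {
    "order_id": "ORD-1001", "date": "2023-03-04", "total": 59.99, "tax": 10.00,
    "name": "Ada Lovelace", "email": "ada@example.com",
    "phone": "+44 20 7946 0000", "delivery_address": "1 Analytical Way, London",
    "notes": "Gift for Ada Lovelace",
}

def new_masking_key():
    """Random key for one erasure job. It is never stored: once the job ends
    and the key is discarded, nobody (including you) can reverse the tokens."""
    return secrets.token_bytes(32)

def mask_value(value, key):
    """Keyed one-way token. An unkeyed hash of an email or phone number is not
    irreversible in practice, because the input space is small enough to hash
    guesses and compare; keying with a discarded secret closes that gap."""
    normalised = str(value).strip().lower().encode()
    return "masked:" + hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]

def mask_record(record, key, pii_fields=PII_FIELDS):
    """Copy of the record with PII fields replaced by tokens. Equal values get
    equal tokens within a job, so order and shipment rows stay joinable."""
    return {k: (mask_value(v, key) if k in pii_fields else v)
            for k, v in record.items()}

def residual_pii(masked, original, pii_fields=PII_FIELDS):
    """Fields of the masked record that still contain an original PII value
    as a substring. Catches leaks via free-text fields such as 'notes'."""
    originals = {str(original[f]).strip().lower()
                 for f in pii_fields if f in original}
    return sorted(f for f, v in masked.items()
                  if any(o in str(v).lower() for o in originals))

if __name__ == "__main__":
    key = new_masking_key()
    masked = mask_record(ORDER, key)
    print(masked)
    print("still identifying:", residual_pii(masked, ORDER))  # ['notes']
```

Where a system will not let you rewrite a field like `notes`, the residual check is your cue to fall back to deleting the whole record, as the last bullet above recommends.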

When responding to a data subject's request, it is important to keep in mind that there are timeline requirements that vary by region:

  • You have 30 days under GDPR
  • You have 45 days under CCPA

Ethyca's Control Panel defaults to 45 days, so set an internal SLA across your business that everyone follows and make sure requests don't go overdue!

Once you have erased data across all your known systems, we recommend completing the following steps:

Step 1) Respond to the user with the following template:

Subject: Personal information deleted

<ORGANIZATION NAME> recently received a request to delete all data related 
to this email address from our systems.

This email is confirmation that your request has been completed and we have 
deleted your personal information.

If you’d like to contact a member of our support team, please let us 
know at <PRIVACY EMAIL CONTACT>.

Step 2) Approve the request in the Control Panel

Once you have sent the data subject an email confirming their personal information has been erased, you can log the request as complete in Ethyca by selecting "Yes" under Approve/Status. At the next prompt, simply select "Approve and Skip Email" and the request will be logged as complete and no final email communication will be sent to the subject from Ethyca confirming the request has been fulfilled.

Keeping a Record of Your Requests

In line with CCPA regulation, a business shall maintain records of consumer requests and how it responded to the requests for at least 24 months. Similarly, GDPR requires audit trails and logging to demonstrate that personal data is being managed and handled properly.

As long as you Approve requests in Ethyca by following the "Approve and Skip Email" workflow, we take care of this for you!

For more information on record keeping and reporting in Ethyca, view our support article here.

Glossary of Terms

Below is a glossary of common privacy terminology:

Term | Definition
Subject | A user/customer of your system; under GDPR, and sometimes under CCPA, referred to as a “Subject”.
System | A software system or technology product that may contain personal information.
PII | Personally Identifiable Information.
DSR | “Data Subject Requests” are requests from subjects to either access and download a copy of their data or erase their data from your system.
Erasure | Deletion of subject data or personal information from across all business systems.
Suppression | Ensuring that a subject is “suppressed” from business systems means that their data is no longer used in business processes and that they will not be re-included at a later date. This is particularly important if the user has requested to be erased: suppression relates to mechanisms where data may be automatically collected or received from 3rd-party data providers (e.g. Data Co-Ops) that may contain an erased user's data.

Support

Please contact [email protected] if you have any questions regarding your account.