Customer trust is something to

Treasure

Privacy Compliance with Treasure Data

Treasure Data has always protected the data we store for our customers to establish a foundation for data privacy. And, in light of privacy regulations, such as the General Data Protection Regulation (GDPR), and the California Privacy Protection Act (CCPA) we want to present our best knowledge of the laws and how our enterprise Customer Data Platform (CDP) assists in your ongoing compliance. Below are our interpretations of the regulations for your marketing organization and our related product capabilities.

Find out more about your customers’ rights

See Rights of “Residents”

Our view on privacy compliance – it’s about trust. Period.

Customer trust is the ultimate outcome of value. When customers come to love your products and services, they reward you with not only more of their wallet, but more of their time. They advocate for your brand, shun your competitors, engage directly with you and expect that you continue to deliver even better products and services. These are the customers you want to cultivate and keep, and that demands transparency and respect for their data. When you think of privacy regulation, don’t just focus on the intricacies of compliance. Imagine the possibilities of earning a customer’s trust. Think about the regulations as a chance to turn that trust into your long-term advantage and stay competitive.

How Treasure Data can help

As you continue your privacy program, we’ll be communicating our product capabilities, processes for privacy – compliant solutions, and marketing best practices here. We’ve been ensuring our own compliance with specific regulations since their adoptions and building on our strong foundation of data security.

See our privacy statementView our terms of service

Treasure Data takes data privacy seriously and we’re taking our privacy-by-design development philosophy further to assist our customers (“controllers”) with adherence to people’s rights under the laws. While compliance is a shared responsibility between businesses and their vendors, ultimately the right solution is one that combines both technology, process and people – there is no “one-stop” product that covers everything. That’s why we want to help you build your privacy compliance solution your way.

In the following table we’ve compiled our key capabilities to help with compliance alongside a condensed version of the seven general principles of the GDPR and a list of applicable CCPA “rules” in comparison.

Disclaimer: Interpretation of the GDPR, the CCPA and other privacy regulations is up to your organization. While we’ve done our homework, most regulations are not exact in defining the methods for compliance. With language that makes them difficult to interpret, we advise you to consult your privacy experts and legal counsel. You’ll want to include them in your CDP requirements planning.

GDPR Principle & CCPA Rule Explanation How Treasure Data can help

EU citizens’ personal data should be processed in a “fair and transparent manner”.

California residents can opt out of data processing. (ie sale of data)

Each EU citizen has explicit data rights.

If your processes for personal data collection and management respect these rights, you will have provided for “fair and transparent” processing under the GDPR.

The CCPA grants CA consumers the right to prohibit companies from selling their data where selling includes “disclosing, disseminating, making available, transferring,” and more.

Treasure Data’s enterprise CDP is typically used as a central repository for customer and prospect data. Our customers collect this data from different sources enabling their marketers to analyze it for segmentation and activation (i.e. advertising and mail campaigns).

With our current integrations to most marketing and CRM systems, we can help:

  • Extract all personal data from their source and keep them in raw format

  • Document the sources for all your data

  • Easily export personal data for further analysis or access

  • Audit and report on personal data that is sent to external systems

You need a lawful and legitimate reason to collect an EU citizen’s data. You must make that reason clear to data subjects and get explicit and affirmative consent.

California consumers can opt-in freely to share their data and no restriction is put on the processes businesses use to collect it. However they do have the right to opt-out and request deletion.

Some reasons are automatically considered “legitimate” under the GDPR, such as the fulfillment of a contract or legal obligation, but if you can prove explicit consent you will have a lawful reason to keep and use an EU citizen’s personal data until they exercise their right to be forgotten or erased.

For the GDPR: Consent must be given by a “positive” opt-in and be explicit with all information about personal data use and processing (i.e. promotional offers) provided clearly at the time of consent.

For the CCPA: Consent can be incentivized. The law puts no financial restrictions on the opt-in process, so discounts can be offered for a consumer’s information.

Treasure Data CDP can integrate with other third -party consent management systems for the consent preferences of your customers and prospects. Our CDP provides the core capabilities to easily model those preferences for an accurate accounting of which records to process and for what purpose.

When customers and prospects opt-out of marketing programs, you can use Treasure Data to filter these people from “processing” and keep them out of your profiles and segments for activation.

We also have a specific feature that will allow you to block personal data collection through our mobile and javascript software development kits (SDKs).

Personal data on a EU citizen should be accurate and kept up to date. An EU citizen has the right to access and rectification.

California consumers have the right to know what information has been collected on them and what has been shared.

This means they can request to see their data (kept by you). Under the GDPR they can correct it when it’s incomplete or inaccurate. This is to ensure that their data is “fit for purpose” based on their original consent.

Treasure Data CDP allows you to update or delete customer attributes, so any inaccurate personal data can be corrected before and after customer profiles are built and segmented. Our pre-built integrations can push those updates and deletions to other systems (i.e. SaaS marketing solutions) for a consistent record of personal data across your company.

As our software partners begin to support regulation-specific features, we will be evaluating and adopting their endpoints in our standard integrations to maintain consistency of all the personal data records you keep.

EU citizens’ personal data must be kept for no longer than the time needed for the legitimate business purposes you disclosed at the time of consent.

The CCPA does not mandate storage limits rights, however California consumers under the age of 16 cannot have their data sold under the law.

Under the GDPR, personal data collected should only be used for its intended purpose. This means personal data should only be kept as long as it is being used. You should have ways to archive or delete an EU citizen’s data when you are finished with it or when they ask you to forget them.

For the CCPA, you should also be concerned with retention of data for protected minors and understand their specific age at the time of data collection.

While CDPs typically store and manage personally identifiable data on customers and prospects, Treasure Data also manages anonymous data from web visits and Data Management Platforms (DMPs). When data is no longer needed for the purposes for which you have consent and needs to be archived, you can choose to anonymize that data within our platform or to delete records completely.

Treasure Data CDP is a cost-effective way to keep and protect customer data for the long-term, so proof of compliance can be provided with ease at any time. Our underlying data platform also supports automated data retention and purging based on the age of data.

Keep any EU citizen’s personal data secure and protected from data breaches, unlawful use, accidental loss or destruction.

California consumers have the right to sue businesses for “unauthorized access..disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”

This is probably self-explanatory, however its intent expands beyond the security of your database. It is also meant to provide protection of personal data processed by a third-party organization and handled by your own employees.

Treasure Data has a strong security foundation. We built Treasure Data CDP for trust.

As well, our strong access control provides secure administration, including :

  • Policy-based permissioning

  • Id federation (SSO)

  • Advanced audit logging

With 50% of our global CDP customer base storing personally identifiable information (PII) on our platform we’ve invested heavily in industry standards that also include:

  • ISO/IEC27001 certification

  • SOC 2 Type 2 audit

GDPR Principle: EU citizens’ personal data should be processed in a “fair and transparent manner”.

CCPA Rule: California residents can opt out of data processing (ie sale of data)

Explanation: Each EU citizen has explicit data rights.

If your processes for personal data collection and management respect these rights, you will have provided for “fair and transparent” processing under the GDPR.

The CCPA grants CA consumers the right to prohibit companies from selling their data where selling includes “disclosing, disseminating, making available, transferring,” and more

How Treasure Data can help: Treasure Data enterprise CDP is typically used as a central repository for customer and prospect data. Our customers collect this data from different sources enabling their marketers to analyze it for segmentation and activation (i.e. advertising and mail campaigns).

With our current integrations to most marketing and CRM systems, we can help:

  • Extract all personal data from their source and keep them in raw format
  • Document the sources for all your data
  • Easily export personal data for further analysis or access
  • Report on export jobs that send personal data to external systems

GDPR Principle: You need a lawful and legitimate reason to collect an EU citizen’s data, you must make that reason clear to data subjects and get explicit and affirmative consent.

Explanation: Some reasons are automatically considered “legitimate” under the law, such as the fulfillment of a contract or legal obligation, but if you can prove explicit consent you will have a lawful reason to keep and use an EU citizen’s personal data until they exercise their right to be forgotten or erased.

Note: Consent must given by a “positive” opt-in and be explicit with all information about personal data use and processing (i.e. promotional offers) provided clearly at the time of consent.

If your processes for personal data collection and management respect these rights, you will have provided for “fair and transparent” processing of their data.

How Treasure Data can help: Our CDP can integrate with other third-party consent management systems for the consent preferences of your EU customers and prospects. Treasure Data provides the core capabilities to easily model those preferences for an accurate accounting of which records to process and for what purpose.

When EU customers and prospects opt-out of marketing programs, you can use Treasure Data to filter these people from “processing” and keep them out of your profiles and segments for activation.

Before May 25th, we will have a specific feature that will allow you to block personal data collection through our mobile and javascript SDKs.

We are also working with leading consent and preference management vendors to integrate their solutions with Treasure Data. This effort is ongoing.

GDPR Principle: Personal data on a EU citizen should be accurate and kept up to date.

Explanation: An EU citizen has the right to access and rectification. This means they can request to see their data (kept by you) and correct it when it’s incomplete or inaccurate.This is to ensure that their data is “fit for purpose” based on their original consent. To comply, these requests need to be fulfilled within a month.

How Treasure Data can help: Treasure Data allows you to update or delete customer attributes, so any inaccurate personal data can be corrected before and after customer profiles are built and segmented. Our pre-built integrations can push those updates and deletions to other systems (i.e. SaaS marketing solutions) for a consistent record of personal data across your company. As our software partners begin to support GDPR-specific features, we will be evaluating and adopting their endpoints in our standard integrations to maintain consistency of all the personal data records you keep. This development is currently ongoing.

GDPR Principle: EU citizens’ personal data must be kept for no longer than the time needed for the legitimate business purposes you disclosed at the time of consent.

Explanation: The personal data collected should only be used for its intended purpose, so personal data should only be kept for the time it takes you to use it. This means that you should have ways to archive or delete an EU citizen’s data when you are finished with it or when they ask you to forget them. (See What is a “data subject” under the GDPR and what’s my responsibility).

How Treasure Data can help: While CDPs typically, store and manage personally identifiable data on customers and prospects, Treasure Data also manages anonymous data from web visits and Data Management Platforms (DMPs). When data is no longer needed for the purposes for which you have consent, needs to be archived, you can choose to anonymize that data within our platform or to delete records completely. Treasure Data is a cost-effective way to keep and protect customer data for the long-term, so proof of compliance can be provided with ease at any time. Our underlying data platform also supports automated data retention and purging based on age.

GDPR Principle: Keep any EU citizen’s personal data secure and protected from data breaches, unlawful use, accidental loss or destruction.

Explanation: This is probably self-explanatory, however its intent expands beyond the security of your database. It is also meant to provide protection of personal data processed by a third- party organization and handled by your own employees.

How Treasure Data can help: Treasure Data has a strong security foundation. We built Treasure Data for trust. We’re compliant with EU-U.S. and Swiss-U.S. Privacy Shield Frameworks and protect personal information transferred from the EU and Switzerland to the U.S.

With 50% of our global CDP customer base storing personally identifiable information on our platform we’ve invested heavily in industry standards that also include:

  • ISO/IEC27001 certification
  • SOC 2 Type 2 audit
Treasure Data runs Treasure Data

Beyond our readiness as a processor, Treasure Data will continually work to ensure compliance with the GDPR and the CCPA as a controller and service provider respectively. Our marketing department uses Treasure Data CDP for personalization, attribution and up-to-date daily reporting, which means we have to understand and comply with these regulations just as our customers do. We’ve gained a proficiency in privacy compliance and are working towards a marketing center of excellence in data privacy. Our goal is to turn our privacy compliance insights into your guidance. We’ll be updating the site frequently with information on these regulations and new legislation to come.

Check out the blog

We published A Marketer’s Guide to the GDPR. Rather than filling it with technical chatter or cleverly disguised sales pitches, we wrote it with down-to-earth advice and practical tips for consent, database segmentation, inbound lead management and opt-outs. It’s a great asset to share and provides insights to privacy compliance that will not lend a hand with GDPR compliance, but also give you a head start with adherence to other privacy regulations.

Download it now!

While privacy regulations are currently in effect, the process for compliance will be ongoing and we’re here to lend a hand.

Stay tuned for more! And in the meantime, discover what Treasure Data’s CDP can do for you.

Learn More

The GDPR Overview

The General Data Protection Regulation (GDPR) is enforceable as of May 25th, 2018. The law was adopted by the European Union in April of 2016 and provisions a set of privacy rights for all EU citizens. It applies broadly to all EU citizens in 28 member countries and protects their rights to be informed about and control the use of their personal data. They have rights to correct and delete any personal information that is collected, processed and used by any individual, company and government agency–no matter where it’s gathered and no matter where the information resides. For marketers, this presents a challenge, but one that can turn into an opportunity with sound legal advice, strong compliance processes and help from your customer data platform (CDP).

What is a “data subject” under the GDPR and what’s my responsibility?

Any EU citizen that has provided their personally identifiable information (PII) to you is a “data subject.” PII under the GDPR is broad and includes any identifiers that could reveal (now or in the future) an EU citizen’s identity. And, if you are collecting this PII data from them and keeping it, you are a “controller” under the law. Unlike previous EU directives on data privacy, the GDPR imposes liability on “controllers” and their “processors” for privacy rights violations. If a complaint is filed by a data subject with any Supervisory Authority, the regulating body of the GDPR, fines can be significant–as high as €20M or 4% of annual revenues, whichever is greater. Not to mention the civil suits that could be filed for higher awards and the costs associated to data breaches, let alone the impact to business continuity. So, “controllers” need to assure “data subjects” rights.

IMPORTANT: The following list is our interpretation of the UK’s Information Commissioner’s Office (ICO) summary of the GDPR’s data subject’s rights. It’s not a substitute for your own legal interpretation and judgement.

Under the law EU citizens have the right:

  • To be informed – They need to know what data is being collected and how it’s being used. This needs to be communicated to them at or before the time of collection.
  • To access – They need access to their data, and the means by which you acquired it (including any third-party data) provided on demand and free of charge.
  • To rectification – When a data subject finds inaccuracies in their data, they have a right to correct or complete the information. The responses to corrections need to be made within a month of the request.
  • To erase – If for any reason they want to have their data deleted, those requests also need to be carried out within a month. They also must be carried out across all records and systems where their information is kept.
  • To restrict processing – They can also request that their data is retained and not used for any purpose. The responses to corrections need to be made within a month of the request.
  • To data portability – They also have the right to move their data wherever and whenever, so they can request to have their records moved from one service (i.e. IT environment) to another.
  • To object – While you may have a legitimate reason to use a person’s personal data (i.e. fulfill a contractual obligation), the GDPR provides them the right to restrict any and all use of it.
  • To refuse automated processing decisions, including profiling – In the case that their data is being processed automatically, without human intervention, the GDPR allows them to have information about the processing and request that people be involved.

The law also will provision for data protection and privacy processes that will need to be followed for compliance. While it touches on a number of areas where companies have responsibilities under the GDPR and suggests questions for consideration, it only scratches the surface. Your company will certainly require legal counsel to guide your compliance with the GDPR and advise on the decisions such as the one to employ an objective external privacy “advocate” as a data protection officer (DPO).