First of all, we remind you that AdOpt does not prioritize the collection of personally identifiable data; it only manages visitors' consents. --- In addition, it is important to note that
AdOpt > AdOpt Customer - in order to proceed to the next steps with the proper legal obligations.
AdOpt > AdOpt Client Visitor - to let your visitor know that the responsible parties have been notified; it also serves as a "receipt" guaranteeing that the request has been processed.
(Examples of these two emails appear at the end of this article.)
**Short summary:**
The process of consultation and deletion of data is one of the most important points of the privacy regulations (GDPR, CCPA, LGPD…), because it materializes the right citizens acquired through these regulations to decide what can or cannot be done with their data, and to pursue their rights as citizens.
So this email serves two purposes:
Operational: it serves as a notification for all DPOs/Data Officers and AdOpt Clients who use our services to manage the consents of their websites. Numerous processes in their routines start from it, and through it they also control the requests from any digital gateways covered by AdOpt.
Transparency / Communication: when a citizen identifies himself and receives confirmation that his request has been processed, we confirm our commitment (both AdOpt's and our clients') to responsibility and transparency regarding the visitor's data.
You may wonder: if a visitor asks me to delete the data linked to cookies (those I fire on my website), what do I do? How far does my responsibility go versus that of my suppliers?*
And if the law asks me to keep written records as "evidence of consent" (e.g. Art. 8, paragraph 5 of the LGPD), how do I delete a record of consent?
To answer these questions, let's go step by step through what happens when an opt-out request is received:
a - AdOpt updates the CookieID that made the request with a "mark/tag" classifying this cookie as inactive/opt-out. Within the AdOpt system this CookieID then becomes unusable and serves only for registration purposes, as proof of consent.
b - Two (2) emails are sent, notifying the visitor (if identified) and the website/company manager.
b.1 - The company receives this email and can check whether other integrations use this information, in order to follow up on the request in other integrated systems (SaaS, callbacks, and APIs).
b.1.1 - If you do not have any data associated with the cookie, you do not need to do anything: AdOpt will hold only the (anonymous) information kept as proof of consent, a copy of which you have already received in the email and which is listed in your consent log.
b.2 - If the data owner has also provided an email address, you should use it as the access key in your data mapping to exclude the owner from all other systems.
b.2.1 - If your own procedures produce a receipt/proof that the exclusions have been made, use the visitor's email to share this information.
b.3 - The visitor is notified, by a pop-up on the opt-out page and a link in the footer of the email received, of a public educational page that teaches how to manually delete cookies from the browser.
c - AdOpt keeps this record in its database, showing you that CookieID #xyz.example.1234 made a request at that moment (date/time), so that it is easily accessible if you need it for legal bases and privacy audits.
## 3 - Step-by-Step Suggestion for your process as a Data Protection Officer
With the given email you can perform an internal scan, search for any information you may have about the visitor, and delete it. Or, if you have software that manages personal data, it can be integrated with AdOpt so that it processes each request as it arrives.
E.g. firstname.lastname@example.org made an Opt-Out request.
3.1 - AdOpt has already classified his AdOpt cookie as inactive/opt-out, so in AdOpt, you don't need to do anything else.
3.2 - With the email in hand, consult your data mapping; with it you can see where the data is stored/shared (your CRM, email marketing tool, logistics system, etc.).
3.3 - Delete all the data that can be deleted. (If your business has any legal basis that supports and protects the use/storage of data, justify it to the requester, informing them that you cannot delete such data.)
3.4 - You can prepare an institutional email to visitor@email with a detailed list of what you may have about him: the email and any other information you may have in his file within the other tools, confirming that everything has been deleted, as an "Opt-Out receipt".
3.5 - Attach to the email the details of the request sent by AdOpt, with the date/time at which it occurred. You can simply forward AdOpt's email; it is ready to go.
3.6 - Send the response email to the visitor.
*These are just suggestions that may or may not apply to each business model with its peculiarities. Consult your DPO, or a specialist, for a better understanding of the processes.
There are some hypotheses, technical ones: (in this case use the email, if informed, to proceed with the deletion routines).
The following are examples of e-mails sent by AdOpt to the AdOpt Customer:
To the visitor