Privacy Compliance (CCPA, GDPR, etc)
Note: This article discusses frequently asked questions regarding the CCPA, GDPR, and other relevant privacy laws and their potential impact on businesses. Though Outreach provides support to comply with privacy compliance requests that your organization receives, it is recommended you work with your company’s corporate lawyer to do a thorough review of all relevant privacy laws for your business and determine what operational requirements you might have. Outreach can then work with you to enable those requirements in our product.
Outreach is committed to providing privacy rights to all individuals. To demonstrate this, Outreach has aligned our privacy program to the laws applicable in the jurisdictions Outreach operates in, and provides those rights across the board. To demonstrate our commitment, Outreach has also obtained our ISO 27701 certification. While Outreach operates in a few jurisdictions, Outreach decided to focus on the European Union’s (EU) General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as these are the two most talked-about privacy laws at present.
GDPR and CCPA have many similarities. For starters, they both outline and enforce regulations regarding the personal data of individual consumers. Both require organizations to provide individuals access to their own personal data, as well as the right to have it deleted. And both are regional laws with global implications. The GDPR and CCPA also have several key differences. Read on for more information on how the CCPA and GDPR are different.
Legal Disclaimer: Outreach applied our best understanding of the CCPA and GDPR when building this article. However, we are not legal professionals. To minimize risks, Outreach urges you to read the actual text of all privacy laws applicable to your business and seek the advice of your corporate attorney.
The CCPA vs. The GDPR
The most notable difference between the CCPA and GDPR is that the CCPA concerns residents in the state of California, while the GDPR concerns citizens of the EU.
Here are 9 more key differences between the GDPR and CCPA:
Outreach & Privacy Requirements
The ways that Outreach is GDPR- and CCPA-compliant include, but are not limited to:
- Outreach requires an active banner on our website so that customers can control the "sale" of their data
- Data is only “personal information” as long as it can be "reasonably linked" to an individual, and Outreach already had to review our data for GDPR to understand what is required to reasonably link a person in our backend
- Outreach requires our data processors to not further process personal information except as required to fulfill the processing activities
- Outreach will respond to data access or deletion requests within a 30-calendar-day period
- Outreach has a “cookie banner” on our site as a notice before or at the point of collection of data
- Outreach does not discriminate against an individual who has exercised their rights under CCPA/GDPR
Additionally, Outreach signs Data Processing Agreements (DPA) with customers who need them. Where necessary, Outreach includes standard model clauses for transfer to third-party countries (the current bar set by the EU Commission). These clauses ensure our customers can transfer data to countries outside of the EEA for use in our system. Further, Outreach has DPAs in place with all sub-processors where legally required. If you need a DPA established with Outreach, please submit a support ticket in Zendesk.
Q: How can I submit an Access Request?
A: Submit an Access Request (CCPA)
Note: Only users with Admin privileges in your Outreach instance should submit an Access Request for consumer data.
- Access the Outreach Support Portal.
- Click Submit a Request.
- Select General Question from the Form dropdown menu.
- Select Other from the Feature Topic dropdown menu.
- Specify the request type in the Subject field.
Example Subject Line: Full Prospect Export.
- Input the Prospect’s email address in the Description field.
Note: If the request is for multiple prospects, list them in the description field.
Example Description: The UFoP is requesting the deletion of the following prospect’s data:
Tasha.firstname.lastname@example.org; email@example.com; and Wesley.firstname.lastname@example.org.
- Click Submit.
Note: Outreach will reply with a receipt of confirmation. The process will take up to 30 calendar days, and Outreach will update the support ticket as Resolved when the request is completed.
Q: How can I submit a Delete Request?
A: Please follow the guidance in this article
Q: How long does it take for a Delete/Access Request to be finalized?
A: Outreach may take up to 30 calendar days to complete a Delete/Access Request. Outreach will update the support ticket as Resolved when the request is completed.
Q: Why does a Delete Request take 30 calendar days?
A: When a Delete Request is submitted, Outreach will comprehensively delete a consumer’s personal information from all of its business systems, which is a more complex process than the in-app or API deletion features.
Note: Outreach asks organizations to submit their verified delete requests ASAP so that the request can be completed in a timely manner.
Q: Why do I need to use the Admin Compliance Delete instead of using Outreach's existing delete functionality?
A: Outreach's in-app and API delete functions will delete most but not all personal data in Outreach. Use of the Compliance Delete feature ensures that Outreach comprehensively scrubs personal information related to an individual from all of Outreach's systems.
Example: Data from Data Science and Voice recordings are not part of the existing in-app delete function, but will be accounted for in the compliance delete process.
Q: In what way is personal information deleted?
A: Data is either completely and fully deleted, de-identified, or aggregated.
Q: How will I know when my request is complete?
A: For an Export Request, Outreach will update the support ticket as Resolved and provide the requester with a confirmation message indicating completion as applicable. For a Delete Request, you will be able to view the status as noted in this document.
Q: What if a previously deleted Prospect re-subscribes to my organization and is re-added to Outreach?
A: The prospect will start fresh with a new history of activity, communications and new profile and personal data.
Q: In what format are data portability requests delivered?
A: Data portability requests are delivered in JSON.
If you would like more information about:
- Outreach Privacy Compliance Deletes
- CCPA - https://support.outreach.io/hc/en-us/articles/360040533054-California-Consumer-Privacy-Act-CCPA-FAQs
- GDPR - https://support.outreach.io/hc/en-us/articles/360003506553-GDPR-Compliance
- Opt-Out and Unsubscribe FAQs - https://support.outreach.io/hc/en-us/articles/360041469193-Opt-Out-and-Unsubscribe-FAQs
- Call Recording Laws and Regulations - https://support.outreach.io/hc/en-us/articles/220339488-Call-Recording-Laws-and-Regulations-US-and-International
- Blog about the differences between CCPA and GDPR - https://www.outreach.io/blog/difference-between-the-ccpa-gdpr
- Blog regarding GDPR readiness - https://www.outreach.io/blog/are-you-ready-for-gdpr
- Trust site, GDPR webpage - https://www.outreach.io/trust/gdpr-compliance
- GDPR product configuration document - https://www.outreach.io/assets/resources/Outreach-Meeting-GDPR-Plusses.pdf