Articles in this section

See more

Privacy Compliance at Outreach

Avatar
Heather Wood
Updated
Follow

Overview

Please Note

This article discusses frequently asked questions regarding the CCPAGDPR, and other relevant privacy laws, and their potential impact on businesses. Though Outreach provides support to comply with privacy compliance requests that your organization receives, it is recommended you work with your company’s corporate lawyer to do a thorough review of all relevant privacy laws for your business and determine what operations requirements you might have. Outreach can then work with you to enable those requirements in our product.

Outreach is committed to providing privacy rights to all individuals. To demonstrate this Outreach have aligned our privacy program to the laws applicable for the jurisdictions Outreach operate in, and provide those rights across the board. To demonstrate our commitment, Outreach has also obtained our ISO 27701 certification. While Outreach operates in a few jurisdictions, Outreach decided to focus on the European Union’s (EU) General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) as these are the two most talked about Privacy laws at present.

GDPR and CCPA have many similarities. For starters, they both outline and enforce regulations regarding the personal data of individual consumers. Both require organizations to provide individuals access to their own personal data, as well as the right to have it deleted. And both are regional laws with global implications. The GDPR and CCPA also have several key differences. Read on for more information on the CCPA and GDPR are different.

Legal Disclaimer: Outreach applied our best understanding of the CCPA and GDPR when building this article. However, we are not equipped to provide comprehensive legal advice. To minimize risks, Outreach urges you to read the actual text of all privacy laws applicable to your business and seek the advice of your corporate attorney.

The CCPA vs. The GDPR

The most notable difference between the CCPA and GDPR is that the CCPA concerns residents in the US state of California, while the GDPR concerns citizens of the European Union (EU).

Here are 9 more key differences between the GDPR and CCPA:

GDPR CCPA
  • Covers any entity that processes the personal data of protected consumers/residents
  • Allows covered entities to establish equivalent mechanisms
  • More narrow definitions of Personal Information, and called Personal Data under GDPR
  • Outlines conditions for access and deletion requests
  • Looser restrictions for commercial sharing of personal data
  • Includes the right to correct errors in processed personal data
  • Include the right to stop automated decision making (i.e., the right to require a human to make decisions that have legal implications/effect)
  • Penalty limit set at 4% of global annual revenues or 20 mil euros, whichever is greater
  • No minimum or maximum for damages.
  • Applies only to businesses
  • Prescribes disclosures, communication channels, and other measures
  • Broader definition of Personal Information
  • Different conditions for access and deletion requests
  • More rigid restrictions for commercial sharing/"selling" of personal data
  • Does not expressly include the right to correct errors in processed personal data
  • Does not expressly include the right to stop automated decision making
  • While there is a limit on the fine of per person, per incident, there is no overall limit on regulator penalties
  • Sets minimum and maximum damage amounts ($100 to $750 per consumer per incident) for private actions against violators

 

Outreach & Privacy Requirements

The ways that Outreach are GDPR and CCPA-compliant include, but not limited to:

  • Outreach require an active banner on our website so that customers can control the "sale" of their data
  • Data is only “personal information” as long as it can be "reasonably linked" to an individual, and Outreach already had to review our data for GDPR to understand what is required to reasonably link a person in our backend
  • Outreach require our data processors to not further process personal information except as required to fulfill the processing activities
  • Outreach will respond to data access or deletion requests within a 30 calendar day period
  • Outreach have a “cookie banner” on our site as a notice before or at the point of collection of data
  • Outreach review our Privacy Policy and update if needed on an annual basis
  • Outreach do not discriminate against an individual that has exercised their rights under CCPA/GDPR

Additionally, Outreach signs Data Processing Agreements (DPA) with customers who need them. Where necessary, Outreach includes standard model clauses for transfer to third-party countries (the current bar set by the EU Commission). These clauses ensure our customers can transfer data to countries outside of the EEA for use in our system. Further, Outreach has DPAs in place with all sub-processors where legally required. If you need a DPA established with Outreach, please submit a support ticket in Zendesk. 

Submitting a CCPA Access Request

Note: Only users with Admin privileges in your Outreach instance should Submit an Access Request of consumer data.

  1. Access the Outreach Support Portal.
  2. Click Submit a Request
  3. Select General Question from the Form dropdown menu.
  4. Select Other from the Feature Topic dropdown menu.
  5. Specify the request type in the Subject field.
     Example Subject Line: Full Prospect Export.
  6. Input the Prospect’s email address in the Description field.
     Note: If the request is for multiple prospects, list them in the description field.
     Example Description: The UFoP is requesting the deletion of the following prospect’s data:
     Tasha.yar@ufop.com; geordi.laforge@ufop.com; and Wesley.crusher@ufop.com.
  7. Click Submit.

Note: Outreach will reply with a receipt of confirmation. The process will take up to 30 calendar days, and Outreach will update the support ticket as Resolved when the request is completed. 

Other Frequently Asked Questions

Q: How can I submit a Delete Request?

A: Please follow the guidance in this article.

Q: How long does it take for a Delete/Access Request to be finalized?

A: Outreach may take up to 30 calendar days to complete a Delete/Access Request. Outreach will update the support ticket as Resolved when the request is completed.

Q: Why does a Delete Request take 30 calendar days?

A: When a Delete Request is submitted, Outreach will comprehensively delete a consumer’s personal information from all of it’s business systems which is a more complex process than the in-app or API deletion features. 

Note: Outreach requests organizations to submit their verified delete requests ASAP in order to complete the request in a timely manner. 

Q: Why do I need to use the Admin Compliance Delete instead of using Outreach's existing delete functionality?

A: Outreach's in-app and API delete functions will delete most but not all personal data in Outreach. Use of the Compliance Delete feature ensures that  Outreach comprehensively scrubs personal information related to an individual from all of Outreach's systems. 

Example: Data from Data Science and Voice recordings are not part of the existing in-app delete function, but will be accounted for in the compliance delete process.  

Q: In what way is personal information deleted?

A: Data is either completely and fully deleted, de-identified, or aggregated.

Q: How will I know when my request is complete?

A: For an Export Request, Outreach will update the support ticket as Resolved and provide the requester with a confirmation message indicating completion as applicable. For a Delete Request, you will be able to view the status as noted in this document. 

Q: What if a previously deleted Prospect re-subscribes to my organization and is re-added to Outreach?

A: The prospect will start fresh with a new history of activity, communications and new profile and personal data.

Q: In what format are data portability requests delivered?

A: Data portability requests are delivered in JSON.

Additional Resources

Related articles