Purpose:
The purpose of this article is to provide information to Outreach Users regarding California Consumer Privacy Act (CCPA) compliance.
Notes:
- This article discusses the frequently asked questions regarding the CCPA and the regulation’s impact on businesses using the Outreach product. Though Outreach provides support to comply with CCPA requests that your organization receives, it is recommended a thorough review of the CCPA be conducted and you address any legal questions with your company’s corporate lawyer as applicable.
California Consumer Privacy Act (CCPA) FAQs:
Q: What is CCPA?
A: The California Consumer Privacy Act is a consumer rights law that went into effect January 1, 2020. The new gives California residents consumer privacy rights such as what information of theirs is being used, how their information is sold and shared, and the right to have their information removed from an organization's systems.
The following table illustrates the rights that are most relevant to how organizations will be impacted by the CCPA in conjunction with use of Outreach’s product, what to expect from their consumers, and how Outreach, as a “service provider,” or “data processor” will comply with requests.
| Consumer Rights | Description | What Outreach Does |
|---|---|---|
| Request to Delete | Consumers may request that a business delete their personal information from their systems. | Outreach provides a self service function for Outreach Admins to complete compliance delete requests. |
| Request to Know | Consumers may request a report detailing the personal information a business collects on them. | Outreach accepts an organization's export requests (i.e. Request to Access) via a support ticketing process in Zendesk and returns a full report upon completion of the request. |
| Request to Opt-Out | Consumers may opt out of the sale of their personal information. | Outreach does not sell personal information; however, organizations should consider reaching out to any applications integrated with Outreach to inquire about their privacy policies and agreements in place. |
Q: What does CCPA mean for my business?
A: If your business collects personal information on California residents, these individuals can begin exercising their rights on January 1, 2020
Q: Does Outreach sell consumer data?
A: While Outreach doesn't sell consumer data, CCPA may consider the scenario wherein organizations connecting third party integrations to Outreach, where a subsequent "exchange" of data may be considered a "sale." Consult with your company's corporate lawyer to determine if this scenario meets yours and CCPA's definition of the sale of data.
Organizations should also reach out to third party application integrations to inquire about their privacy policies and legal agreement as they relate to data sharing and use and make any CCPA requests to them directly.
Q: Can I submit a Do Not Sell Request?
A: Outreach does not sell personal consumer information; however organizations should reach out to any applications integrated with Outreach.
Q: What Outreach data is in scope for CCPA?
A: All personal information held in your instance of Outreach.
Q: Can consumers make direct requests to Outreach?
A: No. Outreach is a “service provider”; therefore, organizations using the Outreach platform will receive requests from individuals and need to filter their requests to Outreach as applicable.
In instances where Outreach is a data controller and Outreach has a relationship with an individual individual may make a privacy request directly to Outreach.
Q: Who can Submit an Access Request to Outreach?
A: Outreach users with Admin permissions are able to Submit an Access Request. This is not self serve at this time.
Q: Who can Submit a Delete Request to in the Outreach product?
A: Outreach users with Admin permissions are able to Submit a Delete Request in the Admin tools in the Outreach product, which is a self serve feature.
Q: How can I Submit an Access/Delete Request?
Submit an Access/Delete Request (CCPA)
Note: Only users with Admin privileges in your Outreach instance should Submit an Access/Delete Request of consumer data.
- Access the Outreach Support Portal.
- Click Submit a Request.
- Select General Question from the Form dropdown menu.
- Select Other from the Feature Topic dropdown menu.
- Specify the request type in the Subject field.
Example Subject Line: Full Prospect Export. - Input the Prospect’s email address in the Description field.
Note: If the request is for multiple prospects, list them in the description field.
Example Description: The UFoP is requesting the deletion of the following prospect’s data:
Tasha.yar@ufop.com; geordi.laforge@ufop.com; and Wesley.crusher@ufop.com. - Click Submit.
Note: Outreach will reply with a receipt of confirmation. The process will take up to 30 calendar days, and Outreach will update the support ticket as Resolved when the request is completed.
Q: How can I Submit a Delete Request?
A: Please follow the guidance in this article
Q: How long does it take for a Delete/Access Request to be finalized?
A: Outreach may take up to 30 calendar days to complete a Delete/Access Request. Outreach will update the support ticket as Resolved when the request is completed.
Q: Why does a Delete Request take 30 calendar days?
A: When a Delete Request is submitted, Outreach will comprehensively delete a consumer’s personal information from all of it’s business systems which is a more complex process than the in-app or API deletion features.
Note: Outreach requests organizations to submit their verified delete requests ASAP in order to complete the request in a timely manner.
Q: Why do I need to use the Admin Compliance Delete instead of using Outreach's existing delete functionality?
A: Outreach's in-app and API delete functions will delete most but not all personal data in Outreach. Use of the Compliance Delete feature ensures that Outreach comprehensively scrubs personal information related to an individual from all of Outreach's systems.
Example: Data from Data Science and Voice recordings are not part of the existing in-app delete function, but will be accounted for in the compliance delete process.
Q: In what way is personal information deleted?
A: Data is either completely and fully deleted, de-identified, or aggregated.
Q: How will I know when my request is complete?
A: For an Export Request, Outreach will update the support ticket as Resolved and provide the requester with a confirmation message indicating completion as applicable. For a Delete Request, you will be able to view the status as noted in this document.
Q: What if a previously deleted Prospect re-subscribes to my organization and is re-added to Outreach?
A: The prospect will start fresh with a new history of activity, communications and new profile and personal data.
Additional Resources:
California Consumer Privacy Act
© 2019 Outreach.io