The European Union (EU) General Data Protection Regulation (GDPR) is a regulatory framework that was designed to harmonize data privacy across Europe, to protect personal data, and empower individuals there in making choices about what and how data identifying and about them is used by businesses. The GDPR has reshaped the way organizations across the region and beyond approach data privacy. This post provides insights into the data collection and storage approach used in Acoustic Personalization in relation to GDPR compliance.
How Personalization handles data collection
Personalization analyzes actions (behavior events) that a client’s end user performs in a channel (website, email, mobile applications) to create a representation of that user or a user profile. The summary of events for each individual user profile is stored with reference to a random user ID (known as the x1ID), which is replaced with a hash value. Personalization does not store any Personally Identifiable Information (PII) data in the product database. Visitor behavior is stored in the Local Storage under the key, acousticPZN.
The behavior events associated with each user profile are used to determine membership of that visitor into audiences defined by the marketer. Personalization applies algorithms to aggregate the visitor's behavior events and attributes into a format that can be used to determine audience membership, deliver content that is relevant to their audience, generate reports, and perform additional analysis.
End users can delete the data associated with their x1ID persisting in their web browser’s local storage, by clearing the browser’s cache.
Right to erasure in Acoustic Personalization
By eliminating the connection between the random user ID (x1ID) and other known identifiers, Personalization effectively de-identifies the data, making it anonymous and thus rendering it outside the scope of personal data as defined by GDPR. The hashing algorithm applied to the x1ID is a one-way process that cannot be reversed. In other words, there is no way to “re-identify” the data. Under GDPR, effective anonymization is equivalent to erasure. Because Personalization effectively anonymizes PII, it is not necessary to execute erasure requests. Other products with access to PII in the Acoustic Marketing Cloud can execute erasure requests as needed.
Right to erasure and access with Acoustic Exchange
Personalization gets data from Acoustic Exchange, which allows the use of data drawn from different tools, environments and organizations to connect customer identities across customer journeys. Since Acoustic Personalization leverages Exchange for identity management, you may also be interested in Exchange's adherence to GDPR policies and tools for managing your compliance. Whether you accept the right to erasure or right of access requests from individuals via a web portal, call center, or any other process, you can use the Acoustic Exchange GDPR APIs to process those requests in batch. Learn more
Clients are solely responsible for ensuring their own compliance with various laws and regulations, including the GDPR. Likewise, clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect their businesses and any actions the clients may need to take or refrain from taking to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for, and may not be available in, all client use cases. Acoustic does not provide legal, accounting or auditing advice, or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.