Perform CCPA and GDPR Right to Erasure with APIs
Removing records across the Acoustic Campaign database with the gdprerasure REST API
Acoustic Campaign provides APIs for data controllers to fetch a contact's data as part of Right of Access processing and submit erasure requests as part of Right to Erasure processing through a batched asynchronous job API. The responses from the asynchronous job are available for download for up to 3 days, after the job at which time the GDPR job responses are deleted as they can have personal data.
Before you begin
GDPR Lookup Keys must be specified within Acoustic Campaign. It is recommended to collate the requests so that minimum calls are made to Acoustic Campaign so that overall performance is not impacted for your organization.
Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation and the California Consumer Privacy Act. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. Acoustic does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.
Database GDPR Lookup Key setup
Within your database, you are able to select up to 5 fields from the
GDPR LookUp Fields screen that you will use for GDPR lookups. To configure this setup, take these steps:
-
Click Settings on the Database details screen.
-
Select up to 5 fields you want to use as GDPR LookUp Fields by clicking the GDPR LookUp Fields tab.
Note:
Lookup keys are a feature of Flexible Key databases and Email is used for the GDPR Lookup on Restricted databases.
Items of Importance
It is possible that a message is received after an opted-in data subject submits a Right to Erasure request to Acoustic. This occurs because the message was already scheduled for delivery prior to the Right to Erasure request being submitted.
Relational Table setup for Right to Erasure API call
For the Acoustic Campaign Automation Right to Erasure API to process the erasure of information from a Relational Table where the Relational Table has contact-specific personal data, you need to select the radio button next to Delete records in the Relational Table settings.
Job Submission API Request
Use the following API requests to call the GDPR Right to Erasure API.
Database – POST /databases/{databaseId}/gdpr_erasure
- Provide a database ID in the API request path to identify the database which the data subject will
be removed from. To remove a data subject from more than one database, a unique call must be made for each database ID. - The body of the POST must contain a CSV with one or more column names and the identifiers to be looked up for each column name. The content type will be ‘text/csv’. See the example below:
-
“MobileNumber”,“15063434670”
-
“MobileNumber”,“15066754325”
-
“Email”,”[email protected]”
-
“MobileNumber”,“18884266840”
-
“Email”,”[email protected]”,
-
“Email”,”[email protected]”
Note:
Suppression lists are supported for erasure requests. Removing an email address from the suppression list creates some risk that the data subject will receive an email if another process, such as ImportList, adds the data subject back to a database.
Processing
Acoustic Campaign Automation /gdpr_erasure API will respond synchronously with a 202 – Accepted along with a response header named location which will have the URI for job status. (e.g. http://api-campaign-us-5.goacoustic.com/rest/gdpr\_jobs/{jobId}/status)
The GET method for /gdpr_jobs/{jobId}/status returns a high level status that indicates whether processing is:
- WAITING
- IN PROGRESS
- COMPLETE
- ERROR
When processing completes with a status of SUCCESS, the Acoustic Campaign status API response will also include a response header named ‘location’ having the URI for job results. (e.g. http://api-campaign-us-5.goacoustic.com/rest/gdpr\_jobs/{jobId}/response)
Erasure Processing when Database Id Provided
For each record, find any matching contacts (even if already soft deleted) in the specified database and perform the following:
- Delete each contact record
- For a Double Opt-In database, find any matching email addresses in the pre-opt-in database and remove them
- Delete any Universal Behaviors for the contact
- Notify the following sub-systems of the Right to Erasure request when relevant:
- mGage (SMS)
- Mobile Customer Engagement (Push Notifications)
- Universal Behavior Exchange (UBX)
- Save audit record of the request
GDPR Right To Erasure job submission against a Marketing Database
Request Method
POST
Request URI
/databases/{databaseId}/gdpr_erasure
Sample URL
https://api-campaign-us-5.goacoustic.com/rest/databases/10091/gdpr\_erasure
Request Headers
- Authorization: Bearer AcousticCampaign_ACCESS_TOKEN
- Content-Type: text/csv;charset=UTF-8
Note:
Addition of Content-Type header
charset=UTF-8
is required when you use gdprIdentifiers with multibyte field name, if it is not included the request will fail.Example: "gdprIdentifiers": [ { "name": "内部会員"...
Request Body – one identifier name-value pair on each line
GDPR Lookup Key Column Name, GDPR Identifier Value
Sample Request Body
EMAIL,[email protected]
EMAIL,[email protected]
EMAIL,[email protected]
EMAIL,[email protected]
Successful Response
- Status code: 202
- Response Header includes Location to poll for job status
Sample value
Location:
https://api-campaign-us-5.goacoustic.com/rest/gdpr\_jobs/33/status
Response Body
{
“location”:
“https://api-campaign-us-5.goacoustic.com/rest/gdpr\_jobs/33/status”,
“id”: 33
}
GDPR Get Job Status and Job Response
Request Method
GET
Request URI
/gdpr_jobs/{jobId}/status
Sample URL
https://api-campaign-us-5.goacoustic.com/rest/gdpr\_jobs/32/status
Request Headers
Authorization: Bearer AcousticCampaign_ACCESS_TOKEN
Successful Response
- Status code: 303
- Response Header includes Location to fetch job result/response
Sample value
Location:
https://api-campaign-us-5.goacoustic.com/rest/gdpr\_jobs/32/response
Note:
Possible values for status: SUBMITTED, IN_PROGRESS, SUCCESS, FAILED
- When the job completes, the API returns the contact information processed by the job.
- Once the GDPR job is archived, clients get the job status 'SUCCESS' instead of the contact information processed by Job.
Sample response
Sample response 1:
{
“databaseId”: 10091,
“timestamp”: “2018-03-22T05:04:54.123Z”,
“contacts”: [
{
“contactFound”: true,
“contactDeleted”: true,
“gdprIdentifiers”: [
{
“name”: “EMAIL”,
“value”: “[email protected]”
}
]
},
{
“contactFound”: true,
“contactDeleted”: true,
“gdprIdentifiers”: [
{
“name”: “EMAIL”,
“value”: “[email protected]”
}
]
},
{
“contactFound”: false,
“contactDeleted”: false,
“gdprIdentifiers”: [
{
“name”: “EMAIL”,
“value”: “[email protected]”
}
]
}
]
}
Sample response 2:
“location”:
“http://localhost:8081/rest/gdpr\_jobs/32/status”,
{
"meta": {
"attributes": {},
"generalErrors": [],
"fieldErrors": {},
"links": [],
"nextPageUrl": null
},
"data": {
"status": "SUCCESS"
}
}
Updated 10 months ago