Developers
Help CenterCommunityStatus

Perform CCPA and GDPR Right to Erasure with APIs

Removing records across the Acoustic Campaign database with the gdprerasure REST API

Suggest Edits

Acoustic Campaign provides APIs for data controllers to fetch a contact's data as part of Right of Access processing and submit erasure requests as part of Right to Erasure processing through a batched asynchronous job API. The responses from the asynchronous job are available for download for up to 3 days, after the job at which time the GDPR job responses are deleted as they can have personal data.

Before you begin

GDPR Lookup Keys must be specified within Acoustic Campaign. It is recommended to collate the requests so that minimum calls are made to Acoustic Campaign so that overall performance is not impacted for your organization.

Clients are responsible for ensuring their own compliance with various laws and regulations, including the European Union General Data Protection Regulation and the California Consumer Privacy Act. Clients are solely responsible for obtaining advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulations that may affect the clients’ business and any actions the clients may need to take to comply with such laws and regulations. The products, services, and other capabilities described herein are not suitable for all client situations and may have restricted availability. Acoustic does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

Database GDPR Lookup Key setup

Within your database, you are able to select up to 5 fields from the
GDPR LookUp Fields screen that you will use for GDPR lookups. To configure this setup, take these steps:

  1. Click Settings on the Database details screen.

  2. Select up to 5 fields you want to use as GDPR LookUp Fields by clicking the GDPR LookUp Fields tab.

📘

Note:

Lookup keys are a feature of Flexible Key databases and Email is used for the GDPR Lookup on Restricted databases.

Items of Importance

It is possible that a message is received after an opted-in data subject submits a Right to Erasure request to Acoustic. This occurs because the message was already scheduled for delivery prior to the Right to Erasure request being submitted.

Relational Table setup for Right to Erasure API call

For the Acoustic Campaign Automation Right to Erasure API to process the erasure of information from a Relational Table where the Relational Table has contact-specific personal data, you need to select the radio button next to Delete records in the Relational Table settings.

Job Submission API Request

Use the following API requests to call the GDPR Right to Erasure API.

Database – POST /databases/{databaseId}/gdpr_erasure

  1. Provide a database ID in the API request path to identify the database which the data subject will
    be removed from. To remove a data subject from more than one database, a unique call must be made for each database ID.
  2. The body of the POST must contain a CSV with one or more column names and the identifiers to be looked up for each column name. The content type will be ‘text/csv’. See the example below:

📘

Note:

Suppression lists are supported for erasure requests. Removing an email address from the suppression list creates some risk that the data subject will receive an email if another process, such as ImportList, adds the data subject back to a database.

Processing

Acoustic Campaign Automation /gdpr_erasure API will respond synchronously with a 202 – Accepted along with a response header named location which will have the URI for job status. (e.g. http://api-campaign-us-5.goacoustic.com/rest/gdpr\_jobs/{jobId}/status)

The GET method for /gdpr_jobs/{jobId}/status returns a high level status that indicates whether processing is:

  • WAITING
  • IN PROGRESS
  • COMPLETE
  • ERROR

When processing completes with a status of SUCCESS, the Acoustic Campaign status API response will also include a response header named ‘location’ having the URI for job results. (e.g. http://api-campaign-us-5.goacoustic.com/rest/gdpr\_jobs/{jobId}/response)

Erasure Processing when Database Id Provided

For each record, find any matching contacts (even if already soft deleted) in the specified database and perform the following:

  • Delete each contact record
  • For a Double Opt-In database, find any matching email addresses in the pre-opt-in database and remove them
  • Delete any Universal Behaviors for the contact
  • Notify the following sub-systems of the Right to Erasure request when relevant:
    • mGage (SMS)
    • Mobile Customer Engagement (Push Notifications)
    • Universal Behavior Exchange (UBX)
  • Save audit record of the request  

GDPR Right To Erasure job submission against a Marketing Database

Request Method
POST

Request URI

/databases/{databaseId}/gdpr_erasure

Sample URL

https://api-campaign-us-5.goacoustic.com/rest/databases/10091/gdpr\_erasure

Request Headers

  • Authorization: Bearer AcousticCampaign_ACCESS_TOKEN
  • Content-Type: text/csv;charset=UTF-8

📘

Note:

Addition of Content-Type header charset=UTF-8 is required when you use gdprIdentifiers with multibyte field name, if it is not included the request will fail.

Example: "gdprIdentifiers": [ { "name": "内部会員"...

Request Body – one identifier name-value pair on each line

 GDPR Lookup Key Column Name, GDPR Identifier Value

Sample Request Body

EMAIL,[email protected]
EMAIL,[email protected]
EMAIL,[email protected]
EMAIL,[email protected]

Successful Response

  • Status code: 202
  • Response Header includes Location to poll for job status

Sample value
Location:

 https://api-campaign-us-5.goacoustic.com/rest/gdpr\_jobs/33/status

Response Body

{
            “location”:
    “https://api-campaign-us-5.goacoustic.com/rest/gdpr\_jobs/33/status”,

            “id”: 33
     }

GDPR Get Job Status and Job Response

Request Method
GET

Request URI

 /gdpr_jobs/{jobId}/status

Sample URL

 https://api-campaign-us-5.goacoustic.com/rest/gdpr\_jobs/32/status

Request Headers
Authorization: Bearer AcousticCampaign_ACCESS_TOKEN

Successful Response

  • Status code: 303
  • Response Header includes Location to fetch job result/response

Sample value
Location:
https://api-campaign-us-5.goacoustic.com/rest/gdpr\_jobs/32/response

📘

Note:

Possible values for status: SUBMITTED, IN_PROGRESS, SUCCESS, FAILED

  1. When the job completes, the API returns the contact information processed by the job.
  2. Once the GDPR job is archived, clients get the job status 'SUCCESS' instead of the contact information processed by Job.

Sample response

Sample response 1:

{
        “databaseId”: 10091,
        “timestamp”: “2018-03-22T05:04:54.123Z”,
        “contacts”: [
            {
                “contactFound”: true,
                “contactDeleted”: true,
                “gdprIdentifiers”: [
                    {
                        “name”: “EMAIL”,
                        “value”: “[email protected]”
                    }
                ]
            },
            {
                “contactFound”: true,
                “contactDeleted”: true,
                “gdprIdentifiers”: [
                    {
                        “name”: “EMAIL”,
                        “value”: “[email protected]”
                    }
                ]
            },
            {
                “contactFound”: false,
                “contactDeleted”: false,
                “gdprIdentifiers”: [
                    {
                        “name”: “EMAIL”,
                        “value”: “[email protected]”
                    }
                ]
            }
        ]
    }

Sample response 2: 

“location”:
“http://localhost:8081/rest/gdpr\_jobs/32/status”,

  {
  "meta": {
    "attributes": {},
    "generalErrors": [],
    "fieldErrors": {},
    "links": [],
    "nextPageUrl": null
  },
  "data": {
    "status": "SUCCESS"
  }
}

Updated about 2 months ago