Types of privacy requests

Transcend can trigger a number of different privacy requests in your system, and automatically fulfill these requests via API. We'll describe them in detail here, as well as how you can build the respective routes into your API.

Transcend prefers a global access endpoint such that, when called, your API will return all data associated with a given user's key identifier (most commonly email). This endpoint will be used to automatically fulfill data subject access requests (DSARs).

There are many ways to implement this global access request. Some example partners that did a good job with this include:

  • Optimizely allows users to make an access request via their API. Their API returns information about where the data export location will be. Note that it allows granularity in both the type of request (e.g. GDPR vs. CCPA) and the type of user (website visitor or Optimizely user).

If the personal data that your company processes is well-structured, like in the case of Twilio, it is fine that your API just exposes simple ways of interacting with the various tables and structured data relating to users. In Twilio's case, they expose routes to check on call logs that reference particular phone numbers, and from the API response given by this call log access Transcend can dig up recordings and related data about customer interactions.

Transcend prefers a global deletion endpoint such that, when called, your API will purge all data associated with a given user's key identifier (except for data your company claims exemptions on). This erasure route can be configured as asynchronous.

There are many ways to implement erasure request endpoints as well. Segment has a protocol that we find very friendly. They have an endpoint for initiating an erasure request and then have a separate endpoint for checking up on the status of that request. They allow for data to be erased or erased and suppressed (preventing further tracking).

There are a few different types of opt-out requests covered under existing data privacy regulations. They are as follows:

  1. Do not contact - opts users out of email, text, and mail communications.
  2. Do not track - opts users out of further web analytics tracking.
  3. Do not sell my personal information - opts users out of the anonymized and non-anonymized sale of their data.
  4. Do not process - relates directly to Article 9 of the GDPR and only applies to businesses processing certain types of data.

There are many ways of implementing opt-out requests. Delighted is a good example to look to for the simple but common case of opting a user out of contact lists.