How to fulfill CCPA compliance requests without manual data removal

By Nick Hawkins

Operations professionals: Learn how to meet stringent California Consumer Privacy Act (CCPA) compliance requirements with an automated process for data removal.

CCPA is a new piece of California legislation set to take effect at the start of 2020. Similar to GDPR, it establishes far-reaching regulations to give consumers more control over their data. One key element of CCPA compliance is honoring requests by California residents to view and remove their personal data. Unfortunately, in many cases, removing data is easier said than done. Often, customer and prospect data can exist in different forms, siloed across various applications across your tech stack.

In this post, we’ll teach you how to design a single process for managing CCPA requests that removes consumer data from all your systems without manual effort. To do this, we’ll use a General Automation Platform (GAP), a low-code solution that lets you easily integrate your tech stack by dragging and dropping while automating mission-critical business processes involving multiple cloud applications.

Watch on-demand demo: Automating data removal with GAPs

Walkthrough: Automating your CCPA compliance requirements

While you can apply similar processes to any number of platforms that store customer data (if there’s a data source, a GAP can connect to it), we’ll specifically focus on removing customer data from your CRM (we use Salesforce). We’ve separated that process into three stages:

  1. Receiving deletion request and staging removal - First, we’ll collect contact information from the deletion request using a webhook. Then, after doing a quick check to ensure the validity of the email, we’ll trigger processes across our stack to remove any related data.
  2. Removing leads and contacts from CRM - In our CRM, we’ll check for any matching leads. If we find a matching lead, we scrub our database of the record. We’ll repeat the same process for identifying contacts to ensure we’ve removed all relevant data.
  3. Sending confirmation - Once we’ve checked for all applicable records, we format and send a confirmation message using our internal communications tool, Slack.

Stage 1: Receiving deletion request and staging removal

Many modern MarTech stacks rely on a combination of best-in-breed systems to tap into data to create a highly personalized buyer’s journey. This presents a challenge in ensuring data governance at scale, since any individual’s data might exist in multiple systems. The revenue team at workforce management leader Deputy encountered a similar challenge when manually deleting customer data across multiple platforms in response to GDPR requests.

With general automation, the Deputy team was able to consolidate and automate data removal, all from a single form. Let’s see what that looks like:

CCPA Automation 0

Form trigger - To start off our workflow, we use a form trigger, which captures the requester’s email to be removed from our records. Once they submit, we’ll send a confirmation email directly to the requester.

Send confirmation - Our confirmation email serves to make sure that we can verify the requester’s ownership of that address, an essential element of CCPA deletion requests. The email contains a confirmation link, which will confirm the recipient and allow us to commence with data removal.

CCPA Automation 1 Routing email submissions to data hubs

Webhook trigger - Now, we use a webhook, which activates when our requestor has clicked on the link to confirm that they have access to the email they are seeking to remove from our records.

Valid email? - Next, our workflow uses a Boolean (true/false) helper to confirm the email address is valid. Our confirmation prevents errors later in the workflow stemming from incorrect data. If the email is indeed valid, we proceed with data removal.

Scrub data from X data source - Here, we can route our request to any number of systems, including customer data platforms (like Segment) and web chat services (like Intercom), to remove customer data. Using automation, we can not only save considerable resources, but we can also ensure that deletion is comprehensive and free of manual errors.

Stage 2: Removing leads and contacts from CRM

To remove customer data from our CRM, we’ll need to check for both associated leads and contacts. Here’s what the process looks like for contact removal:

CCPA Automation 2 Finding and removing any matching contacts

Find contacts - First, we search the existing records in our CRM to find any matching leads. If we find a contact, we pass its details into our workflow.

Contact found? - Next, we use a Boolean helper to route our workflow to one of two outcomes:

  • If we find a matching contact, then we perform an additional check to see if the requester is the main point of contact for an open contract or account. If so, we’ll send an alert to our sales team to let them know that we need to reach out and find a new point of contact. If not, we delete the record in our CRM, and append a confirmation to the final message.
  • If we don’t find a matching contact, then append ‘no matching records found’ to the final message.

We’ll repeat the same logic to find, delete, and confirm any matching leads in our CRM to ensure full CCPA compliance.

Stage 3: Sending confirmation

After we’ve removed the records from our CRM, we’ll need to deliver a final confirmation message to our end user, which informs them of the status of the deletion request.

CCPA Automation 4 Formatting and sending confirmation message

Append to message - Here, we combine the results from our check for leads with our check for contacts using a data storage helper.

Deliver confirmation - Finally, we deliver our confirmation to our internal user, which looks something like this:

CCPA Automation X Record deletion confirmation

What’s next: Automate & integrate your entire compliance strategy

Now, you’ve learned how to automatically fulfill data removal requests within your organization using a single, comprehensive process that requires no manual work. But removal requests aren’t the only asks your team will need to honor to achieve CCPA compliance. You will also need to provide customers a copy of their personal data upon request.

Luckily, the flexibility of a GAP can account for these conditions, and instead route those requests through a process that extracts and delivers personal data to your customers. While we won’t cover that logic in this post, you can uncover more ways to automate fundamental business processes by signing up for our next weekly group demo.