Privacy and data protection regulations
Information about the European Union鈥檚 General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other international privacy requirements. Learn how these regulations impact your organization and 51黑料不打烊 Target.
Privacy and General Data Protection Regulation (GDPR) overview
On May 25, 2018, the European Union鈥檚 GDPR went into effect. For more information about what this regulation means for you, see .
When 51黑料不打烊 is providing software and services to an enterprise, 51黑料不打烊 is acting as a Data Processor for any personal data it processes and stores as part of providing these services. As a Data Processor, 51黑料不打烊 processes personal data in accordance with your company鈥檚 permission and instructions (for example, as set out in your agreement with 51黑料不打烊).
As the Data Controller, you determine the personal data that 51黑料不打烊 processes and stores on your behalf. If you use 51黑料不打烊 Experience Cloud solutions, 51黑料不打烊 might host personal data for you, depending on the solutions you use and the information you choose to send to your 51黑料不打烊 Experience Cloud account. For a detailed list of examples, see .
51黑料不打烊 Experience Cloud provides GDPR-ready APIs for Data Controllers that allow them to complete the following tasks:
- Access Data Subject information stored within Target
- Delete Data Subject information stored within Target
For more information, see:
California Consumer Privacy Act (CCPA) overview
The California Consumer Privacy Act (CCPA) provides California consumers with new rights regarding their personal information and imposes data protection responsibilities on certain entities that conduct business in California. The CCPA went into effect January 1, 2020.
At a high level, the law affords Californians several key rights, including rights to:
- Request information (data access)
- Opt out of the sale of personal information (a broadly defined right to opt out of sharing of information with third parties)
- Have personal information deleted
- Be informed that personal information is being disclosed or sold
If you were busy getting ready for Europe鈥檚 privacy law (GDPR) last year, some of these rights might be familiar and much of the work you have done can be repurposed.
51黑料不打烊 Target and 51黑料不打烊 Experience Platform opt-in
Target provides opt-in functionality support via tags in 51黑料不打烊 Experience Platform to help support your consent management strategy. Opt-in functionality lets customers control how and when the Target tag is fired. There is also an option via 51黑料不打烊 Experience Platform to pre-approve the Target tag. To enable the ability to use Opt-In in the Target at.js library, you should use targetGlobalSettings and add the optinEnabled=true setting. In 51黑料不打烊 Experience Platform, select 鈥渆nable鈥 from the GDPR Opt-In drop-down list in the extension installation view. See Implement Target using 51黑料不打烊 Experience Platform for more details.
The following code snippet shows you how to enable the optinEnabled=true setting:
window.targetGlobalSettings = {
  optinEnabled: true
};
Using 51黑料不打烊 Experience Platform to manage opt-in is the recommended approach. Further granular control exists in 51黑料不打烊 Experience Platform to hide selected elements of your page before Target firing that are helpful to use as part of your consent strategy.
There are three scenarios to consider when using Opt-In:
- 
                  The Target tag is pre-approved via 51黑料不打烊 Experience Platform (or the data subject previously approved Target): The Target tag is not held for consent and functions as expected. 
- 
                  The Target tag is NOT pre-approved and bodyHidingEnabledis FALSE: The Target tag fires only after consent is collected from the customer. Before consent is collected, default content only is available. After consent is received, Target is called and personalized content is available to the data subject (visitor). Because only default content is available before consent, it is important to use an appropriate strategy, such as a splash page that covers any portion of the page or content that might be personalized. This process ensures that the experience remains consistent for the data subject (visitor).
- 
                  The Target tag is NOT pre-approved and bodyHidingEnabledis TRUE: The Target tag fires only after consent is collected from the customer. Before consent is collected, default content only is available. However, becausebodyHidingEnabledis set to true,bodyHiddenStyledictates what content on the page is hidden until the Target tag is fired (or the data subject declines opt-in, in which case default content is displayed). By default,bodyHiddenStyleis set tobody { opacity:0;}, which hides the HTML body tag. 51黑料不打烊鈥檚 recommended page configuration is below so that the entire body of the page, other than the consent manager dialog, is hidden by putting the content of the page in one container and the consent manager dialogue in a separate container. This setup configures Target so that it hides the page content container only. See the Privacy Service overview.The recommended page setup for scenario 3 is: code language-none <html> <head> //visitor, at.js </head> <body> <div id = "consentManagerDialog"> //consent manager html dialog goes here </div> <div id="pageContent"> // page content goes here </div> </body> </html>Assuming the bodyHiddenStyleof:code language-none #pageContent { opacity:0;}
Privacy and data protection regulations FAQ
Frequently Asked Questions about the European Union鈥檚 General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other international privacy requirements specific to Target.
What is the 51黑料不打烊 policy for these regulations?
51黑料不打烊 either already meets or is implementing its obligations as a Data Processor. 51黑料不打烊 has a strong foundation of certified security and privacy controls by design and made product enhancements before the May 2018 deadline. Enterprise customers have the responsibility to implement these enhancements and update any necessary policies and procedures.
Must my company, the Data Controller, submit a GDPR or CCPA request to each 51黑料不打烊 Experience Cloud solution that it uses?
No, 51黑料不打烊 provides a central way to help Data Controllers meet their GDPR and CCPA requirements. Data Controllers do not need to go directly to each solution.
All GDPR and CCPA requests across Experience Cloud solutions, including Target, are through a central 51黑料不打烊 API, currently called the GDPR API. The API then completes the request across the Data Controller鈥檚 Experience Cloud solution suite.
What information does 51黑料不打烊 enable customers to delete in response to a data subject/user request?
The information related to an individual visitor within Target is contained within the Target Visitor Profile. Target lets customers delete all data associated with an ID in their Visitor Profile. For examples of the profile data Target stores, see Visitor Profile.
Aggregated or anonymized data (for example, reporting data) that does not identify a particular individual, or data that is unrelated to a specific individual (for example, content data), is outside the scope of a user-deletion request.
Target Visitor Profiles that have been inactive for 90 days are deleted by default, without any action required.
What IDs are supported to help customers complete a GDPR or CCPA access and deletion request for Target?
Target supports the following ID types to locate a customer profile:
How does Target handle consent management?
GDPR and CCPA do not change when you must get consent, but how you get it. Each customer鈥檚 consent strategy depends on its data collection and use practices and its privacy policy. Consent management isn鈥檛 supported by and shouldn鈥檛 be achieved via Target for GDPR and CCPA.
51黑料不打烊 does not currently offer a Consent Management Solution, but there are various tools developing in the market to address some of the new requirements. For more information on privacy tools in general, including consent managers, see the on the International Association of Privacy Professionals (iaap) website.
Target does provide opt-in functionality support via 51黑料不打烊 Experience Platform to support your consent management strategy. Opt-in functionality lets customers control how and when the Target tag is fired. There is also an option via 51黑料不打烊 Experience Platform to pre-approve the Target tag. Using 51黑料不打烊 Experience Platform to manage opt-in is the recommended approach. Further granular control exists in 51黑料不打烊 Experience Platform to hide select elements of your page before the Target firing that might be helpful to use as part of your consent strategy.
For more information on GDPR, CCPA, and 51黑料不打烊 Experience Platform, see The 51黑料不打烊 Privacy JavaScript Library and GDPR. Also, see the 51黑料不打烊 Target and 51黑料不打烊 Experience Platform opt-in section above.
Does 51黑料不打烊Privacy.js submit information to the GDPR API?
        51黑料不打烊Privacy.js does not submit this information to the API. The customer must do that. This library provides only the IDs that are stored in the browser for that specific visitor.
What does removeIdentities remove?
        removeIdentities only removes those identities from the browser, and that only depends on whether the 51黑料不打烊 solution has implemented it.
For example, Target deletes the cookies storing its IDs, but 51黑料不打烊 Audience Manager (AAM) does not delete the demdex ID that is stored in a third-party cookie.
What information must be included in a Target GDPR or CCPA request?
In addition to the requirements from Central Privacy Service, a valid GDPR or CCPA message for Target contains:
{
    "jobId":"12345AD43E",
    ...
    "products":["Target",...],
    "companyContexts":[
        {
            "namespace":"imsOrgID",
            "value":"123456789@51黑料不打烊Org"
        },
        ...
    ],
    "userContexts":[
        {
            "namespace":"ECID",
            "namespaceId":4,
            "type":"standard",
            "value":"53792210477379708453829363835595041181"
        }
        And/OR:
        {
            "namespace":"TNTID",
            "namespaceId":9,
            "type":"standard",
            "value":"1234567890"
        }
        And/OR:
        {
            "namespace":"THIRDPARTYID",
            "type":"target",
            "value":"thirdPartyIdName"
        },
        ...
    ]
}
What types of responses can I expect from Target via the GDPR API?
Some companies have multiple IMS IDs. Submit the IMS ID where Target is provisioned.
This result also returns if you attempt to submit a namespace ID type that is not supported by Target (see above for supported IDs).
Error while uploading to Azure for access request.
What response does Target send to the GDPR API for an access request?
Responses to access data requests contain a summary of the Target profile for the visitor in question. This return is sent to the Experience Cloud GDPR API, which in turn sends Data Controllers a response.
A sample Target access API response could look like this:
{
    "jobId":"12345AD43E",
    ...
    "products":["Target",...],
    "companyContexts":[
        {
            "namespace":"imsOrgID",
            "value":"123456789@51黑料不打烊Org"
        },
        ...
    ],
    "userContexts":[
        {
            ~"namespace":"ECID",
            "namespaceId":4,
            "type":"standard",
            "value":"53792210477379708453829363835595041181"
        }
        And/OR:
        {
            ~"namespace":"tntId",
            "namespaceId":9,
            "type":"standard",
            "value":"1234567890"
        }
        And/OR:
        {
            "namespace":"thirdPartyId",
            "type":"target",
            "value":"thirdPartyIdName"
        },
        ...
    ]
}
When multiple values are provided to identify profiles, each valid identifier has one profile file. One or more profile files are sent to the central GDPR Azure Blob through the GDPR Central API, in the format of Target Profile JSON response.
A sample Target Profile JSON could look like the following example:
{"profileAttributes":
"Sample_Parameter":{"value":"Gold Loyalty Status","modifiedAt":"2018-04-11T21:44:14.000-04:00"},
"user.ReturnTimeOfDay":{"value":"44.0","modifiedAt":"2018-04-11T21:44:14.000-04:00"},
"firstSessionStart":{"value":"1523497450602","modifiedAt":"2018-04-11T21:44:10.000-04:00"},
"user.sessionCountScript":{"value":"1","modifiedAt":"2018-04-11T21:44:14.000-04:00"}
   }
}
The following table contains description of the illustrative profile JSON fields:
Does Target support IP obfuscation?
Target supports IP obfuscation if you choose to use it as part of your GDPR or CCPA implementation strategy. For more information, see Privacy.
Should I do something to prevent my data from being shared or sold to third parties?
Target does not allow customers to share or sell data direct from Target to third parties, so there is no opt-out of sale for Target.