In your capacity as a Data Controller, you are responsible for reaching out to your users to provide clear and transparent notice regarding the processing of user personal data and the use of cookies, and how your users can clear cookies and local storage data in their browsers to prevent any further data collection. You are responsible for complying with user privacy rights under data privacy regulations, including in relation to:
- The right of access
- The right to be forgotten (deletion)
- Consent withdrawal
Nevertheless, as your Data Processor, Dynamic Yield offers a suite of solutions to help you manage these user privacy rights, and meet your obligations under data privacy regulations. More specifically, when an access or deletion request is submitted for one or more users, Dynamic Yield scans its entire database and retrieves or deletes (as appropriate) personal data (as defined in Data Privacy Overview: Personal data that we process on your behalf) that can be tied to users or their devices.
Right of access
The Dynamic Yield user-export API enables you to request the retrieval of all personal data associated with any user who has requested a copy of their data. As a data processor, Dynamic Yield ensures access requests are fully and thoroughly handled to help you meet your obligations under applicable data privacy regulations.
From the time we receive a request, the process can take up to one week, depending on the number of users for whom information is requested in the API call and the users' volume of activity on your website during the past year. The data is exported in CSV format and bundled into a password-protected zip file that’s stored for 96 hours in a secure S3 bucket, accessible only to you.
To make a data export request
In Experience OS
- Go to Settings › Privacy Center.
- In the The Right of Access block, click Export User Data.
- In the Export User Data panel, click Generate Credentials to ensure you have access to your dedicated S3 bucket, to which all user data will be exported.
- Make sure to copy the access information and save it in a secure location. This information can only be obtained one more time. After that, if you need to access the credentials again, you'll have to contact your Dynamic Yield account team for help.
- Copy your API key from the Export User Data via API block.
Make your API call
- Use the appropriate endpoint based on which data center you use:
- US: https://data-privacy.dynamicyield.com/export-users
- EU: https://data-privacy-eu.dynamicyield.com/export-users
- In the request body, include the following parameters:
- cuids: You can pass up to 20 CUIDs (customer unique identifiers, typically a user's plaintext email address or any other type of CUID value you use to identify users in your section).
- cuid_type: For plaintext email addresses, pass "email" as the cuid_type. For all other types, indicate the cuid type that's reported to Dynamic Yield upon user identification onsite. Note that you can pass the plaintext email address even if the addresses passed onsite are in their hashed version.
curl --location --request POST 'https://data-privacy.dynamicyield.com/export-users' \
--header 'api-key: ' \
--header 'Content-Type: application/json' \
--data-raw '{
"cuids": [
“john@beatles.com”,
“paul@beatles.com”
],
"cuid_type": "email"
}'
Notes:
- Only one cuid_type can be passed in each request.
- If preferable, access can be requested for DYIDs as well (cuid_type = "dyid")
The API response returns the following information:
- request_status: A list of objects, each containing the cuid passed in the export request, their mapping IDs, status, and a message that details the user's export request status.
- request_id: Can be used to check the request status at the endpoint related to the data center you use (as listed in the next procedure).
{
"request_status": [
{
"cuid": "p@gmail.com",
"cuid_mapping_id" : "1",
"status": "accepted",
"message": "User queued for export"
},
{
"cuid": "e@gmail.com",
"cuid_mapping_id" : "2",
"status": "not_found",
"message": "User not found"
}
],
"request_id": "123"
}
Note: Upon receiving the response, it's imperative to document the mapping IDs (cuid_mapping_id) of all CUIDs, as the exported les will only carry the mapping ID. Dynamic Yield can't store the plaintext email value, so a mapping ID is necessary.
As soon as the files are bundled, zipped, and generated in your S3 bucket, they are available for 96 hours. Due to the limited availability window, we recommend checking the export status often to obtain the files as soon as they become available.
Check the export status:
Use the request ID to check the status of the export at any point as follows, using the relevant endpoint:
- US: http://data-privacy.dynamicyield.com/status
- EU: http://data-privacy-eu.dynamicyield.com/status
curl --location 'data-privacy.dynamicyield.com/status' \
--header 'api-key: ' \
--header 'Content-Type: application/json' \
--data '{
"request_id": "123"
}'
When the export process is complete, the status API returns the S3 path where each of the files is located, listed by their mapping ID, as follows:
{
"request_status": "done",
"request_details": [
{
"cuid_mapping_id": "1",
"result_path": "s3:/dy-user-data-export/2023-10-12/1/data.csv"
},
{
"cuid_mapping_id": "2",
"result_path": "s3:/dy-user-data-export/2023-10-11/2/data.csv"
},
{
"cuid_mapping_id": "3",
"result_path": "s3:/dy-user-data-export/2023-10-12/3/data.csv"
}
]
}
Right to be forgotten (deletion)
The Dynamic Yield user-data deletion API enables you to request the deletion of all personal data associated with any user who has requested to have their personal data deleted. As a Data Processor, Dynamic Yield ensures that deletion requests are fully and thoroughly handled to help you meet your obligations under applicable data privacy regulations.
The deletion process can take up to 4 days to complete from the time a request is received.
Important: CRM data you upload to a User Data feed is within your responsibility to delete. Dynamic Yield can't ensure that CRM data is not reintroduced into the system by your actions.
To make a deletion request
In Experience OS
- Go to Settings › Privacy Center.
- In the The Right to Be Forgotten block, click Delete User Data.
- In the Delete User Data panel, copy the API key to use in your API call.
Make your API call
- Use the appropriate endpoint based on your data center:
- US: https://data-privacy.dynamicyield.com/delete-users
- EU: https://data-privacy-eu.dynamicyield.com/delete-users
- In the request body, include the following parameters:
- cuids: You can pass up to 20 CUIDs (customer unique identifiers, typically a user's plaintext email address or any other type of CUID value you use to identify users in your section).
- cuid_type: For plaintext email addresses, pass "email" as the cuid_type. For all other types indicate the cuid_type that's reported to Dynamic Yield upon user identification onsite. Note that you can pass the plaintext email address even if the addresses passed onsite are in their hashed version.
curl --location --request POST 'https://data-privacy.dynamicyield.com/delete-users' \
--header 'api-key: ' \
--header 'Content-Type: application/json' \
--data-raw '{
"cuids": [
“john@beatles.com”,
“paul@beatles.com”
],
"cuid_type": "email"
}'
Notes:
- Only one cuid_type can be passed in each request.
- If preferable, data deletion can be requested for DYIDs as well (cuid_type = "dyid")
The API response returns the following information:
- request_status: A list of objects, each including the CUIDs passed in the request, their current status, and a message that explains their status.
-
request_id: Can be used to check the status of the request at the appropriate endpoint related to the data center you use by using the following API call:
- US: http://data-privacy.dynamicyield.com/status
- EU: http://data-privacy-eu.dynamicyield.com/status
{
"request_status": [
{
"cuid": "john@beatles.com",
"status": "accepted",
"message": "User queued for deletion"
},
{
"cuid": "paul@beatles.com",
"status": "accepted",
"message": "User queued for deletion"
}
],
"request_id": "123"
}
The following response is returned upon completion of the full deletion process:
{
"request_status": "done"
}
Additional possible values are:
- "accepted" If the process hasn't begun.
- "in_progress" if the process is still ongoing.
Consent withdrawal
In cases where you have not implemented the Active Cookie Consent mode, if a user removes their consent to content personalization through the placement of cookies by Dynamic Yield on your behalf, you are responsible for honoring this request and communicating it to us. In most cases, your website will automatically prevent the placing of further cookies for users who have opted out, similar to what happens when consent has not been obtained in the first place (see Active Cookie Consent Mode for User Data Privacy Management: What happens when Users have not provided consent? for more information).
In cases where you have implemented the Active Cookie Consent mode, if a user changes their consent preference and removes their consent to content personalization through the placement of cookies by Dynamic Yield on your behalf, Dynamic Yield is immediately notified of the user’s consent withdrawal in real time, and your website will automatically prevent the placing of further cookies for users who have opted out. This is similar to what happens when consent has not been obtained in the first place (see Active Cookie Consent Mode for User Data Privacy Management: Enabling Active Cookie Consent Mode for more information).