5 ways to get CCPA-ready with Twilio Segment

This New Year’s Eve, businesses will be counting down to something more than just a new year. They will be counting down to the beginning of a new wave of consumer data privacy legislation in the Americas, starting with the California Consumer Privacy Act (CCPA) which goes into effect on January 1, 2020. 

How prepared your company is will dictate whether you will be celebrating or scrambling when the clock strikes twelve. 

Our focus at Segment is to help companies easily get their first-party data from where it lives to where it’s most useful for them, and subsequently to enable and deliver personalized experiences for their customers. But to provide an amazing customer experience, respecting consumer data privacy is key. 

That’s why we have built a variety of products to help companies prepare for the CCPA — from Consent Management to help with the CCPA’s “Right to Know” and the “Right to Opt-Out,”  to Deletion Request Management, to Data Subject Access Requests.

Here are the top five ways that Segment can help your company prepare for the CCPA.

1. Consent management solutions for “The Right to Know”

Under the CCPA, consumers have the right to know what data is being collected about them at, or before, the point of collection. At Segment, we’ve built a couple of different solutions that can be used to help with this requirement.

Segment’s Open Source Consent Manager

Segment has an Open Source Consent Manager that anyone can use, free of charge. Better yet — it’s something you can set up in a single day. 

The Open Source Consent Manager works by conditionally loading tools based on a user’s preferences. Segment makes sure that the user’s data will be sent to the tools the user consents to, and not sent to the tools the user does not. 

Take the screenshot below.

If a user selects no to opt-out from having data collected by Advertising tools, the tools listed in that category (in this case, Adwords and Facebook Pixel) would not be loaded, even if the user selects yes to opt-in for the other categories of data collection (in this case, Functional and Marketing & Analytics). 

If you’re already using Segment, your Segment Destinations will automatically pre-populate the tools column using the default Categories they fall under. But what’s great about the Open Source Consent Management solution is that the Categories, Purpose descriptions, and tool-mappings are completely customizable. Your own teams can ultimately decide how to handle and categorize user consent preferences based on your own use cases and needs.

Learn more about how to use our Open Source Consent Manager here.

Integrating Segment with alternative Consent Managers

If you’re not using Segment’s Open Source Consent Manager, you can connect any alternative Consent Manager your teams use (like OneTrust or TrustArc) to Segment instead. This will enable your Segment Destinations (e.g. Google Analytics, Fullstory, etc.) to be loaded appropriately based on a user’s consent preferences. 

To get started, you’ll need to map the alternative Consent Manager’s Consent Groups (usually integers from 0 through 4) to Segment Destinations and pass that mapping when you initialize analytics.js in your site header. 

You can learn more about how to integrate Segment with an alternative Consent Manager by following the instructions in this Github Gist or Video Guide. 

2. Solutions for “The Right to Opt-Out” 

The CCPA gives consumers the right to opt-out from the sale of their data at any time. With the CCPA’s broad definition of “sale,” the sale of data refers to the sharing of certain cookies. You can use Segment’s Open Source Consent Manager to get one step closer to giving your consumers the ability to opt-out from the sale of data. 

All you have to do is create a new Category for the tools that involve the sale of data — bearing in mind that whether or not a tool involves the sale of data ultimately depends on how you use the tool, and how your own company interprets what counts as selling data. 

We recommend using a perpetual link on your site so users can access the Consent Manager to update their consent preferences at any time — not just at the initial point of interaction with your website.

If you would like to keep a running list of opt-outs, you can use Segment to instrument, and fire track calls any time a user clicks to opt-out from the sale of data. From there, you can use Segment to send those track calls downstream to a Data Warehouse (or any other tool in the Segment Catalog) and query it to pull a list of opt-outs whenever you need it.

Learn more about how to use our Open Source Consent Manager and how to create custom categories such as Do Not Sell here.

3. Deletion request management for “The Right to be Deleted”

Segment has also partnered with a handful of our Destination Partners (such as Intercom, Amplitude, and Braze) so that when you issue a user deletion request in Segment, we not only delete that user’s data from within Segment, but we also forward that deletion request downstream to some of your downstream tools.  

The CCPA gives users the right to have their data deleted. With Segment, User Deletion and Suppression Requests can be handled through a UI or API, based on your preferences.

Learn more about how you can use Segment’s Deletion and Suppression Request Management features here.

4. Data subject access requests for “The Right to Access”

Under the CCPA, users have the right to access information collected about them. You can streamline access requests (also known as Data Subject Access Requests or DSAR for short) using Segment.

With Segment, you can easily enable a raw data integration like S3 or a Data Warehouse to organize data about a given user, so that you can easily share it in a structured format if requested by one of your consumers. 

Because of Segment’s powerful identity resolution engine and our Personas Profile API, you can more easily rectify user data knowing that user profiles and traits are automatically updated in Segment and in downstream tools whenever new information is received.

You can learn more about our raw data integrations here or our identity resolution engines here.

5. Data discovery and data mapping 

The foundation of any best-in-class data privacy posture begins with a strong Data Inventory. It means you can easily keep track of what data you are collecting, where you are collecting it from, as well as where you’re sending or storing that data.

That’s why we built the Privacy Portal for our customers to handle Data Discovery and Data Mapping on the fly — at no additional cost. 

The Privacy Portal helps you automatically detect Personal Information, monitor it, and even block it from your downstream tools.

Learn more about how you can start using the Privacy Portal here. 

The CCPA may be just around the corner, but Segment has you covered with a number of solutions that can help as we countdown to the new year. 

If you have any questions about how Segment can help your company with getting ready for the CCPA, feel free to reach out to our team here.

Disclaimer: The information provided in this blog post does not, and is not intended to, constitute legal advice. You should contact your own attorney to obtain advice with respect to the CCPA.

Special thank you to Audrey Kittock, Alan Kyle, Andy Schumeister, Geoffrey Keating, and Jonny Marsh for help reviewing and editing this post.