We know that data governance and compliance isn’t the most exciting part of your marketing strategy. However, setting clear rules and protocols for how you handle customer data is critical in today’s GDPR and CCPA marketing landscape. To help you comply with these regulations—and other industry standards—we’ll share strategies to manage sensitive data and retention policies, and other practical tips for savvy marketers using Braze.
Understanding GDPR and CCPA: Key Compliance Guidelines
Before we dive into the details, let’s quickly review the highlights of these two major data privacy laws.
GDPR
The General Data Protection Regulation (GDPR) is a European law that governs how personal data is collected, processed, and stored.
Consent First: You need clear, explicit consent to collect or use an individual’s data.
Transparency: Users can ask what data you have on them and even request that you delete it.
Security: You’re on the hook for protecting customer data from breaches.
CCPA
The California Consumer Privacy Act (CCPA) only applies to personal data collected from California residents, regardless of where the business is based.
Right to Know: Users can ask for a summary of the data you’ve collected or shared.
Opt-Out Option: Individuals can say, “No thanks” to having their data sold.
Right to Delete: Similar to GDPR, they can request that you erase their data.
No Payback Penalties: You can’t deny services or benefits to users who exercise these rights.
Practical Steps: Managing Data with Braze
Managing data in Braze doesn’t have to be overwhelming. With the right features and processes, you can stay compliant while delivering personalized experiences. Let’s break down the key steps for streamlining data governance with Braze.
Get Consent Right
Braze makes it easy to track and manage user consent preferences. By utilizing these Braze features, you can stay compliant.
Standard Attributes: Depending on the communication channel, you can utilize standard attributes like email_subscribe, push_subscribe, subscription_state, to provide/define the consent preference information on whether a user has opted-in or not. Not only are these attributes the source of truth for consent status, these attributes dictate whether or not Braze users are engaged at the system level.
Braze SDK Real-Time Updates: The benefit of the SDK is the ability to capitalize on inputs in real-time. If a user changes their mind about consent at any point, you can update their status right away through Braze’s SDK.
Sync Your Data: If you’re using a CRM or consent management platform, make sure it syncs with Braze so everything’s consistent to ensure timely compliance with all relevant regulations.
Double Opt-in: The easiest way ensure the validity of email consent is with a double opt-in mechanism. Upon sign-up, send a confirmation email asking the user to confirm their intentions which helps legitimize their subscription status. Within their Braze profile their status is updated from “Subscribed” to “Opt-in.”
Only Collect What You Need
One of GDPR’s big rules is “data minimization” which means, don’t collect any unnecessary data. To drive compliance when populating your user profiles in Braze:
Avoid storing sensitive details (e.g., financial data or social security numbers).
Stick to only the data you need for your campaigns, like email addresses, device IDs, or purchase behavior.
Handle PII the Right Way
PII (Personally Identifiable Information) is any data that could identify an individual, like their name, email, or phone number. Here’s how to handle PII securely in Braze:
Limit Access - Braze enables you to set up role-based permissions, so only the right people on your team can access sensitive data. If they can’t view PII, remove that privilege from their workspace or their role!
And here's how you can grant that access:
Encrypt Everything: Braze already secures data with top-tier encryption (SOC 2 and ISO 27001 compliant), but it’s good practice to also encrypt user data on your end before sending it to Braze.
Tag Sensitive Data: Use Braze’s data tagging system to label sensitive fields. This keeps things organized and helps you track what’s being stored.
Skip Storing Ultra-Sensitive Info: Braze isn’t designed to handle things like health or financial data, so keep these attributes out of your Braze marketing platform and leverage them via external sources only.
Data Retention and Deletion: Stay Clean and Compliant
Ensuring data retention and deletion practices are in line with legal requirements is critical for compliance. Here’s how to manage retention, deletion, and record-keeping.
Set Up a Data Retention Plan
By default, Braze keeps inactive user data for 36 months, but you can adjust this to fit your organization’s policies. If Braze’s default timeframe doesn’t meet your company’s security policy, you can have this modified by submitting a support request with Braze via the Support > Get Help menu in the dashboard.
Delete User Data
Need to handle a GDPR or CCPA “right to delete” request? Since you cannot delete users in Braze directly within the user interface, the Braze’s User Deletion API has you covered and below is an example. You can even process bulk deletion requests programmatically using the same endpoint.
Then, equally as important, keep a record of all the user deletion API requests and responses to those requests so you’ve got proof. Below is an example when using Postman:
Messaging Without Breaking the Rules
Staying compliant while delivering personalized messaging is crucial for maintaining trust and avoiding legal issues. Here are best practices to keep your campaigns compliant:
Be Careful with Personalization: Dynamic content is awesome, but ensure you’re not accidentally sharing PII, like a user’s full account number, in push notifications or SMS.
Give Clear Opt-Out Options: For email campaigns, always include an unsubscribe link. Braze makes this simple with the {{unsubscribe_url}} placeholder.
Honor Do-Not-Track Signals: Braze’s SDK can pick up signals from browsers or mobile devices, so if a user opts out of tracking, their preferences will be respected automatically.
Stay on Top of Compliance Processes: Compliance is an ongoing process. Ensure you and your teams are monitoring changing laws and evolving best practices. Establish a system that will:
Review the data you’re sending to Braze regularly to make sure it’s necessary and compliant.
Test your API endpoints for exporting and deleting user data to ensure they work smoothly.
Keep up with new regulations like Virginia’s Consumer Data Protection Act (VCDPA) or any other regional laws that might pop up.
Handling GDPR, CCPA, and other compliance requirements can feel like a lot, but Braze makes it less intimidating. By leveraging its tools for consent management, data minimization, and secure data flows, you can stay compliant without sacrificing the quality of your customer engagement.
Remember, compliance isn’t just about avoiding fines, it’s about building trust with your users. When they know you respect their data, they’re more likely to stick around and engage with your brand.
If you made it this far, we’ll assume you like to geek out about data and we would recommend the our article on the interesting ways your data can flow into Braze.