The EU General Data Protection Regulation (GDPR) is European legislation meant to consolidate data privacy regulations across Europe. The date to begin enforcement for GDPR compliance is May 25, 2018.
Your Role as a Data Controller
The data controller determines the purposes and means of collecting personal data and is the owner of the data. All personal data collected is subject to GDPR and requires consent from the data subjects. The consent must be a clear affirmative act. In addition, the data controller must be able to demonstrate that the data subject has given consent to the processing operation.
Our Role as a Data Processor
When you send data into the products–EventStream, AudienceStream, or DataAccess–we act as a data processor. As a data processor, we have the responsibility to provide you (the data controller) the means to fulfill data subject access requests and to provide responsible data collection practices. Read below to learn more the Visitor API.
Our Role as a Tag Manager
Our client-side solution to tag management (iQ) ensures that we do not collect or process personal data being sent directly to third-party vendors via the browser or device. However, iQ Tag Management offers a feature to help you, as the data controller, with data governance and consent management. Read below to learn more about the Consent Management feature.
As a data controller, you are responsible for ensuring that consent is properly acquired from your users and to give them the option to withdraw that consent at any time. iQ offers Consent Management to help you comply with these requirements.
Consent Management uses the following two (2) components to help you manage consent:
Consent Request Manager Configure the prompt that is presented on your website to request consent from users. Users can grant consent or withdraw consent via the prompt.
Consent Preferences Manager Configure the categories of tracking offered to users that give consent.
Consent Management offers the following features:
Customizable Content: Message, Logo, Call to Action Button, etc.
Global Settings (for multiple profiles)
Automated Load Rule Creation to Target Users in the EU
Configure the Tags to Omit (non-tracking tags)
Logging Consent Changes
This is an upcoming feature and more details will be announced as they become available. Until then, enjoy this quick preview of the consent management feature:
Visitor Lookup in AudienceStream
Update (May 10th, 2018) The Visitor Lookup tool is now available in AudienceStream. Use this new feature to lookup individual visitor records and delete the if needed. Also, see the details of the API running behind the scenes, which is available to customers to build their our GDPR compliance features.
Update (March 26th, 2018) A preview release of the Visitor API is now available: Tealium API > Visitor Lookup API This release includes active endpoints that can be developed against, however they will only return placeholder data. Stay tuned for a future release that will fully enable the API to service visitor lookup requests for your account.
As a data controller, you must comply with data subjects' rights to access, rectify, and delete data. The Visitor API will be available as a screen within AudienceStream as well as an API to be integrated programmatically. Access to the API is secured by access keys that must be granted to active users of the account.
Does Tealium provide logging or evidence of consent, so that I don’t have to?
Yes, if enabled, EventDB and EventStore can accommodate this logging.
Can Tealium request consent from my website visitors for me?
While Tealium does not inherit the burden of consent responsibility, Tealium iQ will offer a convenient set of consent management features that assist with collecting consent.
Does a request to delete data assume consent withdrawal?
No, erasure and consent are independent. If you submit an erasure request, all data for that user is deleted. If that user visits your site again, without withdrawing consent, then data collection will continue.
Is Tealium a data processor or a data controller?
Tealium is a data processor with respect to your web properties and your users.
Tealium is a data controller only with respect to our own web properties and services such as tealium.com and my.tealiumiq.com.
Do my website visitors go to Tealium to submit data inquiries?
No, your customers will submit their data inquiries directly to you and you will use the API or the Universal Data Hub (UDH) user interface to fulfill those inquiries, as detailed above in this document.
Will Tealium handle data inquiries for all the tag vendors I manage in iQ?
No, Tealium cannot certify or monitor the data inquires of third-party vendors. Tealium iQ Tag Management software only honors the consent response and tracking preferences of the data subject as configured in the consent management feature.
Will Tealium handle data inquires for all the connector vendors I manage in EventStream/AudienceStream?
Tealium is dedicated to passing along the data inquiry to vendors that provide an API for GDPR Data Subject Access Requests. Check the Connector Marketplace for vendors that support this functionality.
If a user consents to be tracked by a website from one device but declines consent on another device, will he or she be tracked?
Consent is granted on a device, browser, or app basis. A user will be tracked on any device, browser, or app where consent has been given and not tracked on those devices where it has not be given (or has been withdrawn).
The new Consent Management tools are a replacement for the functionality offered by the Privacy Manager extension. After the Consent Management tools are fully released the Privacy Manager extension will be removed from the Extension Marketplace, though existing instances of the extension will continue to function.