Compliance
Outline
Welcome
In this module, you will review the compliance features Optimizely Data Platform (ODP) provides for customer data privacy and security regarding Personally Identifiable Information (PII), as required by laws like the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and General Personal Data Protection Law (LGPD).
After completing this module, you should be able to:
Define Sub-Processors of Data
Understand what consent is and adjust App Consent Settings for ODP applications
Manually perform deletion and opt-out compliance requests
Configure the Data Retention period
What is it? / Why use it?
Any website or app that handles PII must comply with applicable laws regarding privacy and data security. ODP is designed with a strong focus on compliance with global standards to protect information assets and ensure data privacy, security, and governance.
The Compliance section of ODP's account settings gives you the tools to engage with customers in a way that respects their privacy and data, while offering you the tools to manage that data in compliance with the GDPR, CCPA, and LGPD.
Keep in mind that any default settings provided here are a starting point. You should always adjust ODP's settings in accordance with the nature of your business and applicable laws in your region. When in doubt, reach out to your business's legal team or other legal counsel.
Sub-Processors of Data
Your legal team may need to reference our list of Sub-Processors, or our list of Technical and Organizational Measures, to ensure specific types of organizational compliance. These lists are publicly accessible from our homepage, but these links are provided in the Sub-Processors of Data screen for your convenience. To access, go to Settings > Sub-Processors of Data.
Consent
Consent determines a customer's ability to receive marketing communications. Consent varies worldwide, so check the regulations for the regions you contact. The following definitions of implicit and explicit consent should help you understand and comply with those regulations to create successful campaigns:
- Implicit consent – A customer has provided their information for a business purpose but has not explicitly signed up for marketing communications. With implicit consent, you assume the customer's consent to receive marketing communications (as long as they have not opted out).
- Explicit consent – A customer has confirmed they want to receive marketing communications, such as by selecting a checkbox or clicking a button to sign up.
Consent configuration options for individual marketing channels:
- Opted In (implicit consent) – ODP treats all messaging identifiers for the corresponding channel as opted-in unless the customer has explicitly opted out.
- Opted Out (explicit consent) – ODP treats all messaging identifiers for the corresponding channel as opted-out unless the customer has explicitly opted in.

Compliance Requests
Compliance Requests refer to the mechanisms for handling customer requests related to their personal data rights, primarily driven by regulations like GDPR, CCPA, and LGPD. These regulations grant customers more control over their personal information.
- Deletion Requests – Customers can request to have all their PII deleted or anonymized. Upon submission, ODP deletes all customer information within 30 days. During this period, the customer cannot be rediscovered, identifiers cannot be moved to other profiles, and new identifiers cannot be added to the profile. Events tied solely to the deleted profile's identifiers are ignored.
- Opt-out Requests – Customers can request that their personal information not be sold to a third party (relevant for CCPA). Within 30 minutes, an opt-out identifier is attached to the customer's profile, removing them from marketing activities (like emails and segment syncing) to ensure compliance.

Data Retention
Optimizely Data Platform offers data retention capabilities to help you comply with data policies and regulations like GDPR by automatically deleting customer data after a specified period.
Configuring a data retention period can help you retain relevant customer information to increase accuracy, enhance data quality, and create transparency.
If you enable and set a data retention period in ODP, data that falls outside your chosen retention period is automatically deleted within 30 days, without the possibility of recovery. The data that ODP deletes differs for inactive and active customers.
- Inactive customers – If a customer has no activity during the retention period, their entire customer profile and all associated data (identifiers, event data, list memberships, metadata) are permanently deleted. If they interact with your business again, a new profile is created.
- Active customers – For active customers, ODP deletes event and order data older than the retention period (excluding consent data). All associated data from the most recent retention period, including orders and events, is retained. This deletion of older data can affect some associated metrics like average order value or customer lifetime value.
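The two retention rules above, applied to constructed sample profiles as an added illustration (this is not ODP's own code; the profile layout, the "activity equals any event inside the window" definition, and the immediate deletion rather than ODP's 30-day lag are assumptions made for the example). It also shows why average order value shifts once older orders are trimmed.

```python
from datetime import datetime, timedelta

# Constructed sample data: one active and one inactive customer profile.
RETENTION_DAYS = 365
NOW = datetime(2024, 6, 1)

PROFILES = {
    "cust-active": {
        "identifiers": {"email": "a@example.com"},
        "consent": [{"channel": "email", "status": "opted_in", "ts": datetime(2022, 1, 5)}],
        "events": [
            {"type": "order", "ts": datetime(2022, 3, 1), "amount": 300.0},  # older than window
            {"type": "order", "ts": datetime(2024, 2, 1), "amount": 50.0},
            {"type": "pageview", "ts": datetime(2024, 5, 20)},
        ],
    },
    "cust-inactive": {
        "identifiers": {"email": "b@example.com"},
        "consent": [{"channel": "email", "status": "opted_in", "ts": datetime(2022, 5, 1)}],
        "events": [{"type": "order", "ts": datetime(2022, 6, 1), "amount": 120.0}],
    },
}


def apply_retention(profiles, now, retention_days):
    """Return (kept_profiles, deleted_profile_ids) after applying the retention rule.

    Assumption: a profile is "active" if it has at least one event inside the window.
    Inactive profiles are dropped whole (identifiers, consent, events); active ones
    keep consent untouched and lose only events older than the cutoff.
    """
    cutoff = now - timedelta(days=retention_days)
    kept, deleted = {}, []
    for pid, profile in profiles.items():
        recent = [e for e in profile["events"] if e["ts"] >= cutoff]
        if not recent:
            deleted.append(pid)
            continue
        kept[pid] = {**profile, "events": recent}  # consent list carried over unchanged
    return kept, deleted


def average_order_value(profiles):
    """Metric that changes once old orders are trimmed from active profiles."""
    amounts = [e["amount"] for p in profiles.values()
               for e in p["events"] if e["type"] == "order"]
    return sum(amounts) / len(amounts) if amounts else 0.0
```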

For more information, see the official documentation: Data retention period.
Interactive guides for this section: ODP - Settings - Compliance, and ODP - Settings - History.