GDPR and CCPA compliance overview
How the Zeta Marketing Platform (ZMP) mobile SDKs support GDPR and CCPA compliance from a business perspective.
This page covers the mechanisms available for honoring user privacy rights when using the Zeta mobile SDKs. It is not legal advice. Consult your legal team for compliance guidance specific to your business.
Opt-in and opt-out
The SDK provides a tracking opt-in/opt-out mechanism that controls whether data is collected and sent to ZMP.
How it works
- Tracking enabled. When the SDK is initialized with tracking enabled, it collects and sends data normally.
- Opt-out. When opt-out is activated, the SDK immediately:
  - Stops sending any events, user properties, or device information to ZMP.
  - Clears all data cached in the local database on the device.
  - Stops polling for in-app messages.
Opt-out is activated programmatically by your development team, typically in response to a user action such as tapping a "Do not track" toggle in your app's settings or responding to a consent prompt.
Notification permission vs tracking opt-out
These are separate concepts:
| Mechanism | What it controls | Managed by |
|---|---|---|
| Notification permission (OS-level) | Whether the device can receive push notifications | The user, through device settings |
| Tracking opt-out (SDK-level) | Whether the SDK sends any data to ZMP | Your app, through the SDK API |
A user can grant push notification permission but opt out of tracking. In that case, the device can receive push notifications, but the SDK does not send engagement data back to ZMP. Conversely, a user can deny push permission but allow tracking. In that case, the SDK sends events and user properties to ZMP, but push notifications cannot be delivered.
Data minimization
You control what data the SDK collects by choosing what your development team integrates:
- Only send necessary data. Do not pass user properties or custom events that are not needed for your campaigns or segmentation.
- Avoid unnecessary identifiers. If you do not need IDFA, do not provide it to the SDK. If you do not need location, do not call the location update method.
- Use opt-in granularity. Consider implementing granular consent in your app (separate toggles for analytics, push, and personalization) and configuring SDK behavior accordingly.
Right to access (data export)
GDPR Article 15 and CCPA Section 1798.100 give users the right to request a copy of their personal data.
To fulfill a data access request, you can use any of the following paths:
- Account team: Contact your Zeta account team with the user's identifier (uid, emailId, or BSIN). Zeta provides the requested data through your account team.
- OneTrust API: If your organization uses OneTrust, Zeta supports integration for submitting data subject requests programmatically.
- Email: Submit the request to [email protected] with the user's identifier.
- Self-service Rights Request page: Users can submit their own requests directly through Zeta's self-service Rights Request page.
Right to deletion
GDPR Article 17 and CCPA Section 1798.105 give users the right to request deletion of their personal data.
To honor a deletion request:
- Clear the SDK session. Your development team calls the SDK's clear method to remove the user's identity from the device.
- Activate opt-out. Your development team activates opt-out to stop further data collection and clear the local cache.
- Request server-side deletion. Contact your Zeta account team, email [email protected], or use the self-service Rights Request page to request deletion of the user's profile from ZMP. Provide the user's uid, emailId, or BSIN.
Right to opt out of sale
CCPA Section 1798.120 gives users the right to opt out of the sale of their personal information.
If your CCPA assessment determines that your use of ZMP requires honoring this right for your users, use the SDK's opt-out mechanism to stop data collection for those users who exercise this right.
Recommended practices
- Implement a consent flow. Before initializing the SDK with opt-in, show users a consent prompt that explains what data your app collects and why. If the user declines, initialize the SDK with opt-out.
- Provide a settings toggle. Give users a persistent way to change their tracking preference in your app's settings. When the toggle changes, call the SDK's opt-in or opt-out method.
- Keep records. Log when each user opted in or out, and when deletion requests were submitted and fulfilled. This supports your compliance documentation.
- Coordinate with your Zeta account team. For data subject requests (export, deletion) that require server-side action, your Zeta account team is the contact point.
Note: This page describes the SDK's privacy capabilities from a business perspective. For technical implementation details, see the Data & Privacy pages in the Developer Guides:
See also
- iOS privacy nutrition label -- Apple App Store privacy requirements.
- Google Play data safety -- Google Play Data Safety form.
- iOS data collection -- what the iOS SDK collects.
- Android data collection -- what the Android SDK collects.
- FAQ -- common questions about opt-in, opt-out, and data collection.
