CCPA: How to Handle Delete Requests and User Subject Rights Requests

(CCPA is effective as of January 1, 2020)

What is required under CCPA?

CCPA (California Consumer Privacy Act) provides consumers with the right to opt out of sale, the right to request access to their data and the right to request deletion. Users frequently request access to data or request data deletion after a transaction occurred, and the request applies to their historical data, so these requests occur outside of the signals framework used for opting out of sale. Publishers may send requests for data access or data deletion to Rakuten Advertising, and requests with the necessary information provided will be honored within the required deadline of 45 days.

What PI does Rakuten Advertising capture?

Rakuten Advertising does not capture any user’s personal information (PI) from publishers at any point in our process. Rakuten Advertising also does not capture directly identifiable information such as user name, email address, mailing address or phone number. 

When a click on an affiliate link occurs, or when a programmatic ad serves an impression, we create our own user ID, the RMUID, which is associated with that user, and which is considered PI under CCPA.

Publishers or advertisers may pass Rakuten the following information that may be considered PI under CCPA when linked to an RMUID:

  • RMUID (RM-generated)

  • U1 – unique click ID (from publisher)

  • Order ID (from Advertiser)

How do I submit a User Subject Rights or Delete Request to Rakuten Advertising?

Delete requests must contain the user’s U1 (click ID) or RMUID. Without one of these identifiers, we will be unable to locate and delete records associated with that user. We ask that our publishers please not transmit any other user personal information (such as name, address, e-mail address or phone number) to Rakuten Advertising in order to protect user privacy. 

Please send subject rights request and delete requests to:

Once we have received a delete request, our team will review our databases to verify whether we have personal data associated with the deleted users. If we are able to sufficiently verify that we have those users’ personal data, then we will delete the identifiers so that any information remaining is fully anonymized.


Was this article helpful?
1 out of 1 found this helpful



Please sign in to leave a comment.