Skip Navigation
Expand
Data Privacy Frequently Asked Questions
Answer ID 9433   |   Last Review Date 07/31/2023

What data privacy features should I know about in Oracle B2C Service?

Environment:

Oracle B2C Service, All pods

Issue:

The use of the internet has created various ways for our personal data to be sent, received, processed and collected. Recent data breaches have many worried about identity theft and data privacy.  Subsequently, authoritative bodies are feeling the pressure to define regulations that identify what and how data should be protected and processed.

Resolution:

Disclaimer: The information on this page may not be construed or used as legal advice about the content, interpretation or application of any law, regulation or regulatory guideline.  Customers and prospective customers must seek their own legal counsel to understand the applicability of any law or regulation on their processing of personal data, including through the use of any vendor’s products or services.

From an Oracle B2C Service perspective, a one-size-fits-all solution is not practical based on the various ways our customers use our product.  Instead, we have a Feature Guidance document that focuses on privacy and security related controls to protect personal data.  This document is available HERE.

Additionally, we have compiled the following responses to frequently asked questions.

  • Is Oracle B2C Service "GDPR Compliant"?
    • There is no official certification process for the General Data Protection Regulation (GDPR). How a customer manages the personal data they collect is their responsibility. 
    • GDPR endorses the use of approved codes of conduct and certification mechanisms to demonstrate that you comply.  Signing up to a code of conduct or certification scheme is not obligatory. Nevertheless, having an approved code of conduct or certification scheme that covers your processing activity is a way of demonstrating that you comply. 
    • Oracle has obtained EU/EEA-wide authorization from the European data protection authorities for its Binding Corporate Rules for Processors (BCR-p); also known as Privacy Code for Processing Personal Information of Customer Individuals or “Processor Code”.  The document can be found with the Data Processing Agreement at:  Cloud Services Contracts.
  • Is Oracle B2C Service "CCPA Compliant"?
    • Similar to GDPR, the California Consumer Protection Act (CCPA) does not have an official certification process.  The customer has obligations to California citizens and needs to determine whether it can meet those while using any Oracle SaaS product.
    • The “CCPA 8 Rights” closely align with the Privacy Controls described in the Feature Guidance documents and can be used to assist in building your solution with Service Cloud.
       
  • Who is the Data Privacy Officer (DPO) for Oracle?
    • Found on Services Privacy Policy webpage, mailing address:
                Oracle Corporation
                Global Data Protection Officer
                Willis Tower
                233 South Wacker Drive
                45th Floor
                Chicago, IL 60606
                USA
           Or for inside the EU/EEA, written inquiries may be addressed to:
                Robert Niedermeier
                Hauptstrafze 4
                D-85579 Neubiberg /Munchen
                Germany
                Email: mail@legislator.de
    • Contact the Data Protection Officer though Oracle's inquiry form.
       
  • Where and how is personal data stored?
    • Europe institutions purchasing Oracle B2C Service will be provisioned in EEA datacenters. Backup copies of the data will remain within the chosen region, stored in the secondary datacenter. Support and Operations access may occur globally.
    • All data stored for use with Oracle B2C Service is encrypted at rest.
       
  • What are the cascading effects when deleting contacts?
    • When deleting a single contact through the user interface, several other objects are affected immediately.
      • If the contact is the only contact on any incident, the incidents are also deleted.
      • If there is more than one contact on the incident, the reference to the contact being deleted will be removed from the incident(s) and any related threads/messages.  Next time any incident is viewed/updated that had a primary contact reference removed, it will require a new primary contact to be added before saving.
      • The following objects will also be deleted when a contact is deleted:  contact sessions, notes (not incident threads/messages), OpenID accounts, and anything directly attached to the contact record (e.g., files).
      • The reference to the specific contact being deleted will be removed from: archived incidents (table not the stored xml file), assets, chats, clickstream details, purchased products, question/survey sessions, visitor events, and agent transactions that affected the contact record.
    • When using the Bulk Delete API to delete more than one contact at a time, only the contact records are synchronously deleted. All other changes noted below happen asynchronously.
      • Incidents are not deleted.  Instead, the reference to the contact being deleted will be removed from the incident(s) and any related threads/messages. Next time any incident is viewed/updated that had a primary contact reference removed, it will require a new primary contact to be added before saving.
      • The following objects will also be deleted when a contact is deleted:  contact sessions, notes (not incident threads/messages), OpenID accounts, and anything directly attached to the contact record (e.g., files).
      • The reference to the specific contact being deleted will be removed from: archived incidents (table not the stored xml file), assets, chats, clickstream details, purchased products, question/survey sessions, visitor events, and agent transactions that affected the contact record.
It is the responsibility of each customer to remove their customer's data when required. If you need assistance with this process, you can request an Oracle Consultation
 
  • How can I remove outdated contact data and still retain incidents and related statistics?
    • Determine how to best identify the contacts that are considered old for your company.  You can create a report or use APIs.
    • One option: Anonymize the data in contact records; therefore retaining the contact record but no original data.  For example, change the name from {First, Last} to {Anonymous}.

 

  • Can I remove data from within incident threads?
  • What is the purpose for storing End user's/Contact's IP Addresses in Service Cloud?
    • These IP addresses are collected as part of session management.  Session management is crucial to product architecture and session accounting.
      • The Session-Data Security section in the User Guide as well as Customer session information and Sessions, visits and hits explained have more details on this topic.
      • Upon deleting a contact, their related session data is removed or anonymized.
      • It is not possible to eliminate session data from being collected in B2C Service. There is no API access to these tables. However, customers have the ability to configure how long this data persists in their environment. Purge settings and how they affect our site provides a good overview on many of the purge capabilities. Additional details on the purge configuration settings are described in the Agedatabase settings section of the User Guide. Other resources for purging data include the Data Lifecycle Manager.
    • Transaction records may be related to sessions and contacts for auditing and diagnostic purposes. Transaction records remain, but are disassociated from contact identity when the contact is removed.
    • Chat sessions are captured separately from product usage sessions.  These too are removed upon a contact deletion.  Details on setting the purge configurations for Chat can be found in Oracle Service Chat Data Purge.
    •  
      IP address fields exist as follows:
       Table  Purge Configuration  Table Purpose
       chats  CHAT_PURGE_DAYS  Contact chat session details
       contact_sessions  60 days by default. Request changes through Technical Support  Contact login/logout session details
       cs_session_summary   PURGE_CS_SESSION_SUMMARY   Session billing information
       papi_meters  Not applicable  Public API activity details and billing; original record is deleted automatically when data is aggregated at 14 days old
       
       
  • What are my options when it comes to protecting Chat data?
    • When it comes to data protection within the chat solution, several options currently exist:
      • Off the Record: This feature can help prevent the collection of personal data in chat records. 
      • Live Help Page: Modify the Live Help Page so the end-user is not required to provide a First Name, Last Name or other personally identifiable information. Configuration details for the Live Help Page can be found in Answer 5168: Documentation for Oracle B2C Service Products within the Online Help User Guide for your CX version.
      • Anonymous Chats: Allow end-users to chat with your company anonymously. Configuration details for the ChatServerConnect widget can be found in Answer 5168: Documentation for Oracle B2C Service Products within the Online Help User Guide for your CX version.
      • Delete a Contact: Remove an end-user’s personal data from the system by deleting the contact record. More information on data privacy can be found within this answer, under the topic “What are the cascading effects when deleting contacts?”
      • Chat Data Purge Settings: Remove chat data from the system by adjusting chat purge configuration settings to match your company's needs. Details on Chat Data Purge settings can be found in Answer 2579: Oracle RightNow Chat Cloud Service Data Purge.
         
  • What cookies are used with Service Cloud?
  • What risk do I run using a deprecated version of Customer Portal?
    • All versions of Customer Portal older than 3.9 have been deprecated. Being deprecated means no new functionality will be back-ported, nor are any fixes provided. Information about updating Customer Portal can be found in Answer ID 9629: Customer Portal versions associated with Oracle B2C Service.

      To capture views of contact data from your Customer Portal into the audit table after turning Contact Read Logging on, you need to be using Customer Portal version 3.3 or later.  More information about Contact Read Logging can be found in Answer 5421: What is Read Logging? .