Skip to main content

BlueConic Data Security and Privacy Overview

This article outlines BlueConic features that help you adhere to privacy legislation around the world.

Updated today

All data stored in the BlueConic CDP belongs to the customer. BlueConic processes that data on behalf of the customer, ensuring that each customer manages and collects data responsibly.

The information below does not serve as legal advice for your own data security, privacy, or consent purposes.

Before you begin

  • Identify your needs: Determine which privacy legislation zones apply to your customers and what level of security you require for your specific use cases.

  • Involve stakeholders: Loop in relevant teams, such as legal, marketing, and IT, to ensure alignment on data privacy and security practices.

Determine Privacy and Consent Requirements

BlueConic supports privacy legislation worldwide, such as the GDPR in Europe, to help you comply with region-specific regulations. You can comply with as many regions at a time as needed.

Supported Legislation Zones

  • Argentina (DPL)

  • Australia (Privacy Act)

  • Brazil (LGPD)

  • Canada (PIPEDA)

  • Europe (GDPR)

  • Israel (PPL)

  • Japan (APPI)

  • Mexico - LFPDPPP

  • New Zealand (Privacy Act 2020)

  • People's Republic of China (PIPL)

  • Peru (DPL)

  • Switzerland (DPA)

  • United Kingdom (UK GDPR)

  • US - California (CCPA/CPRA)

  • US - Colorado Privacy Act (CoPA/SB190)

  • US - Connecticut Data Privacy Act (CDPA/CTCPDA)

  • US - Delaware Personal Data Privacy Act (DPDPA)

  • US - Florida Digital Bill of Rights (FDBR)

  • US - Iowa Consumer Data Protection Act (ICDPA)

  • US - Montana Consumer Data Privacy Act (MTCDPA)

  • US - Nebraska Data Privacy Act (NEDPA)

  • US - Nevada (SB220)

  • US - New Hampshire Privacy Act (NHPA)

  • US - New Jersey Data Privacy Act (NJDPA)

  • US - New York (NYPA)

  • US - Oregon Consumer Privacy Act (OCPA)

  • US - Texas Data Privacy and Security Act (TDPSA)

  • US - Utah Consumer Privacy Act (UCPA)

  • US - Virginia’s Consumer Data Protection Act (VCDPA/SB1392)

  • US - Tennessee Information Protection Act (TIPA)

  • US - Indiana Consumer Data Protection Act (INCDPA)

  • US - Kentucky Consumer Data Protection Act (KCDPA)

  • US - Minnesota Consumer Data Privacy Act (MCDPA)

  • US - Maryland Online Data Privacy Act (MODPA)

  • US - Rhode Island Data Transparency & Privacy Protection Act (RIDTPPA)

  • Rest of the World (including the disabled legislations zones)

If you require compliance for any legislation zones not currently listed on the Privacy page, reach out to BlueConic Support with the details of those zones.

Manage privacy and consent for multiple legislation zones

Identify relevant zones

  1. Identify relevant zones: Determine which legislation zones apply to your customers. You can choose one or more zones, or select the "Rest of the World" (or "Whole World") option to apply a single approach for all customers.

Configure privacy settings

  1. Configure privacy settings: Go to the Privacy page (Settings > Privacy) and enable the relevant legislation zones.

Create consent objectives

  1. Create consent objectives: Define consent objectives for specific features and data processing activities. Assign the relevant legislation zones to each objective. Objectives are configurable and can hold one or more objects (e.g., connections, lifecycles, AI notebooks).

Set opt-in/opt-out preferences

  1. Set opt-in/opt-out preferences: For each legislation zone, choose whether to use an opt-in or opt-out approach for consent:

    ​- Opt-in: For visitors within an opt-in zone, an objective will be executed ONLY if the visitor consents to that objective (not if they refuse consent or do not make a selection).

    - Opt-out: For visitors within an opt-out zone, an objective will be executed UNLESS the visitor explicitly refuses consent to that objective.

​Consumer data rights

BlueConic helps you manage your customers’ and visitors’ data privacy rights and control over the personal data that you collect about them. This includes:

  • Data portability: BlueConic provides a data portability module that allows you to display all profile data contained within an individual’s profile to that specific person. (Note: GDPR requires that companies make it possible for individuals to request a copy of their profile; the company must then provide all contained data and information in a portable format.)

  • Right to rectification: With BlueConic, you can create forms on your website where consumers can request that certain pieces of their profile and associated pieces of data be corrected or changed. In the backend, BlueConic also provides a profile viewer so marketers and other authorized employees can go into an individual’s profile and easily make those requested changes.

  • Right to erasure: If a consumer wants all data collected on them to be deleted, BlueConic allows you to easily delete their profile and the associated cookie on the front end.

Data storage and hosting

  • Your data is securely stored in your chosen geographic location.

  • BlueConic utilizes Amazon Web Services (AWS) data centers, allowing you to select a region for data storage (e.g., Dublin, Virginia, Singapore).

  • Data remains within the chosen region, ensuring compliance with data residency requirements (e.g., data stored in Dublin does not leave Europe).

PII data sensitivity and control

BlueConic provides various data visibility settings for customer data stored in unified profiles. To manage PII data sensitivity:

  • When adding a new profile property, check the "Is unique identifier" box to make it a unique identifier with automatic PII data sensitivity.

  • If the "Is unique identifier" box is unchecked, set the property's data sensitivity to either PII or Non-PII.

    [GIF here]

You can always change the data sensitivity from Non-PII to PII. You can only change it from PII to Non-PII if the property has no value on any profile. The "Create new profile when identifier changes" setting, which appears when the property is designated as a unique identifier, helps prevent potential profile hijacking.


Role-based access control

Access to customer data and PII within the platform is controlled by each user’s specific role in BlueConic, such as Content Manager, Data Scientist, Online Marketer, and so on. To determine which roles have access to PII within BlueConic:

  • View the Roles page. (BlueConic settings > Access management > Roles)

  • Enable or disable PII per user role.

    [GIF here instead]

BlueConic also offers domain-based permissions (i.e., edit rights for individual users for specific domains in your system), which is outlined in more detail below.


Profile data privacy and protection

BlueConic offers role-based permissions and access to customer data, including unified profiles. Users with appropriate permissions can view and manage individual privacy settings through the Profile privacy management tab. This tab includes:

  • Legislation zone

  • Permission level (Level 0 [do not track], Level 1 [anonymous], or Level 2 [personal])

  • Objectives they have consented to

  • Objectives they have refused

  • Privacy event logs (e.g., Consented Objective: Optimize website experience, 6/12/2022, 3:31 p.m.)

Only users with profile-editing permission can make changes to the Profile privacy tab, such as changing the legislation zone and manually adding or removing consented or refused objectives.


Precautions for profile cleanup and merging

There are safeguards for profile cleanup (purging) and merging to help you manage your customer database while protecting against unintended data loss.

Profile Cleanup

  • Only users with access to the General page (BlueConic settings > General) can manage cleanup rules.

  • A checkbox prevents accidental purging of identifiable profiles.

  • A warning is displayed if a rule affects more than 1% of total profiles.

Profile Merging

  • BlueConic limits the number of lookups to check for merging (24).

  • A single profile can be merged a maximum of 1,000 times.

  • Profile property values used in merge rules must be at least four characters long.

  • Merging occurs only if there are 20 or fewer matching profiles.

Data retention

BlueConic allows you to set custom retention periods for different types of data, including profile data, based on your company's needs and compliance requirements. For profile properties, this is enabled through clean-up rules, which delete data from active databases and backups. Contact your Customer Success Manager for details.

Timeline event priority and retention

BlueConic provides settings for Timeline events to ensure clean event data and avoid unintended loss. Each Timeline event type has a priority level (low or high) used during purging, with high-priority events less likely to be purged. You can also set custom retention periods for each Timeline event type.

Profile hijacking prevention

When adding or editing a profile property as a unique identifier, select the "Create new profile when identifier changes" checkbox to prevent profile hijacking. This ensures that a new profile is created whenever the unique identifier value changes.

Platform access and security

BlueConic has several policies in place to protect customer data. For example, if a customer requests tenant removal, BlueConic will remove all data within one month and send the customer a copy if needed. Data can be removed earlier by request. All access-related functionality is available under Access management in the BlueConic settings menu. This includes features like user profile access, role-based permissions, and the following


Single sign-On (SSO)

BlueConic offers single sign-on (SSO) capabilities, allowing you to control access to your BlueConic environment through your own site. Once SSO is enabled, all users must log in through your SSO provider to access your tenant.

Two-step authentication

If you don't use SSO, BlueConic provides a secure two-step authentication process. This requires a valid username and password, followed by a unique verification code.

Tenant access restrictions

BlueConic offers additional security measures, such as:

  • Restricting access to the BlueConic management UI and API to a specific range of IP addresses.

  • Allowing or disallowing BlueConic Support access to your tenant.

Domain-based access control

Domain-based permissions determine which items in the platform an individual user has write access to. These permissions can be different for each user. Items protected by domain-based edit rights include segments, dialogues, dialogue variants or optimizers, and channels.

Security event monitoring

You can connect BlueConic to a security information and event management (SIEM) system to monitor and detect security events. Using the Audit Event API, a SIEM system can query BlueConic events.

Next steps

  • Clearly explain to your customers how you collect, process, and use their data.

  • Familiarize yourself with BlueConic's security measures detailed in the Security section of the Knowledge Base.

  • Learn more about BlueConic's privacy features and how to manage objectives by reviewing the Privacy & Objectives section in the Knowledge Base.

Related Articles
Privacy Settings
Privacy Management Overview
Manage Privacy Controls for Legislation Zones
Consent management Overview
Storing consent in BlueConic
Did this answer your question?