
Chrome 66 is coming, and it is part angel, part devil. On the personal privacy side, Chrome's latest release will enable an in-demand feature: preventing video autoplay. But for marketers, the video autoplay change aside, there could be some very serious consequences. Given that Chrome is the dominant browser at roughly 60% market share, the Chrome 66 update could be catastrophic to your web traffic.

[Figure: web browser market share, February 2018]

To veer off of our usual Marketo focus on this blog, I wanted to raise the visibility of a technical issue that has the potential to severely impact our marketing operations.

Google’s Chrome products, including the Chrome browser and Chrome OS, have been calling out failures in Symantec’s certificate authority infrastructure for a number of months now. In July 2017, a post on the Google Security blog pointed the finger squarely at Symantec:

Symantec’s PKI business, which operates a series of Certificate Authorities under various brand names, including Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL, had issued numerous certificates that did not comply with the industry-developed CA/Browser Forum Baseline Requirements.

Based on Symantec’s own blog post, their position seems to be that they’re too big to fail:

As the largest issuer of EV and OV certificates in the industry according to Netcraft, Symantec handles significantly larger volumes of validation workloads across more geographies than most other CAs. To our knowledge, no other single CA operates at the scale nor offers the broad set of capabilities that Symantec offers today.

Normally, this type of security turf war doesn’t make it onto the marketing radar, but this one is set to send out some pretty significant ripples. Let's not forget the size of the combatants: Google makes the most widely used web browser, and Symantec is the largest issuer of wildcard SSL certificates, so any action by either one will catch the majority of us in the middle.


Google Chrome 66 is going to stop trusting (deprecate) any Symantec SSL certificate issued before January 1, 2016.

Chrome 66 was made available on the Chrome Beta channel on March 15, 2018 and will be released to Chrome Stable users around April 17, 2018.

The net result: two potentially devastating consequences for your marketing efforts.


The first impact is to your website and landing page delivery. If your public-facing marketing infrastructure is covered by an older Symantec SSL certificate, your visitors will be blocked from your site and will see the following warning:

[Figure: Chrome SSL warning shown for a distrusted Symantec certificate]

OK, so that’s bad enough, but the issue goes much deeper.

Second, and far more insidiously, you could see a loss of functionality that affects your customer experience if you are using any web services or webhooks that are also secured by a Symantec certificate. If you have dynamic updates or direct integrations from your website that enhance the customer experience, those updates and integrations may fail or drop into their fallback mode.


What can you do?

As a marketer, the first thing you need to do is check every system and platform you rely on, across the board, for certificates affected by this change (for example, here is Marketo’s response).


For more information on how to handle this issue (and keep ensuring a great customer experience and protecting your brand reputation), check out DemandLab's post on how to check if you're affected and what options you have.
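As an added illustration of that first step (example code, not from the original post, Marketo or DemandLab), the Python below classifies a server's leaf certificate the way Chrome 66 will: issued by one of the Symantec brands named above, and dated before the cut-off the post gives. The hostnames, issuer names and dates in SAMPLE_CERTS are constructed; fetch_cert is provided for checking live endpoints such as your landing pages and webhook targets.

```python
import socket
import ssl
from datetime import datetime, timezone

# CA brand names the post lists as part of Symantec's PKI business.
SYMANTEC_BRANDS = ("symantec", "thawte", "verisign", "equifax", "geotrust", "rapidssl")
# Cut-off date as stated in the post: Symantec certificates issued before it lose trust.
CUTOFF = datetime(2016, 1, 1, tzinfo=timezone.utc)

def issuer_org(cert):
    """Issuer organizationName from an ssl.getpeercert()-style dict ('' if absent)."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""

def assess_cert(cert, cutoff=CUTOFF):
    """Classify one parsed leaf certificate; returns (affected, reason).
    Heuristic: the leaf's issuer is the intermediate CA, Symantec-brand intermediates
    carry the brand in organizationName, and notBefore is the issue date."""
    org = issuer_org(cert)
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc)
    if not any(brand in org.lower() for brand in SYMANTEC_BRANDS):
        return False, f"issuer '{org}' is not a Symantec brand"
    if issued >= cutoff:
        return False, f"Symantec-issued on {issued:%Y-%m-%d}, on or after the cut-off"
    return True, f"Symantec-issued on {issued:%Y-%m-%d}, before {cutoff:%Y-%m-%d}"

def fetch_cert(host, port=443, timeout=5):
    """Fetch the live leaf certificate of host (network call; the samples below avoid it)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def audit(certs_by_host):
    """Map host -> (affected, reason) so endpoints needing a reissued certificate stand out."""
    return {host: assess_cert(cert) for host, cert in certs_by_host.items()}

# Constructed samples in getpeercert() shape: hosts, issuer names and dates are made up.
def _sample(org, not_before):
    return {"issuer": ((("countryName", "US"),), (("organizationName", org),)),
            "notBefore": not_before}

SAMPLE_CERTS = {
    "www.landing-pages.invalid": _sample("Symantec Corporation", "Mar 12 00:00:00 2015 GMT"),
    "webhook.partner.invalid": _sample("GeoTrust Inc.", "Jun 20 00:00:00 2017 GMT"),
    "api.vendor.invalid": _sample("Other CA LLC", "Feb 01 00:00:00 2015 GMT"),
}
```

Running audit(SAMPLE_CERTS) flags only www.landing-pages.invalid; for a real inventory, replace the constructed dicts with fetch_cert(host) results for each domain and integration endpoint you depend on.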

We’re in the final stretch with the GDPR compliance deadline looming ahead. “Are you Ready for GDPR?” is still the question of the day, and the topic of an upcoming webinar that I’ll be presenting in partnership with Marketo and Uberflip. I’ll be teaming up with Marketo’s Sr. Director of EMEA Marketing Peter Bell and Uberflip’s Director of Revenue Marketing Tara Robertson to help marketers understand what’s required for compliance, discuss the topic of “consent” and explore the implications of GDPR on your operations and the systems you use every day. This free presentation runs live on April 4 at 11:00 am EDT and we’d love for you to join us. Additionally, get a sneak preview of what we’ll be covering on Uberflip’s blog where Tara and I have a conversation about consent, data collection and the always popular question: is there any workaround to GDPR? Check it out, and, don’t forget to sign up for the webinar!


For those of you who need a little GDPR comic relief, check out the latest Perkuto blog post—we’ve scoured Twitter to find creative tweets from around the world about the angst of preparing for GDPR. If nothing else, it will make you smile.

Just when you thought GDPR was confusing enough, enter the topic of “legitimate interest.” Many of you have asked about it, wondering if you can bypass obtaining express consent by opting for legitimate interest instead.

I can almost hear the glimmer of hope in your voice as you ask...could legitimate interest be my saving grace for updating permission requirements? Has GDPR provided organizations like mine with an escape clause? Approach with caution here. If you’re considering skipping express consent and claiming the GDPR provision for legitimate interest, you first must understand what legitimate interest entails and when you can use it.

From Article 6(1) of GDPR, legitimate interest can be used to process records if:

  1. Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
  2. Processing is necessary for compliance with a legal obligation
  3. Processing is necessary to protect the vital interests of a data subject or another person
  4. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  5. Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject (for example, if the data subject is a child)


Clear as mud, right? Many marketers think they’ve found a loophole to collecting explicit consent with option A, the first clause. So is it? No—but it is a common misconception about GDPR and one that can get you into a whole lot of trouble.

Legitimate Interest Pie


Let’s look at a hypothetical situation when legitimate interest can be used. Say you are shopping online—maybe ordering a pizza. Rather than create an account, you opt to check out as a guest and only provide the necessary information to get your pepperoni pie delivered to your doorstep, or in this case, your name and delivery address plus payment information. Does the pizza place have legitimate cause to process your data? Yes, absolutely. Can they continue to communicate with you and send you pizza promotions for future orders? No, because they don’t have your consent. Legitimate interest in this example only applies to processing your order; it is not permission to use your information for any other purpose.

I also hear marketers attempting to justify legitimate interest with clause E, claiming they have a legitimate interest in marketing their products. So let’s get another opinion. The UK Information Commissioner’s Office (ICO) asserts that: “[Legitimate interest] is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.”

In other words, I expect Joe’s Pizza to deliver my pizza (hot, please), so I also expect Joe’s Pizza to process my order and charge my credit card. But that’s where my expectation ends—so if Joe’s Pizza started sending me special promotions, sold my data to another company, or began tracking my pizza purchases for their rewards program, they would be using my data in ways that I would not reasonably expect, and that would have more than a minimal impact on my privacy. The ICO addresses this scenario, saying if the customer “would not reasonably expect the processing or if it would cause unjustified harm, their interests are likely to override your legitimate interests.” Did you catch that? “Their interests override…” In other words, if you use the customer’s data in an unexpected way or a way that goes beyond your initial reason for gaining access to it, the GDPR supervisory authorities will likely take a big slice of your financial “pie,” which as we all know can add up to a lot of dough!


Legitimate Checklist (because who doesn’t love a good checklist?)


Still thinking about taking the legitimate interest route? The ICO offers a checklist before you consider opting to claim legitimate interest. And as you know, we like checklists, so we thought it appropriate to share this one—you’ll find the checklist and the rest of this article on Perkuto’s blog.

For those of you who missed our recent webinar, “Fearless Marketing Strategies for GDPR World,” you missed a good discussion. The most popular topic of the day was “consent.” We had many questions regarding GDPR compliance requirements—everything from permission to retain personal data, to what to do if you are unsure whether consent exists or are missing the documentation to back it up, as well as how GDPR consent compares to CASL. All very valid questions! As for the answers:


GDPR Documentation for your Database


We’ve covered the topic before, but it’s worth another mention—auditing your database for GDPR compliance may be painstaking and time-consuming, but it is also highly recommended; appropriate documentation is just as necessary as capturing consent. To verify consent, all records in your database should have:

  • opt-in date and timestamp
  • opt-in source
  • opt-in IP address (if available)

For records that are questionable, the rule of thumb is: when in doubt, play it safe. Run a whitelisting (verification) campaign now, so there’s no question regarding if, how or when consent was obtained. No one wants to be fined €20 million or have to stop European marketing operations because of records you thought were compliant but are not.

And just a reminder, track BOTH data consent and email consent, as one does not guarantee the other. Having said that, email consent can constitute data consent if appropriate privacy policies are acknowledged.


Bundling Consent: What to Do and What to Avoid

When using content (such as a white paper) to attract interest, per GDPR, opting in to marketing communications cannot be assumed or bundled with another action. You may, however, include it as a separate action on the same form if your opt-in checkbox is unchecked and not required to download the promoted content asset. And always, ALWAYS link your forms to your privacy policy!


GDPR vs. CASL

As we talk more and more about consent, we’re frequently asked another question: does CASL (Canadian Anti-Spam Law) compliance mean you are also GDPR compliant? Aren’t the two processes for capturing consent very similar? In a word, yes and no (OK, two words). The opt-in process is similar: both consent intake processes should include an unchecked checkbox on the form, capture the date/timestamp, opt-in source and opt-in IP, and link to your privacy policy. If you’re already using this methodology for CASL, you can extend it to your GDPR operations.


However, while both regulations are permission-based, that’s where the similarity ends. We like to think of GDPR as “CASL on steroids”—GDPR extends much further than CASL and with stiffer penalties. GDPR goes beyond permission to email, extending into cookies, data processing and other elements that are not governed under CASL.


See how the two legislations compare on the Perkuto blog.