
Champion Program

19 Posts authored by: Michelle Miles Expert

It’s been one year since GDPR went into effect. What was the impact, what did we learn, and what’s looming ahead?


In the first few months after GDPR went “live,” our headlines were filled with stories of complaints and violations. According to a report by DLA Piper, over 59,000 data breaches were reported in the first eight months of GDPR going into effect, ranging in severity from errant emails to the wrong recipient to major cyber hacks affecting millions. Large, prominent organizations were “easy” targets, often singled out by specific consumer advocacy groups. While many consumer groups want to hate the “villains,” as marketers, we can learn from their vulnerabilities:


  • Netflix, YouTube, Amazon, Apple, and Spotify have reported violations in Austria for failure to provide information regarding how user data is bought and sold.


  • The Irish Data Protection Commissioner is investigating Twitter regarding a breach notification received from the social networking site, examining whether Article 33 was violated. (And if you don’t have your GDPR articles memorized, you must provide notification to users within 72 hours of becoming aware of the breach.)


  • The Dutch Data Protection Agency (DPA) cautioned several organizations who denied visitors access to websites after the visitors refused cookies or declined to provide requested data. Of course, cookie consent and data collection must be specific and freely given; requiring permission to access a website is in violation of the visitor’s free choice.


And while we’re on the subject of the Dutch DPA, the Netherlands is also the first country to release a GDPR fining policy, introducing a scale for less severe violations. Factors that can influence where you fall on the scale include duration of the infringement, number of people involved, how quickly the offending organization reacts, and what type of personal data is involved.


But probably the most notorious GDPR event of the year was news of the first major fine issued to Google, a whopping $50 million by the French CNIL for failure to secure user consent to serve personalized ads.


What should we expect next?

Compliance: The Next Phase

Preparing for compliance was just the beginning; now, it’s about maintaining compliance. As marketers, we’re tasked with continuing to be mindful of data collection and storage practices, amidst ever-changing rules. I like the analogy given by Ruby Zefo, Chief Privacy Officer of Uber: “GDPR is a lot like raising a baby. We waited two years for the GDPR baby to be born, and now that it’s here, we can’t leave it in its high chair to fend for itself.  You still need to take care of it.”


How should you prepare for the next chapter in compliance and data privacy?


  1. Cookie practices. We’ve already seen Marketo take proactive measures related to this area, with the newly announced pre-fill form changes. Previously, Marketo landing pages relied on Munchkin cookies to identify known person records and would pre-fill data based on that cookie, regardless of whether the actual known person was the one viewing the page (think shared computers here). As a security enhancement and to better align with GDPR requirements, form pre-fills will now only display when the known person clicks through from a link in a Marketo email, to confirm the identity of the data.

  2. US privacy legislation. We mostly hear about California’s bill, CCPA, but Hawaii, Massachusetts, New Jersey, Rhode Island, New York, Maryland and most recently, Washington state, all have proposed legislation as well. Requirements for companies include disclosing personal information collected and providing individuals the opportunity to access, correct, and in some cases, delete their information. Additionally, some proposed state legislation obligates organizations to perform risk assessments regarding their data processing activities. For marketers, all this could translate to a state-level data nightmare—a significant plot twist in our novel. Ironically, the US Senate Judiciary Committee held a hearing on March 12—the actual anniversary date of the World Wide Web launching—to “examine GDPR and CCPA, focusing on opt-ins, consumer control, and the impact on competition and innovation.” Of course, much is still to be defined, including whether Federal legislation will preempt state laws, such as CCPA, or set the baseline requirement and allow states to make tighter requirements as they deem appropriate. As our government works through the unknowns, one thing we do know: privacy legislation IS coming to the US and organizations can no longer ignore it.

  3. Privacy policies and subscription management centers. It’s time to revisit your privacy policy to ensure it’s current and accurately reflects how you collect, use and store user data. Additionally, make sure your subscription center allows users to easily manage their preferences, including an opt-out from sharing or selling their personal data, a CCPA requirement.

  4. Best data practices. If you haven’t audited your instance recently, now is a great time to clean up your database and remove outdated, duplicate, incomplete and junk records, which only create unnecessary compliance liabilities for your organization. To assist in the process, download our free 41-point audit checklist.

Marketing Happily Ever After

My best advice for those following the compliance story: don’t take a wait-and-see approach to protecting your data, enabling transparency of data usage or capturing user consent. We’re one year in with GDPR and six months out from CCPA going into effect. As evidenced by the many other state initiatives emerging, data regulation is here to stay and will only gain momentum in the months to come. Those who embrace the new realities will be the companies marketing happily ever after.

“Work it harder,

Make it better,

Do it faster,

Makes us stronger.”


--From “Harder, Better, Faster, Stronger” by Daft Punk


If the Daft Punk lyrics above could double as the mantra for your organization’s MOPS department, you aren’t alone. Today’s marketers are being asked to work harder to deliver better results more quickly than ever before. Why? Because the competitive pressure is intense, meaning that your company not only relies on the strength of your products or services but also on your ability to market them effectively and efficiently. Squeezing out every bit of productivity from your MOPS people and processes isn’t an option; it’s a necessity.


Our consultants have previously shared with you time-saving Marketo hacks--quick “lightbulb moment” tips aimed at helping ensure you’re getting the most out of Marketo. Today, we’re sharing advice on enhancing your MOPS productivity so your team can tackle work more quickly and marketing can deliver on its financial goals.

Tip 1: Get Smart about Smart List Subscriptions


Marketo smart list subscriptions aren’t just good for getting lead reports—they’re also great to use to keep updated about system-related issues that may have an impact on your productivity. You can also set up a subscription to alert you about any other situations you may need to address.


One of the most common use cases is to monitor duplicates. Duplicates can wreak havoc on your system, so being proactive and catching them early is important. Set up a smart list like the one above and turn on a subscription to run each day. This will allow you to get a quick snapshot of any duplicates that have been created, allowing you to take quick action to address the person or process that is creating them.


Other examples:

  • List of leads created and their lifecycle status
  • Lists of leads missing critical info
  • List of high value leads that unsubscribe or are marked invalid.


—Carey Picklesimer, Director of Consulting

Tip 2: Use the Awesome Features in Google Sheets

You want to build and send error-free emails consistently and efficiently. But are you setting yourself up for success every time? If your MOPS team doesn’t have a clear, documented QA process, you’re effectively taking a risk every time one of your marketers hits the send button. By creating a template QA grid for each email send and ensuring that your team fills it out and follows the process, you will improve communication within your team and reduce the chance for any errors.


Here are some specifics on using Google Sheets to make a top-quality QA grid.


Use Checkboxes to Note Finished Elements

Did you know that Google Sheets now has the functionality to add a checkbox? It's a perfect way for the email builder to mark when they are done building each element in the email—and there’s nothing more satisfying for us list-lovers than the feeling of checking off a box to indicate we’re finished.

Employ Data Validation

As a part of the QA check, you can add Data Validation to your Google Sheet to mark each element as Ready for QA, Pass, or Fail. You can add a Questions drop-down and a notes column for the QA person to document their comments.


Some questions that a QA person may ask would be, “should we set up an A/B test?”, or “are you sure that this image is correct?”. The QA person can add to the Notes on Fails column with comments such as, “this sentence is missing a period.” Then, after the email builder makes the fixes, they should note in the Notes on Fixes column that the fixes are done.

Conditional Formatting Shows At-A-Glance Status

Adding conditional formatting allows you to color code your Google Sheet so that you can quickly view the status of your build, at-a-glance. Red indicates QA tasks that have failed; green tasks have passed and yellow tasks are those that have questions.


It is useful to add tabs to your QA grid so that every asset within the program belongs in the same document. For example, you may want to have one tab for the program set up, one for email content, and one for the smart list check. Tweak this to meet your specific needs; the main thing is to keep it consistent.


—Hilary German, Consultant


Get Justin Norris’s third tip for improving your MOPS productivity by changing your approach to marketing operations by reading the rest of this post on the Perkuto blog.

Just when we finished preparing for GDPR, there’s a new player in the consumer privacy game. Call it the lesser-known “little brother” of GDPR—if the California Consumer Privacy Act (CCPA) isn’t yet on your radar, it needs to be soon.


Much like GDPR, CCPA seeks to protect the privacy of consumers by shielding personal information that relates to, describes, is associated with or can be linked to an individual.


Should you be concerned?


The short answer is yes; privacy legislation—even at the state level—should be taken seriously. Like it or not, data security, consumer privacy and compliance aren’t just the new buzzwords, they’re our modern-day marketing realities.


Let’s take a look at what the proposed CCPA legislation includes and where the potential “gotchas” lie.

CCPA - The Basics

For those of you driven by deadlines, get out your calendar and put a big “X” on January 1, 2020, the date CCPA officially goes into effect. Of course, you’ll also need to block out time in the preceding months to prepare your systems and processes for the changes.


Just who does this bill cover? Currently, CCPA is written to cover only California residents (all 40 million of them) but remember, California, the fifth largest economy in the world, was also the initiator of the first unsolicited commercial email law in the United States, which was later adopted as Federal legislation, or the CAN-SPAM Act. No doubt about it, California has a significant influence on the US. Thus, I anticipate that CCPA will also evolve into Federal regulation.


Translation: CCPA will have a bigger impact than its name currently suggests.

Organizations Impacted by CCPA

If you are a for-profit organization that does business in California and meets just one of the following CCPA thresholds, guess what? You are subject to compliance.


The criteria include:

  • Organizations with gross annual revenues of $25 million or more, OR
  • Organizations with more than 50,000 data records from households, persons or devices (if you have a highly-trafficked website and use cookies, your internal alarm should be sounding right about now!), OR
  • Organizations which derive 50% or more of annual income from selling consumer personal information—think beyond the obvious data broker scenario; if you earn half of your revenue from selling products or services which depend on consumer personal information (such as programmatic advertising), then your business could fall into this category, OR
  • Organizations that are owned or controlled by a business that does any of the above.

And remember—these are “or” statements—if you meet any of them, then CCPA applies to you. (Not-for-profit organization reading this post? CCPA doesn’t address your business status, but rather than assume you are exempt, I advise you to consult your legal counsel for clarification on the topic.)
Now that we’ve covered the “when” and “who,” let’s move on to the “what” CCPA protects.

Data Covered Under CCPA

CCPA is about the control, protection, and insight of personal data. In other words, the consumer must be aware—at the point of data collection—that information is being collected, informed as to how the data will be used and then given the option to opt-out from sharing or selling that personal data.
CCPA defines “personal information” as:

  • Name
  • Address
  • Personal identifiers
  • IP address
  • Email address
  • Social security number
  • Driver’s license number
  • Passport number and similar identifiers


Additionally, there are restrictions on collecting data pertaining to class information, personal property, products and services purchased, purchasing history, browsing history, geodata, biometric data, profiling, employment, and education-related data. Basically, if data can be tied back to a person or identifies an individual, it’s considered “personal data” and is protected by CCPA.


Note that personal information does not include publicly-available information from state, federal or local governments, but the caution here is how you intend to use that data and if that purpose is compatible with the other criteria of CCPA.

CCPA Penalties

What’s most ambiguous about this bill (ironically!) are the fines. The penalties for non-compliance are subject to interpretation, both of the law itself and those enforcing it. Let me explain further.


If the California Attorney General’s office deems an organization is out of compliance, they’ll issue a notice and the organization will have 30 days to make corrections. After that, fines are enforceable and can vary greatly, depending on whether the violation is deemed intentional ($2,500/violation) or unintentional ($7,500/violation). What’s ambiguous is “per violation” and whether that refers to “per incident” OR “per record involved”; there are many interpretations and debates on the topic. My advice: watch for updates to the legislation and get your legal team to review the actual language of the bill (or better yet, don’t be out of compliance!).


Also included in CCPA is mention of civil damages, payable to the consumer. These fees can range from $100-$750/impacted consumer OR actual damages, whichever amount is greater. But wait—there’s more. CCPA also enables consumers to file lawsuits without showing proof of damages. The bottom line: between the financial penalties, time spent dealing with legal proceedings and potential harm to a brand’s reputation, not complying with the requirements of CCPA could be very costly.


In the upcoming weeks, I’ll go deeper into the legislation and the impact on your daily operations. In the meantime, I suggest rallying your legal team for round two of privacy legislation. While we will likely see further refinements to CCPA, the principles of it are here to stay.


This article was originally published on Perkuto’s blog. Read it as it originally appeared and/or subscribe to our blog to receive future posts.

It’s happened to all of us who use Marketo. We’ve gone through the training, we work in the platform and we feel like we have a pretty good grasp on the most effective way to handle campaigns. And then one day, a colleague comes along and says, “Hmmm, why are you doing it that way? You should just do it like this!”


And in that aha moment, we’re working smarter, not harder. That one little tip that seems so common sense to our coworker or colleague can completely transform the way we tackle a task in Marketo. Insights like these can save us valuable time and stress.


So what are some of the best Marketo hacks--the best ways to save time and use Marketo more effectively? Here are some suggestions to get you started, and I welcome your contributions as well!


  1. If you have a webinar or event with multiple emails in support of it (such as several invite emails), use Email Send channel emails within the program. These can act as nested programs and allow you to have program level tokens (such as event details and description), as well as email program tokens, such as custom tokens that might change within each specific email, such as tracking links.

  2. Include the form embed code within the form name. If the form embed code is 1590, name the form ‘CONTACT-FORM-1590.’

  3. Here’s a great tip from the Perkuto email editor guide about pasting content that will save a lot of time. When copying and pasting content into your email, simply use [SHIFT+CTRL+V] on a PC or [SHIFT+CMD+V] on a Mac to get perfect results.

  4. One of the most efficient ways to cut down on build time of a program that remains pretty consistent from month-to-month is creating a folder in your Marketing Activities and building a program template for each type of program you build on a frequent basis—whether that’s a newsletter, webinar, or live event. On top of that, and to really increase efficiency, you can add program level My Tokens that can include anything from an email address all the way to email body copy. Editing these at the program level in a My Token allows you to edit everything in one place and never really have to worry about going directly into the asset itself to edit.

  5. Use snippets and tokens in your emails. Snippets make great footers! And remember to always check the text version, too--that goes for both the emails and the snippet.

  6. Include tokens in your scoring campaigns.

  7. Having a master email template with a large range of modules that you can turn into multiple smaller templates saves you time and helps streamline templates.

  8. If you edit an email template or landing page template and you need to update existing emails or landing pages associated with the template, go into Design Studio, click on "emails" or "landing pages," sort the list from A-Z for templates, and find the template you edited. Click to select the email or landing page row, hold shift and click to highlight all the emails or landing pages associated with the template, and click approve to mass approve landing pages or emails.

  9. If you ever need to check the status of the Marketo-SFDC integration, this "backdoor" Marketo link can be a lifesaver! All you need to do is replace the character(s) after app-sj with characters unique to your instance, for example []

  10. Before building reports in Marketo or Bizible, it’s essential to be crystal clear on your goals, the questions you’re trying to answer or the problems you’re attempting to solve. What story do you want to tell? What decisions will be made as a result? Too often these fundamentals are poorly thought out, ending in frustration and incremental time spent on generating new reports.

Is there a Marketo tip or hack that has saved you time (or saved your sanity)? By all means, please share in the comments! And if you’re interested in the Email Editor 2.0 Guide referenced in one of the tips, you may download a free copy on Perkuto’s website.

Just when you thought the topic of GDPR might settle down, it’s still hot news. A little more than a month after the enforcement date, big names are reported for compliance violations, major US publishers block European visitors, and data privacy measures get a little closer to home.

Forced Consent Complaints

It wasn’t much past midnight on GDPR’s official enforcement date when the first complaints were filed. Apparently, tech giants make for easy targets with a slew of complaints filed against Google and Facebook, claiming forced consent. In other words, both platforms require users to give “all or nothing” consent in order to use their respective software vs. parsing data consent areas and allowing users to provide individual consent for each use. Similar complaints have since been filed against Apple, Amazon and LinkedIn. Are the violations legitimate? All are still pending; no resolution or fines have been assessed.

Blocked Media Sites

Some major US publishers have taken a different route to GDPR compliance by blocking EU visitors entirely. The Los Angeles Times and the Chicago Tribune are two of the bigger media companies blocking EU visitors due to non-compliance of ad targeting practices. Other publishers, including USA Today, are displaying non-targeted ads, while Meredith and The Washington Post have started asking visitors to accept new site terms to view their sites, including an upsell ad-free option. Publishers—particularly The Los Angeles Times—need to get this figured out as the data privacy landscape is about to get even more complicated.

The Golden State Adopts GDPR-Like Legislation

Barely one month after GDPR went into effect, California Governor Jerry Brown signed The California Consumer Privacy Act, aimed at protecting the data privacy rights of California residents. Much like GDPR, California’s act seeks to give consumers more control over personal data usage, including the right to know how data will be used, what data is being collected and sold, and the right for complete data deletion. The bill, still in early stages, will likely be amended before the enforcement date of January 1, 2020. And if you think this is just hype or California making noise, keep in mind California was the initiator of anti-spam email statutes, later to be replaced by the federal legislation we now know as the CAN-SPAM Act. Privacy legislation is coming to the United States—be prepared!

GDPR—Still on the Radar

In just the first month of enforcement, we’ve seen complaints filed, organizations suspending service to Europeans, and copy-cat legislation emerge. The bottom line in all of this is, best data practices need to be our baseline standard. GDPR’s enforcement date is just the beginning; taking proactive measures now will ensure you’re prepared for new legislation, without interruption to your business operations. Recommended reading:


How to Avoid a €20 Mistake with your Data: Tips for ensuring your database is clean, junk records removed, and country data normalized.


Requirements for Consent – What You Need to Know: Understand what GDPR requires for consent plus how it compares to CASL requirements.


And of course, leave your comments below and together, we’ll support each other through another round of compliance preparations.



As originally published on the Perkuto blog.

Years in the making, months of blogging and it’s finally here: GDPR becomes officially enforceable in a matter of hours. Are you ready?


If not, here are a few quick pointers and resources to assist in your efforts.



The topic of consent is easily the most discussed. Key points:


Explicit permission is required; implied consent no longer qualifies.  If you are claiming legitimate interest, consult your legal team first.


Documentation is just as necessary as capturing consent.  All EU records in your database should have:

  • Opt-in date and timestamp
  • Opt-in source
  • Opt-in IP address (if available)


Remember, you can’t “buy” consent.  In other words, you cannot make consent a requirement to downloading a promoted white paper.  You CAN include a consent option on your form as an unchecked checkbox.


Be sure to link all your forms and communications to your privacy policy. Let your privacy policy do the heavy lifting, meaning it should contain all the details about data usage, storage, and protection.


Transparency in Data Usage


Under GDPR, lead scoring is considered user profiling, which now requires user consent. The same thing with any other propensity to purchase calculations—if you are using this to schedule follow-up sales calls, you must have permission to use an individual’s data in this capacity.


Data enhancements must also be declared, and past data audited. If you are enriching your data from a third party source, you need to state the origin and purpose.  Also think about where in the cycle your enrichment occurs, to avoid paying for enhancement if you do not have permission to retain records in your database or if data is kept for a limited period. (Ex: event reminders)


Munchkin code / Cookies

GDPR changes how we can use cookies but does not entirely rule it out. Cookie usage must be declared; “by using this website you agree…” messages no longer comply.  Visitors must be given the option to accept or decline cookie tracking.  If they refuse, then you have no choice but to disable cookies.


Just a reminder too, you will most likely need to change your setting that loads Munchkin code as this is a departure from the current Do Not Track legislation.


Adjustments you’ll need to make:

  • Turn on ‘Do Not Track’ Settings in Marketo Admin
  • Post a Cookie Policy
  • Evaluate API Cookie Management Platforms - this will become more important with upcoming EU ePrivacy Directive legislation, which has different requirements for various types of cookies.

For more information, see the Marketo Dev site for details on configuring Munchkin code settings.


Preference Center

You will need to build a preference center to process the requests from individuals exercising their GDPR rights.


These rights include:

  • Opt-in and unsubscribes
  • Data exports and transfers
  • Data breach notifications
  • Policy requests
  • Data erasure (AKA “the right to be forgotten”)



Marketing messages and analytics will change. Between consent for cookies (which may limit the behavioral data you have to score from) and the right to be forgotten, many of us are concerned that we won’t be able to track marketing performance and customer journeys for our websites accurately. In all honesty, your internal KPIs and goals will need adjustment. Make sure you know all of your April numbers and conversion rates so that you can see how to reset your goals to account for GDPR changes.


For other marketing ideas and tips, download our free GDPR Toolkit, loaded with helpful information and practical resources, including:

  • GDPR Marketing Communications LookBook- creative suggestions and visual examples for post-GDPR marketing.
  • A recording of my Marketo Summit presentation, Fearless Marketing in a GDPR World, which includes screenshots of how to set-up a preference center and data rights flow in Marketo.
  • GDPR FAQ eBook: Legal Questions. Straightforward Answers.
  • The Marketo Client’s Guide to GDPR Compliance
  • GDPR Data Processor Compliance Assessment




Stay informed


GDPR is just beginning, updates (and fines!) are sure to follow.  Learn from the missteps of other companies and adjust as grey areas are clarified—to stay informed on GDPR news, decisions and enforcement updates, subscribe to the ICO RSS feed:



GDPR is here; it’s not the end but only the beginning.  Are you ready?

The GDPR compliance deadline is looming…have you prepared for the different data rights scenarios in your database?




It is likely that within your database, you’ll have varying levels of data processing rights. Common scenarios you’ll need to account for in your data rights center Marketo program:


  • Personal data to maintain and use - this encompasses both consent & legitimate interest.
  • Personal data to use for a limited time period, such as access to a webinar or event.
  • Personal data to maintain and use for limited purposes, such as only for transactional or account communications, and not for marketing messages or scoring.
  • Lapse in consent or legitimate interest. This could be time or action based.
  • Offline consent given, perhaps from direct mail, a live event, a phone conversation or a personal meeting.


There are many options and your data rights center needs to accommodate all the scenarios.


Building a Data Rights Center




Just as you have a subscription center in Marketo, you’ll also want to build out a data rights center, detailing the rights you have to retain and process data, encompassing the scenarios previously mentioned.


To do this, there are a number of fields I find helpful and useful to retain:


  • Most recent activity date, most recent activity detail - important for supporting the “as long as necessary” data storage clause


  • GDPR data rights (Y/N) plus rights DateTimestamp - again supporting the “as long as necessary” clause


  • GDPR data rights source and notes - good for recordkeeping and using in smart list filters to limit processing, or define your audience for WTD nurtures, whitelisting, or data deletion.


If this sounds like a lot, it is. But remember, GDPR loves documentation!  If you’re ever subject to a compliance inquiry, you’ll be in a better position by having a complete data trail.


Data Rights Campaigns


[Image: Screen Shot 3.png]


In the example above, these fields are populated if you have full data consent acquired with opt-in email consent. You would use something like this flow for populating fields with either consent or legitimate interest.


When setting up the smart list, remember, email consent CAN constitute data consent. And if you are claiming legitimate interest, be sure to consult with your legal team first. If going this route, you would set up a similar smart campaign for legitimate interest as defined with legal, such as legitimate interest via sales activity or an active contract.


In the data flow, populate each of the fields outlined. In this example, the data rights source is populated with the email opt-in source description. Then in the notes, categorize this as “opt in email consent.” It’s useful to have different fields for source and notes as the source could explain why you have legitimate interest or where consent came from. You can then populate your notes section with common phrases you can use in filters, such as “limited processing consent - no scoring” or “retain for 30 days only”. This helps adapt to the various data rights scenarios.

When establishing rights lapses, timestamps are important: review the consent date and most recent engagement. You might discover it’s time to send a whitelisting or wake the dead nurture to these records! If consent or legitimate interest does lapse, you’ll need campaigns to properly process the records, either deleting or marketing suspending them as appropriate.


Building a Preference Center to Manage Individual GDPR Rights




Finally, you’ll also want to build a Preference Center to automate how you’ll process requests from consumers exercising their individual GDPR rights, including:


  • Opt-in and unsubscribes
  • Data exports and transfers
  • Data breach notification
  • Policy requests
  • Data erasure



Want more actionable tips plus other helpful GDPR resources? 


Download our Ultimate GDPR Toolkit, which contains:


  • The on-demand recording of my Marketo Summit breakout session, “Fearless Marketing in a GDPR World: Tips to Thrive Amidst New Regulations.”
  • Our new GDPR LookBook, chock full of creative suggestions and visual examples for post-GDPR marketing
  • The Marketo Client’s Guide to GDPR Compliance Whitepaper
  • GDPR FAQ eBook: Legal Questions. Straightforward Answers.
  • GDPR Data Processor Compliance Assessment


Get your copy; it’s free!

What a difference a day makes. In just 24 hours, the course of business can radically change. Two examples come immediately to mind, one from recent headlines and the other, (of course!) the looming GDPR deadline.


March 16, 2018: A dark day for social media as news spread worldwide about Facebook’s illegal data harvesting practices. As a result of the scandal, the social media giant’s market value dropped by $80 billion and negatively impacted stock for other social media leaders, including YouTube, Google and Twitter. One day. An $80 billion difference.


May 25, 2018: The date many marketers have circled on their calendars—the day GDPR becomes enforceable. Lots of changes are coming our way, including how we collect, use and store data. And here again, the impact of 24 hours is significant. More precisely, from May 24 to May 25, your previous marketing practices could cost you €20 million or 4% of your global revenues, if you don’t make appropriate adjustments. Lead scoring and data enhancements—get ready for a very different landscape. Leveraging content to capture data? Better rethink that one, too. GDPR is unavoidable but you can proactively prepare.


What’s the most common question marketers are asking as they get ready for GDPR? Get the answer and a few helpful tips in this short video.


Carpe GDPR

Some disruptors are out of our control—GDPR is happening, whether we like it or not. But how you prepare for it can change your business outcome, which brings me to another significant day.


April 30, 2018: Join me for peer-to-peer GDPR learning opportunities at Marketo Summit. It starts at 11:30 with my breakout session “Fearless Marketing in a GDPR World: Tips to Thrive Amidst New Regulations” immediately followed by a GDPR meet-up in the Moscone South Hall during lunch. This will be an excellent opportunity to build your GDPR support network, share your frustrations, ask your questions and get clarity on GDPR’s confusing requirements. Pre-registration for the breakout session is encouraged as I’m told it will be standing room only. And if you’re not yet registered for Summit, we’ve got you covered. Register with our VIP code, Perkuto 300, to save $300 off a full conference pass.


Marketo Summit is just days away—seize the opportunity to prepare yourself for GDPR, learn more about Marketo and meet the Perkuto team. I hope to see you there!


You can find a GDPR Resource Center with all of my GDPR content on the Perkuto site here.

We’re in the final stretch with the GDPR compliance deadline looming ahead. “Are you Ready for GDPR?” is still the question of the day, and the topic of an upcoming webinar that I’ll be presenting in partnership with Marketo and Uberflip. I’ll be teaming up with Marketo’s Sr. Director of EMEA Marketing Peter Bell and Uberflip’s Director of Revenue Marketing Tara Robertson to help marketers understand what’s required for compliance, discuss the topic of “consent” and explore the implications of GDPR on your operations and the systems you use every day. This free presentation runs live on April 4 at 11:00 am EDT and we’d love for you to join us. Additionally, get a sneak preview of what we’ll be covering on Uberflip’s blog where Tara and I have a conversation about consent, data collection and the always popular question: is there any workaround to GDPR? Check it out, and, don’t forget to sign up for the webinar!

For those of you who need a little GDPR comic relief, check out the latest Perkuto blog post—we’ve scoured Twitter to find creative tweets from around the world about the angst of preparing for GDPR. If nothing else, it will make you smile.

Just when you thought GDPR was confusing enough, enter the topic of “legitimate interest.” Many of you have asked about it, wondering if you can bypass obtaining express consent opting for legitimate interest instead.


I can almost hear the glimmer of hope in your voice as you ask...could legitimate interest be my saving grace for updating permission requirements? Has GDPR provided organizations like mine with an escape clause? Approach with caution here. If you’re considering skipping express consent and claiming the GDPR provision for legitimate interest, you first must understand what legitimate interest entails and when you can use it. 


From Article 6(1) of GDPR, legitimate interest can be used to process records if:


  A. Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
  B. Processing is necessary for compliance with a legal obligation
  C. Processing is necessary to protect the vital interests of a data subject or another person
  D. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  E. Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject. (ex: if the data subject is a child)


Clear as mud, right? Many marketers think they’ve found a loophole to collecting explicit consent with option A, the first clause. So is it? No—but it is a common misconception about GDPR and one that can get you into a whole lot of trouble.


Legitimate Interest Pie


Let’s look at a hypothetical situation when legitimate interest can be used. Say you are shopping online—maybe ordering a pizza. Rather than create an account, you opt to check out as a guest and only provide the necessary information to get your pepperoni pie delivered to your doorstep, or in this case, your name and delivery address plus payment information. Does the pizza place have legitimate cause to process your data? Yes, absolutely. Can they continue to communicate with you and send you pizza promotions for future orders? No, because they don’t have your consent. Legitimate interest in this example only applies to processing your order; it is not permission to use your information for any other purpose.


I also hear marketers attempting to justify legitimate interest with clause E, claiming they have a legitimate interest in marketing their products. So let’s get another opinion. The UK Information Commissioner’s Office (ICO) asserts that: “[Legitimate interest] is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.”


In other words, I expect Joe’s Pizza to deliver my pizza (hot, please) so therefore I also expect Joe’s Pizza to process my order and charge my credit card. But that’s where my expectation ends—so if Joe’s Pizza started sending me special promotions, sold my data to another company, or began tracking my pizza purchases for their rewards program, they would be using my data in ways that I would not reasonably expect, and that would have more than a minimal impact on my privacy. The ICO addresses this scenario, saying if the customer “would not reasonably expect the processing or if it would cause unjustified harm, their interests are likely to override your legitimate interests.” Did you catch that? “Their interests override…” In other words, if you use the customer’s data in an unexpected way or a way that goes beyond your initial reason for gaining access to it, the GDPR supervisory authorities will likely take a big slice of your financial “pie,” which as we all know can add up to a lot of dough!


Legitimate Checklist (because who doesn’t love a good checklist?)

Still thinking about taking the legitimate interest route? The ICO offers a checklist before you consider opting to claim legitimate interest. And as you know, we like checklists, so we thought it appropriate to share this one—you’ll find the checklist and the rest of this article on Perkuto’s blog.

For those of you who missed our recent webinar, “Fearless Marketing Strategies for a GDPR World,” you missed a good discussion. The most popular topic of the day was “consent.” We had many questions regarding GDPR compliance requirements—everything from permission to retain personal data, to what to do if you are unsure if consent exists or are missing the documentation to back it up, as well as how GDPR consent compares to CASL. All very valid questions! As for the answers:


GDPR Documentation for your Database


We’ve covered the topic before, but it’s worth another mention—auditing your database for GDPR compliance may be painstaking and time-consuming but it is also highly recommended; appropriate documentation is just as necessary as capturing consent. To verify consent, all records in your database should have:

  • opt-in date and timestamp
  • opt-in source
  • opt-in IP address (if available)


For records that are questionable, better safe than in doubt is the rule of thumb. Run a whitelisting (verification) campaign now, so there’s no question regarding if, how or when consent was obtained. No one wants to be fined €20 million or stop European marketing operations due to records you thought were compliant but are not.


And just a reminder, track BOTH data consent and email consent as one does not guarantee the other. Having said that, email consent can constitute data consent, if appropriate privacy policies are acknowledged.


Bundling Consent: What to Do and What to Avoid


When using content (such as a white paper) to attract interest, per GDPR, opting-in to marketing communications cannot be assumed or bundled with another action. You may, however, include it as a separate action on the same form if your opt-in checkbox is unchecked and not required to download the promoted content asset. And always ALWAYS link your forms to your privacy policy!




As we talk more and more about consent, we’re frequently asked another question: does CASL (Canadian Anti-Spam Law) compliance mean you are also GDPR compliant? Aren’t the two processes for capturing consent very similar? In a word, yes and no. (OK, two words.) The opt-in process is similar, as both consent intake processes should include an unchecked checkbox on a form, capture of the date/timestamp, opt-in source and opt-in IP, and a link to your privacy policy. If you’re already using this methodology for CASL, you can extend it to your GDPR operations.


However, while both regulations are permission-based, that’s where the similarity ends. We like to think of GDPR as “CASL on steroids”—GDPR extends much further than CASL and with stiffer penalties. GDPR goes beyond permission to email, extending into cookies, data processing and other elements that are not governed under CASL.


See how the two legislations compare on the Perkuto blog.

From your comments, emails and phone calls, I think marketers are in need of a little GDPR TLC right about now. Trust me, I’m right there with you. Preparing for GDPR is not an insignificant undertaking, and when coupled with the responsibilities of your “day job” it can be an overwhelming load. In my ongoing effort to help and encourage my fellow marketers, I offer you a little Chicken Soup for the GDPR Soul.

GDPR Words of Wisdom

Eat a live frog first thing in the morning and nothing worse will happen to you the rest of the day. – Mark Twain, author

Perspective is everything, isn’t it? Surely, when Mark Twain made this statement, he was directing his comments to marketers feeling the stress of GDPR—get the task you’re dreading most done first. If you’re just starting out in your GDPR compliance journey, I recommend your first frog is a pre-preparation assessment of your database. This includes taking inventory of records that have (and don’t have) normalized country data attached to them, noting the quantity and compliance status of EU records in your database, and assessing the viability of questionable records. If you’re further along in your GDPR preparations, Twain also has advice for your situation: “If it’s your job to eat two frogs, eat the biggest one first.”  Little did we know, GDPR would be an all-you-can-eat frog buffet!

Go to bed smarter than when you woke up. – Charlie Munger, vice chairman, Berkshire Hathaway

Whether GDPR is keeping you up at night or you’re actually able to get some rest, the point of this quote is spot-on: gain as much wisdom as you can about GDPR. Read. Listen to podcasts. Attend a webinar. And speaking of webinars, be sure to register for our free presentation, “Fearless Marketing Strategies for a GDPR World.” We’ll be covering hot topics such as consent and what it means for your marketing communications, plus the impact of GDPR on common technologies like cookie usage and lead scoring. GDPR language is ambiguous and confusing; the worst thing you can do is stick your head in the sand and rely on what you think you know. Stay informed, seek out learning opportunities and ask questions along the way. Register for our webinar now.

No wise pilot, no matter how great his talent and experience, fails to use his checklist. – Charlie Munger, vice chairman, Berkshire Hathaway

With stress often comes decreases in productivity and efficiency. Checklists help keep you focused, ensure you don’t forget details, and give you a sense of accomplishment as you mark items as complete. If you haven’t already, put together a GDPR readiness checklist or use ours. Note: the checklist below is a small part of a much larger GDPR checklist, which you can access—along with much more GDPR information—by downloading our free whitepaper, “A Marketo Client’s Guide to GDPR Compliance.”

Database Audit Checklist


  • Are EU records present?
  • Examine current opt-in sources to determine compliance (or if an opt-in campaign before the GDPR deadline is necessary)
  • Evaluate information stored in the lead/contact objects vs. the account object and amount of information populated
  • Determine the degree of missing country information and if it’s normalized
  • Create marketable records segmentation and inactive smart lists to assess data quality
  • Determine the age of records; flag those outside of your defined period for record retention
  • Segment the database based on current compliance status of records
  • Determine if your database contains records of youth under the age of 16 (age 13 in the UK)


Additional GDPR Resource and Support

The best thing a human being can do is to help another human being know more. – Charlie Munger, vice chairman, Berkshire Hathaway

There’s no doubt that Charlie Munger is a smart guy—after all, he’s Warren Buffett’s partner.  And when it comes to sharing knowledge, we couldn’t agree with him more. Perkuto exists to help CMOs succeed—with that in mind, we’ve put together a comprehensive package of resources to support you in your GDPR preparations:


When it comes to GDPR, our motto is “Prepare thoroughly. Market fearlessly.” Let us know how we can help you.


Read the full post on the Perkuto Blog.

At some point in our careers, we've all had a data mishap. A colleague recently shared a direct mail promotion he received from a high-end jeweler. The headline read, "KEVIN, this Valentine's day, give LESLEY the gift she really wants," along with an image of a beautiful diamond necklace. The only problem—Kevin and Lesley are brother and sister. (And yes, they were horrified at the jeweler's suggestion.) Was the jeweler trying to promote sibling love? Doubtful. More likely: Major. Data. Fail.


Obviously, this example is variable data gone wrong, either mismatched data points, misinterpreted data relationships or just plain bad data. But whatever the reason, with GDPR just around the corner, it's crucial that your data is in order. Understanding who's in your database, as well as the age and viability of each record, is a foundational piece of GDPR prep. Think of it this way: retaining junk data is a liability for you. Why risk costly fines due to keeping questionable records?


What's Lurking in your Data Pool?


Over time, junk records creep into your files and weigh down your performance metrics, create potential marketing disasters and set you up for GDPR problems. Time to scrub the pool! The best way to identify junk data and gain more insight into the composition of your database is by creating a marketable records segmentation. Any groups regularly suppressed should be pulled into this segmentation. What should you be looking for?


Inactive Records: Since GDPR stipulates not retaining data longer than necessary, flag outdated records or, in the absence of a defined expiration date, those that have not opened or clicked on an email or have not visited a webpage in the last 12 months. We’ll try to reactivate these names—more on that topic in a minute.


Disqualified Records: Be on the lookout for trash and disqualified records especially, usually corresponding to a lifecycle stage of trash or disqualified and including names rejected by sales.


Role Accounts: These are email addresses for a specific role that don't have a human associated with them. Under GDPR, such records are not considered "personal data" but since they don't benefit sales, remove them. To do so, include a filter for email that starts with and contains descriptors such as news@, administrator@, unsubscribe@, customerservice@, webmaster@ and info@.


Junk Domains/Data: Just as the name suggests, these bogus domains include data strings such as "ABC," "XYZ," swear words and email addresses without an @ symbol. Dump the junk!

Undesirable Personas: Examples include students, retirees, and maybe the media. If not a viable lead, they are not worth the potential risk of retaining.


Country Data: Run a query to determine if all records have normalized country information. Flag those that do not or are missing country data altogether.


Opt-In Sources: Is consent GDPR compliant? Do you have proper record-keeping to back that up? Create a separate segmentation based on current compliance status and deploy a whitelisting campaign for records compliant with current EU Directive legislation that may fall short of GDPR standards. Remember, this may include records that have consent, but the consent is dated.
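The audit categories above, together with the consent documentation fields listed earlier (opt-in date, source, IP), can be prototyped on a database export before building the smart lists. This Python sketch is an added example, not code from the post or from Marketo; the field names, junk tokens, normalized-country list and sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Role prefixes are the ones listed in the post; everything else here is an
# assumption for this example (field names, junk tokens, country list).
ROLE_PREFIXES = ("news@", "administrator@", "unsubscribe@",
                 "customerservice@", "webmaster@", "info@")
JUNK_TOKENS = {"abc", "xyz"}
DISQUALIFIED_STAGES = {"trash", "disqualified"}
NORMALIZED_COUNTRIES = {"France", "Germany", "Netherlands", "Canada"}
INACTIVITY_WINDOW = timedelta(days=365)  # "the last 12 months"


def is_junk(email):
    """No single @ symbol, or a placeholder string as local part or domain label."""
    if email.count("@") != 1:
        return True
    local, domain = email.lower().split("@")
    return (not local or not domain
            or local in JUNK_TOKENS or domain.split(".")[0] in JUNK_TOKENS)


def classify(record, today):
    """Return the audit flags for one record, in a fixed order."""
    flags = []
    email = (record.get("email") or "").strip()
    if is_junk(email):
        flags.append("junk")
    elif email.lower().startswith(ROLE_PREFIXES):
        flags.append("role_account")
    if (record.get("lifecycle_stage") or "").lower() in DISQUALIFIED_STAGES:
        flags.append("disqualified")
    last = record.get("last_activity")
    if last is None or today - last > INACTIVITY_WINDOW:
        flags.append("inactive")
    country = record.get("country")
    if not country:
        flags.append("country_missing")
    elif country not in NORMALIZED_COUNTRIES:
        flags.append("country_not_normalized")
    # Opt-in IP is kept "if available", so only date and source are required.
    if not record.get("opt_in_date") or not record.get("opt_in_source"):
        flags.append("consent_undocumented")
    return flags


def segment(records, today):
    """Group record emails by flag; unflagged records land in 'marketable'."""
    buckets = {}
    for rec in records:
        for flag in classify(rec, today) or ["marketable"]:
            buckets.setdefault(flag, []).append(rec["email"])
    return buckets


# Constructed sample export (reserved example domains and documentation IPs).
TODAY = datetime(2018, 5, 1)
SAMPLE = [
    {"email": "anna@example.com", "country": "France", "lifecycle_stage": "lead",
     "last_activity": datetime(2018, 3, 10), "opt_in_ip": "192.0.2.10",
     "opt_in_date": datetime(2017, 11, 2, 9, 15), "opt_in_source": "webinar form"},
    {"email": "info@example.org", "country": "Germany", "lifecycle_stage": "lead",
     "last_activity": datetime(2018, 4, 1), "opt_in_ip": None,
     "opt_in_date": datetime(2018, 1, 5, 14, 0), "opt_in_source": "contact form"},
    {"email": "bob-at-example.com", "country": "", "lifecycle_stage": "lead",
     "last_activity": None, "opt_in_date": None, "opt_in_source": None},
    {"email": "carl@xyz", "country": "FR", "lifecycle_stage": "Disqualified",
     "last_activity": datetime(2016, 6, 1), "opt_in_source": None,
     "opt_in_date": datetime(2016, 5, 20, 8, 30)},
    {"email": "dana@example.net", "country": "Netherlands", "lifecycle_stage": "lead",
     "last_activity": datetime(2017, 1, 15), "opt_in_ip": "198.51.100.7",
     "opt_in_date": datetime(2016, 12, 1, 10, 0), "opt_in_source": "newsletter form"},
]

if __name__ == "__main__":
    for flag, emails in sorted(segment(SAMPLE, TODAY).items()):
        print(f"{flag:24} {emails}")
```

Records carrying more than one flag appear in several buckets, which mirrors how overlapping suppression lists behave; decide the processing order (delete, suspend, or whitelist) per bucket with your legal team.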


Preserving Potentially Viable Records


OK! You've done some cleaning on your database; now it's time to look at the questionable and non-compliant records to retain as many as possible before GDPR goes into effect. Campaigns you'll want to run sooner rather than later include:


Read the full post on the Perkuto Blog.

Preparing for GDPR: It's Not Marketing's Job...or Is It?


“GDPR:” you’ve heard the term repeatedly and know you ought to deal with it. But you’re also wondering, does the responsibility for GDPR readiness really belong to marketing? Isn’t this more of an IT thing? Besides, you’ve got other, more pressing tasks…good grief!


Good GDPR grief that is, and all the mental agony that comes along with it. If you’re like most marketers, you’re probably experiencing what we call, “The Five Stages of GDPR Grief” when it comes to navigating GDPR preparedness.

Any of this sound familiar?


The Five Stages of GDPR Grief


Stage 1: Denial.

You don’t believe you need to worry about GDPR. After all, you survived CASL, CAN-SPAM, and the US Do Not Call regulation. GDPR…no big deal, right?


Stage 2: Anger.

GDPR keeps creeping into your news feed; the topic just won’t go away. You’re annoyed—even angry—at the thought that it might actually be your job to figure out GDPR requirements and steer your team through compliance preparations. Not exactly what you envisioned for your career in marketing.


Stage 3: Bargaining.

You begin rationalizing that you are too busy, that your main priority is driving revenue and supporting business growth. GDPR sounds like a major “squirrel” (distraction), so you begin bargaining with others in your company to take on the task. Case of beer in hand, you approach your colleagues, “Hey…so how’s my FAVORITE IT team…”


Stage 4: Depression.

You realize you’re stuck with the task and begin reading through dry, incomprehensible pages of legalese filled with seemingly conflicting advice. To say you’re bored to tears is an understatement. Is it 5:00 yet?


Stage 5: Acceptance.

You’ve come to grips that GDPR preparation is your responsibility; you’ve accepted that marketing with different rules is the new reality for 2018. Realizing there are many adjustments and changes you must make to your processes, you begin seeking out resources to help your team. But now what?


The Path to GDPR Compliance

We get it. We understand you’re busy and have many responsibilities in your “day job,” none of which include becoming a GDPR expert. That’s why we’ve created a free downloadable resource, “The Marketo Client’s Guide to GDPR Compliance.”


Written by the Perkuto team, this guide will help you understand GDPR from start to finish. You’ll learn about data transparency, storage and security requirements of this massive legislation plus some of the lesser-known nuances that impact your marketing strategies. We’ll help make sense of the requirements for compliance and outline the consequences for not meeting them. We’ll show you the steps you need to take to prepare for GDPR and (shameless plug) provide an alternative should you decide to let GDPR experts handle it instead.


From Intimidated to Fearless

Feel like you already have a good grasp on GDPR basics? Take your knowledge to the next level by attending our complimentary webinar on March 1, Fearless Marketing Strategies for a GDPR World.

In this interactive presentation, I’ll discuss the impact of GDPR on the marketing technology we use every day, including cookie usage, subscription management and lead scoring practices. Learn what campaigns you should be running now, how your communications must change once GDPR goes into effect, and ask questions specific to your situation at the end of the presentation.  Registration is free, but early registration is recommended as space is limited. Registration also guarantees you will receive a link to the presentation recording and slides, even if you’re unable to attend the live webinar.


In Good Company

When it comes to GDPR, we feel your pain, really. Remember, we’re marketers too! And from one marketer to another, we’re ready to turn your wounds into wisdom— download the Perkuto complimentary GDPR Compliance Guide and then register for the Perkuto free Fearless Marketing webinar.




As Published on the Perkuto Blog

“Vast.” The dictionary definition is “very great in size, amount, degree, intensity, or especially in extent or range.” (Merriam-Webster) It’s a word you’ll hear often in GDPR discussions, and it is an accurate description. In fact, there are 99 articles in the GDPR, each stipulating new parameters and expectations for data transparency, accountability, storage, and security. In our prior posts, we’ve highlighted many of these areas, discussing changes to your backend operations, marketing strategies, external partners and provided a graphic overview with our GDPR infographic.


As much as GDPR covers, it also raises an equal number of questions.  Many of GDPR’s articles use ambiguous language leaving marketers scratching their heads, and lawyers busy providing clarification. For this reason, we’ve compiled a list of some of the more frequently asked questions and a few of the lesser-known answers, as discussed with our legal team.


GDPR – Who?

Q: Does GDPR apply only to EU citizens?


A: No. GDPR applies to EU residents, regardless of citizenship. An American living in the EU for three months qualifies for GDPR protection. If your business (B2B or B2C) markets to, does business with, or simply stores or processes the personal or business information of EU residents, you are subject to GDPR requirements regardless of your business’s location.


Definition of Personal Data

Q: What is considered “personal” data?  Is B2B information exempt?


A: Generic emails, such as “info@,” “contact@” are not personal addresses so do not count as personal data. All personal (individual) data, whether B2B or B2C, is covered under GDPR. This includes any business information that makes someone personally identifiable, such as their business email address.


Limits for Storing Data

Q: How do we define the duration of storing data? What constitutes “as long as necessary?”


A: That depends on the purpose of the data. Where a contractual agreement exists (ex: I am buying on Amazon), personal data may be retained as long as the contract runs (or in our Amazon example, as long as I am willing to keep my Amazon account, which is mandatory to purchase on their site). If the data subject is not a customer, then three years after the last contact is a reasonable period, per the French CNIL. It is the Data Controller’s responsibility to set the limit on data retention and this should be specified in your privacy policy. Be careful not to run wake the dead nurture campaigns on opt-ins that have exceeded the stated time frame.


Bundled Consent

Q: Can you bundle consent to receive future communications with other actions, such as a whitepaper download?


A: No. Consent is an independent action from a marketing action and your consent language needs to be clear. You can include an opt-in option to receive additional information on your form with an unchecked checkbox; just make sure the checkbox is not required to submit the form. And be sure to include a link to your privacy policy on all forms. See an example of a GDPR compliant opt-in form.


Cookie Law

Q: Does GDPR have any ramifications for EU Cookie laws or is ‘Do Not Track’ still in effect?


A: Yes, ...


Read the full post on the Perkuto Blog.
