7 Replies Latest reply on May 21, 2018 7:20 AM by Vineela Maram

    GDPR Example and questions

    Patrick Cash

      Hi Nation!

       

      Like most marketers, we are trying to ensure we are in compliance with GDPR. I keep reading that GDPR compliance needs to come in the form of an unchecked checkbox on forms to show 'explicit consent'. However, I have yet to see this in practice. Below is an example landing page from Salesforce. As you can see, when you select an EU country (France for example), they offer a checkbox to opt into email marketing, but the GDPR disclaimer simply states that by completing the form and submitting, you are giving consent to have your information stored:

       

      By registering, you confirm that you agree to the storing and processing of your personal data by Salesforce as described in the Privacy Statement.

       

      Salesforce Example: https://www.salesforce.com/form/events/webinars/form-rss/1662434?d=cta-header-7

       

      Questions:

      1. Is anyone else going with this approach (you submit, you give consent)?
      2. If not, how is your company approaching gathering this consent? Could you provide an example of a landing page you have rolled out that captures this consent?
      3. If you have two checkboxes, one for GDPR consent and one for email marketing consent, what do you do if the submitter wants email marketing messages, but doesn't agree to consent of storing and processing data? Yes, this is illogical, but I have seen people drive the wrong way on one-way streets; it will happen eventually.

       

      Thanks in advance!

        • Re: GDPR Example and questions
          Grégoire Michel

          Hi Patrick,

           

          In the form you linked to, if you submit, you give consent for the storage of your data. You still need to check the box to give consent to receiving emails.

           

          This is an interesting application of the 2 consents that needs to be given for the GDPR:

          • Consent to have your data stored
          • Consent to have your data processed (for instance for automated emails).

           

          The second consent it pretty straightforward but the first one its difficult to comply with: if you do not consent to the storage of your data and you fill out the form, there is a contradiction since, behind the form, there is a (probably Pardot) database... Salesforce has solved this with this secondary mention, separated from the first one.

           

          Most of the companies I see link the 2 consents to the first checkbox and have a hard time anonymizing data.

           

          Thanks for the example though. Very interesting.

           

          -Greg

          3 of 3 people found this helpful
          • Re: GDPR Example and questions
            Sheila Baker (247)

            Hi Patrick,

            I've seen multiple versions of similar forms to what Salesforce is doing although their language is more upfront then some of the others in terms of consent to have your data stored. Most of my clients (B2B) have determined that processing this way is compliant with GDPR. Glad to see that Salesforce agrees.

            Regards,

            Sheila

            • Re: GDPR Example and questions
              Vineela Maram

              Hi Patrick,

               

              After multiple discussions with our Legal team, please find below the approach that we are taking for GDPR:

               

              1. We have a new Privacy and cookie policy in place for all our web assets and every user who visits our website after May 25th will have to accept both these policies to navigate in our website else they will be redirected to a static page illustrating why they have to accept the policies.

              2. We will have a checkbox in all our forms(both web and Marketo forms( will also have a link to privacy and cookie policies)) which will be a required field globally that will have a verbiage catering to both expressed consent and data processing needs.  If they do not provide their consent they will not be able to submit any form so we will have new users who have provided consent in our db going forward.

              3. Initially we thought of doing an Opt-in campaign for GDPR but our Legal team has advised us not to do so and as we are B2B and we have acquired these contacts based on their legitimate interest we can continue sending communications to these till they opt-out using our unsubscription link or preference center.

               

              Thanks,

              vineela.

              1 of 1 people found this helpful
                • Re: GDPR Example and questions
                  Matjaž Jaušovec

                  HI Vineela,

                   

                  can you maybe elaborate more on the argumentation behind the link B2B-legitimate interest-no need for explicit consent?

                   

                  thanks;m

                    • Re: GDPR Example and questions
                      Grégoire Michel

                      Hi all,

                       

                      I would be quite cautious with the use of legitimate interest. What it means is not clearly defined by the GDPR and whether it's the legitimate interest of the person/visitor or the legitimate interest of the vendor is not even explicit.

                       

                      What I want to say is that only the first jurisprudence will tell us what it means.

                       

                      Also, with regards to the B2B, for the moment, no detailed application notice have been issued by the compliance agencies. The only thing we know is that when the issue one, it will be agreed between the 28 countries. Meaning it's likely it will comply with the past habits of the strictest ones (Germany) rather than the coolest ones (UK, France).

                       

                      -Greg

                      1 of 1 people found this helpful
                      • Re: GDPR Example and questions
                        Vineela Maram

                        Hi,

                         

                        Sorry for the delayed response. What i meant by legitimate interest in our scenario is as we do B2B business, our legal team mentioned that if we have acquired them previously, we would not need them to provide their explicit consent going forward. Recent update to our efforts to be in compliance to GDPR involves us to just have updated privacy and cookie policies on our website and have GTM on our Marketo LPs and have people accept those and if they did we will consider them as opt-in and capture date and time stamp for their form submission and as per the regulators, they would be interested in the process we are following and the date and time stamp for when we acquired them in the system and nothing else.

                         

                        I feel we will learn and know more as we go and am just waiting to see how it all plays out after 25th.

                         

                        Thanks,

                        vineela.

                        1 of 1 people found this helpful