GDPR Questions. Straightforward Answers.

Michelle_Miles3
Level 9 - Champion Alumni
Level 9 - Champion Alumni

Vast.” The dictionary definition is “very great in size, amount, degree, intensity, or especially in extent or range.” (Merriam-Webster) It’s a word you’ll hear often in GDPR discussions, and it is an accurate description. In fact, there are 99 articles in the GDPR, each stipulating new parameters and expectations for data transparency, accountability, storage, and security.  In our prior posts, we’ve highlighted many of these areas, discussing changes to your backend operations, marketing strategies, external partners and provided a graphic overview with our GDPR infographic​.

As much as GDPR covers, it also raises an equal number of questions.  Many of GDPR’s articles use ambiguous language leaving marketers scratching their heads, and lawyers busy providing clarification. For this reason, we’ve compiled a list of some of the more frequently asked questions and a few of the lesser-known answers, as discussed with our legal team.

GDPR – Who?

Q: Does GDPR apply only to EU citizens?

A: No. GDPR applies to EU residents, regardless of citizenship. An American living in the EU for three months qualifies for GDPR protection. If your business (B2B or B2C) markets to, does business with, or simply stores or processes the personal or business information of EU residents, you are subject to GDPR requirements regardless of your business’s location.

Definition of Personal Data

Q: What is considered “personal” data?  Is B2B information exempt?

A: Generic emails, such as “info@,” “contact@” are not personal addresses so do not count as personal data.  All personal (individual) data, whether B2B or B2C, is covered under GDPR. This includes any business information that makes a someone personally identifiable, such as their business email address.

Limits for Storing Data

Q: How do we define the duration of storing data? What constitutes “as long as necessary?”

A: That depends on the purpose of the data.  Where a contractual agreement exists, (ex: I am buying on Amazon) personal data may be retained as long as the contract runs. (or in our Amazon example, as long as I am willing to keep my Amazon account, which is mandatory to purchase on their site.)  If the data subject is not a customer, then three years after the last contact is a reasonable period, per the French CNIL.  It is the Data Controller’s responsibility to set the limit on data retention and this should be specified in your privacy policy. Be careful not to run wake the dead nurture campaigns on opt-ins that have exceeded the stated time frame.

Bundled Consent

Q: Can you bundle consent to receive future communications with other actions, such as a whitepaper download?

A: No. Consent is an independent action from a marketing action and your consent language needs to be clear. You can include an opt-in option to receive additional information on your form with an unchecked checkbox,  just make sure the checkbox is not required to submit the form. And, be sure to include a link to your privacy policy on all forms. See an example of a GDPR compliant opt-in form.

Cookie Law

Q: Does GDPR have any ramifications for EU Cookie laws or is ‘Do Not Track’ still in effect?

A: Yes, ...

Read the full post on the Perkuto Blog.

6049
13
13 Comments
Grégoire_Miche2
Level 10

Hi Michelle,

I read your article with interest and liked it. Thank you !

I might add some comments on a couple of points though :

The point about the cookie consent is not that clear, as far as I know from my European standpoint, all the more so as the EU is preparing a new directive, called ePrivacy (Surprise! GDPR is not the end of it ), that covers the cookie issues, reinforcing the role of the DNT and removing the need to a cookie consent (So much for all the money we spent adding cookie consent banners to our web sites...)

So, for the moment, the cookie consent has to be explicit (meaning with a link to privacy info, plus the fact that the visitor has to explicitly approve the cookies) if and only if the cookies are personal identifiers (meaning linked to you identification, which is the case of Marketo cookie BTW), but this might well be a temporary point, applicable until the ePrivacy directive becomes the rule.

Also the French CNIL did not say that keeping the data for 3 years is OK. The G29 (the EU group of local regulators) are publishing regularly some notices and Q&A on how to interpret and put things into action. This one (https://www.cnil.fr/cnil-direct/question/499?visiteur=pro , sorry it's in French) says that the duration should not be excessive with regards to the reasons for which they were collected and that every company should determine the "right" duration. Unfortunately, this is not saying more than the directive itself. They give the example of corporate vehicle localization data, for which 2 months is the acceptable duration, while 10 years are acceptable for information that have legal or accounting value. All the lawyers I have discussed with agree that, for customers, keeping data as long as the company or the contacts are your customer is OK. But for the prospects, that's really foggy. Are we talking about active of inactive prospects ? about opt-in or non opt-in prospects ? And what about the link with the duration of the buying cycle ? None of the lawyers and DPO who I have been talking to at my customers have a clear answer to this.

-Greg

Grégoire_Miche2
Level 10

Another point that is very important top everyone, the French CNIL has announced that they will not sue nor fine companies during the first year, unless some obvious misconduct has been observed. They will use this first year to counsel, advise recommend. Hopefully, their will also use this first year to hone and develop their guidelines, so that we, as vendors, progressively get some more precise information.

I do not know whether the CNIL counterparts in other countries have made the same announcement, though.

-Greg

Dan_Stevens_
Level 10 - Champion Alumni

That sure would be nice if all countries adopted this (especially since some note that the final ePrivacy Directive won't even be ready until 2019).  Similar to what Canada did around CASL over the summer - and suspending the fines associated with any violations.  On the other hand, I still hope they go after companies like Equifax who are irresponsible when it comes to communicating major breaches of customer data.

Anonymous
Not applicable

Thanks so much for sharing -- this is super helpful!

Michelle_Miles3
Level 9 - Champion Alumni

Thanks Grégoire Michel​ for the great information. Apologies for the delayed response, I have been on vacation. We have also had a difficult time with our lawyers to clearly define the timeline for prospects... there response is essentially that it depends on the business, the agreed upon terms, and that they recommend staying within CNIL guidelines.

Tammy_Chan
Level 3

Hi Michelle,

Thanks for posting this! I'm a bit late to the GDPR game and I'm a bit overwhelmed...

I'm glad you addressed the "bundled consent" b/c I was looking to do this by putting:

     “Yes, I would like to receive marketing communications about your products, services, and events.”

Once they checked this off, I'd then have all the categories in our subscription center checked off. But it sounds like from your post I shouldn't do that?

I'm not sure what the best way to phrase the opt in would be- In your example you had put "I'd like to receive more on this topic" for my situation, I don't have content separated by topic, but "type"- ie event/webinar etc. Or am I looking at this all wrong?

Dan_Stevens_
Level 10 - Champion Alumni

We will be using a preference center primarily to persuade people from not opting-out fully; and promote it in the footer of our emails.  From an opt-in perspective, it's usually opting in to everything initially.  But we may also promote the preference center somehow here as well (what we don't want to do is direct them away from the form before hitting submit).

I think it's perfectly fine to include something like this, along with the disclaimer (which we'll be modifying before May 25):

pastedImage_0.png

Tammy_Chan
Level 3

Gotcha, I was thinking of going this route as well- which I'd assume = opt them into all of our categories until they update their preference center- which would show the categories like:

- webinars

- educational content

- events

all pre-checked, is pre-checking boxes here after they check the opt in an issue?

Michelle_Miles3
Level 9 - Champion Alumni

I would not pre-check.

Dan_Stevens_
Level 10 - Champion Alumni

IF someone opts-in while submitting a form, then yes, the preference center checkboxes can be all checked (that's different than pre-checked).  Initially, they're opting in to all marketing communications by ticking the box on the form.