GDPR and Hidden Fields

Anonymous
Not applicable

Hi All,

Under the GDPR there are 2 main points that caught my attention:

  • Purpose limitation - data can only be used for the purpose specified at collection
  • Data minimisation - limit the amount of data collected to what is necessary to serve the purpose for which it's collected

Do you think these points will affect the use of hidden fields as the user won't be aware of certain data we are collecting?

Thanks!

1 ACCEPTED SOLUTION

Dan_Stevens_
Level 10 - Champion Alumni

Re: GDPR and Hidden Fields

Background processing - like behavioral scoring - is also the result of being able to properly TRACK this engagement as users interact with our digital properties, campaigns and content.  Unfortunately, under GDPR, it sounds like we'll now need to block ALL cookies by default (including Munchkin) until a user has given their consent to install these cookies on their browser.  This is significant.  Think about it - would you provide your consent on every site you visit to the multitude of cookies that can be installed?  Heck no.  Serving up pop-ups like this is really going to degrade the overall customer experience (and have a significant impact on our ability to use Marketo - and other marketing automation platforms - like we do today).

pastedImage_0.png


18 REPLIES
Erik_Heldebro2
Level 8

Re: GDPR and Hidden Fields

Hi Macarena,

This is an interesting topic. If you think about it, there are more data fields aside from hidden fields on a form, such as lead score fields which are constantly updated in the background. I see it more as a data processing opt-in on a form. You will need to do a clear documentation of the data you are processing to be compliant.

It would be interesting to hear what others have to say on this topic.

/Erik

Anonymous
Not applicable

Re: GDPR and Hidden Fields

Hi Dan,

Thank you very much for this valuable insight, I really appreciate it.

This is very concerning. I thought we would be able to use Munchkin as long as we put in every form a field that allows customers to opt-out. But you are saying it's the other way around, that we won't be able to use Munchkin unless they have given us their explicit consent.

I know Marketo provided a GDPR webinar but it was very high level, without getting into the actual details. We need a very detailed explanation of measures needed to be taken to ensure we are 100% compliant.

Thanks,

Dan_Stevens_
Level 10 - Champion Alumni

Re: GDPR and Hidden Fields

I posted some questions during that webinar - and while they weren't addressed during the webinar, our CSM got some of the answers for me.  Specific to cookie consent, this is the reply we received from Marketo (it's important to note that you should also be having these conversations with your legal teams as you work toward GDPR compliance):

The GDPR regulation only makes a single reference to cookies, however what is said is important - when cookies can identify an individual via their device, it is considered personal data and so governed by GDPR, hence the questions below. Two points:

  1. The ePrivacy Regulation governing cookies and other tracking technologies is still in draft form and should be monitored closely for further guidance.
  2. Consent for cookies that can identify an individual will need to be gained, so that landing on a site for the first time, those cookies have to be blocked until the user takes some action that they are giving their consent.

The exact interpretation of this needs to be made by them in conjunction with their own legal team, we cannot offer legal counsel. The mechanisms for how to manage cookie tracking for Marketo are captured in the Practical Guide.

Erik_Heldebro2
Level 8

Re: GDPR and Hidden Fields

I didn't have a chance to watch the webinar although I was pleased to see this guide they posted which, although not fully encompassing all requirements, does address some examples of hands-on processes for GDPR in Marketo: The GDPR and The Marketer: A Practical Guide for the Marketo Customer

Anonymous
Not applicable

Re: GDPR and Hidden Fields

I found the below in a SiriusDecisions report, and thought it might be useful for everyone: https://marketplace.siriusdecisions.com/Blogs/GDPRIsComing5MarketingAutomationPitfalls

Here are five important – but often unexpected – danger areas:

  1. MAP “data management campaigns.” Although marketing automation has encouraged systematic data embellishment and “use your data to create new data,” companies must now ensure all such activity is declared. Data from the past will need to be audited, and marketers are responsible for future updates and the outputs of any new or existing automated procedures.
  2. Reverse IP tracking. As marketing automation has found its pivotal and permanent place in the hearts of our businesses, reverse IP tracking has become part and parcel of everyday prospecting. Before GDPR, this was somewhat of a gray area – but now it's crystal clear. Marketers must seek consent before storing and processing an individual’s IP address.
  3. Lead scoring. Scoring programs provide marketers with ready-made segmentation and an engine to automatically send leads to sales. In GDPR terms, this type of processing constitutes profiling, and marketers must have consent to do it. Across the aisle in sales, propensity-to-buy calculations may also be hard at work in a sales force automation system. If this is used to profile for followup then, once again, permission must be granted.
  4. Reactivation programs. Marketers regularly seek to jump-start old databases by running reactivation programs for individuals inactive for months or even years. Unfortunately, under GDPR, individuals who have not opted in recently to communications cannot be contacted in this way.
  5. Record disposal. Finally, something outside of all marketers' comfort zone. If you do not have consent to store and process an individual's data, you must delete what you have. This applies to records accumulated over time but lacking opt-in, as well as to individuals who withdraw consent.

Thanks.

Dan_Stevens_
Level 10 - Champion Alumni

Re: GDPR and Hidden Fields

Thanks for sharing, Macarena. These points are super important and relevant for almost all of Marketo’s customers (even if businesses don’t operate in the EU). As I’ve been saying, GDPR is really going to restrict our use of Marketo (and other MAPs) as we’re used to doing today.

Given the significance of this insight you shared, it probably deserves its own post (and not as a comment within an existing thread about forms, marked as “answered”).

Mark_Knight
Level 3

Re: GDPR and Hidden Fields

My understanding of the Profiling restrictions is that you need to allow the user the right to OPT-OUT (assuming the profiling is tracking based for direct marketing purposes and not making an automated decision on a user from a contractual perspective).

When processing is for direct marketing purposes, including profiling, the data subject similarly has a right to object but in this case processing must cease and the controller is not authorized to continue under any circumstances.

REF:  Top 10 operational impacts of the GDPR: Part 5 - Profiling

My reading of this is you need a new banner to Preference management, that will allow an initial visitor the right to opt-out of Profiling (that will deactivate the anonymous tracking on your site)

(I am not a lawyer etc..., but I will be raising this issue with a German lawyer I am working with to determine how we need to change our website processes)

- this thread is very timely - thanks.

<<<< UPDATE following discussion with lawyer >>>>

GDPR does not make the need for cookies/tracking to be opt-in. This remains opt-out via the preference centre as mentioned above.

What could POTENTIALLY make tracking opt-in is the e-privacy regulation, that is still currently in draft form, although scheduled for release the same time as GDPR it is generally considered it will not be launched at the same time as it is still under review following the public consultation period.

Summary report on the public consultation on the Evaluation and Review of the ePrivacy Directive | D...

How to deal with cookies?

77% of citizens and civil society and 70% of public authorities believe that information service providers should not have the right to prevent access to their services if users refuse the storing of identifiers, such as cookies, in their terminal equipment. Three quarters of industry on the other hand disagree with this statement.

Dan_Stevens_
Level 10 - Champion Alumni

Re: GDPR and Hidden Fields

"GDPR does not make the need for cookies/tracking to be opt-in. This remains opt-out via the preference centre as mentioned"

Been hearing both sides of this.  But to hear this come from a German lawyer is encouraging!

I think what people need to realize is that the way many sites today (including ours) notify visitors (in specific countries, where applicable) that "By using this site, you agree that we can place cookies on your device. See our Cookie Policy for details." - along with an "X" to close out the banner/window.  And that action (closing the banner/window) is providing implied consent and that the visitor agrees to have cookies placed on their device.  This approach is completely non-compliant under GDPR.  Instead, you must give users the ability to opt-out and continue to navigate your website.  Using tools like OneTrust - which is the cookies preference center I posted above - will allow the user to opt-out of specific cookies and give you the ability to note which cookies cannot be disabled in order for the site to function properly.
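
The two defaults debated in this thread (block tracking until the visitor consents, versus allow it until the visitor opts out) can be expressed as one consent gate that also keeps strictly necessary cookies on. This is an added example, not part of the original thread and not Marketo or OneTrust code; the cookie name `site_consent`, its `category:flag` format, the category names and the tag list (including filing Munchkin under `marketing`) are assumptions made up for illustration.

```javascript
// Added illustration. Cookie name, value format, categories and tags are assumptions.
const CATEGORIES = ['necessary', 'analytics', 'marketing'];

// Constructed tag inventory: each tag is filed under one consent category.
const TAGS = [
  { name: 'session', category: 'necessary' },
  { name: 'web-analytics', category: 'analytics' },
  { name: 'munchkin', category: 'marketing' },
];

// Read choices from a Cookie header, e.g. "site_consent=analytics:1,marketing:0".
// Anything malformed or unknown is ignored, so it can never grant consent.
function parseConsent(cookieHeader, name = 'site_consent') {
  const choices = {};
  for (const part of (cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0 || part.slice(0, eq).trim() !== name) continue;
    let value;
    try {
      value = decodeURIComponent(part.slice(eq + 1).trim());
    } catch {
      return {}; // undecodable cookie: treat as "no choice recorded"
    }
    for (const item of value.split(',')) {
      const [category, flag] = item.split(':');
      if (CATEGORIES.includes(category) && (flag === '0' || flag === '1')) {
        choices[category] = flag === '1';
      }
    }
  }
  return choices;
}

// mode 'opt-in': blocked until the visitor says yes.
// mode 'opt-out': allowed until the visitor says no.
function isAllowed(category, choices, mode) {
  if (!CATEGORIES.includes(category)) return false; // unknown tags fail closed
  if (category === 'necessary') return true;        // cannot be disabled
  if (Object.prototype.hasOwnProperty.call(choices, category)) return choices[category];
  return mode === 'opt-out';
}

// Names of the tags the page may load for this visitor.
function tagsToLoad(tags, cookieHeader, mode) {
  const choices = parseConsent(cookieHeader);
  return tags.filter((t) => isAllowed(t.category, choices, mode)).map((t) => t.name);
}
```

On a first visit with no cookie, `tagsToLoad(TAGS, '', 'opt-in')` returns only the necessary tag, while `'opt-out'` returns all three; a recorded choice overrides either default.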