Re: GDPR Compliance: Consent Management implications

Dan_Stevens_ · ‎07-18-2017

Anyone that is doing business globally, surely has GDPR on their mind. We had a steering committee call this morning and one of the topics that came up was around "consent management". Specifically the following:

As part of this complex topic is one that states that a user will have the right to have their data removed (e.g., from Marketo) and we will need to keep a record of this. Does Marketo plan on creating some sort of audit trail of this activity? Today, if you delete a person, the only item that remains is their "unsubscribe" status as part of the durable unsubscribe.
Another surprise to us was the fact that GDPR is enforceable based on CITIZENSHIP, not country of residence. As a result, our company will be enforcing GDPR compliance across all marketing activities globally (not just those that target countries in Europe) - to me, this also means that every company needs to be concerned with GDPR (even if their only market is the US?) - essentially, making it global law. So if a German citizen is living in the US, GDPR applies to them. Therefore, we can't rely on the country value in the user's record. Is this a surprise to others?

I'd be very interested in any items on Marketo's roadmap that deal make it easier for its customers to comply with GDPR.

Darrell_Alfons2 · ‎07-18-2017

Good question I'm glad you are bringing it up.

I'm curious too, as we are marketing pretty heavily in the EU.

Dan Stevens or anyone else, are you starting to make any changes on your EU lead gen forms? Disclaimers, opt in buttons or anything?

Dan_Stevens_ · ‎07-18-2017

Hi Darrell - we're about to deploy opt-in functionality on all of our forms (not just those where strict anti-spam legislation exists). Similar to the opt-in checkbox/language that you see here on our Canada contact-us form: Contact Us | Avanade Canada

There has also been some discussion around a subscription center as well as a way for users to opt-in/out of the ability to be tracked on our websites. Today, we bring up a banner at the bottom of the page for first time (non-cookied) visitors that says "By using this site, you agree that we can place cookies on your device. See our Cookie Policy for details." This sort of implied consent is not compliant with GDPR.

Darrell_Alfons2 · ‎07-18-2017

Thanks Dan, good to know, I'll recommend this to our team.

Casey_Grimes · ‎07-18-2017

I'm still going through some legal reading to figure out a full path forward, but thus far the only thing that seems significantly different that I haven't seen mentioned thus far is explicitly capturing the consent language presented to the person at the time they opt-in.

There's some more specific bits around DPO delegation, notifying about third parties who send communication on your behalf, rewording of legal consent language, but those aren't nearly as universal and only selectively apply to companies.

I am particularly interested in the fact that third parties can revoke consent on behalf of others, which may lead to opt-out registers--and managing all of that is going to be very interesting to say the least.

Dan_Stevens_ · ‎07-18-2017

managing all of that is going to be very interesting to say the least

you mean a NIGHTMARE! 😉

Trish_Keenan1 · ‎07-18-2017

Hi Dan,

Once the Canadian CASL law was becoming imminent, we implemented a whitelisting and double opt-in campaign for Canadian customers and prospects that we are now rolling out across the EU. We added the second opt-in field and a datestamp to the database to record it.

I didn't know the piece about country of citizenship. That's an important consideration that I'll share back with my team. I look forward to Marketo's response here. Thanks!

Dan_Stevens_ · ‎07-18-2017

Hi Trish - we use a similar approach for our opt-in process (you can see our detailed approach in this thread: Re: Express Opt-In Checkbox on Forms - CASL Compliance). But that does us no good if we are forced to delete the lead record (where all of this data exists). I suspect we'll just need to create a formal process to capture these sorts of requests outside of Marketo.

Trish_Keenan1 · ‎07-18-2017

True! I don't want another manual/outside of Marketo process. I hope this, too, can live on as the unsubscribes do.

Anonymous · ‎07-27-2017

It's a fun requirement, isn't it? The "right to be forgotten" has an implicit requirement that we remember you - just everything about you. I'm looking at a combination of CRM + external data store to keep this information, but I'm surprised there's been nothing from Marketo on this, or a more formal opt-in/out structure in general.